Split DNS

The Split DNS feature allows the Endpoint Security VPN client to use multiple DNS servers:

  • A regular DNS server to resolve the external resources.

  • An internal company DNS server assigned by the Office Mode to resolve the internal company resources.

By default, the Split DNS feature is disabled in the Endpoint Security VPN client.

To configure Split DNS in the Endpoint Security VPN client:

  1. Configure your VPN Gateway to assign internal company DNS Servers for Office Mode.

  2. Configure Split DNS either locally in the Endpoint Security VPN client or from the VPN Gateway.

To configure your VPN Gateway to assign internal DNS Servers for Office Mode:

  1. In SmartConsole, open the Security Gateway object.

  2. Go to VPN Clients > Office Mode.

  3. Click Optional Parameters.

  4. In the DNS Servers section, configure the internal DNS Servers.

  5. In the DNS suffixes field, enter your internal domain names.
    The Endpoint Security VPN client uses these DNS suffixes to calculate which resources are internal.

  6. Click OK.

  7. Install the policy on the Security Gateway.

To configure Split DNS locally in the Endpoint Security VPN client:

  1. Log in to the Endpoint Security VPN client computer with administrator privileges.

  2. Edit this file in a plain text editor:

    /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/trac.defaults

  3. Find the attribute split_dns_for_mac.

  4. Set the attribute value:

    • false (default) - The Endpoint Security VPN client disables the Split DNS.

    • true - The Endpoint Security VPN client enables the Split DNS.

  5. Save the changes in the file and close the text editor.

  6. Go to the Applications folder > Utilities folder.

  7. Open the Terminal application.

  8. Stop and start the Check Point Endpoint Security VPN client service. Run:

    sudo launchctl stop com.checkpoint.epc.service

    sudo launchctl start com.checkpoint.epc.service

To configure Split DNS from the VPN Gateway:

Note - These steps affect all Endpoint Security VPN clients that connect to this VPN Gateway.

  1. Connect to the command line on the VPN Gateway.

  2. Log in to Expert mode.

  3. Create a backup copy of the $FWDIR/conf/trac_client_1.ttm file:

    cp -v $FWDIR/conf/trac_client_1.ttm{,_bkp}

  4. Edit the $FWDIR/conf/trac_client_1.ttm file in a plain text editor:

    vi $FWDIR/conf/trac_client_1.ttm

  5. Add the split_dns_for_mac property to the file in this format:

    :split_dns_for_mac (
        :gateway (
            :map (
                :true (true)
                :false (false)
                :client_decide (client_decide)
            )
            :default (your desired value)
        )
    )

  6. Set the value for the :default attribute:

    • true - The Endpoint Security VPN client enables the Split DNS.

    • false - The Endpoint Security VPN client disables the Split DNS.

    • client_decide (default) - The Endpoint Security VPN client configures the Split DNS based on the value of the attribute split_dns_for_mac in its local file /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/trac.defaults. See the procedure To configure Split DNS locally in the Endpoint Security VPN client above.

  7. Save the file and close the text editor.

  8. Install the policy on the VPN Gateway.

  9. Configuration changes are applied when the Endpoint Security VPN client connects to the VPN Gateway and downloads the new policy.
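As an added example (not part of the Check Point documentation or product), the script below parses the nested `:name ( ... )` property format shown in step 5 above, checks that the `:default` value is one of the `:map` options, and combines the gateway value with the client's local `split_dns_for_mac` setting the way step 6 describes. The sample property block and the parser are constructed for this example; the real `trac_client_1.ttm` and `trac.defaults` files are not read.

```python
import re

# Constructed sample of the split_dns_for_mac property in the format the
# page shows for $FWDIR/conf/trac_client_1.ttm (not taken from a real gateway).
SAMPLE_TTM = """
:split_dns_for_mac (
    :gateway (
        :map (
            :true (true)
            :false (false)
            :client_decide (client_decide)
        )
        :default (client_decide)
    )
)
"""

# Tokens: ':name (' opens a node, ')' closes it, anything else is a bare value.
TOKEN = re.compile(r":(\w+)\s*\(|\)|([^\s()]+)")

def parse_ttm(text):
    """Parse the nested ':name ( ... )' syntax into dicts. A node whose body is
    only bare words becomes that text, e.g. ':default (true)' -> 'true'."""
    stack = [("<root>", {})]
    for m in TOKEN.finditer(text):
        name, atom = m.group(1), m.group(2)
        if name is not None:
            stack.append((name, {}))
        elif atom is not None:
            stack[-1][1].setdefault("_atoms", []).append(atom)
        else:  # closing parenthesis
            if len(stack) == 1:
                raise ValueError("unbalanced ')' in property block")
            name, node = stack.pop()
            atoms = node.pop("_atoms", [])
            stack[-1][1][name] = " ".join(atoms) if atoms and not node else node
    if len(stack) != 1:
        raise ValueError("unclosed node %r in property block" % stack[-1][0])
    return stack[0][1]

def gateway_split_dns(tree):
    """Return the gateway :default value, rejecting anything not in :map."""
    prop = tree["split_dns_for_mac"]["gateway"]
    default, allowed = prop["default"], set(prop["map"])
    if default not in allowed:
        raise ValueError("bad :default %r, expected one of %s" % (default, sorted(allowed)))
    return default

def effective_split_dns(gateway_default, client_local_value):
    """True if Split DNS ends up enabled: the gateway value wins unless it is
    client_decide, in which case the client's local trac.defaults value applies."""
    if gateway_default == "client_decide":
        return client_local_value == "true"
    return gateway_default == "true"
```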