© 2020 Pulse Secure, LLC.
VPN Tunneling Configuration Guide
Auto-allow: Select Auto-allow IPs in DNS/WINS settings (only for split-tunnel enabled mode) if you
want to create an allow rule for the DNS server. For example, if you have defined policies to
allow requests from IP address 10.0.0.0 but your DNS server has an address of
172.125.125.125, the DNS server requests will be dropped. If you select this option, the
system creates a rule to allow the DNS requests.
DNS search order: Select the DNS server search order. Applicable only if split tunneling is enabled:
• Search client DNS first, then the device
• Search the device's DNS servers first, then the client
• Search device DNS only.
Note: DNS search order does not work with iOS clients. The DNS name resolution fields
(located on the System > Network > Overview window) must be configured; otherwise, all DNS
queries will go to the client's DNS server.
Pulse Secure client 5.0 and greater supports all DNS search order options. Prior versions of
Pulse Secure client support only Search client DNS first, then the device and Search the
device's DNS servers first, then the client.
For the Search client DNS first, then the device and Search the device's DNS servers first, then
the client options, the DNS servers configured on the system are added to the end user's system
along with the DNS servers already present there. So, either the device DNS
servers or the client DNS servers get precedence on the end user's system.
When the Search device DNS only option is selected, the DNS servers on the end user's system are
replaced with the device DNS servers. This option is recommended to avoid DNS hijacking by ISPs. Note that
this option is applicable only for Windows platforms; non-Windows clients will use the Search
the device's DNS servers first, then the client search order if this option is selected. When
using this option, you must ensure that packets to the system DNS are going through the
tunnel. To do this, add the required routes to the split tunnel networks policy (Users >
Resource Policies > VPN Tunneling > Split-Tunneling Networks), or select the Auto-allow IPs in
DNS/WINS settings option.
For the Search device DNS only option, the client software (Pulse) removes the DNS
information of the available adapters on the client system after the tunnel is created. Once
the tunnel is created, the client does not monitor the presence of new adapters and does not
monitor if changes are made to the DNS settings of existing adapters. Because of this, the
Search device DNS only option may not work properly if any of the following occurs after the
tunnel is created:
• A new interface appears with a DNS server that does DNS hijacking.
• A third-party application adds DNS to the adapters whose DNS was removed by the client
as part of the tunnel set up process.
• Third-party applications change the TCP/IP option from "Use the following DNS servers"
to "Obtain DNS servers automatically" for those adapters whose DNS was removed by
the client software as part of the tunnel set up process.
• End users enable the interfaces that are in the disabled state during the tunnel set up
process.
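One way to check a Windows client for the conditions listed above, as an added example that is not part of the Pulse Secure guide or client: the PowerShell function below compares each adapter's DNS servers with the device DNS set and marks adapters that were not present in a baseline taken at tunnel setup. The function name Find-DnsDrift, its parameters, and all adapter names and addresses are assumptions constructed for illustration.

```powershell
# Added example (not Pulse Secure code). Find-DnsDrift is a hypothetical helper.
function Find-DnsDrift {
    [CmdletBinding()]
    param(
        # DNS servers pushed by the gateway; the caller supplies the real values.
        [Parameter(Mandatory)] [string[]] $DeviceDns,
        # Interface indexes recorded right after the tunnel came up (optional).
        [int[]] $BaselineIfIndex,
        # Per-adapter DNS records. Defaults to the live IPv4 state of this host;
        # pass an IPv6 snapshot separately if IPv6 resolvers matter to you.
        [object[]] $Snapshot = (Get-DnsClientServerAddress -AddressFamily IPv4)
    )
    $haveBaseline = $PSBoundParameters.ContainsKey('BaselineIfIndex')
    foreach ($entry in $Snapshot) {
        # A resolver outside the device set means the DNS cleanup done at
        # tunnel setup no longer holds for this adapter.
        $foreign = @($entry.ServerAddresses |
            Where-Object { $_ -and ($DeviceDns -notcontains $_) })
        if ($foreign.Count -eq 0) { continue }
        [pscustomobject]@{
            InterfaceAlias = $entry.InterfaceAlias
            InterfaceIndex = $entry.InterfaceIndex
            ForeignDns     = $foreign -join ', '
            # True when the adapter appeared after the baseline was taken.
            NewInterface   = $haveBaseline -and
                             ($BaselineIfIndex -notcontains $entry.InterfaceIndex)
        }
    }
}

# Constructed sample state (not captured from a real host): the tunnel adapter,
# a Wi-Fi adapter whose DNS was re-populated after tunnel setup, and a tethered
# adapter that did not exist when the tunnel was created.
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Tunnel adapter'; InterfaceIndex = 21
                       ServerAddresses = @('192.0.2.53') }
    [pscustomobject]@{ InterfaceAlias = 'Wi-Fi'; InterfaceIndex = 7
                       ServerAddresses = @('203.0.113.8') }
    [pscustomobject]@{ InterfaceAlias = 'USB tether'; InterfaceIndex = 33
                       ServerAddresses = @('198.51.100.1') }
)

Find-DnsDrift -DeviceDns '192.0.2.53' -Snapshot $sample -BaselineIfIndex 7, 21 |
    Format-Table -AutoSize
```

Omitting -Snapshot makes the function read the live adapter state, so it can be run on a schedule while the tunnel is up and its output forwarded to whatever alerting is in place.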
Note: On Windows 8, selecting either the first or second radio button sends DNS requests to
both the client's and Pulse Secure gateway's DNS at the same time. On Windows 10, selecting
the first radio button will have the same effect as the second button.
Proxy Server Settings
Proxy server settings: Select one of the following options:
Setting Guidelines