We have set up GlobalProtect with split-tunnel for mobile clients (iPhone, Android). The goal is that ActiveSync uses the tunnel to reach internal servers, and all other traffic can go directly to the internet. GP is set up to distribute routes to two internal networks to the clients through the Access Route parameter in the Gateway configuration.
One strange thing we observe, is that Facetime is sending traffic destined for some Apple servers over the VPN tunnel despite the fact that the routing table says otherwise. We can observe the Facetime traffic in traffic monitor on the gateway.
Has anyone else observed this?
Another observation: Even when we specify Google DNS servers in the GP client settings, all DNS requests seem to go over the tunnel. It seems that GP always sends DNS requests over the VPN tunnel, regardless of the routing.
I don't have access to the device for the moment, but the Access route is to one internal network only, like: 192.168.100.0/24
We see two specific oddities, where one might be by design:
- If primary and secondary DNS for GP clients are set to e.g. 188.8.131.52 and 184.108.40.206, DNS traffic is still sent over the tunnel
- We see FaceTime traffic from iPhone over the tunnel
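One way to confirm the two oddities from the gateway side is to take the flows seen on the tunnel and check each destination against the access routes the gateway actually pushes; anything outside those routes is traffic the split tunnel should not have carried. The script below is an added example and is not from the original post or from Palo Alto Networks. It assumes the single access route named above (192.168.100.0/24), a client tunnel IP of 10.200.0.5, and a handful of constructed flow tuples (source, destination, port, protocol, app) rather than the real PAN-OS traffic-log format; the FaceTime destination is a made-up address inside Apple's 17.0.0.0/8.

```python
import ipaddress
from collections import Counter

# Access routes pushed by the GlobalProtect gateway (the split-tunnel include list).
# Only the /24 mentioned in the post; add the second internal network here if known.
ACCESS_ROUTES = [
    ipaddress.ip_network("192.168.100.0/24"),
]

# Constructed sample flows as they might appear on the gateway's tunnel interface.
# Simplified tuples, not the PAN-OS traffic-log format. The client tunnel IP
# 10.200.0.5 is an assumption.
SAMPLE_FLOWS = [
    # (src, dst, dport, proto, app)
    ("10.200.0.5", "192.168.100.10", 443, "tcp", "activesync"),   # expected: inside route
    ("10.200.0.5", "8.8.8.8", 53, "udp", "dns"),                  # DNS forced through tunnel
    ("10.200.0.5", "8.8.4.4", 53, "udp", "dns"),
    ("10.200.0.5", "17.57.146.20", 5223, "tcp", "facetime"),      # Apple-owned 17/8, constructed address
    ("10.200.0.5", "192.168.100.25", 25, "tcp", "smtp"),          # expected: inside route
]


def in_access_routes(dst, routes=ACCESS_ROUTES):
    """True if the destination falls inside any pushed access route."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in routes)


def find_leaks(flows, routes=ACCESS_ROUTES):
    """Return the flows that traversed the tunnel although their destination is
    outside every access route, i.e. traffic the split tunnel should have excluded."""
    return [f for f in flows if not in_access_routes(f[1], routes)]


def summarize(leaks):
    """Count leaked flows per application so the pattern (all DNS, a FaceTime flow)
    stands out even in a long log."""
    return Counter(f[4] for f in leaks)


if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_FLOWS)
    for src, dst, dport, proto, app in leaks:
        print(f"tunneled but outside access routes: {src} -> {dst}:{dport}/{proto} ({app})")
    print(dict(summarize(leaks)))
```

Run against an export of the gateway's traffic log filtered on the tunnel interface; a non-empty result for the DNS entries is consistent with the client sending resolver traffic over the tunnel regardless of the routing table, and any other app in the output is worth a packet capture on the device.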