Policy enforcement & reporting discrepancies with Roaming Client
Hopefully I explain this well enough…new to DNS Filter.
I set up a site (my home office) and have roaming agents on my laptop and android phone. Seems to work well…debug.dnsfilter.com page shows the categories allowed/blocked properly. So all good.
I set up another site (at my office)…it has a different public IP address (if that matters for roaming agents?). I installed the roaming agent on a test machine there. The roaming agent shows up in the list of roaming agent devices. When I remote to the test machine and go to debug.dnsfilters.com none of the categories that I've blocked in the policy for that site (different policy than my home office site), show as blocked. I can go to any site (gambling/etc). I've also set one site URL as blocked in the policy, but can go to that URL.
…that would be the first issue I suppose.
Also, when I look at the reports for this Roaming Client…it shows that the traffic to the url for the site that I blocked is Blocked (I was hitting the site on the client computer and updating the report insights). Also, the other URLs/site for the blocked sites I tested were showing as blocked, but on the client I could get to them.
I have not changed the DNS settings on that site's firewall yet (there are other computers there and I want to make sure that everything works properly before I make those sorts of changes).
1. Do the settings for a roaming client “override” whatever settings (e.g. DHCP) happen to be served up at whatever network they're on (e.g. office/airport/home/etc)?
2. Why when the policy says that it's blocking a category, can that roaming client get to those sites?
3. Why when the client can get to those sites, is it showing in the report as blocked?
Please and thanks in advance!
-
Official comment
Hi Tmark -
Sorry to hear about the challenges. I discussed with an expert here to make sure I give you the right info. Let's see if we can get this resolved.
- I believe the underlying issue is related to transparent proxying.
  (In some instances, you could have browser caching problems. The best practice is to test in Incognito mode first, as it shouldn't have anything cached. If/when that works, then you can address clearing the browser's cache.)
- Enable DNS over TLS, which will encrypt the DNS request and should resolve the issue.
Answers to your questions:
- Do the settings for a roaming client “override” whatever settings (e.g. DHCP) happen to be served up at whatever network they're on (e.g. office/airport/home/etc)? Yes
- Why when the policy says that it's blocking a category, can that roaming client get to those sites? No, assuming the Roaming Client is using the policy and the requests aren't being intercepted.
- Why when the client can get to those sites, is it showing in the report as blocked? See the response to #2. Also, confirm the report is for the specific Roaming Client and not from your local testing.
-
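Added example, not part of the original thread or DNSFilter's own tooling: one way to check for the transparent DNS proxying mentioned in the official comment is to send the same A query to a resolver over plain UDP/53 and over DNS over TLS, then compare the answers. It assumes the resolver accepts DoT on port 853; `tls_name` (the resolver's certificate hostname) is a parameter the thread does not give.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query for name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">2H", 1, 1)

def _skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def a_records(msg):
    """IPv4 addresses in the answer section of a raw DNS response."""
    qdcount, ancount = struct.unpack(">2H", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                              # CNAME etc. are skipped
    return ips

def ask_udp(server, name, timeout=3.0):
    """Plain DNS on UDP/53: readable and rewritable by anything on the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return a_records(s.recvfrom(4096)[0])

def ask_dot(server, tls_name, name, timeout=3.0):
    """DNS over TLS on TCP/853: same query inside an authenticated TLS session."""
    with socket.create_connection((server, 853), timeout) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=tls_name) as s:
            q = build_query(name)
            s.sendall(struct.pack(">H", len(q)) + q)   # 2-byte length prefix
            f = s.makefile("rb")
            (size,) = struct.unpack(">H", f.read(2))
            return a_records(f.read(size))

def answers_differ(server, tls_name, name):
    """True when the plain and encrypted paths return different A records."""
    return ask_udp(server, name) != ask_dot(server, tls_name, name)
```

Differing answers for a domain the policy blocks suggest that port 53 traffic is being answered by something other than the intended resolver. Answers can also differ for benign reasons such as load-balanced records, so compare several names.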
Thanks.
Just to add. The problem test machine is in the site BBB Toronto, with policy CustomBlock applied…and it doesn't seem to matter which policy I apply (BlockThreats, CustomBlock, TestBlock1, etc). I have another site AAA Toronto….everything works fine. I can change the policy, switch to a different policy, etc.
1. I've cleared the caches of the browsers…rebooted. I've also created another policy and assigned it to the Site that this machine is in….no change
2. I've added additional DNS servers to the interface configuration (so it has 172.0.0.2, 103.247.36.36 and 103.247.37.37)
3. I've added another new site CCC Toronto…installed the roaming agent on a test machine there. It picked up the BlockThreats policy (global). I changed it to the Custom policy CustomBlock….and it applied (after a little while).
4. Meanwhile the test machine in BBB Toronto site still allows through to everything.
**** I neglected to mention….I had originally created an MSP Organization called BBB Toronto, and put a BBB Toronto site in there, that had the same IP of the site. I realized that I didn't actually want another MSP Organization, but rather a Site under the original MSP organization. I deleted the BBB MSP Organization. Maybe that's messed things up for this site? If so, how can that be resolved?
0 -
Just now…I took another computer from BBB Toronto location….installed the Agent. It showed up but didn't take any policy filters (everything is allowed). So it looks to be something stuck with that Site using that office's IP address.
0 -
Tmark -
Unfortunately, this is going to take a deeper dive. This article has some help with log analysis: https://help.dnsfilter.com/hc/en-us/articles/37655337790867 → see the sections on Filtering Policy isn't blocking websites and Internet Redirects to unknown.dnsfilter.com. If that runs into a dead end as well, the next step is to contact Support for further analysis.