Skip to main content
Skip table of contents

HYAS Agent Configuration

Once the HYAS Protect Agent is installed and running, you can configure how it behaves across your environment. These configuration options are designed to support advanced use cases like split-horizon DNS, internal domain resolution, Safe Search enforcement, and more.

Configuration only needs to be completed once—typically during initial setup or when making changes to your organization’s security or network policies. Once saved, your settings will automatically apply to all deployed agents within your organization. You do not need to reconfigure the agent on each device.

These configuration settings only apply to Windows and macOS deployments.

The available configuration options include:

Local Resolution Settings

More details on how to configure Local Resolution Settings

  • What it is:
    Local Resolution Settings allow the HYAS Protect Agent to resolve internal domain names using your organization’s internal DNS infrastructure. This ensures that private or internal services—like intranet portals, authentication servers, or application endpoints—are resolved locally rather than being sent to external DNS resolvers.

This configuration consists of two components:

  • Local Domains: The internal domains you want to resolve locally.

  • Local Resolvers: The internal DNS servers that will be used to resolve those domains.

  • Why you’d configure it:
    To ensure seamless access to internal systems while keeping sensitive DNS traffic inside your trusted network. It improves performance, prevents resolution failures, and avoids exposing internal domain names to public DNS resolvers.

  • If you don’t configure it (or configure it incorrectly):

    • Internal domains may not resolve, breaking access to critical services.

    • DNS queries for sensitive internal domains may be sent to external resolvers, increasing the risk of exposure.

    • HYAS Protect Agents will be unable to properly differentiate internal DNS traffic, especially in split-horizon environments.

  • How to configure it:

    • In the Local Domains field:

      • Enter each internal domain that should resolve through your internal DNS infrastructure.

      • Each domain must include a second-level domain (SLD) and top-level domain (TLD).

    • In the Local Resolvers field:

      • Enter the IP address(es) of your internal DNS servers.

      • Use valid IPv4 or IPv6 addresses only.

    • Save the configuration, (bottom of page)

Split-Horizon DNS: Local Network Test

Split-Horizon DNS is when the same domain resolves to different IPs depending on whether a device is on an internal or external network. The Local Network Test helps the HYAS Protect Agent detect its location by sending a test DNS query to your internal resolver and checking for an expected IP. This ensures the agent applies the correct settings based on network context.

More details on configuring Split-Horizon DNS: Local Network Test

  • What it is:
    A test the HYAS Protect Agent uses to determine if a device is on an internal (trusted) or external network by querying a local DNS resolver and checking if the response matches an expected internal IP address.

  • Why you’d configure it:
    To ensure the agent behaves appropriately based on network location—such as routing internal domains correctly or disabling enforcement on trusted networks. This is essential for environments using split-horizon DNS or hybrid deployments.

  • If you don’t configure it (or configure it incorrectly):
    The agent will always assume it’s on an external network. This can lead to broken internal DNS resolution, incorrect policy application, or failure of features like "Disable Agent on Local Network."

  • How to Configure:

    • Identify a domain that resolves differently depending on whether you're inside or outside your corporate network. This should be an internal-only domain or subdomain (e.g., test.internal.company.com).

    • Determine the expected internal IP address that this domain should resolve to when the device is on the local network (e.g., 10.0.0.99).

    • In the Split-Horizon DNS: Local Network Test section:

      • Enter the internal domain in the Test Query field (e.g., test.internal.company.com).

      • Enter the expected internal IP address in the Test Value field (e.g., 10.0.0.99).

  • Save the configuration (bottom of the page)

Disable Agent on Local Network

Allows the agent to automatically disable itself when it confirms the device is on a trusted internal network (requires Local Network Test to be configured and agent version 2.2.11+).

More details on configuring Disable Agent on Local Network

  • What it is:
    This option allows the agent to automatically disable itself when it detects that it's on a trusted internal network.

  • Why you’d configure it:
    To reduce unnecessary DNS enforcement or prevent conflicts with internal DNS policies while on a secure internal network. Useful for environments that already monitor DNS internally or have strict internal routing setups.

  • If you don’t configure it (or configure it incorrectly):
    The agent will continue enforcing policies and intercepting DNS—even on internal networks—potentially leading to duplicate logging, policy conflicts, or unnecessary complexity.
    Note: This setting requires the Local Network Test to be properly configured.

  • How to Configure:

    • Configure Split-Horizon DNS: Local Network Test (instructions above)

    • Enable ‘Disable Agent on Local Network’

    • Save the configuration (bottom of the page)

Safe Search

Enforce Safe Search on supported search engines including Google, YouTube, Bing, and DuckDuckGo.

More details on configuring Safe Search

  • What it is:
    This setting forces Safe Search to be enabled on supported search engines (Google, YouTube, Bing, and DuckDuckGo), helping filter out explicit or inappropriate content.

  • Why you’d configure it:
    To support compliance with internet safety policies, especially in education, public sector, or regulated industries. It adds a layer of content control at the DNS level.

  • If you don’t configure it:
    Users can disable Safe Search in their browser or search engine settings, and DNS will not enforce restrictions—potentially exposing the organization to policy violations or inappropriate content.

  • How to configure:

    • Enable ‘Safe Search’

    • Save the configuration (bottom of the page)

Allow Employee to Temporarily Disable Agent

Permit end users to disable the agent for up to 5 minutes at a time—helpful in scenarios like accessing captive portals on public Wi-Fi.

More details on Allowing Employees to Temporarily Disable the Agent

  • What it is:
    This optional setting allows end users to disable the HYAS Protect Agent for five (5) minutes at a time.

  • Why you’d configure it:
    To give users flexibility when encountering restrictive environments like captive portals (e.g., hotel or airport Wi-Fi login pages) that may require temporary DNS bypassing.

  • If you don’t configure it:
    Users may not be able to complete logins or network registration on certain public Wi-Fi networks, leading to access issues and increased support tickets.

  • How to configure:

    • Enable ‘Allow Employees to Temporarily Disable Agent’

    • Save the configuration (bottom of the page)

These settings help ensure the HYAS Protect Agent operates efficiently in both internal and external environments, balancing security with usability. In the sections that follow, you'll learn how to configure each option step-by-step.

Configure these settings at: apps.hyas.com>Settings>Organization Settings>Protect Agent>Settings

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close