
Windows Agent VPN Compatibility

At HYAS, we understand that many organizations utilize VPNs as part of their network security strategies. To support these environments, the HYAS Protect Agent (HPA) has been tested with leading VPN solutions, specifically within split-tunnel configurations, which we endorse as the reliable and supported method for deployment. This approach ensures accurate threat protection without compromising performance or visibility.

Disclaimer: The HYAS Agent is designed to function optimally with split-tunnel VPN configurations. While alternative workarounds or OS-specific settings may technically enable operation in certain scenarios, the wide variability of system environments, security policies, and user configurations makes it impossible to guarantee compatibility or performance in all cases. We explicitly endorse the use of split-tunnel VPN setups with the Agent, as this is the configuration we have thoroughly tested and validated to ensure coverage and functionality as advertised. Use of non-split-tunnel configurations may result in unpredictable behavior or failure to meet stated capabilities. Please consult official documentation for supported deployment methods.

VPN

Compatibility Testing Results

Bitdefender

When Bitdefender VPN and the HPA run simultaneously, Bitdefender takes priority. Deactivating Bitdefender gives preference to the HPA.

Cisco AnyConnect

In every observed scenario, enabling the HPA consistently results in HYAS DNS taking precedence, ensuring proper functionality of both HPA and internet access.

Fortinet FortiClient

In every observed scenario, enabling the HPA consistently results in HYAS DNS taking precedence, ensuring proper functionality of both HPA and internet access.

PAN GlobalProtect

In every observed scenario, enabling the HPA consistently results in HYAS DNS taking precedence, ensuring proper functionality of both HPA and internet access.

It should be noted that in some cases, the VPN must be disabled in order to give preference to the HPA to resolve DNS queries. Once a VPN is disabled, the HPA will automatically take over DNS resolution capabilities.

Windows Configuration

In certain environments, additional configuration may be required to ensure full compatibility between the HYAS Protect Agent and VPN software. On Windows systems, conflicts can occasionally occur due to how DNS resolution is routed when a VPN is active. These issues may result in:

  • Complete loss of internet connectivity

  • Content not being blocked as expected

  • DNS resolution failures

  • User-level policies not applying correctly

To prevent these issues, we recommend running the HYAS Protect Agent alongside your VPN using a split-horizon configuration. This allows local DNS queries to continue resolving through HYAS Protect while routing other traffic through the VPN tunnel.

If a split-horizon setup isn't feasible, alternate troubleshooting steps may involve temporarily disabling the agent and configuring your DNS settings to route through your VPN’s internal resolvers.

Using the HYAS Protect Agent with VPNs

In enterprise environments, it's common to use VPNs for secure access to internal resources while also enforcing DNS-layer protection. The HYAS Protect Agent is compatible with VPN solutions when properly configured.

To avoid potential conflicts—such as DNS resolution issues or filtering bypass—we recommend configuring your VPN in a split-horizon setup. This allows local DNS queries to continue resolving through HYAS Protect, while intranet and other VPN-designated traffic routes through the tunnel. This configuration ensures consistent DNS policy enforcement without disrupting access to corporate resources.

If a split-horizon configuration is not feasible, an alternative approach may involve temporarily disabling the HYAS Protect Agent and routing DNS traffic through the VPN’s internal resolvers. This should only be used in controlled or exception-based scenarios.


Option 1: Reprioritize Network Interface Metric Values

Windows prioritizes DNS resolvers based on interface metrics. Some VPN clients automatically assign the lowest metric to their virtual adapters, which can override DNS settings and disrupt the HYAS Protect Agent’s ability to enforce policies.

To address this, you can manually reprioritize the metric of the primary network interface to ensure DNS traffic routes through HYAS Protect:

Steps:

  1. Open Network Connections Settings (right-click Start or search “Network Connections”).

  2. Select your primary Ethernet or Wi-Fi adapter.

  3. Right-click the adapter and choose Properties.

  4. Select Internet Protocol Version 4 (TCP/IPv4), then click Properties.

  5. Click Advanced, then go to the IP Settings tab.

  6. Uncheck Automatic Metric.

  7. Set a manual metric value (e.g., 10) — it must be lower than the VPN adapter’s metric.

  8. Click OK on all windows to save the changes.

Once complete, Windows will prioritize DNS resolution through your primary adapter, allowing the HYAS Protect Agent and your VPN to operate simultaneously as expected.
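
The same change can be audited and applied from an elevated PowerShell prompt. This is an added example, not HYAS-provided code; the adapter aliases `Ethernet` and `VPN Adapter` are placeholders for your own adapter names, and the metric value 10 is the example value from the steps above.

```powershell
# Added example: audit IPv4 interface metrics, then pin the primary adapter
# below the VPN adapter. Adapter aliases are placeholders; run elevated.
$PrimaryAlias = 'Ethernet'      # placeholder: primary Ethernet or Wi-Fi adapter
$VpnAlias     = 'VPN Adapter'   # placeholder: the VPN client's virtual adapter
$ManualMetric = 10              # example value from the steps above

# List connected IPv4 interfaces, lowest metric (most preferred) first,
# together with the DNS servers bound to each one.
Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                    -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Alias           = $_.InterfaceAlias
            Metric          = $_.InterfaceMetric
            AutomaticMetric = $_.AutomaticMetric
            DnsServers      = $dns -join ', '
        }
    } | Format-Table -AutoSize

# Fail early if the primary adapter alias is wrong.
$primary = Get-NetIPInterface -InterfaceAlias $PrimaryAlias -AddressFamily IPv4 -ErrorAction Stop
$vpn     = Get-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue

if (-not $vpn) {
    Write-Warning "VPN adapter '$VpnAlias' not found. Connect the VPN first so its metric can be compared."
}
elseif ($ManualMetric -ge $vpn.InterfaceMetric) {
    # The manual value must be lower than the VPN adapter's metric (step 7).
    Write-Warning "Metric $ManualMetric is not lower than the VPN adapter's metric ($($vpn.InterfaceMetric)). Choose a smaller value."
}
else {
    # Equivalent to unchecking Automatic Metric and entering a manual value.
    Set-NetIPInterface -InterfaceAlias $PrimaryAlias -AddressFamily IPv4 `
        -AutomaticMetric Disabled -InterfaceMetric $ManualMetric
    Get-NetIPInterface -InterfaceAlias $PrimaryAlias -AddressFamily IPv4 |
        Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric
}
```

Re-run the listing after the VPN reconnects: some VPN clients reassign their adapter metric on each connection, so the comparison should be checked with the tunnel up.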

Option 2: Route VPN DNS Traffic Through the HYAS Protect Agent

You can configure your VPN to direct DNS traffic through the HYAS Protect Agent by setting the VPN’s DNS resolver to the loopback IP address 127.0.0.2. This ensures DNS queries are processed by the agent rather than bypassing it through the VPN tunnel.

Exact configuration steps will vary depending on your VPN provider. Refer to your VPN vendor’s documentation or support resources for specific instructions.

Once the VPN is configured, ensure you add the relevant local domain names and associated resolver IP addresses within the HYAS Protect dashboard. This enables the agent to forward DNS requests for those local domains to the appropriate internal resolvers, preserving access to intranet resources while maintaining external DNS filtering.
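
One way to confirm the result of Option 2 from the endpoint, as an added example that is not HYAS-provided code. The adapter alias and both test names are placeholders; only the loopback address 127.0.0.2 comes from this page.

```powershell
# Added example: verify that the VPN adapter sends DNS to the agent and that
# the agent answers for both public and local names. Names are placeholders.
$AgentResolver = '127.0.0.2'               # loopback address given on this page
$VpnAlias      = 'VPN Adapter'             # placeholder: VPN virtual adapter alias
$PublicName    = 'example.com'             # placeholder public name
$LocalName     = 'intranet.corp.example'   # placeholder: a local domain added in the dashboard

# 1. The VPN adapter should list the agent as its resolver. Any other
#    resolver left on the adapter is a path around the agent's policies.
$servers = (Get-DnsClientServerAddress -InterfaceAlias $VpnAlias `
                -AddressFamily IPv4 -ErrorAction Stop).ServerAddresses
$others  = @($servers | Where-Object { $_ -ne $AgentResolver })

if ($servers -notcontains $AgentResolver) {
    Write-Warning "'$VpnAlias' does not use $AgentResolver. Current resolvers: $($servers -join ', ')"
}
elseif ($others.Count -gt 0) {
    Write-Warning "'$VpnAlias' also lists other resolvers: $($others -join ', ')"
}
else {
    Write-Output "'$VpnAlias' resolves only through $AgentResolver."
}

# 2. Query the agent directly. -DnsOnly skips LLMNR/NetBIOS so a reply can
#    only have come from the resolver being tested.
foreach ($name in $PublicName, $LocalName) {
    try {
        $answer = Resolve-DnsName -Name $name -Server $AgentResolver -Type A `
                      -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
        Write-Output "$name -> $ips (answered via $AgentResolver)"
    }
    catch {
        # A failure for the local name usually means the local domain and its
        # internal resolver were not added in the HYAS Protect dashboard.
        Write-Warning "$name did not resolve via ${AgentResolver}: $($_.Exception.Message)"
    }
}
```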

Forwarding VPN DNS Traffic Through HYAS Protect Resolvers

When using a full-tunnel VPN configuration, all DNS traffic is routed through the VPN’s internal resolvers by default—bypassing the HYAS Protect Agent and its filtering policies. This may allow users to unintentionally (or intentionally) circumvent network security controls.

While we strongly recommend using a split-tunnel VPN configuration for full compatibility, an alternative approach for maintaining DNS-layer protection is to set up DNS forwarding from within the VPN network itself. This ensures DNS traffic is still evaluated against your organization's filtering policies, even under full-tunnel conditions.

Steps:

  1. In the HYAS Protect dashboard, create a new Source Network.

  2. Enter the VPN’s egress IP address in the “Address” field.

  3. In your VPN's DNS settings, forward all DNS traffic to the HYAS Protect resolvers.
    (Consult your VPN vendor’s documentation for DNS configuration steps.)

  4. Create and apply the desired Policy to the Source Network.

  5. The Source Network policy will now apply to DNS traffic routed through the VPN.
