Block Local DNS Requests and Network Connection Status Indicator (NCSI) issue on Windows


If the "Block Local DNS Requests" option in the Identity Provider configuration has been enabled, Appgate client users on Windows might find that the Network Connection Status Indicator (NCSI) - the system tray icon that shows whether the user is connected to the internet - fails to detect internet connectivity. This matters because other Microsoft services, e.g. Office 365 and OneDrive, rely on NCSI and refuse to work when it does not report an internet connection.

The problem appears to be that, by default, NCSI uses "active" DNS probes to validate that internet connectivity is possible on each network interface. Active probing is described in more detail here: https://technet.microsoft.com/en-us/library/cc766017(v=ws.10).aspx. However, these DNS lookups are bound to the interface being tested: NCSI will not send them to a DNS server on a different interface, so when local DNS requests are blocked the probe cannot be answered and the interface is reported as having no internet access.

Microsoft engineering are aware of this issue and have released a new policy setting in Windows 10 1709 to correct the problem. The fix involves changing a group policy setting to disable interface binding when performing DNS lookups by the NCSI. This setting can be enabled via Active Directory group policy by navigating to Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator > Specify global DNS. Select Enabled and check the option to Use global DNS.

The same change is available by modifying a registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f
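A PowerShell audit-and-remediate script for the same policy, added here as an example and not part of the Appgate documentation. It assumes Windows 10 1709 (build 16299) or later and an elevated session when run with -Apply; the function names are the author's own.

```powershell
# Added example: check whether the NCSI "Use global DNS" policy is in effect,
# optionally apply it (same effect as the reg add command above), and show
# what NCSI currently reports per interface.
param([switch]$Apply)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'

function Test-NcsiGlobalDns {
    # True only when the policy value exists and is exactly 1 (REG_DWORD).
    $item = Get-ItemProperty -Path $PolicyKey -Name UseGlobalDNS -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.UseGlobalDNS -eq 1)
}

function Set-NcsiGlobalDns {
    # The policy is only honoured from Windows 10 1709 (build 16299) onwards,
    # so refuse to write it on older builds rather than silently doing nothing.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    if ($build -lt 16299) {
        throw "Build $build predates Windows 10 1709; UseGlobalDNS is not supported here."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name UseGlobalDNS -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-NcsiStatus {
    # Per-interface NCSI verdict; 'Internet' means the active probe succeeded
    # on that interface, 'LocalNetwork' or 'NoTraffic' means it did not.
    Get-NetConnectionProfile |
        Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity, IPv6Connectivity
}

if (Test-NcsiGlobalDns) {
    Write-Host 'UseGlobalDNS policy is in effect; NCSI probes are not bound per interface.'
} else {
    Write-Host 'UseGlobalDNS policy is NOT set; NCSI probes are still bound per interface.'
    if ($Apply) {
        Set-NcsiGlobalDns
        Write-Host 'Policy applied; it takes effect for subsequent NCSI probes.'
    }
}
Get-NcsiStatus | Format-Table -AutoSize
```

Run without -Apply to audit a machine (for example from a remote session), and with -Apply to remediate; the status table afterwards lets you confirm the tunnel interface now reports Internet connectivity.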

For an overview see https://directaccess.richardhicks.com/category/network-connectivity-status-indicator/.