RE: VPN Users having Issues connecting to internal resources

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 Sep 2004 12:46:34 -0500

Hey guys,

I tested this in a "clean room" environment with XP SP2. Sorry to say
that it works fine. The VPN client's preferred DNS server is set to the
VPN server assigned DNS server. So, the next step is to figure out
what's wrong with my production setup and why there isn't a change
over, and what the difference is between my "clean room" setup and my
production setup.

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, September 23, 2004 10:37 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources


http://www.ISAserver.org

Hi Bryan,

Well, I tested on a SP1 XP machine and everything works the way it
should. The VPN server assigns the VPN client a new DNS and WINS server
address, and the VPN client uses that information preferentially. So no
problem there.

Now I need to confirm with a XP SP2 client to replicate what I'm seeing
in my production network.

Conclusions so far: XP SP1 no problems. ISA 2004 VPN provides Internal
addresses for name servers and the VPN client uses them. It works great.
Stay tuned for SP2.

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Bryan D. Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, September 23, 2004 6:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources


Any last comments before we start creating a permanent workaround?

Thanks.

-----Original Message-----
From: Bryan D. Andrews 
Sent: Tuesday, September 21, 2004 7:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources

We do not use WINS, nor do we configure the LMHOSTS file.

Just to keep it simple (for simple minds like me), it was mentioned that
the DNS server on the VPN connection is normally used. Is it possible
that the main interface dns servers were always queried first, then the
vpn DNS (if the main dns did not return records)? 

I ask this because we added a wildcard external dns record (but we were
under the impression that it should not affect us internally because we
do resolution with our internal dns servers).

We have not updated to XP SP2 yet but we are up to date on all pre-SP2
updates. Thanks!
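
The question in the message above (main-interface DNS asked first, VPN DNS only when no record comes back), combined with a wildcard external record, modelled as an added example. It is not code from any list member and does not claim to reproduce the Windows resolver; the zone contents, addresses, suffix list and function names are constructed assumptions.

```python
import ipaddress

# Constructed data: every name and address below is a placeholder.
ISP_DNS = {"*.example.com": "203.0.113.10"}            # public zone with a wildcard
VPN_DNS = {"tatl0s11.corp.example.com": "10.0.0.11"}   # internal zone
SUFFIXES = ["corp.example.com", "example.com"]         # assumed suffix search list
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range


def query(zone, fqdn):
    """Return (address, via_wildcard), or None when the zone holds no record."""
    if fqdn in zone:
        return zone[fqdn], False
    for pattern, addr in zone.items():
        # Simplified wildcard match: "*.example.com" covers any name below it.
        if pattern.startswith("*.") and fqdn.endswith(pattern[1:]):
            return addr, True
    return None


def resolve(name, servers, hosts=None):
    """Hosts file first, then each suffix candidate against the servers in
    list order; the first server that returns any record wins (assumption)."""
    candidates = [name] if "." in name else [f"{name}.{s}" for s in SUFFIXES]
    for key in [name] + candidates:
        if hosts and key in hosts:
            return {"fqdn": key, "addr": hosts[key], "source": "hosts", "wildcard": False}
    for fqdn in candidates:
        for label, zone in servers:
            hit = query(zone, fqdn)
            if hit:
                return {"fqdn": fqdn, "addr": hit[0], "source": label, "wildcard": hit[1]}
    return None


def audit(names, servers, hosts=None):
    """List internal names whose answer is a wildcard or lies outside INTERNAL_NET."""
    findings = []
    for name in names:
        r = resolve(name, servers, hosts)
        if r and (r["wildcard"] or ipaddress.ip_address(r["addr"]) not in INTERNAL_NET):
            findings.append((name, r["addr"], r["source"]))
    return findings


if __name__ == "__main__":
    isp_first = [("isp", ISP_DNS), ("vpn", VPN_DNS)]
    vpn_first = [("vpn", VPN_DNS), ("isp", ISP_DNS)]
    print(audit(["tatl0s11"], isp_first))   # wildcard answers before the VPN DNS is asked
    print(audit(["tatl0s11"], vpn_first))   # internal record wins
    print(audit(["tatl0s11"], isp_first, hosts={"tatl0s11": "10.0.0.11"}))  # HOSTS workaround
```

With the ISP server first, the wildcard answers every suffixed name, so the model never reaches the VPN-assigned server; a HOSTS entry masks the symptom without changing the server order.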



-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Monday, September 20, 2004 2:01 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources

Before I compose my pedantic response, I have to acknowledge the fact that
you said "connectoid."  Only a bad ass such as yourself can get away with
any -oid reference on a Sunday night.  I'm just glad you did not combine it
with "kernel mode data pump," or I may have wet myself.

Regarding the default NBT name lookup methods in Win2k, it is actually
different. Obviously the nbt cache is first; notwithstanding that, if the
DHCP server did not set a node type for the client, or no WINS server is
explicitly set at the client, then b-node, or the broadcast method, will be
used first, and then the lmhosts file lookup.

If a WINS server is configured by DHCP without specifically setting the node
type, or if the client has a WINS server set, the h-node will be used by
default. h-node will first directly query the WINS server, and then perform
a broadcast if necessary.  The lmhosts file will be used after that.

These can be changed by registry setting at the client, which will set the
default regardless of any other default node type assignment, and even
overrides any DHCP node type assignment. This would be required if you have
no DHCP server node assignment, and you wish for the client to use m-node
(broadcast then WINS query) or p-node (WINS server only).

But of course, nbt name resolution sucks anyway.

t

----- Original Message ----- 
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, September 19, 2004 6:58 PM
Subject: [isalist] RE: VPN Users having Issues connecting to internal 
resources


> What you have to remember is that since W2K, all 'normal' name resolution
> is handled thus:
>
> if complex name, hand to DNS lookup
>    local cache
>    hosts file
>    DNS server list (using domain name devolution)
>
> if simple name or DNS lookup fails
>    local NB name cache
>    lmhosts file
>    WINS server (if configured)
>    WINS broadcast
>
> Thus, it isn't "always" anything in particular, but it depends on the
> current configuration and especially in the case of VPN
> connections, whether or not "use default gateway on remote network" is set
> in the connectoid.
> If a DNS or WINS server is in the "local" net, then the client will use it
> if necessary (part of the DNS or WINS server list).
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://isaserver.org/Jim_Harrison/
>  http://isatools.org
>  Read the help / books / articles!
>
> ----- Original Message ----- 
> From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, September 19, 2004 14:30
> Subject: [isalist] RE: VPN Users having Issues connecting to internal 
> resources
>
>
> Hey guys,
>
> I use daily a PPTP EAP-TLS connection to the office and have not
> experienced that problem so far. The ISA 2000 SP2 is running on a fully
> patched Windows 2000 SP4 and the client is a Windows XP SP2. However, with
> the help of Ethereal I've seen that occasionally the ISP DNS servers are
> tried instead of the VPN assigned DNS servers, although without adverse
> effect.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Bryan D. Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
> Sent: Sunday, September 19, 2004 23:06
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN Users having Issues connecting to internal
> resources
>
> So yeah that is what I have done as well.
>
> Correct me if I am wrong - I always thought that when you are connected to
> vpn, that internal requests (same domain suffix) always went through your
> local dns. Is it all requests or just local domain requests, or does it
> actually try first on your ISP then if the DNS is not there it attempts
> local resolution through your VPN dns servers?
>
> I ask because we did make some external DNS changes that have a wildcard
> entry sending all others to a specific address... but I was under the
> impression that VPN users used our internal DNS.
>
> If the way it works is that it checks primary dns first then your VPN dns
> servers then this might be the source of our problem...
>
> Thanks.
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Friday, September 17, 2004 10:33 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN Users having Issues connecting to internal
> resources
>
> Hi Bryan,
>
> Normally this is not the case. However, I too have been plagued with this
> problem since upgrading to SP2. I haven't worked out the issues yet, but I
> have to get around it by keeping a shortcut to the HOSTS file on my
> desktop.
>
> HTH,
> Tom
>
> -----Original Message-----
> From: Bryan D. Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
> Sent: Thursday, September 16, 2004 6:04 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] VPN Users having Issues connecting to internal 
> resources
>
> It looks to me like somehow when users are VPNd in they are still
> resolving DNS from their ISP DNS.
>
> I am affected at home as well. When I ping an internal box via "ping
> tatl0s11" it adds the suffix and then tries to ping via the internet.
>
> I had to create a host file entry to get my firewall client to reach isa.
>
> I am not sure what has happened. Nothing changed that I can recall...
> event logs look normal. Rebooted client boxes, reset routers, etc.
>
> Any thoughts as to where to start looking are appreciated.
>
>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx

