Hi Steve,

I think that's what the problem is. The VPN client should be using the Internal DNS server when the VPN connection is active, but the problem is that the client is using an External DNS server, so the names are resolved to public addresses instead of the private addresses.

If this is the problem, I've seen it before. Often it's fixed by disconnecting and reconnecting. If not, then I just manually enter the Internal network DNS server in the NIC's DNS settings for the duration of the VPN call, and then reset it. You can also manually set the DNS server entry in the VPN client connectoid too.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, April 16, 2004 5:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

The way I see it is server.corp.com has external dns servers on the internal network. A vpn client should be querying the internal servers and shouldn't be resolving from the external servers.

S

-----Original Message-----
From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxxx]
Sent: Friday, April 16, 2004 7:38 AM
To: Isa Weblist
Subject: [isalist] RE: OT: VPN and DNS

Joe, I'm confused a little. Are you saying that the problem is that you can't resolve internal records on your public/external dns, i.e. Server.corp.com, or that your vpn clients are contacting 192.168.1.1, which is a dns server, and not 10.1.1.2?
In this case don't they have similar zones and it shouldn't really matter which one resolves dns queries, just depends on your routes.

Greg Mulholland
http://www.isaserver.org
http://www.isaserver.mine.nu
http://groups.google.com

-----Original Message-----
From: Joe Pochedley [mailto:joepochedley@xxxxxxxxx]
Sent: Friday, April 16, 2004 1:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

Yes, I have definitely experienced issues where the local client's address space is the same as the remote network's (VPN's) address space... For instance, if the local address is 10.1.1.x/24 this definitely conflicts with the VPN network which is running 10.1.x.x/16... It really makes the VPN connection just fall apart... That's just a situation that's pretty much irresolvable AFAIK... Definitely a sticky wicket for VPNs... (Any suggestions on how to resolve that issue would make for interesting reading!)

The issue I'm concerned with is similar, but different...

Take a client with an address of 192.168.1.x/24... SOHO router serving IP options via DHCP... Sets the client with itself as default gateway and DNS as 192.168.1.1...

Now the client connects to a VPN... VPN IP 10.1.1.x/24... VPN DNS 10.1.1.2...

Internal network using corp.com as Active Directory address space... corp.com also being used for external addressing (www.corp.com, mail.corp.com, etc.)

VPN client, with active VPN connection, tries to do a DNS lookup for server.corp.com... The "local" DNS server (192.168.1.1) is still available and can respond, and since Windows has established this as an active DNS server, sends the query for server.corp.com... Of course the external DNS servers for corp.com don't have the internal address for server.corp.com and therefore the DNS lookup fails (or responds with the external address, which doesn't do any good for directing traffic through the VPN connection)...
Since the 192.168.1.1 DNS 'server' responds, the client never tries to hit the 10.1.1.2 DNS server to properly resolve the server.corp.com.

I don't know if there really is a clean solution, but there's always hope...

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Thursday, April 15, 2004 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

Hi Joe,

I've seen this before. The cause was the local client had, let's say, a 10.0.0.1 type of subnet and the client that you VPN to had a similar subnet, 10.0.1.1. This caused a strange conflict but I was able to move files from my subnet to their subnet. I was using the CISCO VPN client. Not sure if this is what you meant but I thought it was similar.

Thank you,
Joseph

----- Original Message -----
From: "Joe Pochedley" <joepochedley@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 15, 2004 8:13 AM
Subject: [isalist] RE: OT: VPN and DNS

Ladies and gentlemen...

Just wanted to clarify one item that was suggested off list... My VPN clients are _not_ using split tunneling, yet items on the client's local subnet (including the DNS server) are still available...

Still looking for suggestions.... TIA!

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Joe Pochedley
Sent: Wednesday, April 14, 2004 9:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] OT: VPN and DNS

Sorry for the OT post, but since Dr. Shinder and others on this list have spent so much time in this area, I'm hoping someone here can offer some suggestions...
In short: As more and more users want to work from home in hotels with high speed connections, etc; we're having issues with more and more SOHO routers or hotel configs and are looking for solutions / work-arounds...

We're using the same DNS space internally and externally (split DNS). Users VPN in using MS's VPN (PPTP at the moment). This works great over dial-up and with some high speed lines... However, some SOHO routers (SMC, Dlink, Microsoft and some hotels' wireless systems have all been culprits thus far) submit themselves to the clients as the local DNS server and in effect perform a DNS forwarding (maybe some local caching too, I don't know).

The problem this appears to cause is that the local client can still reach the "local" DNS server because it's on the same subnet... When this happens the client doesn't use the VPN supplied DNS servers and therefore DNS lookups either fail or return the wrong addresses.

My assumption always used to be that all traffic from the client would be forwarded through the VPN when the VPN is active, but this appears to not be the case. Local traffic still will go out to other local clients and therefore since the DNS server appears local, the client machine will try to hit the local DNS server (and will be successful albeit with results we don't want)...

FWIW, Windows 2000 Domain, MS RRAS and ISA running on Windows Svr 2003. Windows 2000 and XP Pro clients.

The only solutions I've come up with thus far are:

1) HOSTS files... Yuck.
2) I could write a script that would modify the client's DNS settings, effectively removing the "local" DNS server during the VPN session, but that's a PITA all the way around...

I'd happily entertain any other suggestions! TIA!

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.
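
Added example (not part of the original thread): a simplified Python model of a full-tunnel client's route selection, using the addresses quoted in the messages above, to show why the SOHO router's DNS server stays reachable outside the tunnel and why overlapping subnets break the VPN. The two-entry route table, the function names, the 10.1.1.1 LAN DNS address and the 203.0.113.10 answer are constructed assumptions.

```python
import ipaddress

def build_routes(lan_cidr):
    """Assumed model of a full-tunnel client: the LAN's connected route
    survives and the VPN only takes over the default route."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return [(lan, "lan"), (ipaddress.ip_network("0.0.0.0/0"), "vpn")]

def egress(dest, routes):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, ifname) for net, ifname in routes if addr in net]
    return max(matches)[1]

def diagnose(lan_cidr, lan_dns, vpn_cidr, vpn_dns):
    """Return findings for one client's LAN and VPN addressing."""
    routes = build_routes(lan_cidr)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    findings = []
    # The DHCP-assigned DNS server is on-link, so queries to it never
    # enter the tunnel even though split tunneling is off.
    if egress(lan_dns, routes) == "lan":
        findings.append("lan-dns-reachable-outside-tunnel")
    # If the VPN DNS address falls inside the local subnet, the client
    # looks for it on the LAN and never reaches the real server.
    if egress(vpn_dns, routes) != "vpn":
        findings.append("vpn-dns-shadowed-by-lan-route")
    if lan.overlaps(vpn):
        findings.append("lan-vpn-subnet-overlap")
    return findings

def answered_by_internal_view(answer_ip, internal_cidrs):
    """With split DNS, an internal name should resolve into internal space."""
    addr = ipaddress.ip_address(answer_ip)
    return any(addr in ipaddress.ip_network(c) for c in internal_cidrs)

if __name__ == "__main__":
    # SOHO router case from the thread: LAN 192.168.1.x/24, VPN 10.1.1.x/24
    print(diagnose("192.168.1.0/24", "192.168.1.1", "10.1.1.0/24", "10.1.1.2"))
    # Overlap case from the thread: LAN 10.1.1.x/24, VPN 10.1.x.x/16
    # (10.1.1.1 as the LAN DNS is a constructed value)
    print(diagnose("10.1.1.0/24", "10.1.1.1", "10.1.0.0/16", "10.1.1.2"))
    # Constructed answer for server.corp.com coming from the external view
    print(answered_by_internal_view("203.0.113.10", ["10.1.1.0/24"]))
```
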
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: JoePochedley@xxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')