RE: VPN Users having Issues connecting to internal resources

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 19 Sep 2004 22:48:26 -0700

You also have to bear in mind the interface bindings and the potential for FW 
or web proxy Client behavioral interference.

If "Remote access connections" is bound after any of the physical NICs, you'll 
typically use your own name resolution structure first (depending on if the FW 
client is installed, the state of app "s" in the ISA "Application Settings" 
tab, the phase of Jupiter's moons and whether or not you washed your hands 
before leaving the restroom).

..sometimes you just have to hold your mouth right...

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Sun, 19 Sep 2004 22:01:17 -0500
 "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:
http://www.ISAserver.org

Hey guys,

What I typically see is that when the VPN connection is established, the
preferred DNS server changes to the DNS server provided by the VPN
server. However, with XP SP2, it keeps the primary connection's DNS
server. At least that's what it seems like. However, I can't make any
definitive statements about it because I haven't checked it out in a
controlled environment (if there is such a thing :-)

Tom 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Sunday, September 19, 2004 8:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources


What you have to remember is that since W2K, all 'normal' name
resolution is handled thus:

if complex name, hand to DNS lookup
    local cache
    hosts file
    DNS server list (using domain name devolution)

if simple name or DNS lookup fails
    local NB name cache
    lmhosts file
    WINS server (if configured)
    WINS broadcast

Thus, it isn't "always" anything in particular, but it depends on the
current configuration and especially in the case of VPN connections,
whether or not "use default gateway on remote network" is set in the
connectoid.
If a DNS or WINS server is in the "local" net, then the client will use
it if necessary (part of the DNS or WINS server list).

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message -----
From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, September 19, 2004 14:30
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources



Hey guys,

I use daily a PPTP EAP-TLS connection to the office and have not
experienced that problem so far. The ISA 2000 SP2 is running on a fully
patched Windows 2000 SP4 and the client is a Windows XP SP2. However,
with the help of Ethereal I've seen that occasionally the ISP DNS
servers are tried instead of the VPN assigned DNS servers, although
without adverse effect.

HTH,
Stefaan

-----Original Message-----
From: Bryan D. Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: zondag 19 september 2004 23:06
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources


So yeah that is what I have done as well.

Correct me if I am wrong - I always thought that when you are connected
to vpn, that internal requests (same domain suffix) always went through
your local dns. Is it all requests or just local domain requests, or
does it actually try first on your ISP then if the DNS is not there it
attempts local resolution through your VPN dns servers?

I ask because we did make some external DNS changes that have a wildcard
entry sending all others to a specific address... but I was under the
impression that VPN users used our internal DNS.

If the way it works is that it checks primary dns first then your VPN
dns servers then this might be the source of our problem...

Thanks.


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, September 17, 2004 10:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Users having Issues connecting to internal
resources


Hi Bryan,

Normally this is not the case. However, I too have been plagued with
this problem since upgrading to SP2. I haven't worked out the issues
yet, but I have to get around it by keeping a shortcut to the HOSTS
file on my desktop.

HTH,
Tom

-----Original Message-----
From: Bryan D. Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, September 16, 2004 6:04 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Users having Issues connecting to internal
resources


It looks like to me that somehow when users are VPNd in they are still
resolving DNS from their ISP DNS.

I am affected at home as well. When I ping an internal box via "ping
tatl0s11" it adds the suffix and then tries to ping via the internet.

I had to create a host file entry to get my firewall client to reach isa.

I am not sure what has happened. Nothing changed that I can recall...
event logs look normal. Rebooted client boxes, reset routers, etc.

Any thoughts as to where to start looking are appreciated.




------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
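
A small model of the lookup order discussed in this thread, added here as an example and not taken from any of the posts. It shows how an external wildcard record changes the answer for an internal name depending on which DNS server is asked first. The suffix `corp.example`, the addresses and all function names are constructed; local caches, lmhosts and broadcast are left out, and the fall-through to the next server on an empty answer follows the hypothesis raised in the thread.

```python
# Constructed data: documentation-range addresses and an assumed suffix.
SUFFIX = "corp.example"
PUBLIC_WILDCARD = {"*.corp.example": "203.0.113.10"}   # external zone after the change
PUBLIC_PLAIN = {}                                      # external zone before the change
INTERNAL = {"tatl0s11.corp.example": "10.0.0.11"}      # VPN-assigned DNS server


def dns_query(zone, fqdn):
    """Exact record first, then a wildcard covering the parent domain."""
    if fqdn in zone:
        return zone[fqdn]
    parent = fqdn.split(".", 1)[-1]
    return zone.get("*." + parent)


def resolve(name, dns_servers, hosts=None, wins=None):
    """Return (address, source): hosts file, DNS server list, then WINS."""
    hosts, wins = hosts or {}, wins or {}
    # A simple name gets the DNS suffix appended before the DNS stage.
    fqdn = name if "." in name else f"{name}.{SUFFIX}"
    for key in (name, fqdn):
        if key in hosts:
            return hosts[key], "hosts"
    for label, zone in dns_servers:
        addr = dns_query(zone, fqdn)
        if addr:                          # model assumption: an empty answer
            return addr, "dns:" + label   # falls through to the next server
    if name.upper() in wins:              # NetBIOS stage, reached only if DNS fails
        return wins[name.upper()], "wins"
    return None, "unresolved"


def scenarios():
    """Resolve the same simple name under four client configurations."""
    isp_first = [("isp", PUBLIC_WILDCARD), ("vpn", INTERNAL)]
    no_wildcard = [("isp", PUBLIC_PLAIN), ("vpn", INTERNAL)]
    vpn_first = [("vpn", INTERNAL), ("isp", PUBLIC_WILDCARD)]
    return {
        "isp_first_wildcard": resolve("tatl0s11", isp_first),
        "isp_first_no_wildcard": resolve("tatl0s11", no_wildcard),
        "vpn_first": resolve("tatl0s11", vpn_first),
        "hosts_workaround": resolve("tatl0s11", isp_first, hosts={"tatl0s11": "10.0.0.11"}),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:24} {result}")
```

In this model the ISP-first order only misdirects the client once the wildcard exists, because before that the external server has nothing to return for the internal name.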


