You also have to bear in mind the interface bindings and the potential for FW or web proxy Client behavioral interference. If "Remote access connections" is bound after any of the physical NICs, you'll typically use your own name resolution structure first (depending on if the FW client is installed, the state of app "s" in the ISA "Application Settings" tab, the phase of Jupiter's moons and whether or not you washed your hands before leaving the restroom). ..sometimes you just have to hold your mouth right... Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Sun, 19 Sep 2004 22:01:17 -0500 "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote: http://www.ISAserver.org Hey guys, What I typically see is that when the VPN connection is established, the preferred DNS server changes to the DNS server provided by the VPN server. However, with XP SP2, it keeps the primary connection's DNS server. At least that's what it seems like. However, I can't make any definitive statements about it because I haven't checked it out in a controlled environment (if there is such a thing :-) Tom -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Sunday, September 19, 2004 8:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Users having Issues connecting to internal resources http://www.ISAserver.org What you have to remember is that since W2K, all 'normal' name resolution is handled thus: if complex name, hand to DNS lookup local cache hosts file DNS server list (using domain name devolution) if simple name or DNS lookup fails local NB name cache lmhosts file WINS server (if configured) WINS broadcast Thus, it isn't "always" anything in particular, but it depends on the current configuration and especially in the case of VPN connections, whether or not "use default gateway on remote network" is set in the connectoid. If a DNS or WINS server is in the "local" net, then the client will use it if necessary (part of the DNS or WINS server list). Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Sunday, September 19, 2004 14:30 Subject: [isalist] RE: VPN Users having Issues connecting to internal resources http://www.ISAserver.org Hey guys, I use daily a PPTP EAP-TLS connection to the office and have not experienced that problem so far. The ISA 2000 SP2 is running on a fully patched Windows 2000 SP4 and the client is a Windows XP SP2. However, with the help of Ethereal I've seen that occasionally the ISP DNS servers are tried instead of the VPN assigned DNS servers, although without adverse effect. HTH, Stefaan -----Original Message----- From: Bryan D. Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] Sent: zondag 19 september 2004 23:06 To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Users having Issues connecting to internal resources http://www.ISAserver.org So yeah that is what I have done as well. Correct me if I am wrong - I always thought that when you are connected to vpn, that internal requests (same domain suffix) always went through your local dns. Is it all requests or just local domain requests, or does it actually try first on your ISP then if the DNS is not there it attempts local resolution through your VPN dns servers? I ask because we did make some external DNS changes that has a wildcard entry sending all others to a specific address... but I was under the impression that VPN users used our internal DNS. If the way it works is that it checks primary dns first then your VPN dns servers then this might be the source of our problem... Thanks. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Friday, September 17, 2004 10:33 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Users having Issues connecting to internal resources http://www.ISAserver.org Hi Bryan, Normally this is not the case. However, I too have been plagued with this problem since upgrading to SP2. I haven't worked out the issues yet, but I have to get around it by keeping a shortcut to the HOSTS file on my desktop. HTH, Tom -----Original Message----- From: Bryan D. Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] Sent: Thursday, September 16, 2004 6:04 PM To: [ISAserver.org Discussion List] Subject: [isalist] VPN Users having Issues connecting to internal resources http://www.ISAserver.org It looks like to me that somehow when users are VPNd in they are still resolving DNS from their ISP DNS. I am affected at home as well. When I ping an internal box via "ping tatl0s11" it adds the suffix and then tries to ping via the internet. I had to create a host file entry to get my firewall client to reach isa. I am not sure what has happened. Nothing changed that I can recall... event logs look normal. Rebooted client boxes, reset routers, etc. Any thoughts as to where to start looking are appreciated. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bandrews@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx