Re: Name resolution for VPN Clients
- From: "Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 9 Aug 2007 13:16:06 -0700
This is normal behavior if the modem is
1. using an IP that is part of the VPN client's normal "local" network
2. defined as the VPN client's DNS server
A local network is a network-cheaper name lookup than any VPN connection.
This behavior causes even more fun when you use one of the popular
"spoof-blocker" DNS services.
If possible, define the "local" DNS server to be one provided by your ISP
and this behavior should stop.
--
Jim Harrison (ISA SE)
This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html
"johnny_mango" <johnnymango@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:87670400-B408-41FC-9F21-323CDE4117C3@xxxxxxxxxxxxxxxx
Yep, I totally agree with you - the user should have their Internet access
controlled by the ISA when connected by VPN etc.
It just surprises me that the modem DNS answers when you run nslookup and
not the DNS server in the internal network, despite the fact that to all
intents and purposes the internal DNS server does indeed to be resolving the
name resolution petitions.
"Phillip Windell" wrote:
There is only one DNS Server that a LAN Client should ever ever ever use,
that is the Active Directory DNS Server. The ISP's DNS would be a forwarder
within the Config of the AD/DNS. It doesn't matter if the client is a
permanent LAN Client or a VPN User.
The Internet Device (DSL, CableTV, whatever) should never be involved in any
way with DNS in a commercial network. They can be used for Home User
setups, but even then I don't recommend it.
Remember that with Remote Access VPN, when the user makes the "call" that
VPN Connectoid takes over all network communication so whatever DNS or WINS
the Connectoid uses is what the user will be using. When they disconnect
the VPN they go back to whatever they were using on their regular Nic.
This is one of the reasons Remote Access VPN is never meant to be "always
up",...you are supposed to connect,..do whatever job you connected to
do,...then disconnect and leave. Much of the other network (local user's
LAN) communication is "on hold" while the VPN is active.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
"johnny_mango" <johnnymango@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C4BA608-DED2-4ED3-A679-E39C3144BBC5@xxxxxxxxxxxxxxxx
Yep.
But in general terms, which DNS server should answer the client in nslookup?
The local DNS server (the ADSL modem) or the DNS server in the remote
network?
"Phillip Windell" wrote:
Did you create the Access Rule to allow VPN Users to make DNS queries to the
AD/DNS Server?
--
Phillip Windell
"johnny_mango" <johnnymango@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2934B944-2BDF-46C1-9A37-CCDD534CB03F@xxxxxxxxxxxxxxxx
Hi,
How should a VPN client resolve names? I ask because I wish a VPN client to
be able to communicate with an internal server by name, and not by IP, but
upon executing nslookup on the client, the DNS server on my modem responds
and not the DNS server in the remote network.
In my network bindings, I have placed the RRAS connection to the top of the
list and in the properties of the VPN in the ISA Server console I have
configured the clients to use the internal DNS server, but to no avail.
Thanks for any help available.
.
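The two conditions listed in the reply at the top of this thread (a DNS server that sits on the VPN client's own "local" network and is configured as that client's DNS server) can be checked from the client's adapter listing. The script below is an added example, not part of the original thread: it parses text in the style of Windows `ipconfig /all` and flags any DNS server that lies inside a non-VPN adapter's subnet. The sample output, adapter names and addresses are constructed, and treating a "PPP adapter" as the VPN connection is an assumption.

```python
import ipaddress
import re

# Constructed sample in the style of `ipconfig /all`; not taken from the thread.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.34
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter Corp VPN:

        IP Address. . . . . . . . . . . . : 10.0.5.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            10.0.0.11
"""

def parse_adapters(text):
    """Return {adapter name: {"type": str, field name: [values]}}."""
    adapters, cur, field = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^(\S.*?) adapter (.+):\s*$", line)
        item = re.match(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$", line)
        if head:
            cur, field = adapters.setdefault(head.group(2), {"type": head.group(1)}), None
        elif item and cur is not None:
            field = item.group(1)
            cur[field] = [item.group(2)] if item.group(2) else []
        elif line.strip() and cur is not None and field:
            cur[field].append(line.strip())   # continuation line: extra value
    return adapters

def local_dns_findings(adapters):
    """Flag DNS servers that sit inside a non-VPN adapter's own subnet."""
    findings = []
    for name, a in adapters.items():
        if a["type"] == "PPP" or not a.get("IP Address"):
            continue    # assumption: a PPP adapter is the VPN, not the local network
        net = ipaddress.ip_network(
            f'{a["IP Address"][0]}/{a["Subnet Mask"][0]}', strict=False)
        for dns in a.get("DNS Servers", []):
            if ipaddress.ip_address(dns) in net:
                findings.append((name, dns, str(net)))
    return findings

if __name__ == "__main__":
    print(local_dns_findings(parse_adapters(SAMPLE)))
```
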