Welcome to ISAserver.org


VPN Client DNS/DHCP

VPN Client DNS/DHCP - 21.Jan.2008 3:35:08 PM   
zebo51

 

Making some progress on setting up ISA 2006 and VPN Clients, but still having a few issues.  I can connect and ping devices on the internal network by IP, but DNS is not working.  Using either option of DHCP range in ISA server or Static address pool gives me the same results.  Both ways assign the VPN client an IP and the correct DNS server, but the VPN client can't resolve anything.


Here is my ipconfig /all when using Static address pool.

PPP adapter CC VPN:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
       Physical Address. . . . . . . . . : 00-53-45-00-00-00
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.11.253
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 192.168.11.253
       DNS Servers . . . . . . . . . . . : 192.168.1.7
       
      
When I try an nslookup, I get:

> name1
Server:  dns.domain.com
Address:  192.168.1.7

*** dns.domain.com can't find name1: Server failed



If I use a static address pool, the log shows the error below when I try and ping:

255.255.255.255 - 137 - NetBios Name Service - Denied Connection - Default Rule - 192.168.11.253 - VPN Clients - Local Host ......

So I created an access rule:

Allow - NetBios Datagram, NB name services & NB sessions from VPN Clients to Internal for All Users and that didn't work. 

I have also tried using a static address pool of 172.16.x.x range and see the same thing.

If I use DHCP option,

PPP adapter CC VPN:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
       Physical Address. . . . . . . . . : 00-53-45-00-00-00
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.1.155
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 192.168.1.155
       DNS Servers . . . . . . . . . . . : 192.168.1.7
      

I see this in my log, but it is random.  It seems as if nothing is logged when I try a ping; it just errors out on my VPN client.

255.255.255.255 - 67 - DHCP (request) - Denied Connection - Default Rule - 192.168.1.3 (<--This is my ISA box) - Internal - Local Host

I messed around with the DHCP relay agent, but my VPN client is getting addresses without it, so I am not sure that is something to follow up on. 

My setup is a simple Edge firewall config, internal NIC and external NIC, no DMZ.  Just publishing a few websites and an Exchange server.

Help Please
Post #: 1
RE: VPN Client DNS/DHCP - 22.Jan.2008 4:06:05 AM   
justmee

 

Hi zebo,
In order to resolve single-label names you need the appropriate DNS suffix for that.
Either have the primary DNS suffix set on that machine or push the Connection-specific DNS Suffix to the VPN clients through DHCP options. For that you need the DHCP relay on ISA:
http://www.isaserver.org/tutorials/2004dhcprelay.html
Be aware of the fact that ISA might drop the DHCP Inform packet as spoofed. For that you need to apply a reg fix on ISA:
http://forums.isaserver.org/fb.aspx?m=2002037138
Also the wrong DNS server might be used (I see from your post you do not have that problem yet). For that you need another reg hack:
http://www.isaserver.org/tutorials/work-around-VPN-clients-split-DNS.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
Or simply use WINS for resolving single-label names.
I assume you have the appropriate access rules on ISA.
You can test by pinging with FQDN.
Regards!

(in reply to zebo51)
Post #: 2
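
Added example (not part of any post in this thread): a Python sketch that parses the `ipconfig /all` adapter block from post #1 and lists the names the client would send to DNS for a short name, showing why an empty connection-specific suffix breaks `name1` while an FQDN still works. The suffix-appending logic is a simplified model of the Windows resolver default and is an assumption; the function names are hypothetical.

```python
import re

# Constructed sample: the PPP adapter block from post #1 (static address pool).
SAMPLE = """\
PPP adapter CC VPN:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
       Physical Address. . . . . . . . . : 00-53-45-00-00-00
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.11.253
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 192.168.11.253
       DNS Servers . . . . . . . . . . . : 192.168.1.7
"""

# "   Field name . . . : value" -> (field name, value)
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:[ \t]*(.*)$")


def parse_adapter(text):
    """Return {field: value} for one adapter block of `ipconfig /all`."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def candidate_queries(name, primary_suffix="", conn_suffix=""):
    """Simplified model (assumption): a single-label name gets the primary
    suffix, then the connection-specific suffix; a dotted name goes as typed."""
    name = name.rstrip(".")
    suffixes = list(dict.fromkeys(s for s in (primary_suffix, conn_suffix) if s))
    if "." in name or not suffixes:
        return [name + "."]
    return [f"{name}.{s}." for s in suffixes]


def diagnose(ipconfig_text, short_name, primary_suffix=""):
    """Report the DNS server, the names that would be queried, and findings."""
    f = parse_adapter(ipconfig_text)
    conn = f.get("Connection-specific DNS Suffix", "")
    findings = []
    if not f.get("DNS Servers"):
        findings.append("no DNS server assigned to the VPN adapter")
    if not (conn or primary_suffix):
        findings.append("no DNS suffix: single-label names go out unqualified")
    return {"dns_server": f.get("DNS Servers", ""),
            "queries": candidate_queries(short_name, primary_suffix, conn),
            "findings": findings}
```

Calling `diagnose(SAMPLE, "name1")` on the posted output reports the missing suffix; once the DHCP scope pushes a suffix such as `domain.com`, the same call yields `name1.domain.com.` and no findings.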
RE: VPN Client DNS/DHCP - 22.Jan.2008 1:58:07 PM   
elmajdal

 

Also check this please: http://forums.isaserver.org/cant_ping_with_hostname/m_2002006262/tm.htm

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to zebo51)
Post #: 3
RE: VPN Client DNS/DHCP - 22.Jan.2008 2:18:33 PM   
justmee

 

http://technet.microsoft.com/en-us/library/bb457118.aspx

(in reply to elmajdal)
Post #: 4
RE: VPN Client DNS/DHCP - 23.Jan.2008 4:02:27 PM   
zebo51

 

Thanks, I set up the DHCP relay, added WINS and DNS suffix to my DHCP scope and I can ping just by name now.

(in reply to justmee)
Post #: 5
RE: VPN Client DNS/DHCP - 17.Mar.2008 5:49:07 PM   
mats_webjorn

 

There's a bug in XP which may cause the DNS problem you see. Please have a look at KB 311218


_____________________________

Mats W

(in reply to zebo51)
Post #: 6
