VPN issue communicating with DNS
All Forums >> [ISA Server 2004 Firewall] >> VPN >> VPN issue communicating with DNS Page: [1]
VPN issue communicating with DNS - 26.Jun.2008 11:43:23 AM   
Thorny
Hope someone can shine a light on this for me.

I have VPN working fine via PPTP & L2TP with certificates.

I've one little problem that is niggling away at me and just cannot resolve.
When trying to talk to our servers with static IP addresses, they cannot be contacted just by their server name but only by their IP address or their FQDN (i.e. not server1 but server1.mydomain.com / 10.1.1.10).

If changing the DNS settings to become "Append these DNS suffixes" to have mydomain.com in, it resolves the name as expected.

I've gone through Thomas Shinder's "Enabling DHCP Relay for ISA Firewall VPN Clients" documents along with numerous others. Tried different combinations for DHCP to no avail.

Old entries in WINS for some servers and enabling NetBIOS (erk!) is one way, but I need to get the client talking to DNS the way it should. It's strange that it uses DHCP OK and can resolve the names of any other machine which are registered via DHCP but not static.

Any help/pointers greatly appreciated.
Post #: 1
RE: VPN issue communicating with DNS - 27.Jun.2008 7:55:26 AM   
justmee
Hi Mark,
So you want your VPN clients to resolve single label names using DNS.
As you know you need a DNS suffix for that.
With DHCP Options you can give to your VPN clients the connection specific DNS suffix.
The VPN client will issue a DHCP INFORM packet which the DHCP relay on ISA will pass to the DHCP server.
So you got the DHCP relay installed on ISA and the needed access rules in place.
Also there is an access rule allowing DNS from VPN clients to the internal DNS server.
Connect with one of your VPN clients.
Issue an ipconfig /all.
If everything is fine you should have a connection specific suffix for the PPP adapter.
If not:
- the DHCP INFORM packet is dropped by ISA as spoofed. Solution: apply this reg hack on ISA:
See http://forums.isaserver.org/m_2002037070/mpage_/key_/tm.htm#2002037103

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV]"FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc

You have a connection-specific DNS suffix but it is still not working.
- verify if the correct DNS server is used (the internal DNS server); issue an nslookup command. If not, edit the registry on your VPN clients to move the Remote Access Services connection to the top of the binding order.
See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
http://www.isaserver.org/tutorials/work-around-VPN-clients-split-DNS.html

These will give you a quick troubleshooting start.
Note that you cannot give the DNS suffix search list through DHCP Options (not supported by the Microsoft DHCP server). If you want to do that you need to use the GPO, for example (see http://support.microsoft.com/kb/294785, http://technet2.microsoft.com/windowsserver/en/library/5fe46cef-db12-4b78-94d2-2a0b62a282711033.mspx?mfr=true, http://support.microsoft.com/kb/275553).

Do not forget to look at ISA's live log to see if any required packet is denied by ISA.

Regards!

(in reply to Thorny)
Post #: 2
RE: VPN issue communicating with DNS - 30.Jun.2008 6:29:56 AM   
Thorny
Hi,
Have tried the above but to no avail.
Doing some searches, it appears others have been down this road as well, including putting manual entries in using the CMAK, which I had previously tried.
A few older posts on here, but it appears frequently throughout many other forums, never with a solution to be found. All with very similar settings, methods of diagnosis, etc.
http://forums.isaserver.org/m_2002014028/printable.htm
http://forums.isaserver.org/m_300079500/mpage_1/tm.htm
I shall continue during the week to find out more about this.
Thanks

(in reply to justmee)
Post #: 3
RE: VPN issue communicating with DNS - 30.Jun.2008 7:14:30 AM   
Thorny
This is working ok now.
We're using ISA 2004 Enterprise. I've rules for VPN for us in IT within the Enterprise policy (is this good or bad practice instead of the Firewall policy?).
Adding the DHCP Relay/Reply rules in there and the problems are resolved.
Maybe this is possibly where others have had similar problems?
Cheers

(in reply to Thorny)
Post #: 4
RE: VPN issue communicating with DNS - 30.Jun.2008 7:28:29 AM   
justmee
Hi Mark,
If you do not tell us what exactly you have done, we can't help you.
I'm using the DHCP relay too on a couple of ISAs and I have no problems.
Does your PPP adapter have a connection specific DNS suffix or not after it's connected ?

Here is one thing you can do to troubleshoot this:
Install Wireshark on the vpn client machine, connect to ISA with your VPN client.
Start a Wireshark capture on the PPP adapter, *not* on your physical adapter. Doing so you will see the traffic inside the L2TP tunnel. Make sure you do not enable compression on the VPN connection (don't put a checkmark in the "enable software compression" check box).

Ping your server by single label name from your VPN client.
DNS will be tried first. If your VPN client machine has a primary DNS suffix, this suffix will be appended to the single label name. Then the group policy configured DNS Suffix Search List, then the connection specific DNS...
If DNS fails WINS will be used.
Check this for more details:
http://forums.isaserver.org/m_2002047348/mpage_1/key_/tm.htm#2002047532

Now, tell us: what name does the VPN client query the internal DNS server for in the Wireshark trace?

J

(in reply to Thorny)
Post #: 5
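To make the resolution order justmee lays out concrete, here is an added Python simulation (not code from the post, nor anything shipped with ISA Server). It builds the ordered list of FQDNs a Windows client would query for a single-label name, then falls back to WINS, against a constructed DNS zone and WINS table; the "static server only in DNS, DHCP client also in WINS" split mirrors Thorny's symptom.

```python
"""Simulate Windows single-label name resolution as described in the thread:
primary DNS suffix, then the GPO DNS suffix search list, then each adapter's
connection-specific suffix; if DNS fails, fall back to WINS (NetBIOS)."""

# Constructed sample data (not from the thread, apart from server1/10.1.1.10).
DNS_ZONE = {
    "server1.mydomain.com": "10.1.1.10",   # static server: DNS record only
    "pc42.mydomain.com": "10.1.1.42",      # DHCP client: DNS record...
}
WINS_TABLE = {
    "PC42": "10.1.1.42",                   # ...and a WINS registration too
}


def dns_candidates(name, primary_suffix="", gpo_search_list=(), connection_suffixes=()):
    """Return the FQDNs the DNS client will try, in the order the post gives.
    A name that already contains a dot is queried as typed."""
    name = name.lower().rstrip(".")
    if "." in name:
        return [name]
    candidates, seen = [], set()
    for suffix in (primary_suffix, *gpo_search_list, *connection_suffixes):
        suffix = suffix.strip(".").lower()
        if suffix and suffix not in seen:
            seen.add(suffix)
            candidates.append(f"{name}.{suffix}")
    return candidates


def resolve(name, dns_zone=DNS_ZONE, wins_table=WINS_TABLE, **suffixes):
    """Try DNS for every candidate FQDN, then WINS for single-label names.
    Returns (ip, how) or (None, None) when nothing answered."""
    for fqdn in dns_candidates(name, **suffixes):
        if fqdn in dns_zone:
            return dns_zone[fqdn], f"DNS:{fqdn}"
    if "." not in name and name.upper() in wins_table:
        return wins_table[name.upper()], "WINS"
    return None, None


if __name__ == "__main__":
    # No suffix on the PPP adapter: the static server is unreachable by short name,
    # while the DHCP client still answers via WINS.
    print(resolve("server1"))
    print(resolve("pc42"))
    # With the connection-specific suffix handed out by the DHCP relay it works.
    print(resolve("server1", connection_suffixes=("mydomain.com",)))
```

Note that real Windows clients replace the primary and connection-specific suffixes with the search list whenever a GPO search list is configured; the function keeps the post's simpler ordering to show why an empty candidate list leaves only WINS.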
RE: VPN issue communicating with DNS - 30.Jun.2008 7:30:33 AM   
justmee
Ahh,
You've posted that you got it working when I was writing the above post.
Ha!

(in reply to Thorny)
Post #: 6
RE: VPN issue communicating with DNS - 30.Jun.2008 2:18:03 PM   
Thorny
It's strange: on all machines I've tried, it works absolutely fine, including here back at home.
I had a half day today, due to bank managers and mortgages, texted one of my bosses to ask him to test, and suddenly he's encountering an additional 'm' between the period/dot and the domain suffix. Is it a gremlin on his machine, as it's a literal creation of the reply/relay DHCP within the Enterprise as it was in Firewall, i.e. no mention of the domain name typed into the additional rules (as in a typo)? If anything, resolving of names appears that much quicker, imo.

Again thanks for your feedback, and hopefully this may help others who stumble across this with a similar setup.

(in reply to justmee)
Post #: 7