We are running an ISA 2006 server and PPTP VPN connection works fine. Clients are able to connect to internet, access Outlook, CRM, etc. The problem we are encountering is that host name resolution is not working.
For example, when connected via VPN I can't ping any box other than the VPN server by host name. I can ping everything fine by IP address. But the clients need to be able to access their "mapped" drives over the VPN, which are all mapped by host name.
I recently took over this position and it sounds like this used to work. What would be the best place to check first? I haven’t had much exposure to ISA and have been reading up a bit on installation procedures, etc.
DNS is hosted and running on our domain controller, as well as WINS. It isn’t on the ISA box.
Is there a firewall policy that perhaps got removed? What is usually required for host name resolution to pass through?
From: Taylorville, IL
Make sure the VPN clients are getting the correct DNS and WINS IPs dynamically after they connect. They need to get the same DNS and WINS off the DCs as any other client on the LAN gets.
You also want the client to have "Use default gateway on remote network" enabled in their dial-up settings, or you may get inconsistent behavior if they try looking at their own ISP's DNS or elsewhere rather than the one you want them to look at while connected.
Lastly, VPN is just plain and simply an "imperfect world". If you want perfection and consistency, that's probably never going to happen, particularly with Remote Access VPN, which follows the same general behavior as the old-style Dial-Up Connection technology. That, in my opinion, is why VPNs are becoming a thing of the past and being replaced by things such as MS's DirectAccess technology that came out with Server 2008 R2 (and enhanced by MS's UAG). The site-to-site VPNs are falling away to private MPLS (and similar) systems.
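One way to make the check in the reply above repeatable, as an added example that is not from the thread: a Python script that parses an `ipconfig /all` dump, picks out the PPP (dial-up/VPN) adapter, and reports whether it received the internal DNS server, the internal WINS server, and a remote default gateway. The sample output, the adapter name "Office VPN", the addresses (10.0.0.10/.11 standing for the domain controllers) and the field labels are constructed assumptions modelled on XP/2003-era output, and the rule that a blank "Default Gateway" on the PPP adapter means "Use default gateway on remote network" is unticked is likewise an assumption about that era's clients.

```python
"""
Added example (not from the thread): parse a Windows 'ipconfig /all' dump and
check that the PPP (dial-up/VPN) adapter received the internal DNS and WINS
servers and a default gateway, the three things the reply above says to verify.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'ipconfig /all' output from an XP-era PPTP client.
# Addresses are placeholders: 10.0.0.10/.11 stand for domain controllers
# hosting DNS and WINS; the client's own PPP address is 10.0.0.201.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP01
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.lan
   IP Address. . . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter Office VPN:

   Connection-specific DNS Suffix  . : corp.example
   IP Address. . . . . . . . . . . . : 10.0.0.201
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 10.0.0.201
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
   Primary WINS Server . . . . . . . : 10.0.0.10
"""

# "   Key . . . : value" lines (3-space indent in real output; 1-5 accepted here)
_FIELD = re.compile(r"^ {1,5}(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)\s*(?:\.\s*)*:\s?(?P<val>.*)$")
# continuation lines carry only a value, indented past the key column
_CONT = re.compile(r"^ {6,}(?P<val>\S.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each adapter heading to its fields; every field is a list of values."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    last_key: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # adapter heading, e.g. "PPP adapter Office VPN:"
            current = line.strip().rstrip(":")
            adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue
        m = _FIELD.match(line)
        if m:
            last_key = m.group("key").strip()
            values = adapters[current].setdefault(last_key, [])
            if m.group("val").strip():         # blank value (e.g. no gateway) leaves the list empty
                values.append(m.group("val").strip())
            continue
        m = _CONT.match(line)
        if m and last_key is not None:         # second DNS/WINS server on its own line
            adapters[current][last_key].append(m.group("val").strip())
    return adapters


def find_ppp_adapter(adapters: Dict[str, Dict[str, List[str]]]) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Return the first dial-up/VPN adapter (Windows labels them 'PPP adapter ...')."""
    for name, fields in adapters.items():
        if name.startswith("PPP adapter"):
            return name, fields
    return None, {}


def check_vpn_client(text: str, expected_dns: str, expected_wins: str) -> List[str]:
    """Return a list of problems; an empty list means the VPN adapter got the
    internal DNS server, the internal WINS server and a remote default gateway."""
    name, ppp = find_ppp_adapter(parse_ipconfig(text))
    if name is None:
        return ["no PPP adapter found: is the VPN connected?"]
    problems: List[str] = []
    dns = ppp.get("DNS Servers", [])
    if expected_dns not in dns:
        problems.append(f"{name}: DNS servers {dns or 'none'} do not include {expected_dns}")
    wins = ppp.get("Primary WINS Server", []) + ppp.get("Secondary WINS Server", [])
    if expected_wins not in wins:
        problems.append(f"{name}: WINS servers {wins or 'none'} do not include {expected_wins}")
    # Assumption: with "Use default gateway on remote network" enabled the PPP
    # adapter lists a default gateway (its own address); a blank gateway means
    # the box is unticked, so DNS queries may leave via the ISP instead.
    if not ppp.get("Default Gateway"):
        problems.append(f"{name}: no default gateway; 'Use default gateway on remote network' is probably unticked")
    return problems


if __name__ == "__main__":
    report = check_vpn_client(SAMPLE_IPCONFIG, "10.0.0.10", "10.0.0.10")
    for line in report or ["OK: VPN adapter has internal DNS, WINS and a remote gateway"]:
        print(line)
```

To use it against a real client, save the output of `ipconfig /all` to a file while the VPN is up, read the file into `check_vpn_client`, and pass the domain controller's address for both expected servers. A clean result here only shows that the client received the right settings; it does not prove the VPN server is passing DNS and NetBIOS traffic, which is the separate question the original poster ended up chasing.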
Thank you for your reply. I ended up having to bind the WINS server to the internal NIC, and that seemed to do the job, even though connected clients were already getting the correct server information when doing an ipconfig /all.
Yes, I agree with you; when it comes to VPN it is like a black box, hard to troubleshoot. We are looking at other solutions such as hardware firewalls, Barracuda and UAG.
From: Taylorville, IL
Firewalls are just firewalls. There is no functional difference: they all sit on some kind of hardware and they all run some kind of software. However, I understand what you are trying to say. But the simpler the device, the worse the VPN is to deal with. VPN requires a lot to make it behave properly, and simpler devices just cannot do what is required to make VPN behave well. ISA/TMG is probably the best product in existence for making VPN as transparent as possible (yet you'll still fight battles with it).
Anyway, UAG is probably the best product out there for getting the most out of MS's DirectAccess technology. However, it is extremely difficult to set up. I cannot even begin to do it myself, nor help with it. I have pretty much backed out of all that kind of work and abandoned it. I just want to retire and move to a deserted island somewhere :-)
Windows Server 2008 R2's "DirectAccess" is simpler and already comes as part of the OS for free. I assume the new Windows Server 2012 has improved it even more. But again, I don't touch it myself; I only know "of" it, not "about" it.