No internet connection when connected through VPN

  • Tuesday, June 30, 2009 2:01 PM, Sander Weenen
    Hi guys,

    Got something strange again; I've searched the forums and the internet, but cannot find the cause of my next problem:

    When a device is connected through VPN, it cannot access the internet. Some facts:
    - The device CAN query the internal DNS servers; they return an IP address
    - The device CANNOT browse internal websites
    - The device CANNOT go to the internet.

    My config:

    GW server internal IP address:

    192.168.230.10/24, NO gateway configured

    GW server external IP address: 194.194.194.194 (dummy IP), WITH gateway IP configured

    The configuration is shown as attached:

Answers

  • Thursday, July 23, 2009 10:39 AM, Sander Weenen (Answer)
    Well... I've gotten it to work via source-based routing: I connected an extra IP interface to my gateway and my ISA server on the DMZ side and re-routed the traffic that way. Though I still do not understand why it doesn't work with the standard setting (redirect mobile traffic through the gateway server's Gateway IP)...

    Thanks for the help.

All Replies

  • Tuesday, June 30, 2009 2:15 PM, noordhuh
    Sander,

    What I did is use source-based routing.
    The address for the Gateway IP is the internal interface address of the MDM Gateway server in my case.
    Works fine.
    Perhaps you should try that option.

    Good luck man!

    Hans
  • Tuesday, June 30, 2009 2:41 PM, Sander Weenen
    Hmm, I've tried that (restarting my GW server just to be sure), but I keep getting time-outs, ergo no internet connection... (testing it with vxutil)
  • Tuesday, June 30, 2009 7:55 PM, Marco Nielsen (Answerer)
    Hi Sander, do the routers/equipment in your Internet DMZ know where to route the 192.168.231.x VPN pool packets back to your GW server on 194.194.194.194?

    You mentioned internal DNS server above, does this mean you can't lookup external DNS names?

    |\\arco..

    http://marco.blogsite.org
  • Tuesday, June 30, 2009 10:07 PM, Sander Weenen
    I've got routes from my internal network back to my DMZ through a firewall, so the route back is:

    192.168.231.x mask 255.255.255.0 via 192.168.11.254, which is my firewall that routes it back to the internal NIC of my Gateway server. I can ping devices on my servers, so routing should be good, or not?

    My devices can query the internal DNS servers, so if I do an nslookup for an external website (with e.g. vxutil), I get an IP address back.

    Thanks again.
  • Wednesday, July 01, 2009 1:05 AM, Wayne Phillips (MVP, Moderator)
    You have created an inconsistent route. Your firewall might flag it as spoofing.
    When your device (within the VPN) tries to connect to a web server, the traffic leaves the external GW interface. The return traffic travels through the internal GW interface. If these interfaces are connected to different firewall ports, the firewall may detect this as spoofing.

    To correct this inconsistency you should set up the VPN pool exactly like Noordhuh has explained.
    How is the VPN network defined in ALL your firewalls? The firewall will probably class the traffic as either Internal, Optional/DMZ or External! If ALL your firewalls think this traffic is from an Optional/DMZ network, then you need to create some firewall rules.

    Have you added firewall rules:

    MDM VPN Network -> External TCP 80
    MDM VPN Network -> External TCP 443

    Best practice would be to set a web proxy in your Group Policy documents. Your internal traffic is working, so I'm guessing internal traffic to a web proxy would work.

    Cheers
    Wayne
  • Thursday, July 02, 2009 7:39 AM, Sander Weenen
    Hmmm. I'm really clueless again... One correction: internal sites also cannot be reached; I can look them up, but cannot ping (ICMP not allowed). I'm really starting to doubt everything; I've followed all necessary steps but just cannot get it to work.

    I've got 1 persistent route on my gateway server which points the internal LAN subnet for the server to the gateway IP of the firewall between the DMZ and LAN.
    I've configured the internal interface IP of the gateway server as the source-based routing IP for the gateway.
    On the external interface of the gateway server there is NO firewall in place at the moment.

    That's it, or not? Internet traffic from my devices does not come anywhere near my internal firewall, or am I wrong?
  • Thursday, July 02, 2009 8:59 AM, noordhuh

    Goedemorgen Sander (that is, translated for you non-Dutch people: Good morning Sander) ;-)

    What I did is add a persistent route on the Gateway server:
    Local DMZ translated addresses to default gateway.
    Do you have a persistent route added on the Gateway server?

    Hans

  • Thursday, July 02, 2009 9:25 AM, Sander Weenen
    Morning :)

    Can you please explain "Local DMZ translated addresses to default gateway."

    I've got one persistent route added, yes, but it points to my internal network:
    route -p add <corporate subnet> mask <subnet mask> <Firewall IP>
  • Thursday, July 02, 2009 12:08 PM, noordhuh

    Sander,

    I have similar settings.
    What I meant was that our GW server is in a DMZ.
    On the internal interface of our GW server is another firewall, and we are using NAT addresses in the DMZ, obviously.
    So, devices receive an address from the GW server (DHCP), and then connect to the GW server (public IP address).
    On the firewall/router behind the GW server (internal interface of the GW server) NAT is done.
    The route on the GW server routes to the interface of the firewall/router.

    Hans

  • Thursday, July 02, 2009 11:43 PM, Wayne Phillips (MVP, Moderator)
    I think you've forgotten to add a route back! Your devices know how to route traffic to your internal servers, but your servers don't know how to route traffic back to your devices.

    There are two ways to fix this:

    1. Add a static route to each internal server, including the MDM Device Management Server.
        route -p add 192.168.231.0 mask 255.255.255.0 192.168.230.10

    2. Add a static route to your firewall (the one connected to the GW internal interface)
        ip route 192.168.231.0 255.255.255.0 192.168.230.10

    You should implement #2. The firewall should be allowed to propagate this static route throughout your network.

    Cheers Wayne
    Airloom
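As an added illustration of the missing return route Wayne describes here (and of the asymmetric path in his earlier reply), this is a small Python model of the thread's topology; it is not code from the thread or from MDM, and the firewall's DMZ-side address 192.168.230.1, the server 192.168.11.20 and the ISP next hop 194.194.194.1 are assumptions.

```python
import copy
import ipaddress

# Constructed model of the thread's topology: VPN pool 192.168.231.0/24 terminated on the
# MDM Gateway (internal NIC 192.168.230.10, external 194.194.194.194), a firewall between
# DMZ and LAN, and an internal server on 192.168.11.0/24. The firewall's DMZ-side address
# 192.168.230.1, the server 192.168.11.20 and the ISP hop 194.194.194.1 are assumptions.
NODES = {
    "gateway":  {"addrs": {"192.168.230.10", "194.194.194.194"},
                 "routes": [("192.168.231.0/24", None), ("192.168.230.0/24", None),
                            ("192.168.11.0/24", "192.168.230.1"),   # Sander's persistent route
                            ("0.0.0.0/0", "194.194.194.1")]},      # default via external NIC
    "firewall": {"addrs": {"192.168.230.1", "192.168.11.254"},
                 "routes": [("192.168.230.0/24", None), ("192.168.11.0/24", None),
                            ("0.0.0.0/0", "194.194.194.1")]},
    "server":   {"addrs": {"192.168.11.20"},
                 "routes": [("192.168.11.0/24", None), ("0.0.0.0/0", "192.168.11.254")]},
}

def lookup(routes, dst):
    """Longest-prefix match: (network, next_hop) or None; next_hop None = directly connected."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(nodes, start, dst, max_hops=8):
    """Walk the routing tables from `start` towards `dst`. Verdicts: 'delivered' (connected
    network reached), 'external' (forwarded to a hop outside the model, i.e. the ISP), 'no-route'."""
    path, node = [start], start
    for _ in range(max_hops):
        hit = lookup(nodes[node]["routes"], dst)
        if hit is None:
            return path, "no-route"
        if hit[1] is None:
            return path, "delivered"
        node = next((n for n, d in nodes.items() if hit[1] in d["addrs"]), None)
        if node is None:
            return path, "external"
        path.append(node)
    return path, "loop"

def with_return_route(nodes):
    """Wayne's option 2: the DMZ firewall routes the VPN pool to the gateway's internal NIC."""
    fixed = copy.deepcopy(nodes)
    fixed["firewall"]["routes"].insert(0, ("192.168.231.0/24", "192.168.230.10"))
    return fixed
```

Without the firewall route, a server reply to a VPN client is handed to the firewall's default route and leaves toward the ISP instead of coming back through the gateway's internal NIC; with it, the reply is delivered via the gateway.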

  • Thursday, July 09, 2009 7:54 PM, Sander Weenen
    Hi Wayne, nslookups work fine, so the route isn't the problem, I guess.

    The main issue that I'm having is that when I leave the settings on default ("VPN tunnelled traffic uses the default gateway on the gateway server if no other gateway is configured" in the VPN server configuration), it just doesn't work, and I do not know what I'm doing wrong. It seems like a straightforward configuration, but the devices just cannot access the internet (but they can look up hostnames, so the route to/from my internal DNS servers seems to work).

    Any other suggestions?
  • Friday, July 10, 2009 12:55 AM, Wayne Phillips (MVP, Moderator)

    What is your firewall telling you? If your routing is working (I am assuming the DNS servers are in the same subnet as the other server) then you must open all the relevant firewall ports. This is coming from the Perimeter Zone into your Trusted Zone, so ports need to be opened.

    Policy updates and software deployment are also inbound connections. Are these working? Can you deploy policies and applications?

    Cheers Wayne
    Airloom

  • Friday, July 10, 2009 8:46 AM, Sander Weenen

    My firewall between the GW server and the internet is completely turned off. If a device wants to initiate HTTP traffic, it only does an nslookup to my internal DNS servers and then initiates the traffic directly through the external interface of the GW server, or not?

    Policy updates and software deployment do work.
  • Monday, July 13, 2009 10:23 AM, noordhuh
    Sander,

    Not in my opinion. My devices connect for HTTP traffic to the INTERNAL interface of the GW server, that is (in my case) the firewall for the DMZ.
    So, HTTP requests go to the internal interface of the GW server, to the DMZ firewall on which NAT runs (the DNS server is reachable through a NAT address as well).
    There the request gets routed to my internal proxy server.
    Hope this answer helps.
    (Watch your source-based routing in the first screen)

    Kind regards,

    Hans Noordhuis
  • Monday, July 13, 2009 10:56 AM, Wayne Phillips (MVP, Moderator)
    Sander,

    You are not giving us much to work with here: "firewall is turned off". You really want to turn that firewall back on! ;-)
    The problem is probably with your firewall(s).

    Cheers Wayne
    Airloom