TMG 2010 - VPN Clients can't access internal web servers
-
28 March 2012 23:32
TMG is configured as Edge Firewall (with 2 interfaces - INTERNET and LAN )
TMG is also configured as a VPN Server, using Static IP Address Range that is excluded from the "Internal" server address range
"Internal" Address Range = LAN Servers (10.x.x.0 - .149) and gateways (.251 - .254)
VPN Clients Static IP Address Range = 10.x.x.150 - .250 - therefore the VPN server is 10.x.x.150, and the VPN clients get their DNS and WINS settings from the TMG LAN interface as expected - ipconfig /all on the VPN client shows the correct DNS servers.
A TMG VPN Client Access rule is configured - to allow all outbound from VPN Clients to Internal (servers) - this is working correctly EXCEPT for internal web servers, which use DNS.
Split DNS is configured so that:
portal.domain.com = Internet Address - if connected outside network (not being used at the moment and not fully published by TMG)
portal.domain.com = IntraNet Address - if connected inside network (or used by VPN Client)
When an MS VPN client is connected ...
(Use default gateway on remote network is NOT checked, so that all Internet traffic goes through the user's local gateway which could be anything)
a) connecting to file shares on "Internal" range works when using \\webservername\sharename - works
b) ping to the intranet web server (portal.domain.com) - ping connection works - replies received
c) tracert - shows connecting to 10.x.x.150 (VPN server) as expected then to web server with only two hops - route works as expected
d) nslookup on VPN client - shows the correct DNS server trying to respond (10.x.x.35), but requests time out ... so the VPN client IE browser doesn't load the page
e) nslookup on LAN client - shows correct DNS responding (so it gets to the DNS server) and subsequently the browser does not load the page - "request to unknown timed-out"
So the problem appears to be DNS lookups on VPN clients - not working
Could this be related to the Split DNS - or is there some reason DNS lookup wouldn't return a DNS response for VPN clients? The user's browser could have any gateway and their browser could be using any local proxy server or configuration.
What have I missed in configuring the VPN clients to also access internal web servers?
How do VPN Clients connect to IntraNet sites when a split DNS is configured?
Is this problem related to the IE browser (Connections), the VPN Client or TMG?
Your help is appreciated.
Asutherland
All Replies
-
28 March 2012 23:35
Correction - edited wrong paragraph
d) nslookup on VPN client - shows the correct DNS server trying to respond, 10.x.x.35 (so it gets to the DNS server), but requests time out ... so the VPN client IE browser doesn't load the page - "request to unknown timed-out"
e) nslookup on LAN client - shows correct DNS responding and subsequently the browser does load the page
So LAN clients work and VPN Clients don't for DNS lookups.
Asutherland
-
03 April 2012 8:08 Moderator
Hi,
Thank you for the post.
Please check if the PPTP adapter is last in the binding order of the client machine. If yes, please change the binding order on the client machine: the PPTP adapter should be at the top of the order.
Regards
Nick Gu - MSFT
- Proposed as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, 03 April 2012 8:08
- Marked as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, 05 April 2012 3:58
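The steps the original poster walks through (ping, tracert, nslookup against the VPN-supplied DNS server) and the moderator's binding-order check can be collected in one script run on the VPN client. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later (the NetTCPIP and DnsClient modules), that the intranet name is portal.domain.com as in the thread, and that the VPN adapter's alias contains "VPN" or "PPTP". On these Windows versions the interface metric is what decides resolver order, which is the equivalent of the classic adapter binding order the moderator refers to.

```powershell
# Added diagnostic script (not from the thread). Assumptions: Windows 8 / Server 2012 or
# later, intranet name portal.domain.com (from the thread), VPN adapter alias matching
# "VPN" or "PPTP". Run on the VPN client while the tunnel is up.
param(
    [string]$IntranetName    = 'portal.domain.com',   # name used in the thread
    [string]$VpnAliasPattern = 'VPN|PPTP'             # assumed adapter alias pattern
)

# 1. Interface priority: the lowest metric is consulted first by the resolver.
#    A VPN adapter sorted last here is the "last in the binding order" condition.
Write-Host "== IPv4 interface priority (lowest metric first) =="
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize

# 2. DNS servers each interface hands to the resolver (the VPN adapter should
#    carry the internal servers learned from the TMG LAN interface).
Write-Host "== DNS servers per interface =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 3. Query the intranet name against every configured server explicitly, so a
#    time-out on the internal server over the tunnel shows up on its own line
#    instead of being masked by whichever server the resolver picked.
Write-Host "== Direct lookups of $IntranetName =="
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique
foreach ($srv in $servers) {
    try {
        $rec = Resolve-DnsName -Name $IntranetName -Server $srv -Type A -DnsOnly -ErrorAction Stop
        $ips = ($rec | Where-Object Type -eq 'A').IPAddress -join ', '
        Write-Host ("{0,-15} -> {1}" -f $srv, $ips)
    } catch {
        # A time-out here, with ping to the server's IP working, points at DNS
        # (UDP/TCP 53) over the tunnel rather than at routing.
        Write-Host ("{0,-15} -> FAILED: {1}" -f $srv, $_.Exception.Message)
    }
}

# 4. Reachability of the web server by address, mirroring the ping/tracert steps.
$resolved = (Resolve-DnsName -Name $IntranetName -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
if ($resolved) {
    Test-NetConnection -ComputerName $resolved -Port 80 |
        Format-List ComputerName, RemoteAddress, PingSucceeded, TcpTestSucceeded
}

# 5. Remediation matching the moderator's advice: put the VPN adapter at the top of
#    the order by giving it the lowest metric. Left commented so the script only
#    reports by default; uncomment to apply.
$vpn = Get-NetIPInterface -AddressFamily IPv4 | Where-Object InterfaceAlias -match $VpnAliasPattern
# $vpn | Set-NetIPInterface -InterfaceMetric 1
```

Run the script once before and once after changing the metric; if the direct lookup in step 3 against the internal server still times out over the tunnel while ping to 10.x.x.35 works, the problem is DNS traffic through the VPN rather than adapter order, which is the situation the later reply's firewall-rule fix addresses.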
-
09 May 2012 15:34
Hi,
Any news on this topic? Same problem here...
The only difference, we use the default gateway on remote network - all traffic except local traffic is routed to TMG.
I checked and changed the binding order, no success.
Regards,
Tom
-
15 May 2012 12:33
Hi,
My problem is solved: http://blogs.technet.com/b/isablog/archive/2006/09/25/why-do-i-need-a-deny-rule-to-make-an-allow-rule-for-a-custom-protocol-work-correctly.aspx
Regards,
Tom