DirectAccess - Accessing server outside Internal network

Question
All,
I have an interesting problem that I am trying to solve. Here is the scenario:
We have outsourced our payroll to an external company, thus in order to access it you have to go to an external web server. To keep folks from accessing the web server from outside our organization, the hosting provider put IP blocks on to only allow our enterprise IP space to be able to access it.
Everything works great until you fire up a laptop and try to connect when Direct Access is running. What happens is, because we created a DNS alias internal to the company called payroll.contoso.com, which is an A record pointing to the external hosting provider's server, Direct Access believes it's an internal address, but when you look at the TMG logs it denies the connection.
I thought an easy way to get around this was to simply add the external hosting provider's server IP into the Internal network setting within the UAG network interface configuration, but that didn't seem to help either.
I would turn off split tunnelling for Direct Access, which I assume would fix this problem, but we also use Office Communicator and Live Meeting, which at the time of our implementation (Fall, 2010) were not supported or working through Direct Access.
Anyone have any thoughts on this?
Thanks,
Sam
Edited by SamEvans Wednesday, February 15, 2012 7:53 PM
Wednesday, February 15, 2012 7:49 PM
All replies
Have you tried adding payroll.contoso.com to the NRPT exception list?
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
Wednesday, February 15, 2012 10:05 PM
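As an added illustration (not code from this thread, from UAG, or from Windows), the model below shows why the suffix rule for contoso.com pulls payroll.contoso.com into the DirectAccess DNS64/NAT64 path and how a more specific NRPT exemption entry for that one name sends it back to the interface's normal DNS instead; it also synthesizes the AAAA a DNS64 server would return for the A record. The longest-suffix-wins rule selection, the "no DNS servers means exemption" convention, the NAT64 prefix and all addresses are assumptions or constructed placeholders.

```python
"""Model of NRPT rule selection on a DirectAccess client (illustrative).

Assumptions: the most specific (longest) matching namespace wins, and a rule
with an empty server list is an exemption, so the name goes to the
interface's regular DNS servers instead of the DirectAccess DNS64 server.
"""
import ipaddress

# Constructed NRPT tables. A leading dot marks a suffix rule, as in the UI.
DA_DNS64 = ["2001:db8:da::1"]                       # placeholder DNS64 server
NRPT_BROKEN = {".contoso.com": DA_DNS64}            # only the suffix rule
NRPT_FIXED = {".contoso.com": DA_DNS64,
              "payroll.contoso.com": []}            # exemption for one host


def match_rule(nrpt, fqdn):
    """Return (namespace, servers) of the most specific matching rule, or None."""
    fqdn = fqdn.lower().rstrip(".")
    best = None
    for ns, servers in nrpt.items():
        ns = ns.lower()
        if ns.startswith("."):                       # suffix rule: apex or any subdomain
            hit = fqdn.endswith(ns) or fqdn == ns[1:]
        else:                                        # exact-name rule
            hit = fqdn == ns
        if hit and (best is None or len(ns) > len(best[0])):
            best = (ns, servers)
    return best


def resolution_path(nrpt, fqdn):
    """'directaccess': DNS64 over the tunnel; 'exempt': exemption rule matched;
    'interface': no rule at all, normal DNS on the connected interface."""
    rule = match_rule(nrpt, fqdn)
    if rule is None:
        return "interface"
    return "exempt" if not rule[1] else "directaccess"


def dns64_synthesize(nat64_prefix, ipv4):
    """AAAA a DNS64 server synthesizes for an A record: prefix/96 + IPv4 bits."""
    prefix = ipaddress.IPv6Network(nat64_prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


if __name__ == "__main__":
    # With only the suffix rule the payroll host is treated as internal and the
    # client gets a synthesized address that routes into UAG's NAT64 (and on to TMG).
    print(resolution_path(NRPT_BROKEN, "payroll.contoso.com"),
          dns64_synthesize("64:ff9b::/96", "203.0.113.10"))   # placeholder A record
    print(resolution_path(NRPT_FIXED, "payroll.contoso.com"))  # exempt
```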
Thanks for the reply, JJ --
I am not sure how split-brain DNS would help in this case. The reason I say that is ideally we want all traffic to this one particular host to route through our internal network, but not other external traffic including the likes of LiveMeeting and OCS (which are published using split brain DNS).
I may just end up publishing a remote desktop application that spawns an IE session off our RD Gateway to connect the user to the site from their laptop.
-Sam
Wednesday, February 15, 2012 11:38 PM
Ah OK, sorry, misunderstood...
Yeah IE as a seamless RemoteApp is a good option if the remote site is expecting a specific source IP...
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
Edited by Jason Jones [MSFT] Thursday, February 16, 2012 12:17 AM
Thursday, February 16, 2012 12:16 AM
Hi
Did you add this particular DNS zone in your NRPT to be resolved with DNS64? If not, it is normal that UAG does not provide DNS resolution.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
Thursday, February 16, 2012 8:01 PM