NRPT for Always On VPN

    Question

  • I'm setting up Always On VPN on Server 2016. I've created my XML profile. Some services such as OWA and webservers need to be resolved externally rather than internally. How can I edit the VPN profile to accomplish this?

    Mike Pietrorazio

    Tuesday, April 17, 2018 6:25 PM

Answers

  • I was able to get it to work by specifying an external DNS server address for the FQDNs I wanted to resolve externally.

    EXAMPLE:

    <DomainNameInformation>
     <DomainName>OWA.domain.com</DomainName>
     <DnsServers>1.1.1.1</DnsServers>
    </DomainNameInformation>


    Mike Pietrorazio

    Wednesday, April 25, 2018 1:03 PM

All replies

  • Hi

    I have the same problem with Skype for Business and I'm looking for a solution with NRPT.

    Meanwhile we have implemented a solution with a DNS server on the VPN server. This DNS server forwards some FQDN name requests to an external DNS and all the other stuff to an internal DNS. We have accomplished that with conditional forwarders.

    Another possibility would be to use a Win 16 DNS server, which gives you an additional DNS feature (DNS Policies). DNS Policies can handle split DNS scenarios.

    I would prefer a solution on the VPN client with NRPT rather than using a DNS solution, which is not so flexible.

    Bueschu

    Wednesday, April 18, 2018 5:36 AM
  • You'll need to add the DomainNameInformation element in your ProfileXML. Guidance here:

    https://directaccess.richardhicks.com/2018/04/23/always-on-vpn-and-the-name-resolution-policy-table-NRPT/

    Hope that helps!

    Monday, April 23, 2018 3:48 PM
  • Sounded good in theory. In reality, even with the missing <DnsServer> element for the FQDN, I'm still getting internal resolution. I even tried putting the "exceptions" ahead of the elements that include the DNS Server, in the profile, so it would maybe find a match and use external, but no go.

    EXAMPLE

    <DomainNameInformation>
     <DomainName>exception.domain.com</DomainName>
    </DomainNameInformation>

    <DomainNameInformation>
     <DomainName>.domain.com</DomainName>
     <DnsServers>192.6.1.X</DnsServers>
    </DomainNameInformation>


    Mike Pietrorazio

    Monday, April 23, 2018 5:46 PM
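To make the rule-matching behind these two ProfileXML fragments concrete, here is an added example (my own code, not from this thread or from Microsoft) that loads the DomainNameInformation rules from a constructed profile, picks the rule that applies to a given name, and validates the DnsServers values. It assumes the usual NRPT convention: a DomainName with a leading dot is a suffix rule, one without is an exact FQDN rule, an exact match beats a suffix match, the longest suffix wins, and a rule with no DnsServers means the query is not redirected and goes to the interface's normal DNS. The 192.168.x.x addresses and host names are constructed sample values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ProfileXML fragment modelled on the rules posted in this thread:
# an "exception" FQDN rule with no DnsServers, an OWA FQDN rule pointing at an
# external resolver, and a suffix rule sending everything else under the
# domain to internal servers (sample addresses, not from the thread).
PROFILE_XML = """<VPNProfile>
  <DomainNameInformation>
    <DomainName>exception.domain.com</DomainName>
  </DomainNameInformation>
  <DomainNameInformation>
    <DomainName>OWA.domain.com</DomainName>
    <DnsServers>1.1.1.1</DnsServers>
  </DomainNameInformation>
  <DomainNameInformation>
    <DomainName>.domain.com</DomainName>
    <DnsServers>192.168.1.10,192.168.1.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>"""

# Same shape, but with a trailing dot in the address (a typo that is easy to
# make and that the profile will not resolve with).
BAD_PROFILE_XML = """<VPNProfile>
  <DomainNameInformation>
    <DomainName>OWA.domain.com</DomainName>
    <DnsServers>1.1.1.1.</DnsServers>
  </DomainNameInformation>
</VPNProfile>"""


def load_rules(xml_text):
    """Return the DomainNameInformation rules in profile order.

    Each rule is a dict with the lower-cased DomainName and the list of
    DnsServers entries (comma-separated in ProfileXML; empty if absent)."""
    root = ET.fromstring(xml_text)
    rules = []
    for dni in root.iter("DomainNameInformation"):
        name = (dni.findtext("DomainName") or "").strip().lower()
        servers_text = dni.findtext("DnsServers") or ""
        servers = [s.strip() for s in servers_text.split(",") if s.strip()]
        rules.append({"name": name, "servers": servers})
    return rules


def plan_for(rules, fqdn):
    """Pick the most specific rule for fqdn (assumed NRPT precedence: exact FQDN
    beats suffix, longer suffix beats shorter). Returns (rule_name, servers);
    (None, []) when no rule matches. An empty server list on a matching rule
    means the name is not redirected and uses the interface's own DNS."""
    fqdn = fqdn.lower().rstrip(".")
    best = None
    for rule in rules:
        name = rule["name"]
        if name.startswith("."):
            if not fqdn.endswith(name):
                continue
            score = (0, len(name))          # suffix match, ranked by length
        elif fqdn == name:
            score = (1, len(name))          # exact match always wins
        else:
            continue
        if best is None or score > best[0]:
            best = (score, rule)
    if best is None:
        return (None, [])
    return (best[1]["name"], list(best[1]["servers"]))


def validate_servers(rules):
    """Flag DnsServers entries that are not literal IP addresses.

    Returns a list of (rule_name, bad_value) tuples; a trailing dot or a
    host name instead of an address shows up here."""
    bad = []
    for rule in rules:
        for server in rule["servers"]:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                bad.append((rule["name"], server))
    return bad


if __name__ == "__main__":
    rules = load_rules(PROFILE_XML)
    for host in ("owa.domain.com", "exception.domain.com",
                 "mail.domain.com", "example.org"):
        print(host, "->", plan_for(rules, host))
    print("invalid DnsServers:", validate_servers(load_rules(BAD_PROFILE_XML)))
```

Running the script shows `owa.domain.com` going to 1.1.1.1, `mail.domain.com` going to the internal pair via the `.domain.com` suffix rule, and `exception.domain.com` matching its own rule with no servers (so it falls through to the interface DNS). The validator catches the trailing dot in the second profile. On a client, the effective rules can be compared against this plan with Get-DnsClientNrptPolicy and Get-DnsClientNrptRule, as mentioned later in the thread.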
  • Now I was able to solve my problem. It was a GPO issue with the AppLocker policy on the Win 10 clients. The PowerShell command Get-DnsClientNrptPolicy returned blank, but Get-DnsClientNrptRule listed all the entries.

    The workaround is a little bit strange. I made an NRPT entry under "Name Resolution Policy" in the AppLocker policy and applied this policy to the Win 10 client. Afterwards I deleted this entry in the policy and NRPT still works. Get-DnsClientNrptPolicy now returns the entries.


    Bueschu

    Thursday, May 3, 2018 12:12 PM