Re: VPN and DNS configuration

 
 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-14-2010
On Thu, 13 May 2010 08:19:42 -0700 (PDT), yaro137 wrote:

>I have clients who use VPN to access their folders and emails on the
>server. There are quite a few of them so I was wondering whether
>rather than modifying everyone's host file is there a way to set up
>the DNS server in a way so when the clients try to resolve office host
>names they use the company's DNS server but when they browse the
>Internet they use their ISP's DNS?
>yaro


Unless you have a split zone scenario, you can still use your
company's DNS servers in the VPN, which you need to anyway to access
internal resources while connected. On the client side, set it to use
the local gateway, this way any non-company resources will be
connected to (not resolved by) the local client gateway instead of the
traffic going back to the office and out to the internet and back.

Cisco calls this split-tunneling.

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 
 
 
 
 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-17-2010
On Fri, 14 May 2010 08:06:52 -0700 (PDT), yaro137 wrote:

>What do you mean by split zone? They use the company DNS on their VPN
>but this doesn't help them with resolving host names to IPs. They can
>ping the remote server and workstations by IP address but not by
>hostname. You need host names for stuff like Outlook and mapped
>drives. Especially for Outlook (2k7) they now need host names both in
>form of "IP - hostname" and "IP - hostname.domain.local" otherwise
>Outlook doesn't work properly. It's related to Exchange 2k7
>Autodiscover functionality in some way. If I remember well something
>wasn't right with the service records that Outlook was looking for. So
>now I need to modify the hosts file on every new computer.
>yaro


I think we are skewing the terminology slightly. The "single name"
hostname (as you called it), is really the NetBIOS name. An FQDN would
be in the form of "hostname.domain.com."

I know what you mean about Autodiscover and such, but Autodiscover
uses the Autodiscover URL (FQDN) for the initial connection. I believe
you are talking about the Availability service, at least for backwards
compatibility for Exchange 2003? Availability service replaces the
previous Exchange version Free/Busy connector, which requires NetBIOS
name support. Some argue that Exchange 2007 and 2010 don't need
NetBIOS name support, but I say they do... but that's for another time
to discuss.

So what you want to do is ping and get a response using the NetBIOS
name. Then you need WINS.

You can also ping by single name and return the FQDN in the reply, but
there must be a Search Suffix added that must be set to the zone name
where the record exists.

But from what you are saying, you need WINS.

And I wouldn't suggest using HOSTS files. HOSTS files and LMHOSTS files
went out over 15 years ago because now:-)

Cheers!

Ace
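
The short-name versus FQDN behaviour discussed in this post, as an added example that is not part of the original thread: it checks both name forms the question mentions against a DNS suffix search list. The host `exch01`, the suffix `isp.example` and the addresses are constructed; `domain.local` is the zone name quoted in the thread, and the resolver model is a simplification, not the exact Windows lookup order.

```python
import socket

def candidates(name, search_list):
    """FQDNs a stub resolver would query for `name` (simplified model)."""
    if name.endswith("."):            # already fully qualified
        return [name.rstrip(".").lower()]
    if "." in name:                   # multi-label: queried as typed
        return [name.lower()]
    # Single-label name: only resolvable in DNS by appending a search suffix.
    return [f"{name}.{s.strip('.')}".lower() for s in search_list]

def system_lookup(fqdn):
    """Resolve with the OS resolver; None on failure."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None

def check_host(short, zone, search_list, lookup=system_lookup):
    """Check both forms from the thread: 'hostname' and 'hostname.<zone>'."""
    fqdn = f"{short}.{zone}".lower()
    fqdn_ip = lookup(fqdn)
    # First search-list candidate that resolves wins, so list order matters.
    matched = next((c for c in candidates(short, search_list) if lookup(c)), None)
    short_ip = lookup(matched) if matched else None
    if fqdn_ip is None:
        verdict = "no DNS record reachable: check the VPN adapter's DNS server"
    elif short_ip is None:
        verdict = f"add search suffix '{zone}' (or use WINS for the short name)"
    elif short_ip != fqdn_ip:
        verdict = f"short name matched {matched}, a different record than {fqdn}"
    else:
        verdict = "ok"
    return {"fqdn_ip": fqdn_ip, "short_ip": short_ip, "matched": matched, "verdict": verdict}

# Constructed sample data: hypothetical internal record and an ISP-suffix collision.
SAMPLE_ZONE = {"exch01.domain.local": "10.0.0.20", "exch01.isp.example": "203.0.113.7"}

def demo():
    lookup = SAMPLE_ZONE.get
    return {
        "no_suffix": check_host("exch01", "domain.local", [], lookup),
        "with_suffix": check_host("exch01", "domain.local", ["domain.local"], lookup),
        "isp_first": check_host("exch01", "domain.local", ["isp.example", "domain.local"], lookup),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

On a real VPN client, call `check_host` without the `lookup` argument to use the operating system's resolver; the `isp_first` case shows why the company zone should come first in the search list.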

 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-17-2010
On Mon, 17 May 2010 06:30:07 -0700 (PDT), yaro137 wrote:

>I thought Microsoft say we don't need WINS any more since we've got
>DNS but yes, that seems to be working all right.
>Thanks
>
>yaro


True, they do say that, but there are other circumstances that still
require it. I say Exchange does require it. I always have and always
will install WINS with any multi-segmented network or if VPNs are
involved.

Good to hear that WINS did the trick for you.

Ace
 