Saturday 20 November 2010

Macs - Entourage - Split DNS - SBS2003 - Cisco 1841

Here's a question...

In this client's domain, there are a couple of servers.  Both SBS2003.  It is set up with an internal mydomain.local address.

The server has an external name - mail.mydomain.com.

The Macs have been set up with WebDAV and Entourage... and point to mail.mydomain.com... so on the SBS2003 DNS Server, mail.mydomain.com has to be defined as the 192.168.0.2 address of the server.  If it is not then the request for mail.mydomain.com is forwarded off to external DNS servers, which returns the address of the external interface of the Cisco 1841 router...

Clients on the outside can see mail.mydomain.com ... but they often open a VPN connection to the Cisco 1841 router... the router gives them a DNS of something.. it's own DNS proxy perhaps?

So the client has a network connection somewhere in the world... with DNS local to that ISP... they connect to the VPN and are given an IP address of 192.168.0.x ... and DNS is something...

but they can no longer connect to mail.mydomain.com ...

Is there an easy answer?   My only answer so far is to look up CCNA courses nearby... :)  The company who should look after this router want £NNN for a solution they can't guarantee will work... And it's not a client we want to mess around with... it has to work or not.

2 comments:

  1. Don't forget that not all VPNs are the same.

    In a typical configuration using the Cisco VPN (IPSEC) client, the router will issue the remote user temporary IP settings for the duration of the session, which (hopefully) include DNS server(s) and search domain to allow participation in the newly connected network.

    Unless the the VPN client is configured (or allowed) to operate in what is known as "split tunnel" mode, all traffic will be forced through the tunnel, even traffic that would previously have exited locally. However this is considered by many organisations to be a security risk.

    A typical symptom of establishing a VPN tunnel therefore, is the loss of local connections (Outlook, file shares, internet etc).

    So the problem you note above now changes to this: How do I access mail.mydomain.com through the tunnel? This relies on being able to find a meaningful address for mail.mydomain.com from the DNS settings supplied as part of the VPN session by the router.

    Once the VPN has been established, use ipconfig and nslookup to verify that the dns server(s) provided are able to resolve the mail server (and any other required resources) correctly.

    If the name resolves correctly, then are you able to reach the address with ping or telnet?

    Of course the tricky bit is how to fix it if it doesn't work.... but first establish if you have a DNS problem or a reachability problem.

    ReplyDelete
  2. Hi Phil
    Thank-you for your input. I have reviewed my notes on the original issue.

    Remote User A on the public internet.

    1) They connect to OWA/WebDAV at mail.mydomain.com (resolved through public DNS) via an external IP

    2) They connect to the VPN to view Shared Folders on the server (via server.mydomain.local or the internal IP) - mail.mydomain.com is now resolved to the internal IP.

    -- Their OWA/WebDAV session is disconnected --

    3) They disconnect the VPN and they can use OWA. And they cannot use both at the same time, apparently. (Perhaps if they tried closing OWA/Entourage completely and re-opening without restarting the VPN connection?)

    They are connecting directly to the Cisco 1841 VPN - possibly with a standard VPN setup - i.e. no specific lists of DNS resolvers by host/domain name.

    I don't know what the status of this is... it was almost a year ago. (And the network may be overhauled fairly soon anyway.) The suggested fix was:
    1) remote users who are not connected to VPN use public DNS
    2) remote users connected to VPN are issued with a public DNS but a Cisco DNS list routes specific traffic to certain hosts (so mail.mydomain.com -> external address; but server01.mydomain.local -> internal address) ?
    3) Local users are routed internally as before normal (mail.mydomain.com points to internal address)

    Point 2 is the question. Issuing all VPN users with external DNS by default, except for internal resources to which VPN users require access. Is is possible to specify internal hosts (on a .local address for example).

    Oliver

    ReplyDelete