DNS not resolving correctly on VPN

[Guest]

Some users have been unable to send messages because the machine, running xp
or 2000, resolves to the wrong ip address
Our remote users dial into our vpn server and they are able to access all of
our resources. For email purposes, they have to log in to vpn to send
messages because our 3rd party message scanner only accepts connections from
our public ip address, nothing else.

Now, on some machines, if I type ping smtp.myserver.com, I get our public ip
address instead of our internal mail server address, which causes Outlook to
error out when sending. it's only a hand full and the workaround is to use
the ip address instead of the fqdn. Why is this happening?

I tried flushing the cache, reboot the machine, reconnect via vpn. What
would it fix this?

Thanks a lot for any suggestions
Elliott
===============================
Elliott Bujan
Initial Tropical Plants - USA

 

[Ace Fekay [MVP]]

In

Some users have been unable to send messages because the machine,
running xp or 2000, resolves to the wrong ip address
Our remote users dial into our vpn server and they are able to access
all of our resources. For email purposes, they have to log in to vpn
to send messages because our 3rd party message scanner only accepts
connections from our public ip address, nothing else.

Now, on some machines, if I type ping smtp.myserver.com, I get our
public ip address instead of our internal mail server address, which
causes Outlook to error out when sending. it's only a hand full and
the workaround is to use the ip address instead of the fqdn. Why is
this happening?

I tried flushing the cache, reboot the machine, reconnect via vpn.
What would it fix this?

Thanks a lot for any suggestions
Elliott
===============================
Elliott Bujan
Initial Tropical Plants - USA

If you're getting the public IP on *some* of the machines, it's telling me
you have your machines configured with a public DNS server and your internal
DNS server. Assuming you have Active Directory, this is a huge mistake. You
must only use the internal DNS on ALL machines in the AD domain. I'm
surprised there aren't any other issues occuring due to this. Make sure all
machines only use the internal DNS. Check DHCP Option 006 to make sure it
only shows the internal DNS. When connecting thru a VPN, I'm sure your DHCP
is supplying the VPN user's IP configuration, including the DNS addresses.
As long as you have it set to use the internal DNS, there shouldn't be a
problem.

As for the first paragraph, can I assume you are using Exchange? Why not let
the users use the OWA from the Internet side? But what I'm assuming based on
your post, that you are using either OUtlook Express or an Outlook MAPI
client set for POP3 or IMAP4 and using SMTP to send mail to the mail server.
Is that true? If not, please elaborate on your mail configuration to better
understand your setup.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

 

[Guest]

We don't have AD. Our network is basically a peer-2-peer network at this
time where all tcp info comes from dhcp. We don't have logon domains and the
"logon to domain" option under VPN properties is unchecked. our DHCP server
is linux based sending:

option subnet-mask 255.255.255.0;
option domain-name "initialplants.com";
option domain-name-servers [DNSserver];
option time-servers [timeserver];
option routers [firewallIP]

Nothing fancy, very simple. All IPs are internal.

When they log in via VPN, we pass the same DNS server (internal ip). What's
strange is that ipconfig shows only 1 DNS server: the internal one. I even
tried to specify the DNS server under the connection advanced properties.

As far as email goes, we don't use Exchange; we use Imail and yes they are
using a POP3 account. Most of our users use the web interface when their
laptop is at the shop or they're having issues with vpn or the email client.
I wish they could use IMAP to resolve other issues like big folder files but
that's just a wish at this time.

I will work with one of this machines today and post back.
thanks Ace
--
===============================
Elliott Bujan
Initial Tropical Plants - USA

 

[Ace Fekay [MVP]]

In

We don't have AD. Our network is basically a peer-2-peer network at
this time where all tcp info comes from dhcp. We don't have logon
domains and the "logon to domain" option under VPN properties is
unchecked. our DHCP server is linux based sending:

option subnet-mask 255.255.255.0;
option domain-name "initialplants.com";
option domain-name-servers [DNSserver];
option time-servers [timeserver];
option routers [firewallIP]

Nothing fancy, very simple. All IPs are internal.

When they log in via VPN, we pass the same DNS server (internal ip).
What's strange is that ipconfig shows only 1 DNS server: the internal
one. I even tried to specify the DNS server under the connection
advanced properties.

As far as email goes, we don't use Exchange; we use Imail and yes
they are using a POP3 account. Most of our users use the web
interface when their laptop is at the shop or they're having issues
with vpn or the email client. I wish they could use IMAP to resolve
other issues like big folder files but that's just a wish at this
time.

I will work with one of this machines today and post back.
thanks Ace

No problem for the help.

Just an FYI, whether AD or not, if you have internal private resources with
private IPs that are also accessible from the Internet by their public IPs
(proably doing a NAT re-map?), then the internal DNS will need to have the
private IPs only of the resources. Eg. if your website is accessible by
www.example.com and it's public IP is a.b.c.d, then that IP would also be
your WAN IP of your NAT/firewall device. The will get port remapped
internally to say, 192.168.20.80. The internal DNS would have your
example.com zone, and you wold also have a www record created, but it would
have 192.168.20.80 for the IP so your internal users can get to it.

Make sense?

Ace

 

[Guest]

Got it. thanks. That's the way we have it.
I'll get to the configs again and manke sure nothing has changed.


--
===============================
Elliott Bujan
Initial Tropical Plants - USA

In

We don't have AD. Our network is basically a peer-2-peer network at
this time where all tcp info comes from dhcp. We don't have logon
domains and the "logon to domain" option under VPN properties is
unchecked. our DHCP server is linux based sending:

option subnet-mask 255.255.255.0;
option domain-name "initialplants.com";
option domain-name-servers [DNSserver];
option time-servers [timeserver];
option routers [firewallIP]

Nothing fancy, very simple. All IPs are internal.

When they log in via VPN, we pass the same DNS server (internal ip).
What's strange is that ipconfig shows only 1 DNS server: the internal
one. I even tried to specify the DNS server under the connection
advanced properties.

As far as email goes, we don't use Exchange; we use Imail and yes
they are using a POP3 account. Most of our users use the web
interface when their laptop is at the shop or they're having issues
with vpn or the email client. I wish they could use IMAP to resolve
other issues like big folder files but that's just a wish at this
time.

I will work with one of this machines today and post back.
thanks Ace

No problem for the help.

Just an FYI, whether AD or not, if you have internal private resources with
private IPs that are also accessible from the Internet by their public IPs
(proably doing a NAT re-map?), then the internal DNS will need to have the
private IPs only of the resources. Eg. if your website is accessible by
www.example.com and it's public IP is a.b.c.d, then that IP would also be
your WAN IP of your NAT/firewall device. The will get port remapped
internally to say, 192.168.20.80. The internal DNS would have your
example.com zone, and you wold also have a www record created, but it would
have 192.168.20.80 for the IP so your internal users can get to it.

Make sense?

Ace

 

[Ace Fekay [MVP]]

In

Got it. thanks. That's the way we have it.
I'll get to the configs again and manke sure nothing has changed.

Cool.



Ace