Matlu
Advisor

No Intranet Connection

Hello, Team.

I have a problem with a VPN user connection, which connects through the Endpoint Security VPN agent.

The user logs in with no problem, but once connected, when he tries to access an internal resource (intranet).
The access to the internal resource is a URL.

I have a couple of doubts:


1. In the firewall rule, should the DNS service be allowed for this type of connection?

2. In which part of the Remote Access VPN configuration can I be sure that the company's internal DNS servers are being delivered to the VPN users' connections?

Thanks for the clarification.


13 Replies
G_W_Albrecht
Legend

Did you define an access rule for the RA users ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
Employee

What are your office mode settings, DNS suffixes etc?

Are you seeing logs indicating DNS traffic is being dropped?

Are the remote access clients MacOS or Windows?

CCSM R77/R80/ELITE
the_rock
Legend

Below is what you need; make sure it's correct.

Andy


[Attachment: Screenshot_1.png]

Chris_Atkinson
Employee

Indeed. Just don't expect Google to resolve your internal URLs. 😛

CCSM R77/R80/ELITE
the_rock
Legend

That's why this is a lab 🤣

Matlu
Advisor

Hello,

I have a question.

If the resource you want to access is published both on the Internet and on the intranet, and you are already logged in to the VPN and try to consume this resource, let's say the URL is https://dev.example.com.

When you are connected to the VPN and the user tries to open this resource, would it be using the internal DNS of the VPN, or the external DNS that you have from your local ISP connection?

Which DNS takes the highest priority?

the_rock
Legend

Hey bro,

Chris can confirm for you, but I'm pretty sure it would go based on the priority list from the screenshot I sent: primary, first backup, second backup.

You got my direct email, so we can do remote and I can show you in my R81.20 lab.

Kind regards,

Andy

Matlu
Advisor

Hello,

To update, I was able to solve the problem.

I noticed that the flow was "incomplete".

It turns out that there was no firewall rule allowing the connection from the IP pool of the users who connect through the RA VPN to the server that owns the domain. 😁

I would still like to clarify a doubt.

If you have a web service that you publish to the Internet, and you log in through the RA VPN with the internal DNS provided by the VPN and try to access that web service, which DNS does the network card of the user's PC give "more priority" to at the moment of consuming the service? Is it the DNS assigned to me by the VPN, or the DNS of my local ISP?

Thanks for your help and clarification.

the_rock
Legend

It all depends on which DNS is able to resolve once connected, that's all.

Cheers,

Andy

PhoneBoy
Admin

Generally, the default DNS of the client gets replaced by whatever the gateway assigns after the Remote Access client connects and gets an Office Mode address assigned.
However, there is nothing preventing the end user from changing their DNS configuration if they have admin rights to their local PC.

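As an added example (not from this thread and not Check Point's own tooling), here is a PowerShell check an admin can run on the Windows client after the Endpoint Security VPN connects, to see which resolver the OS will consult first and whether each configured resolver actually answers for the intranet name. The hostname dev.example.com comes from the question above; the script assumes only the built-in DnsClient and NetTCPIP modules.

```powershell
# Added example: show DNS resolver priority on a Windows VPN client and test
# which resolver knows the intranet name. Not part of the original thread.
param(
    # Hostname taken from the thread; replace with your own intranet URL's host.
    [string]$IntranetHost = 'dev.example.com'
)

# Windows consults the resolvers of the connected interface with the LOWEST
# interface metric first, so sorting by InterfaceMetric shows the effective
# priority order (the Office Mode adapter normally lands at the top once connected).
$interfaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric

foreach ($if in $interfaces) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    if (-not $dns) { continue }   # an interface with no resolver configured cannot win
    "{0,-40} metric={1,-4} dns={2}" -f $if.InterfaceAlias, $if.InterfaceMetric, ($dns -join ', ')

    # Query each resolver directly, bypassing the local cache, to see which one
    # actually holds the internal record; the ISP resolver should fail or return
    # only the public address of the published service.
    foreach ($server in $dns) {
        try {
            $answer = Resolve-DnsName -Name $IntranetHost -Server $server -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
            "    {0,-15} -> {1}" -f $server, ($answer.IPAddress -join ', ')
        } catch {
            "    {0,-15} -> no answer ({1})" -f $server, $_.Exception.Message
        }
    }
}

# Finally, what the client's normal resolution path returns for the name
# (this is the answer the browser will use when opening the intranet URL).
"Effective resolution for $IntranetHost:"
Resolve-DnsName -Name $IntranetHost -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress
```

If the VPN adapter is not listed first, or the VPN-assigned resolver returns no answer for the name, the problem is on the client ordering or the firewall path to the internal DNS server rather than in the Office Mode DNS assignment itself.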
the_rock
Legend

@Matlu 

@PhoneBoy makes an excellent point, as always. There is literally nothing stopping a person, once they connect to RA, from changing DNS servers, as long as they have admin access to the local PC. Not quite certain about this, but "MAYBE" that can be controlled by the Harmony Endpoint product; again, I could be mistaken on that part.

Regards,

Andy

PhoneBoy
Admin

We don't control those settings, but I assume the settings can be locked via GPO or similar.

the_rock
Legend

Got it, makes sense.

Cheers,

Andy
