
Thread: DNS Traffic - I Think

  1. #1
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253

    DNS Traffic - I Think

    I hope this is the right forum.

    OK. I have 7 users in a Las Vegas hotel. All running W2K SP4 current patch level and av at latest pattern. All 7 users work perfect everywhere except at the Hotel.

    Basically these guys launch their Cisco VPN client and then Outlook. But when connected at the hotel, Outlook will not connect to the Exchange server.

    When I received the first call I figured it was a user error so I logged on remotely to the laptop to watch what the user was doing. Sure enough no traffic between the client and exchange server. So for Kicks and giggles I launched IE and tried to open our local intranet.

    Here's where it gets weird. An ISA error was displayed. Sorry I don't have the exact error, but basically ISA said it couldn't resolve the name. I quickly added an entry in the hosts file for the intranet and exchange servers and everything works fine.

    I assume that somehow DNS traffic is being blocked, but the users can browse the web just fine, with or without the VPN client running. Since the hosts entry fixed the problem - this must be a DNS issue.

    My question is (Finally) Can ISA specify that DNS traffic go to only one server, and if so how do you think DNS requests to my local DNS Server, when connected to the VPN, are blocked?

    I am not splitting the tunnel?

    Or am I just way off and not seeing the real issue?

  2. #2
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi dinowuff,

    You say everything works fine except at the hotel ...and this is in Las Vegas...if I were to assume that it is a Casino Hotel you are in I would be inclined to believe that the hotel has some kind of security feature to prevent certain features that may aid in cheating at the tables such as using laptops to gain access to their systems etc...

    If it's just the Las Vegas Hotel where the problem resides that would be my guess...that the Casino is somehow blocking certain features to thwart cheaters.

    With all the money that flows through a casino on a daily basis...I would imagine their security features would be top of the line and capable of more than the average security system.

    Eg

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    On the Win2k clients, check with nslookup whether resolving is an issue on the client.
    You can quickly see if it's the client's DNS configuration.

    I'm assuming the clients are able to set up the VPN because you can remotely control them.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Originally posted here by Egaladeist
    Hi dinowuff,

    You say everything works fine except at the hotel ...and this is in Las Vegas...if I were to assume that it is a Casino Hotel you are in I would be inclined to believe that the hotel has some kind of security feature to prevent certain features that may aid in cheating at the tables such as using laptops to gain access to their systems etc...

    If it's just the Las Vegas Hotel where the problem resides that would be my guess...that the Casino is somehow blocking certain features to thwart cheaters.

    Eg
    This is my thinking, and in response to SirDice:

    They can create a VPN tunnel and the concentrator gives the session all the DHCP, DNS info. So my confusion is: how can encrypted VPN traffic be blocked? It's like all VPN traffic goes where it's supposed to, except DNS. ipconfig gave all the correct DNS settings for the client but nslookup couldn't find the server?

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You said something about splitting the tunnel? Don't split the tunnel. Force the client to push all the traffic through the VPN.

    It's a bad idea to split the traffic anyway. Somebody in the same hotel might be able to leapfrog via the client into your network.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    SirDice

    You're right, I don't split the tunnel, but that is the only way I can explain the DNS issue. i.e. If the tunnel is split, port 80 traffic would go out through the hotel proxy - DNS traffic also? But other traffic would be encapsulated within the VPN tunnel.

    I'm going to make sure that the user cannot change the client settings on the VPN. I'll let you know.

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    OK. I checked out the concentrator settings; looks like when I installed the thing I missed a setting. A user can split the tunnel. After some more research I discovered that a user's son did some research and showed Dad how to use the internet without launching the VPN. This information was passed to all field sales folks.

    I fixed the setting, logged off all users and forced a new update /w stricter policies.

    Some days you get the bear - some days the bear gets you.

    I hate making stupid mistakes!

    Thanks all for the input
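
The split-tunnel reasoning discussed in posts #5 to #7, as an added example that is not part of the original thread: it applies longest-prefix route selection to a client's route table and reports whether the default route bypasses the VPN and which configured resolvers would be reached outside the tunnel. The interface names, addresses and route tables are constructed for illustration, and the model ignores any filtering the VPN client itself applies.

```python
import ipaddress

def egress_interface(routes, dst):
    """Return the interface a packet to dst leaves on: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["net"])]
    if not matches:
        return None
    best = max(matches,
               key=lambda r: (ipaddress.ip_network(r["net"]).prefixlen, -r["metric"]))
    return best["iface"]

def audit_tunnel(routes, resolvers, vpn_iface="vpn"):
    """Flag a split tunnel and list DNS resolvers reached outside the VPN interface."""
    # 192.0.2.1 (documentation range) stands in for an arbitrary Internet host.
    default_if = egress_interface(routes, "192.0.2.1")
    outside = [r for r in resolvers if egress_interface(routes, r) != vpn_iface]
    return {"split_tunnel": default_if != vpn_iface, "dns_outside_tunnel": outside}

# Constructed sample: split tunnel, only the corporate subnet is routed into the VPN.
SPLIT_ROUTES = [
    {"net": "0.0.0.0/0",       "iface": "hotel-lan", "metric": 20},
    {"net": "10.20.0.0/16",    "iface": "hotel-lan", "metric": 20},
    {"net": "192.168.10.0/24", "iface": "vpn",       "metric": 1},
]
SPLIT_RESOLVERS = ["192.168.10.5", "10.20.0.1"]  # corporate DNS, hotel DNS

# Constructed sample: full tunnel, the VPN default route wins on metric and only
# the concentrator's own address is reached directly over the hotel network.
FULL_ROUTES = [
    {"net": "0.0.0.0/0",       "iface": "vpn",       "metric": 1},
    {"net": "0.0.0.0/0",       "iface": "hotel-lan", "metric": 20},
    {"net": "203.0.113.10/32", "iface": "hotel-lan", "metric": 20},
]
FULL_RESOLVERS = ["192.168.10.5"]

if __name__ == "__main__":
    print("split:", audit_tunnel(SPLIT_ROUTES, SPLIT_RESOLVERS))
    print("full: ", audit_tunnel(FULL_ROUTES, FULL_RESOLVERS))
```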

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ROFLMAO....

    "No matter how foolproof you have made your system they turn around and breed better fools"

    that a user's son did some research
    In this case it seems that the fools themselves are evolving.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
