Problem: Some VPN clients may experience issues with name resolution, whether
in or out of the quarantine network. The issue can be seen by attempting to
PING a remote server by its short name only: the name cannot be resolved to an
IP address, resulting in a PING failure. However, the same PING test to the
remote server using its Fully Qualified Domain Name (FQDN) works as expected.
Cause: This is usually the result of the VPN client not having a valid DNS
suffix search list available. When a computer name is provided to Windows to be
resolved, Windows appends each configured DNS suffix to the name in order and
attempts to resolve the result as an FQDN. If no suffixes are in place, no
valid FQDN can be constructed and name resolution fails.
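The suffix search behaviour described above, as an added example that is not part of the original article: a simplified model of how Windows expands a short name into candidate FQDNs, with an injectable lookup function and a constructed zone table so the "no suffix list" failure can be reproduced offline. The host names and addresses are made up.

```python
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Simplified model: a single-label name gets each configured suffix appended in
# order, and each candidate is resolved as a fully qualified name. A name that
# already contains dots is tried as given first (assumption, not from the page).

def candidate_fqdns(name: str, suffix_list: Iterable[str]) -> List[str]:
    """Return the FQDNs Windows would try for `name`, in search-list order."""
    name = name.strip()
    suffixes = [s.strip(".") for s in suffix_list if s.strip(".")]
    if name.endswith("."):
        return [name.rstrip(".")]            # already fully qualified
    with_suffixes = [f"{name}.{s}" for s in suffixes]
    if "." in name:
        return [name] + with_suffixes
    # Single-label name: with an empty suffix list nothing can be built,
    # which is exactly the failure mode the article describes.
    return with_suffixes

def resolve_with_suffixes(name: str, suffix_list: Iterable[str],
                          lookup: Optional[Callable[[str], Optional[str]]] = None
                          ) -> Optional[Tuple[str, str]]:
    """Try each candidate; return (fqdn, ip) for the first hit, else None."""
    if lookup is None:
        def lookup(fqdn: str) -> Optional[str]:   # real resolver
            try:
                return socket.gethostbyname(fqdn)
            except socket.gaierror:
                return None
    for fqdn in candidate_fqdns(name, suffix_list):
        ip = lookup(fqdn)
        if ip is not None:
            return fqdn, ip
    return None

# Constructed zone data standing in for the internal DNS server (not real hosts).
FAKE_ZONE = {
    "fileserver.corp.example.com": "10.0.0.5",
    "mail.example.com": "10.0.0.6",
}

def fake_lookup(fqdn: str) -> Optional[str]:
    return FAKE_ZONE.get(fqdn.lower())

if __name__ == "__main__":
    ok = ["corp.example.com", "example.com"]
    print(resolve_with_suffixes("fileserver", ok, fake_lookup))   # short name works
    print(resolve_with_suffixes("fileserver", [], fake_lookup))   # None: no suffixes
    print(resolve_with_suffixes("fileserver.corp.example.com", [], fake_lookup))
```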
Furthermore, when a DNS suffix is configured on the DHCP server and ISA Server
is configured to issue IP addresses to VPN clients, the only DHCP options
received by the VPN clients are the DNS and WINS server addresses. No other
DHCP options are sent to the VPN client.
Workaround:
ISA Server can be configured to run a DHCP relay agent to allow VPN clients to
receive the additional DHCP options, including the DNS suffix list. Full
details of how to configure this are available on ISAserver.org
(http://www.isaserver.org/tutorials/2004dhcprelay.html).
Note: This article is applicable to ISA Server 2004 and 2006.
Alternatively, the DNS suffix settings can be configured via Active Directory
group policy. See Microsoft KB294785 (http://support.microsoft.com/kb/294785/)
for more information.
More information:
When ISA Server issues the IP address to a VPN client, it also includes the IP
addresses of the WINS and DNS servers (if configured). After ISA Server issues
the IP address, the VPN client sends a DHCP Inform request as a broadcast from
its newly issued IP address.
Note: This request is not part of the initial request for an IP address.
However, ISA Server drops the DHCP Inform packet it receives from the client
(ISA is the destination of the broadcast in this case) as per the default block
rule. Installing a DHCP relay agent allows ISA to forward the DHCP Inform
broadcast to the DHCP server, but this requires a rule allowing DHCP Request
packets into the ISA Server. ISA allows the request to leave the ISA Server,
destined for the DHCP server, via the built-in DHCP System Policy rule. The
DHCP server sends its response directly to the IP address of the client,
because the relay agent preserves the actual client IP when forwarding the
request to the DHCP server. Thus a second rule is required to allow the DHCP
server to send the DHCP Reply directly back to the VPN client.
Future versions of VPN-Q may include the ability to configure the DNS suffix in
the VPN client itself.