Internal and external IP resolution

Short Version:

Is there a way that I can configure Windows XP clients so that when they connect to our internal network over the VPN (RRAS) their DNS cache will clear and my internal DNS servers will move up to the top of the list of servers they use to resolve IP addresses?

Long Version:

We are having some inconvenient problems regarding name resolution when people are working remotely, specifically with Outlook clients connecting to our Exchange Server via the VPN. I am posting here because it is more of a networking issue than Exchange/Outlook.

Here is the scenario.

1. We have had our internal network set up since 2000 with the same domain name OURDOMAIN.COM.
2. We have on the network our Exchange 2003 server (upgraded years ago from 5.5), MAILSERVER.OURDOMAIN.COM.
3. Outlook clients are configured to connect to MAILSERVER (mailserver.ourdomain.com).
4. We also have registered on the Internet our domain OURDOMAIN.COM.
5. So we don't get rejected by overly aggressive SPAM filters like crummy Comcast and Verizon who think they own the Internet, we have to have our mail server set up so they can reverse lookup and see that the sending IP and DNS name match up, so we have MAILSERVER.OURDOMAIN.COM set up in our ISP's DNS list as something that can be reverse looked up.
6. Yes, the Exchange Server is locked down tight against open relays, etc.
7. Our internal network is 192.168.0.x.
8. We have set up a VPN server to allow remote access.

Now here is the problem. Users can get their mail without issue on the network. If they go on the road and directly connect to the VPN and then fire up Outlook, they get the right internal IP for MAILSERVER.OURDOMAIN.COM (192.X.X.X). However, if they just decide to bang out a few emails in Outlook and connect later to send them, they cannot, because Outlook already caused Windows to check for MAILSERVER.OURDOMAIN.COM and it resolved to the external IP address of the Exchange server.

To protect the Exchange server I have my firewalls configured to only accept port 25 from a limited number of IP addresses from my anti-spam service, and I naturally can't just open up the firewall for direct connections from Outlook clients to the Exchange server because I have no idea where in the world the users may be at any moment.

Is there a way that I can configure Windows XP clients so that when they connect to our internal network over the VPN their DNS cache will clear and my internal DNS servers will move up to the top of the list of servers they use to resolve IP addresses?

JN <m*@here.com> wrote:
> Short Version:

Is your internal domain name in AD, ourdomain.com?

> [...]

Your VPN users should be receiving only your internal IP addresses for DNS, dynamically assigned when they connect. However, since you have Exchange 2003, why would you not just use RPC over HTTP? That uses SSL, connects over 443, and doesn't open you up to relay issues or spam. Using VPN just for mail access is silly in this day & age ;-)
"JN" <m*@here.com> wrote in message news:uVNKJFP8JHA.4608@TK2MSFTNGP05.phx.gbl...
> [...]

It sounds like the VPN server is giving the clients an external DNS server in its IP configuration. It MUST only provide internal DNS addresses.

I also agree with Lanwench's assessment.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.


The internal DNS server is correctly resolving names with internal IP addresses. The problem is that if the user for any reason looks for MAILSERVER.OURDOMAIN.COM while off the network "before" connecting internally, the name will naturally be resolved by an external DNS from the ISP and will naturally resolve to the external IP. If they boot up and correctly connect to the VPN before firing up Outlook or addressing MAILSERVER.OURDOMAIN.COM, the IP will be resolved properly by our internal DNS to 192.x.x.x.

Example 1:

Boot up at home
Fire up Outlook
Outlook checks if MAILSERVER.OURDOMAIN.COM is available
MAILSERVER.OURDOMAIN.COM is resolved as 65.x.x.x
Connect to VPN
Open Outlook again
Computer checks DNS cache for server, still resolves to 65.x.x.x

Example 2:

Boot up at home
Connect to VPN
Fire up Outlook
Outlook checks if MAILSERVER.OURDOMAIN.COM is available
MAILSERVER.OURDOMAIN.COM is resolved as 192.168.x.x
Outlook functions fine.

As far as RPC over HTTPS, I was under the assumption that I had to have the Exchange Server as the Global Catalog. My network has a W2K DC and the W2K3 Exchange 2003 member server. I did not think I could get RPC over HTTPS to work with this setup.

"Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org> wrote in message news:O$4urcQ8JHA.3544@TK2MSFTNGP03.phx.gbl...
> [...]
"JN" <m*@here.com> wrote in message news:OP$SA%2338JHA.1492@TK2MSFTNGP03.phx.gbl...
> [...]

First, RPC over HTTPS, also known as Outlook Anywhere, works whether Exchange is on a DC or not, but it is HIGHLY preferable, and HIGHLY recommended, that it not be on a DC. It sounds like you're OK in this department. But you will need a public certificate for the Exchange server. Since you have Exchange 2003, that's easy. You just need a simple certificate that you can get at GoDaddy, Verisign, Digicert, etc. I like Digicert, but that's up to you. Go into Exchange's Windows Add/Remove, add components, Networking, and add RPC server.

Follow the following links to configure it:

How can I configure RPC over HTTP/S on Exchange 2003 (single ...
RPC over HTTP/S is a cool method for connecting your Outlook 2003 client to the corporate Exchange Server 2003 from the Internet or WAN, without the need ...
http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm

Configure Outlook 2003 to use RPC over HTTP/S
How can I configure Outlook 2003 to use RPC over HTTP/S? RPC over HTTP/S is a cool method for connecting your Outlook 2003 client to the corporate Exchange.
http://www.petri.co.il/configure_outlook_2003_to_use_rpc_over_http.htm

As for the other local DNS cache issue, it looks like a chicken-before-the-egg (or vice versa) issue. Normally when a VPN is connected, the VPN connection goes to the top of the binding order. Funny, I haven't had this issue with any of my customers, but then again, their internal and external names are different. One way to get around it is a batch file saved on the desktop to run a simple "ipconfig /flushdns". Just instruct them to double-click on it after they connect. There are other methods to reset the DNS eligible resolver list, but that is not needed here because, as I said above, the VPN becomes the default connection, so the resolver service will query the DNS entries on it first; it wouldn't matter to reset the list.

Oh, I wanted to comment on the "[...] aggressive SPAM filters like crummy Comcast and Verizon who think they own the Internet [...]" comment. It's actually the fact they use various RBLs, one of which is the SORBS list, which is pretty stringent. I've had to deal with SORBS once in the past at a place I worked that put us on their list when one user's credentials were hijacked and his account sent out over 20,000 emails overnight. Of course, without saying, it prevented us from sending to AOL, Verizon, Comcast and a few others. We went through their process to clean it up.

If you are having problems sending to these domains, and others, I would suggest checking whether your IP is on the SORBS list at www.sorbs.net. I would also check to see if you are on other RBLs just in case, as well as make sure you have a valid and correct SPF configured (http://old.openspf.org/wizard.html).

RBL Checks:

On an RBL? Find out why. Free tool. Instant, no registration required.
http://www.MXToolbox.com

MSRBL - Multi RBL Checker
Multi-RBL Check. Enter the IP address below to check listings in multiple RBLs. ... Checking RBLs (This may take up to a minute to process) ...
http://checker.msrbl.com

Multi-RBL checker, Multi-DNSBL lookup
Multi DNS blacklist (DNSBL), Real-time Blackhole List (RBL) lookup.
http://cqcounter.com/rbl_check/

I hope that helps.

Ace
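As an added example that is not part of the thread: the "ipconfig /flushdns" desktop batch file suggested above, extended so the user can also see whether mailserver.ourdomain.com (the host name and 192.168.0.x range are taken from the original post; adjust both for a real deployment) now resolves to the internal subnet before opening Outlook. Note that nslookup asks the DNS server directly rather than reading the local cache, so what it reports is which DNS server the client is actually using after the VPN comes up.

```batch
@echo off
REM Added example, not code from the thread: the "ipconfig /flushdns" desktop
REM batch file suggested above, extended to report which address the mail
REM server resolves to once the VPN is up.
REM Assumed values (taken from the original post): the host name and the
REM 192.168.0.x internal range. Adjust both for a real deployment.
setlocal
set MAILHOST=mailserver.ourdomain.com
set INTERNAL_PREFIX=192.168.0.

REM Step 1: drop any answer cached while the ISP's DNS was still in use.
ipconfig /flushdns >nul

REM Step 2: resolve the name again. nslookup queries the first DNS server on
REM the preferred (VPN) interface directly; it prints an "Address:" line for
REM that server first and one for the answer last, so the last match wins.
REM Assumes a single A record ("Addresses:" output is not handled).
set RESOLVED=
for /f "tokens=2" %%A in ('nslookup %MAILHOST% 2^>nul ^| findstr /B /C:"Address"') do set RESOLVED=%%A

REM Step 3: is the answer inside the internal range?
echo %RESOLVED%| findstr /B /C:"%INTERNAL_PREFIX%" >nul
if errorlevel 1 (
    echo WARNING: %MAILHOST% resolved to "%RESOLVED%", not the internal subnet.
    echo The VPN is probably not connected, or it is handing out an external DNS server.
    echo Do not start Outlook yet.
    pause
    exit /b 1
)
echo OK: %MAILHOST% resolves to %RESOLVED% through the VPN. Outlook can be started now.
pause
exit /b 0
```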