RAS'd in: why is traffic sent through the VPN router?


John A Grandy

Why is it when RAS'd into a VPN that much of your network traffic gets
routed through the inet router of the VPN ?

I'm not talking the case where you are Remote Desktop'd into a machine that
is part of the VPN's network.

I'm talking the case of having a VPN connection open, and the
following two types of requests:

1. Making simple browser requests from your box to public websites:
google.com , whatever. If you look at the tracert you see that the
VPN's network's router and then its inet provider is forwarding the
packets. This slows down speed of web access.

2. When Outlook needs to contact its assigned Exchange Server it tries to
find it on the VPN's network ! Incredibly annoying. You can see Outlook
popping up message boxes above the systray saying it's unable to find its
Exchange Server.

Can XP Pro SP2 be configured so that it knows to first go to the local network
and the local router for requested urls, including local network resources ?
 

Robert L [MS-MVP]

For security reasons, the default gateway uses the remote gateway. You may uncheck "Use default gateway on remote network" or modify the routing table. This link may help:

Routing issues on VPN: Can't access the internal server when remote client establishes VPN; Can't access the Internet while using VPN; Can't access the remote network after ...
www.chicagotech.net/routingissuesonvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 

Lanwench [MVP - Exchange]

John A Grandy said:
> Why is it when RAS'd into a VPN that much of your network traffic
> gets routed through the inet router of the VPN ?

In addition to Robert's reply (regarding 'use remote gateway'), you really
don't want anyone connecting to the company network from their own (possibly
insecure) networks via VPN, unless all non-VPN traffic is disabled at the
time.

> I'm not talking the case where you are Remote Desktop'd into a
> machine that is part of the VPN's network.
>
> I'm talking the case of having a VPN connection open, and the
> following two types of requests:
>
> 1. Making simple browser requests from your box to public websites:
> google.com , whatever. If you look at the tracert you see that
> the VPN's network's router and then its inet provider is forwarding
> the packets. This slows down speed of web access.

Perhaps, but I think it's worth the minor inconvenience given the security
issues opened up if you *don't* use remote gateway.

> 2. When Outlook needs to contact its assigned Exchange Server it
> tries to find it on the VPN's network ! Incredibly annoying. You
> can see Outlook popping up message boxes above the systray saying
> it's unable to find its Exchange Server.

Well, where *is* the Exchange server, and how do you connect to it?

> Can XP Pro SP2 be configured so that it knows to first go to the local
> network and the local router for requested urls, including local
> network resources ?

Yes; it's 'use remote gateway', but if the IT staff responsible for the
remote network care about security, they won't allow that to work.
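Both replies above come down to the client's routing table: Bob's fix (uncheck "Use default gateway on remote network", or edit the table by hand) and Lanwench's condition (VPN access is only acceptable when all non-VPN traffic is disabled). The script below is an added example, not code from the thread, from Microsoft or from ChicagoTech. It parses the IPv4 section of an XP `route print` listing, picks a route the way Windows does (longest prefix first, then lowest metric), reports whether a public address would leave the machine outside the tunnel, and builds the `route add` line for the manual option. The two tables are constructed to approximate what RAS installs with the box checked and unchecked; every address, interface name and metric in them is invented, and the class-based 10.0.0.0/8 route in the unchecked case is the behaviour as I remember it, not something the thread states.

```python
"""Resolve destinations against an XP `route print` table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN_IF = "192.168.1.50"     # assumed address of the client's LAN adapter
VPN_IF = "10.200.0.7"       # assumed address RAS assigned to the PPP adapter
VPN_SERVER = "203.0.113.5"  # assumed public address of the VPN server

# Constructed table: "Use default gateway on remote network" CHECKED.  RAS adds
# a second 0.0.0.0 route via the PPP adapter with metric 1, bumps the LAN
# default route to 21, and pins the VPN server itself to the LAN gateway.
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1    192.168.1.50     21
          0.0.0.0          0.0.0.0     10.200.0.7      10.200.0.7      1
       10.200.0.7  255.255.255.255      127.0.0.1       127.0.0.1     50
        127.0.0.0        255.0.0.0      127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0   192.168.1.50    192.168.1.50     20
      203.0.113.5  255.255.255.255    192.168.1.1    192.168.1.50     20
Default Gateway:        10.200.0.7
"""

# Constructed table: box UNCHECKED.  No default route via the PPP adapter; a
# class-based route (10.0.0.0/8 here, assumed) sends only the remote network in.
SPLIT_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1    192.168.1.50     20
         10.0.0.0        255.0.0.0     10.200.0.7      10.200.0.7      1
       10.200.0.7  255.255.255.255      127.0.0.1       127.0.0.1     50
        127.0.0.0        255.0.0.0      127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0   192.168.1.50    192.168.1.50     20
      203.0.113.5  255.255.255.255    192.168.1.1    192.168.1.50     20
Default Gateway:        192.168.1.1
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Read the 'destination netmask gateway interface metric' rows of the
    Active Routes section; header, blank and 'Default Gateway:' lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            metric = int(parts[4])
        except ValueError:          # non-address tokens, e.g. the column header
            continue
        routes.append(Route(network, parts[2], parts[3], metric))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """The route Windows would pick: longest matching prefix, then lowest metric."""
    dest = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dest in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def is_split_tunnel(routes: List[Route], vpn_interface: str,
                    probe: str = "198.51.100.10") -> bool:
    """True when a public address (probe is a documentation-range address) would
    leave through something other than the VPN adapter while the tunnel is up."""
    best = lookup(routes, probe)
    return best is not None and best.interface != vpn_interface


def route_add_command(network: str, mask: str, gateway: str, metric: int = 1) -> str:
    """XP `route add` syntax for pinning one more remote subnet to the PPP
    adapter when the default-gateway box is unchecked."""
    return f"route add {network} mask {mask} {gateway} metric {metric}"


if __name__ == "__main__":
    for label, table in (("checked", FULL_TUNNEL), ("unchecked", SPLIT_TUNNEL)):
        routes = parse_route_print(table)
        print(f"'Use default gateway on remote network' {label}:")
        for host in ("198.51.100.10", VPN_SERVER, "192.168.1.20", "10.50.1.4"):
            r = lookup(routes, host)
            where = f"{r.interface} via {r.gateway} ({r.network})" if r else "no route"
            print(f"  {host:>15} -> {where}")
        print("  split tunnel:", is_split_tunnel(routes, VPN_IF))
    print(route_add_command("172.16.0.0", "255.255.0.0", VPN_IF))
```

With the box checked, the PPP default route's metric of 1 beats the LAN default route's 21, so every public site goes out through the VPN; the one exception is the host route for the VPN server's own address, which must stay on the LAN or the tunnel would try to route itself through itself. Hosts on the client's own subnet still match the on-link /24 route, which is consistent with same-LAN file and SQL servers continuing to work while Outlook, which has to find its Exchange server by name and is probably resolving it through the VPN's DNS servers, does not. With the box unchecked only the 10.0.0.0/8 route uses the tunnel, and a remote subnet outside that range needs the manual `route add` line. On XP the checkbox is under the user's control, so an administrator who wants Lanwench's "all non-VPN traffic disabled" has to verify the table (the `is_split_tunnel` check) or enforce it elsewhere rather than trust the default.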
 

John A Grandy

Hi Bob, and thanks for the response.

I read through that article, but I'm not a networking guy, so it was a tough
read. (For example, why would setting the default gateway to the VPN's
enhance security?)

My client is XP Pro SP2. I know that the VPN is most probably built almost
entirely with Windows Servers, but I don't know the details.

I see how to uncheck "Use default gateway on remote network". However, my
understanding of the article leads me to believe that now I won't be able to
access resources local to the VPN network (which is the only reason I'm
connecting to the VPN in the first place).

My goals are: 1. my browser url requests should be routed to my local
gateway (a LinkSys BEFSX41 attached to a Comcast cable modem) and 2. app
requests for local resources (such as local Exchange Servers) should be resolved
locally (not be routed to the VPN).

Strangely enough, with the "Use default gateway on remote network" box
checked, I have no problem accessing any *other* type of local resource
(local web servers and file servers via browser, and SQL Servers via
SSMS05).

 

John A Grandy

I see this as a trade-off issue with 3 angles:

1. performance: yes, minor inconvenience when hitting google, but that's the
fastest site on earth. Other sites can go from 1-2 sec when routed via the local
inet gateway to 10+ secs when routed through the remote VPN inet gateway. This
eventually adds up to a significant loss in productivity. I know of a
company where 50%+ of employees have two boxes (typically one laptop, one
desktop). One box is RAS'd in to the client's VPN; the other is not and is
used for all web research.

2. security: if all client-originating inet traffic routes bidirectionally
through a better firewall, then yes, security is improved. When connecting a
home office to the workplace VPN, I see security issues as a reasonable argument
for "Use default gateway on remote network". However, when connecting from
one highly secure workplace environment to the VPN of another highly secure
workplace environment, I don't see the benefit -- unless one environment is
proven to be significantly more secure than the other.

3. system failures: in the workplace case, where Outlook points to an
Exchange Server (ES) on the local network, Outlook can easily become
locked up trying to locate its ES on the VPN. This can sometimes require
killing the Outlook process; and sometimes it even requires hard rebooting
the machine. This can kill a good 15 mins restarting all the apps, RAS'ing
in again, starting the apps on the VPN, etc.


 

Lanwench [MVP - Exchange]

John A Grandy said:
> I see this as a trade-off issue with 3 angles:
>
> 1. performance: yes, minor inconvenience when hitting google, but
> that's the fastest site on earth. Other sites can go from 1-2 sec
> when routed via the local inet gateway to 10+ secs when routed through
> the remote VPN inet gateway. This eventually adds up to a significant
> loss in productivity. I know of a company where 50%+ of employees have
> two boxes (typically one laptop, one desktop). One box is RAS'd in to
> the client's VPN; the other is not and is used for all web research.

That sounds like it might be a fine workaround, honestly, unless you allow
VPN only from locked-down company laptops, and make sure you aren't opening
up your network to uninvited guests. If you wouldn't plug some visitor's
uninspected laptop into your LAN, you ought to be equally paranoid about
letting people connect via VPN.

Note that there are plenty of VPN options out there that might improve
performance - even SSL VPN appliances, some of which have SSL accelerators
in them as well.

> 2. security: if all client-originating inet traffic routes
> bidirectionally through a better firewall, then yes, security is
> improved. When connecting a home office to the workplace VPN, I see
> security issues as a reasonable argument for "Use default gateway on
> remote network". However, when connecting from one highly secure
> workplace environment to the VPN of another highly secure workplace
> environment, I don't see the benefit -- unless one environment is
> proven to be significantly more secure than the other.

Sure - I do see your point. However, how will you, as the admin in HQ, know
whether to trust the connecting computer or not? If VPN is required on a regular
basis from a location, I'd set up VPN between the routers/firewalls, rather
than relying on a client.

> 3. system failures: in the workplace case, where Outlook points to an
> Exchange Server (ES) on the local network,

Local meaning, the client-side LAN?

> Outlook can easily become
> locked up trying to locate its ES on the VPN. This can sometimes
> require killing the Outlook process; and sometimes it even requires
> hard rebooting the machine. This can kill a good 15 mins restarting
> all the apps, RAS'ing in again, starting the apps on the VPN, etc.

I haven't seen that happen myself. I'm not doubting you, just saying I
haven't seen it. I presume name resolution isn't the issue? Outlook 2003 and
cached mode make life a lot easier for everyone, note... not sure if you're
running that or not. In fact, OL2003, cached mode, and RPC over HTTP mean I
rarely have any clients using VPN anymore, except for the few who sync local
files to their home directories, etc., and they don't stay online very long
to do that.

Terminal Services is another swell option if you have the budget for it. And
the performance is a hell of a lot better, in most cases.

Sorry I can't provide more help. Just my $.02.
 

paragon

As far as security goes, the VPN we connect to requires personalized
microchip cards in card readers USB'd into each dev box, with custom software to
handle card reading and authentication. The cards have user-specific PINs;
plus, account credentials (username + password) are required to access any
specific boxes or apps housed within the VPN domain (as opposed to their
intranet in general).

As far as Outlook ... I don't think we're running in cached mode or RPC over
HTTP. Our typical use for Outlook is either the typical usage case (Exchange
Servers housed on our LAN), or employees RAS'ing in from home to *our* VPN (not
the customer's). Many employees actually shut their Outlook down while
they are RAS'd into the customer's VPN.

 
