VPN Clients and DNS/WINS registration

Zane

I have VPN clients connecting to our corporate network using XP built in VPN
clients -

Question or request:

When the VPN clients connect, HOW can I have the capability to PING these
clients by HOSTNAME or DNS Name from internally? Not IP, but Hostname.

Example:

JoeVPN connects via VPN to our corp network, then I would like to PING this
VPN connected computer while I am at the corporate network (in office).

Obviously, the VPN clients must register their name WINS or DNS wise that
must be "routable" or understood by VPN.

I hope that makes sense - thx!
 
Ace Fekay [MVP]

Zane said:
I have VPN clients connecting to our corporate network using XP built
in VPN clients -

Question or request:

When the VPN clients connect, HOW can I have the capability to PING
these clients by HOSTNAME or DNS Name from internally? Not IP, but
Hostname.

Example:

JoeVPN connects via VPN to our corp network, then I would like to
PING this VPN connected computer while I am at the corporate network
(in office).

Obviously, the VPN clients must register their name WINS or DNS wise
that must be "routable" or understood by VPN.

I hope that makes sense - thx!

VPNs are an interesting facet and cause issues and are somewhat problematic
due to the DNS settings of the client. I know of one person, Dean Wells
(MVP), who created a little script that will populate the HOSTS files of
the users' machines when they connect in for all the resources they need to
use internally. I don't know if anyone else came up with something else to
address this. You can also check the VPN properties on the client to ensure
it uses the VPN connection as the default once it's connected, assuming it's
getting the DNS addresses from the VPN server.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Herb Martin

Zane said:
I have VPN clients connecting to our corporate network using XP built in VPN
clients -

Question or request:

When the VPN clients connect, HOW can I have the capability to PING these
clients by HOSTNAME or DNS Name from internally? Not IP, but Hostname.

Example:

JoeVPN connects via VPN to our corp network, then I would like to PING this
VPN connected computer while I am at the corporate network (in office).

Obviously, the VPN clients must register their name WINS or DNS wise that
must be "routable" or understood by VPN.
I hope that makes sense - thx!

Perfectly. First, do these clients "get" the correct DNS and
WINS server settings on connect (as clients themselves?)

If their IP properties are being correctly (and temporarily)
modified then the next step is to get them to register.

[I have not tried this personally; I just know how it works and
predict this is the method. ]

If not, we have to get the RRAS/VPN server to give them the
correct (Dynamic) DNS server and the correct WINS server.
(Yes I know this is so they can find "other" machines but this
is also where you wish them to register in order to be found.)

Now, run the registration for each name resolution type:

ipconfig /registerDNS
nbtstat -RR

Nbtstat is for WINS and "case COUNTS" in that "big RR" command.

I believe your users may need to be admins on their box for these to operate.
If it works (as I describe) we could probably get around the admin
requirement with a bit of work.

Let me know where you have problems or when it works - or if
you have to tweak or add any steps, please.
 
ptwilliams

Another alternative to the other good suggestions is to give the VPN
Connection Gateway setting a higher metric than that of the NIC that
accesses the web. DNS binds to the NIC with the gateway; thus a higher
(well lower actually) metric will force DNS to look to the internal DNS
server not your ISP's.

--

Paul Williams
_________________________________________
http://www.msresource.net

Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
Herb Martin

ptwilliams said:
Another, alternate to the other good suggestions, is to give the VPN
Connection Gateway setting a higher metric than that of the NIC that
accesses the web. DNS binds to the NIC with the gateway; thus a higher
(well lower actually) metric will force DNS to look to the internal DNS
server not your ISPs.

You mean lowest numeric for the preferred "interface", right?
(So what we really need to do is bump the cost up on the hardware
NICs so that they will always be greater.)

I don't think this is dynamic though when the interfaces are added;
is that correct or not?

At least not for NEW "registration" -- it will start using that DNS for
resolution and will register there if we Re-Register DNS (or WINS)
but it won't just do it without prompting I think.
 
Phillip Windell

I never had to go through any special accommodations for the ones I used. I
simply made sure that the VPN Connection received the proper WINS and DNS
settings via DHCP and everything worked fine. One other situation where it
received only the IP#/Mask from DHCP but nothing else, so I simply added
the WINS and DNS entries statically into the connectoid settings. I never
had a bit of trouble with it.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
ptwilliams

> You mean lowest numeric for the preferred "interface", right? (So what
> we really need to do is bump the cost up on the hardware NICs so that they
> will always be greater.)

Yes, I always use highest - but I meant highest as in highest priority -
lowest number in reality ;-)

> I don't think this is dynamic though when the interfaces are added; is
> that correct or not? At least not for NEW "registration" -- it will start
> using that DNS for resolution and will register there if we Re-Register DNS
> (or WINS) but it won't just do it without prompting I think.

I honestly don't know!! I guess it depends on the DNS Registration
settings, and the aging settings...but I'm not sure.

I see what you are saying, and this is perhaps not dynamic enough; but with
a little effort it certainly works. The issue is, as you imply, for
non-admin users... :-(



--

Paul Williams
 
Ace Fekay [MVP]

Phillip Windell said:
I never had to go through any special accommodations for the ones I
used. I simply made sure that the VPN Connection received the proper
WINS and DNS settings via DHCP and everything worked fine. One other
situation where it received only the IP#/Mask from DHCP but nothing
else, so I simply added the WINS and DNS entries statically into the
connectoid settings. I never had a bit of trouble with it.

I've always heard of mixed views on this. Glad it worked out for you!
:)

--
Regards,
Ace

 
Ace Fekay [MVP]

ptwilliams said:
(So what we really need to do is bump the cost up on the hardware
NICs so that they will always be greater.)

Yes, I always use highest - but I meant highest as in highest
priority - lowest number in reality ;-)


added; is that correct or not? At least not for NEW "registration"
-- it will start using that DNS for resolution and will register
there if we Re-Register DNS (or WINS) but it won't just do it without
prompting I think.

I honestly don't know!! I guess it depends on the DNS Registration
settings, and the aging settings...but I'm not sure.

I see what you are saying, and this is perhaps not dynamic enough;
but with a little effort it certainly works. The issue is, as you
imply, for non-admin users... :-(

As with anything else, something to be tested. I've heard of so many
different solutions, it's hard to say what's best. But whatever works is what
I say!
:)

--
Regards,
Ace

 
Bill Grant

On re-reading the original post, we (except Herb) seem to be missing the
point. What he really wants to do is resolve the name of the remote client
from the LAN end. This requires the remote client to register its name and
VPN IP address correctly in WINS and/or DNS.

Registering in WINS should work as long as the client gets the correct
WINS address. The problem with registering "transient" connections in WINS
is that they hang around for quite a while after the user disconnects.

One suggestion I have seen (and tried in a test setup) uses DDNS.
Create a zone for the remotes (say remotes.mydomain.com ) and set the client
to register in DNS with this suffix. The zone should, at any time, have
entries for all currently connected remote clients.
 
Ace Fekay [MVP]

Bill Grant said:
On re-reading the original post, we (except Herb) seem to be
missing the point. What he really wants to do is resolve the name of
the remote client from the LAN end. This requires the remote client
to register its name and VPN IP address correctly in WINS and/or DNS.

Registering in WINS should work as long as the client gets the
correct WINS address. The problem with registering "transient"
connections in WINS is that they hang around for quite a while after
the user disconnects.

One suggestion I have seen (and tried in a test setup) uses DDNS.
Create a zone for the remotes (say remotes.mydomain.com ) and set the
client to register in DNS with this suffix. The zone should, at any
time, have entries for all currently connected remote clients.

Good point. I have to remind myself to read closer next time! :)

We can use a short TTL in WINS, but that can cause replication errors
among partners, as I've found in the past. The remote zone sounds like a good
idea. After all, AD doesn't really require the clients to register in 99% of
the cases. But the one thing that must be done to ensure that, as you said,
is to set the Primary DNS Suffix on the clients in order for this to work. A
GPO setting can handle this, with possibly following ptwilliams' suggestions
with the metrics and binding order and making sure the client is set to use
that as default when connected so the DNS address from the VPN connection is
used to register and ensuring the GPO applies.

--
Regards,
Ace

 
Thomas W Shinder [MVP]

Hi Bill,

I routinely turn off this function for VPN clients, as you'll end up with a
holy mess of your own making. However, you are correct, the VPN clients can
leverage DDNS to register their names and create subsequent problems.

HTH,
--
Tom
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
ISA Server and Beyond Seminars - http://tinyurl.com/9sce
MVP -- ISA Server 2000
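
Added example, not from the thread or from any poster: a small Python audit of the dedicated remote-client zone Bill Grant describes, flagging the stale and mis-registered entries that Thomas Shinder's caveat points at. Only the zone name remotes.mydomain.com comes from the thread; the address pool, host names, zone export and session list are constructed sample data.

```python
"""Audit a dedicated VPN-client DNS zone against the live VPN session list."""
import ipaddress

# Zone name is the example used in the thread; everything else is constructed.
ZONE = "remotes.mydomain.com"
VPN_POOL = ipaddress.ip_network("10.10.50.0/24")  # assumed RRAS address pool

# Constructed zone export in DNS master-file style (A records only matter here).
ZONE_EXPORT = """\
; constructed sample export of the remotes zone
joevpn    1200 IN A 10.10.50.21
annvpn    1200 IN A 10.10.50.22
oldlaptop 1200 IN A 10.10.50.21
homepc    1200 IN A 192.168.1.7
"""

# Constructed list of currently connected clients: (client name, VPN address).
ACTIVE_SESSIONS = [
    ("JOEVPN", "10.10.50.21"),
    ("BOBVPN", "10.10.50.23"),
    ("HOMEPC", "10.10.50.24"),
]


def parse_a_records(text, zone):
    """Return [(fqdn, address)] for every A record in a master-file export."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        # Skip the optional TTL and class fields before the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) != 2 or rest[0].upper() != "A":
            continue
        # Relative owner names are completed with the zone name.
        fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{zone}"
        records.append((fqdn.lower(), ipaddress.ip_address(rest[1])))
    return records


def audit_zone(records, sessions, zone, pool):
    """Compare registered names with live sessions and report mismatches."""
    live = {
        (f"{name.lower()}.{zone}", ipaddress.ip_address(addr))
        for name, addr in sessions
    }
    registered = set(records)
    names_by_ip = {}
    for fqdn, addr in registered:
        names_by_ip.setdefault(addr, set()).add(fqdn)
    return {
        # Record left behind after the client disconnected.
        "stale": sorted(f for f, a in registered - live if a in pool),
        # Client registered a non-VPN address (for example its home LAN IP).
        "wrong_address": sorted(f for f, a in registered if a not in pool),
        # Pool address reused: an old name now points at a different machine.
        "shared_ip": {
            str(a): sorted(n) for a, n in names_by_ip.items() if len(n) > 1
        },
        # Connected client whose name does not resolve to its VPN address.
        "not_resolvable": sorted(f for f, a in live - registered),
    }


def run_sample_audit():
    """Run the audit over the constructed sample data above."""
    return audit_zone(
        parse_a_records(ZONE_EXPORT, ZONE), ACTIVE_SESSIONS, ZONE, VPN_POOL
    )


if __name__ == "__main__":
    for finding, value in run_sample_audit().items():
        print(f"{finding}: {value}")
```

The shared_ip finding is the one to watch: once a pool address is handed to a new client, a leftover name silently resolves to someone else's machine.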


 
ptwilliams

Hey Tom, we don't see you here often ;-)

How's that ISA/VMware article coming along???

(I'll have to write it myself at this rate <grin>)

--

Paul Williams
 
Phillip Windell

Bill Grant said:
On re-reading the original post, we (except Herb) seem to be missing the
point.

(ahhemmh) Hey now,...I knew what was up,...but I said my little "thing" and
then got out of the way. ;-}
 
Thomas W Shinder [MVP]

Hi Paul,

LOL! I do think about it every day. :)

I've been busy writing the ISA 2004 book, so it keeps getting on the back
burner. The good news is that chapter 6 will have the complete VMware
procedure for the example network used throughout the book. So, by the time
Chapter 6 is finished, that content will be ready and I'll post it to the
www.isaserver.org site (No, don't ask me to do it for VPC too :)

Thanks!
--
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


 
ptwilliams

Ah well, the 2004 book *is* more important.

I'll let you off...

Glad to hear that's coming along ;-)

--

Paul Williams
 
Ace Fekay [MVP]

Thomas W Shinder [MVP] said:
I'll post it to the www.isaserver.org site (No, don't ask me to do it
for VPC too :)

Thanks!

I was just going to ask that...
:)

--
Regards,
Ace

 
Thomas W Shinder [MVP]

Hi Paul,

Thanks! I promise as soon as that section in chapter 6 is done, I'll give it
away on www.isaserver.org!

--
Tom
 
Thomas W Shinder [MVP]

Hi Ace,

LOL! Guess it doesn't hurt to ask :)
--
Tom