• Status: Solved

Set DNS when VPN into work

Hi,

I am using a Nortel Client to VPN into my office.  There doesn't seem to be any DNS available.  When I am logged in, I cannot access any external sites by name.  I.e., www.yahoo.com doesn't work, but if I put all of the names in my host file, it does.

My question is: can I do something to my computer to point it to a root DNS server when I am using VPN?

Thanks...

JConchie Commented:
If your office has a DNS server, it is probably set up as a redirector, and you can use that ip address on the "virtual adapter" for the VPN.

If not, just go to start/run/cmd, to get to a command prompt and type in: ipconfig /all  

That will give you the settings on your physical nic and on the "virtual adapter" for the vpn.  The DNS IPs on the physical NIC will be the ones you have gotten from your DSL/Cable ISP......copy them down and use them on your vpn settings too.

a222493 Author Commented:
Thanks JConchie,

But how do I "use them" on my vpn settings?

a222493 Author Commented:
... The Nortel Client does not allow me to specify the DNS server.  Can I do this via command line?

JConchie Commented:
Not familiar with the Norton client, we use Sonicwall.....but when you right click on "my network places", click properties.....you should see both "local area connection".....which is your physical NIC.....and some sort of VPN/virtual adapter...........if you do, right click on it and click properties,....then highlight "Internet Protocol (TCP/IP)" and click the properties button....you can then manually enter the DNS addresses.

If you don't see any kind of virtual adapter, I would suggest a quick call to Norton, they can tell you how to set the DNS on the client.

JConchie Commented:
Got norton on the brain today..... :-)    everywhere, above, I said "Norton", substitute "Nortel"

jatcan Commented:
You must ask the administrator of the Nortel client to allow you to access outside the internal network while logged into the VPN, I believe, if memory serves me correctly, you must configure this in the Nortel Contivity Client's Administration Module from the server itself...not sure though...something about using the VPN gateway for external networks or some such thing, if memory serves me that is...

Jatcan

mikeleebrla Commented:
you probably have the wrong gateway set,,,,, the link below (near the bottom) shows how to switch to the local gateway rather than the remote gateway for the windows 2000 VPN client... I know it's not for nortel, but you need to find the nortel equivalent of this... b/c if nortel is like the windows client it is set to use the remote machine's gateway which is NOT what you want and it will prevent you from surfing the internet when the VPN is connected:

http://edserv05.its.yale.edu/ras/vpnwin2000.htm

jatcan Commented:
The Nortel Contivity client is ruled by the Nortel Contivity administration software. You need to ask someone who has admin access to the Nortel Contivity configuration program...I know this because I have used this.

Cheers,

Jatcan

a222493 Author Commented:
Thanks jatcan.

1) I believe that I have access to the Nortel download site.  I am using V04_12.05 of the client software.  Can I download the configuration program?  I see the "Name Server" option, but it is disabled.

2) Is there no command line TCP/IP tool that I can use to set the DNS?

fletch72 Commented:
A quick and easy solution is just to toss in an lmhost or host file on your machine, of course getting the nortel working is the best way to go but I thought I would toss this out there.  Depends on how many users you have.

a222493 Author Commented:
I tried the host file, but the number of entries quickly became unmanageable just to get to Yahoo!!

fletch72 Commented:
So you can do nothing at all, it isn't just browsing the internal network?  I know it was mentioned above but run an Ipconfig /all and see what IP, dns, gateway addresses you are getting for the nortel network adapter or however it shows up in there.  I would also say there should be an option to select "use remote gateway" or something like that.
What happens if you do a tracert to an internal system and then like yahoo or something?  

jatcan Commented:
OK-I am going to say it one more time. Ask the nortel administrator. He/She should know where to set this option on the nortel device itself...you know, that Nortel VPN HARDWARE BOX in the server room? THAT'S where you will find access controls for the VPN. You WILL NOT find access controls or configuration controls on the client.

Jatcan

jatcan Commented:
Well, this is not 100% true, the client has been configured by a VPN admin and that option has been greyed out because they DO NOT want you to change it, having an external gateway for their internal VPN constitutes a security risk and most likely this setup is by design and on purpose. SO, you connect to the vpn, get your email and then disconnect from the vpn to do your normal surfing...

Cheers,

Jatcan

jatcan Commented:
You KNOW though, if they haven't blocked access....OK, you may be able to surf by configuring your web browser to use an internal proxy server...so, when you are connected to the lan via the VPN, open up IE, and click tools, internet options, then connections tab, then lan settings button near the bottom, type in the proxy server address for your internal network here, click OK, then apply, ok, and test.

This assumes that the administrators have given access to remote users to surf the web via proxy servers...

Cheers,

Jatcan

jatcan Commented:
This means that the speed of your VPN is the speed of your surfing. SO, if you use highspeed at home but need to vpn through dial up, then while connected to the vpn you have dialup speeds.

J

a222493 Author Commented:
I never resolved this issue.  If no one has anything else to add, I'd like to request the moderator to close this question and refund the points.

jatcan Commented:
If you are not the admin of the Nortel VPN switch and/or you do not have administrative permissions on the vpn server/switch, then you can't change the DNS settings, you have to request that change from the domain administrator. That is the answer and the resolution. The issue IS resolved, ask your administrator,,,,,I've worked with this particular client and I couldn't change it either, until the administrator gave me permission to do so....

J

jatcan Commented:
I believe what you are proposing is referred to as "split tunnelling" and it poses a security risk to the network/domain. Not being able to access the internet while connected to a VPN is a standard policy to prevent your machine from acting as a router through/around the firewall. It is a security risk to allow you access to the internet while connected through the VPN. If you are a knowledgeable user the admin may allow you access, or if your job depends on having that internet access simultaneous with the domain connection, again it may be allowed. You should ask.

Cheers,

Jatcan


a222493 Author Commented:
jatcan,

I need a more specific answer.  "Ask the nortel administrator" does NOT solve my problem.  The nameserver option is greyed out on my client.  I don't think that I need "permissions on the vpn server/switch" to change my client configuration.  

What exactly does the administrator need to give me to do this?

JConchie Commented:
Please refer to my comments above....all you need to resolve this is to manually put the ip address of your internal DNS server into the dns settings of the local connection on the client machine.....and to make sure that your internal DNS server is set up as a redirector for internet name resolution.

Everything else about nortel configuration is a red herring and is leading in completely the wrong direction.  This is a simple DNS/name resolution issue .....and can be simply solved.

jatcan Commented:
Try JConchie's suggestion. The DNS is most likely NOT setup as a redirector, internal/external DNS, but go ahead and try it. He IS right, I just don't think that the domain is setup that way. Might be though-who knows until ya try.

The administrator can give permissions to set dns within the Nortel Contivity Client. The administrator can also give you permission to change your local DNS settings, something that users do not have by default.

As far as a DNS issue goes, I don't think so, it is more likely a routing issue...but I may not be knowledgeable enough as of this moment about DNS to say for sure. JConchie may be right, I may be way off base here, it has been over 2 years since I even thought about this situation. It has been that long since I faced it. I believe the VPN connection causes your gateway to become local host.

OK-so for example, on linux (because it is what I am using) if I had a local network of 192.168.8.X and a VPN external network connection of 10.1.0.0 I would perform the following command in the terminal:


route add -net 0.0.0.0 gw 192.168.8.4

This would cause all local network traffic to pass through the gateway 192.168.8.X instead of the gateway 10.1.0.X

On windows I am not sure how to do it, but I believe it CAN be done, but not without you having local administrator privileges. Again, contact your administrator.

Cheers,

J

jatcan Commented:
I hope the problem gets resolved, or that it already has been.

Cheers and good luck,

J

JConchie Commented:
Modelo,
Absent any feedback from the questioner, I would object to the point refund.  There were a number of specific suggestions...including mine....as ways to deal with the issue.....and no feedback of the nature of "I tried that and this happened."  Kind of hard to help someone who doesn't respond.

jatcan Commented:
My guess is that the questioner is a user and needs to ask the admin...my deepest apologies if I am wrong.

J

a222493 Author Commented:
I'm not trying to be cheap about points, and I appreciate feedback.  I'm just trying to play by the rules of the board.

I am a user but also an administrator/developer for my domain.  Another agency in our organization controls the VPN Nortel switch and the configuration/distribution of the Nortel Client.  I/we don't have direct access to the people who created the customized Nortel Client, so I can't just "ask the administrator".
 
Perhaps I am not explaining myself well, if so, I apologize.  I’ll give it one more try.

Occasionally when I VPN into my office network using my Nortel Client, a DNS server does not get assigned. (I know this because names are not resolved, and an Ipconfig /all reveals no DNS assignment).  I don’t know why this happens only once in a while, but it does.  To solve the problem, I’d like to do one of two things:

1)  Use the command line on my client machine to add a DNS server (I don't think that this can be done)

2) Configure the Nortel client software to always point to a particular DNS server by specifying it in the client interface.  

(By the way, trying to track down the person/entity that could debug the real problem of why a dns server is not being specified would be next to impossible.  Therefore, I’d like to solve it at least for myself and my local organization.)

I think that my only real option is option #2 above.  The problem is that the textbox on the Nortel client has been disabled (grayed out).  I would assume that this was accomplished by some kind of Nortel Toolkit/configuration utility.  I think that if such a toolkit exists, I can download it from the Nortel site.  I have access through our organization.  So my real question would be simply:  Am I correct about the toolkit?  What is it called?  How do I use it?

JConchie, I did respond to your original posts.  Your response to me was "Not familiar with the Nortel client", which is what I ultimately needed/need help with.

a222493 Author Commented:
BTW,

I have local domain administrator privileges, and my platforms are all Windows (XP, 2000)...


JConchie Commented:
"JConchie, I did respond to your original posts.  Your response to me was "Not familiar with the Nortel client", which is what I ultimately needed/need help with."

Then you obviously haven't read the whole thread.  eg:  "Please refer to my comments above....all you need to resolve this is to manually put the ip address of your internal DNS server into the dns settings of the local connection on the client machine.....and to make sure that your internal DNS server is set up as a redirector for internet name resolution.

Everything else about nortel configuration is a red herring and is leading in completely the wrong direction.  This is a simple DNS/name resolution issue .....and can be simply solved."
 

jatcan Commented:
Ok this:

Another agency in our organization controls the VPN Nortel switch and the configuration/distribution of the Nortel Client.  I/we don't have direct access to the people who created the customized Nortel Client, so I can't just "ask the administrator".

And this:

I think that my only real option is option #2 above.  The problem is that the textbox on the Nortel client has been disabled (grayed out).  I would assume that this was accomplished by some kind of Nortel Toolkit/configuration utility.  I think that if such a toolkit exists, I can download it from the Nortel site.  I have access through our organization.  So my real question would be simply:  Am I correct about the toolkit?  What is it called?  How do I use it?

Tell me exactly what I have been trying to tell you for the WHOLE period of time this question has spanned.

YOU HAVE TO CONTACT SOMEONE WHO HAS ADMINISTRATIVE RIGHTS ON THE NORTEL CONTIVITY SWITCH!!!!!!!!!!! THAT PERSON CAN SET THE SWITCH's CLIENT permissions settings to allow clients to configure/change their own DNS server, it is set to disabled by default and THAT IS WHY THE SETTINGS ARE GREYED OUT!!!!!!

You know what? Whatever, I gave you the answer, the only answer that will work 100% for sure. I really do not care one whit about the points. Just contact the nortel switch's administrator and ask him/her....

or, if you have local admin rights then do this to see if it all works out right:

netsh interface ip set dns "Local Area Connection" static 192.168.x.x

OK the "Local Area Connection" is the name of the network connection in which you want to set a dns, this will set your dns to be static while leaving the IP/subnet and gateway to be obtained using dhcp...if the adaptor connection is named "Local Area Connection 1" or 2 or 3 or whatever, replace it in my command to match yours....the IP address in my command should be changed to reflect the DNS server you DO want to use...


now all that above will not work if the default route is the gateway of the VPN connection....so you also have to do this command:

route add 0.0.0.0 mask 0.0.0.0 192.168.x.x

The 192.168.x.x should reflect your normal gateway IP when you are NOT connected to the VPN....

Have fun.

John



jatcan Commented:
Oh yeah, add the route AFTER you have connected to the VPN because while you are NOT connected assumedly you DO have the default route for local IP traffic...

Now I am done, completely, if these two things do not work, then again, one last time, you need an administrator who has access to the HARDWARE Nortel switch...sorry, this is frustrating.

Cheers,

John

a222493 Author Commented:
JConchie,

I don't agree that this is not a Nortel issue.
When you say: "all you need to resolve this is to manually put the IP address of your internal DNS server into the DNS settings of the local connection on the client machine.....and to make sure that your internal DNS server is set up as a redirector for internet name resolution"

I am working out of my house and VPNing into work.  I don't have an internal DNS server!!!    My laptop is configured to use my service provider's DNS machines.  My understanding of how VPN works, is that once connected, this virtual adapter's settings (DNS) are now used, and the adapter's settings like "Local Area 1"'s settings are ignored.

John,
Are you suggesting that the VPN Switch administrator has to perform some action on the switch that would ungray the textbox on my client software?  That just doesn't sound right...  I was expecting something like the tool that is used to customize Internet Explorer.  You can use this tool to disable a lot of the user settings (like homepage) then generate a new ie.exe to be distributed.

As for your other suggestion with the Local Adapter, I’ll give them a try tonight when I get home…

Thanks for the additional thought.

JConchie Commented:
You are VPNing into your LAN at work....you need to be able to do name resolution on that Lan in order to reach any of its resources.....hence you need to be using the internal dns on that Lan.

jatcan Commented:
a222493:

I believe that this is the case, the administrator of the Nortel Contivity client has to enable (or disable) a setting from the nortel contivity console (I believe it is software installed onto a "security-confirmed" server as opposed to a setting on the switch itself) which controls the hardware switch and the software clients...you are using tokens are you not? and SecureID cards? Maybe not, that's the system that was setup at a major OEM I used to work for... I was a technician on the client side and needed to make this change within the Nortel Contivity client, the boxes were greyed out, I asked the administrator, who also was administrator of the Nortel Switch, to change this for me and he gave me "permission" to do it myself...meaning he UN-GREYED... the DNS settings on the Nortel Contivity client so I could change them myself..The Norton System Console is similar, you can enable or disable certain features or settings in the client as well as the server. I believe the add route and static DNS was what I did to get around another administrator who was not so nice to me:-) wouldn't let me surf while I copied files from a network share:-)

I am not sure if the above will work or not, I believe this is how I got around it last time, not sure...I AM sure that you'll let me know though:-)

John

PS: I found this and it is just weird, had to show you, just in case, a piece of another thread from another forum:
==========
If I have the TIP open (i.e. the input panel "bar" is displayed) and launch
my Nortel Contivity VPN client (version 4.65.32), the Passcode field is
missing. That is, the word "Passcode" appears, but the actual white field
into which characters can be typed is not there - just grey. Other fields and text appear fine.

==========

The user has installed Tablet Edition 2005 and has an open TIP bar docked to the top of his screen, when he docks the TIP bar to the bottom or sides of the screen this behaviour does not occur..just in case you have Tablet Edition 2005....(Sheepish grin...)

I hope this resolves your issue since you have to contend with admins from an outside company, been there, done that, as most of us have...they got their policies that THEY got to follow too, right?

Cheers,

J

jatcan Commented:
And this:

(By the way, trying to track down the person/entity that could debug the real problem of why a dns server is not being specified would be next to impossible.  Therefore, I’d like to solve it at least for myself and my local organization.)

Makes me suspect that you work for the Canadian Government...LOL

Cheers,

J

jatcan Commented:
The way that the built in VPN connection of Windows XP "allows" internet traffic (As shown in the picture from the university link posted by JConchie) is because it keeps the OS's default route to the internet gateway the same as before VPN connection establishment; as opposed to changing it to the VPN's gateway (the default on both XP and Nortel's VPN clients), the same thing is/can be done by the Nortel Contivity client and when one cannot surf from home then it has not allowed that, and/or the DNS servers cannot be reached in a timely manner over that slow dialup connection, and all requests for internet traffic are timing out...either way, if you have local admin privileges you should be able to statically setup your ISP's dns servers, and route add the default route back into service once the vpn connection has been established...I really, really think that's how I did it...ah well, I'm done either way, Hope it works. Just for fun, setup the DNS static, connect to the VPN then try and surf, to see if JConchie is correct (I am curious) and if you still cannot surf, add the default route back like I said, then try it again......I'm not being a smart ass here, I really can't remember if setting local connection to use static dns will work or not--it just does not make any sense to me if it does work is all---and JConchie will have a bit of explaining to do....:-)

Cheers,

John
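
The routing behaviour debated in this thread (which default route wins while the tunnel is up) can be checked from the route table. The following is an added example, not code from any poster or from Nortel: it parses the IPv4 rows of `route print` output and reports whether a host is in full-tunnel or split-tunnel mode. The sample tables are constructed from the thread's example addressing, and the 10.1.0.0/16 VPN subnet and the function names are assumptions.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest mask gateway iface metric")

# Constructed `route print` excerpts using the thread's example addressing
# (home LAN 192.168.8.x behind 192.168.8.4, VPN network 10.1.0.x).
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.0.1       10.1.0.57       1
         10.1.0.0      255.255.0.0        10.1.0.57       10.1.0.57       1
      192.168.8.0    255.255.255.0     192.168.8.20    192.168.8.20      20
"""
# Same host after a second default route via the home gateway was added.
SPLIT_TUNNEL = FULL_TUNNEL + (
    "          0.0.0.0          0.0.0.0      192.168.8.4    192.168.8.20       1\n")
VPN_DOWN = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.8.4    192.168.8.20      20
      192.168.8.0    255.255.255.0     192.168.8.20    192.168.8.20      20
"""


def parse_routes(text):
    """Return Route tuples for every IPv4 row; headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest, mask, iface = (ipaddress.IPv4Address(parts[i]) for i in (0, 1, 3))
            metric = int(parts[4])
        except ValueError:
            continue  # not a route row
        routes.append(Route(dest, mask, parts[2], iface, metric))
    return routes


def tunnel_mode(route_print_text, vpn_subnet):
    """Classify the host as 'vpn-down', 'full-tunnel' or 'split-tunnel'."""
    vpn = ipaddress.ip_network(vpn_subnet)
    routes = parse_routes(route_print_text)
    if not any(r.iface in vpn for r in routes):
        return "vpn-down"
    zero = ipaddress.IPv4Address("0.0.0.0")
    defaults = [r for r in routes if r.dest == zero and r.mask == zero]
    via_vpn = [r.metric for r in defaults if r.iface in vpn]
    other = [r.metric for r in defaults if r.iface not in vpn]
    if not other:
        return "full-tunnel"  # nothing can leave outside the tunnel
    # A non-VPN default route that ties or beats the VPN one lets Internet
    # traffic leave outside the tunnel while the tunnel is still up.
    if not via_vpn or min(other) <= min(via_vpn):
        return "split-tunnel"
    return "full-tunnel"


if __name__ == "__main__":
    for name, sample in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("down", VPN_DOWN)):
        print(name, tunnel_mode(sample, "10.1.0.0/16"))
```
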