Solved

SBS 2003 - when someone VPNs in, the server gets an additional IP and client applications get confused by the multiple IPs

Posted on 2010-09-08
Last Modified: 2012-05-10
I have recently enabled incoming VPN connections on SBS 2003. The problem is when the user dials in. The server gets an additional IP address for the VPN tunneling, which is fine. But it also creates another DNS record under the server name with the additional IP.

So for example: servername.domain.local

servername - 192.168.0.1
servername - 192.168.0.2

On the client workstations, the application queries the servername's DNS and gets the second IP address. But the server core applications are listening on the first IP address. This causes havoc within the network.

How can we disable this in a way that the VPN or DNS server does not create this additional record, so it will only have one [A] record?

At the moment I'm deleting the host record manually and modifying the workstations' hosts record, but I can't do this every day.

Thanks
Question by:CBM Corporate

Expert Comment

by:wolfcamel
Perhaps re-run the Internet wizard on SBS;
the VPNed workstation should get the DNS record for the IP it connected with.

Expert Comment

by:rfportilla
Uhh, this is internal to how the VPN works. It needs those additional DNS listings to route traffic back to the VPN clients. However, those DNS listings should have the VPN clients' names, so what you are saying doesn't make sense.

Try the following.  

First, make sure that the server's only using IP addresses that are needed.  Check the networking properties.

Second, if this is a multihomed computer (more than one network card), make sure you have your services listening on the correct IP address for the correct network card.

Third, make sure that the DNS entry is correct. Actually go into your DNS server and remove extra entries. You can also disable your network configuration from updating DNS.

Fourth, you could try setting up your services to listen on all ports so it wouldn't matter which one the client connected to.

Let me know if this helps.

Author Comment

by:CBM Corporate
There are no additional IP addresses configured on the primary adapter. The second network card does not have an IP address and is disabled. (HP ML350 G5 server.)

I just went into the DNS configuration and saw it was listening on all IP addresses. I will change it and select it only to listen on the primary IP address. See how it goes.

I wish I could enable the services to listen all. But not in this particular environment.

BTW, The actual client workstations are the actual workstations inside the network. Not the VPN clients.

Thanks

Expert Comment

by:rfportilla
Ahh, I just caught something else. I should read these posts twice. The VPN IP is an added IP. Of course.

Another thing to try. Is your software dependent on the DNS name? What I mean is that if you can add a CNAME to your DNS and configure your clients to go to your CNAME, that would work and is generally a better solution anyway. That way if you ever have to change servers you can just repoint the CNAME and not have to adjust clients again.

Author Comment

by:CBM Corporate
When the VPN client dials in, it grabs a DHCP IP address, i.e. 192.168.1.100 (default gateway is off). On the server itself, the PPP RAS server adapter gets assigned 192.168.1.87, for which the DNS server creates a servername -> 192.168.1.87 [A] record. So it's like a round robin thing: when the client workstations query the servername, it returns 192.168.1.87 as the servername record instead of 192.168.1.125 :(

Server ipconfig:

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.87
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.125 ** main IP address
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.3

If only I could prevent it from automatically creating the [A] record servername -> 192.168.1.87 so that the other workstations will only return servername -> 192.168.1.125

I just remotely logged in. Setting DNS to listen only on the primary IP didn't make any difference; I still saw a servername -> 192.168.1.87 record.
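An added example (not from the thread) that parses the ipconfig output above, flags any A record for the server name that points at the RAS dial-in address rather than the LAN address, and builds the hosts-file line the closing workaround pins on each workstation; the record set and the suffix domain.local are constructed assumptions.

```python
import re

# Constructed sample, trimmed from the server ipconfig output posted in the thread.
SAMPLE_IPCONFIG = """\
PPP adapter RAS Server (Dial In) Interface:
   IP Address. . . . . . . . . . . . : 192.168.1.87
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
Ethernet adapter Server Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.125
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.3
"""
# Constructed sample: the A records the zone holds for the server while a VPN user is dialled in.
SAMPLE_A_RECORDS = {"servername": ["192.168.1.87", "192.168.1.125"]}

def parse_ipconfig(text):
    """Split ipconfig output into adapters, each with its name, IP address and subnet mask."""
    adapters, current = [], None
    for line in text.splitlines():
        head = re.match(r"^(\S.*):\s*$", line)   # adapter headers are not indented
        if head:
            current = {"name": head.group(1), "ip": None, "mask": None}
            adapters.append(current)
            continue
        field = re.match(r"^\s+(IP Address|Subnet Mask)[ .]*:\s*(\S+)", line)
        if field and current is not None:
            current["ip" if field.group(1) == "IP Address" else "mask"] = field.group(2)
    return adapters

def ras_addresses(adapters):
    """Addresses bound to PPP/RAS dial-in interfaces; they carry a /32 host mask."""
    return {a["ip"] for a in adapters
            if a["ip"] and (a["name"].startswith("PPP adapter") or a["mask"] == "255.255.255.255")}

def lan_address(adapters):
    """The first non-RAS adapter address, i.e. the one the core services listen on."""
    ras = ras_addresses(adapters)
    return next(a["ip"] for a in adapters if a["ip"] and a["ip"] not in ras)

def stray_a_records(hostname, records, adapters):
    """A records for hostname that point at a RAS address instead of the LAN address."""
    ras = ras_addresses(adapters)
    return sorted(ip for ip in records.get(hostname, []) if ip in ras)

def hosts_entry(hostname, suffix, adapters):
    """The hosts-file line the thread's workaround pins on each workstation."""
    return f"{lan_address(adapters)}\t{hostname} {hostname}.{suffix}"
```

Run stray_a_records against the live zone after each VPN logon to catch the record as soon as it appears, instead of discovering it when an application breaks.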

Expert Comment

by:wolfcamel
It really shouldn't be doing this. Have you rerun the Internet wizard in SBS?

Expert Comment

by:rfportilla
Setting the server to only listen on the one IP doesn't have anything to do with it. I think your best option is to use the CNAME. I like that design best anyway. Create a CNAME with an address like 192.168.1.201, give it a name like customapp.server.local (whatever your local server and domain are) and point your clients to that domain name. Problem solved. I like this solution best because, like I said before, if you upgrade that server or move those services, you can just update the DNS entry and have everyone point to the right place.

@Wolfcamel, I think this is by Microsoft design. They create an IP for the virtual connection and insert a DNS record at the same time. It's just strange that the software isn't listening on all ports correctly.

Expert Comment

by:rfportilla
Darn, I'm not thinking. You don't want a CNAME. A CNAME is for pointing to another domain, or an alias. You want another A record pointing to 192.168.1.125 with a new name specific to your application.


Author Comment

by:CBM Corporate
The client workstation or application/Microsoft services will query the host name "servername" in this case. It will not query another hostname so creating a custom [A] record will not do anything.

Hmm, I wonder if I can prioritize the lookup order for the second DNS entry. That may do the trick.

Thanks

Expert Comment

by:rfportilla
"The client workstation or application/Microsoft services will query the host name..."

You would have to reconfigure the client one time to point to the new A record. I think it is worth doing one time to never have to do it again. You don't even need to do it all at once; just create the record and transition a few at a time, or create a policy to update the setting.

Accepted Solution

by:CBM Corporate
Still did not find a proper way. At the end I just modified all the workstations c:\windows\system32\drivers\etc\hosts file and added the server hostname and IP address.