Solved

Can't access internal sites

Posted on 2011-10-28
Last Modified: 2012-05-12
Hello experts.
Some of our employees are having problems accessing our internal sites from outside the office. The problem is isolated to a single region, and most likely a single ISP. For some reason none of the internal sites will open, but the ones on the www will work. I can ping the internal sites and it does resolve to the correct IP. This problem is happening on any computer that is in their region unless it is on the domain. nslookup just goes to server unknown for the site. I am not sure why this problem is happening now, because these sites were working before, and it is odd that the sites do not open even from public computers. I would appreciate any help you can give me.

Adele
Question by:dillonconsulting
15 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 37047555
Is your VPN server assigning your clients internal nameservers for their DNS?  Or are you talking about the external IP of your internal sites is not resolving?  

Not quite sure what you are asking.  If you could provide some sort of examples or output from nslookup, that would help a lot.
0
 

Author Comment

by:dillonconsulting
ID: 37048104
It is just trying to access one of our websites that requires a username and password. When she does an nslookup she gets the server unknown message.
0
 
LVL 7

Expert Comment

by:elawad
ID: 37050624
We really need some clarification: how are they trying to access the website, from the internet or from your internal network? And from where is it working? If the nslookup that is resolving to an unknown address is from inside, you can resolve it by creating a reverse lookup zone in your internal DNS server.
0

 
LVL 3

Expert Comment

by:Kuleaze
ID: 37051934
Relying solely on what you've provided for information makes this a difficult question to answer. Company computers can ping internal resources from outside the network, but won't resolve when typing in the name?? You say ping tests resolve to the correct IPs - have you tried putting the IP in the browser? If that works, you've isolated the issue to DNS. If you're able to ping the IPs, then your VPN is working - if you have one. You say public computers can't even access internal sites, but should they be able to??

Like the others, more information would be helpful. Have you done traceroutes? Who manages your DNS? Have there been any network changes recently? The fact that you can ping, but can't access through site name leads me to believe the issue is with DNS, but I'm taking a shot in the dark. I also noticed the problem is not happening when the computer is on the domain, do you have a local DNS, or is it possible someone has changed permissions in the domain somehow? Again, just throwing ideas out there to help you supply us more info.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 37052643
We are not asking you the right questions to properly troubleshoot this?

When you say you can't contact internal sites, do you mean mapped drives and file shares or do you mean web sites?

The reason I ask this is because of how the Windows Redirector Service works.

If you try to map to a site with a Universal Naming Convention path of "Computername", the redirector service will query the Netbios Name Server.

If you map to a site using the Fully Qualified Domain Name (Computername.domain.name) the redirector service will query the Domain Name Service database (DNS).

If you map to the remote site via IP address, then the redirector service uses an ARP resolution to translate that into a MAC address.

Out of the three means to create a UNC path, only one is routable. This means it will go through a VPN tunnel. That method is by IP address.

NetBIOS and DNS are not routable. How you input the UNC path determines what protocol you are using. NetBIOS is queried by the redirector service only if the path name is less than 15 characters and does NOT have a period. DNS is queried by the redirector service if it is more than 15 characters and/or has a period in the name.

To get DNS to work, your clients have to register themselves within DNS, and every remote site needs a copy of those DNS registrations by the use of ZONE TRANSFERS.

To get NetBIOS to work, your clients have to register within WINS database, and each site will need to have WINS replications between the site WINS Servers...

NOTE: Ping is NOT necessarily a conclusive test of connectivity. Many companies, including ISPs, deny ICMP echo as a security measure to prevent ping sweeps and the ping of death DDoS attacks.

NOTE: A URL is handled differently than a UNC path. The Universal Resource Locator (URL) is handled by a DNS query. If clients from remote sites are having problems with a URL (WEB PAGE), this is a DNS related problem and it means your clients are going to DNS servers OUTSIDE your domain for DNS resolution. This simply means that computers are going to an ISP DNS server instead of your DNS server, to find your internal web page DNS pointer record.
0
 

Author Comment

by:dillonconsulting
ID: 37060032
elawad:
  The problem is happening when they try to access the site from the internet ONLY. When they try when they are logged in at the office and are on the domain, it works.
0
 

Author Comment

by:dillonconsulting
ID: 37060044
Kuleaze:
  I have tried putting the IP in the browser but it would not route to the page. The VPN is not working but only for the people that cannot open the internal websites. They are in Yellowknife. The VPN works for all users not in Yellowknife. The same goes for the inside dillon page and the webmail page. Only users in Yellowknife cannot open these pages.

Yes, public computers are able to open inside dillon but they are prompted for a username and password. I have talked to our network admin and yes, there have been changes to the switch in our Yellowknife office.
0
 

Author Comment

by:dillonconsulting
ID: 37060050
ChiefIT:

I mean websites not mapped drives.  
0
 
LVL 3

Expert Comment

by:Kuleaze
ID: 37060645
Hmm, ok so there have been changes! What changes were made? Can someone from Yellowknife do a "show ip route ?.?.?.?" with the question marks being the IP of the internal address you're trying to reach? This will tell you if there is a route to the device. You can use the same command to check for a route to the VPN as well. I would actually start there first.

Give us an update when you find out the changes that were made - I'm willing to bet it has something to do with the static route.
0
 
LVL 7

Expert Comment

by:elawad
ID: 37060938
So let's narrow things down. What I have understood from your posts is that you have, let's say, http://website.com that is at your company, and users in some areas cannot reach the page when they try to access it. Those users are trying to reach the page without being connected through VPN to your internal network; moreover, when you do "nslookup yourwebsite name" from one of those users' PCs and from outside the company, the IP address does not get resolved. If what I said is correct, the problem then is in your ISP public DNS, which is not resolving your internal website's public IP address.
0
 

Author Comment

by:dillonconsulting
ID: 37064200
Kuleaze:
   There have been changes to the switch in our Yellowknife office but I am not sure if users would need to access that switch to access our internal sites because they are hosted in our London (Ontario) office.

elawad:
   It may be the DNS IP address. I tried to use the Google DNS IPs but she could not route at all.
 


0
 
LVL 3

Expert Comment

by:Kuleaze
ID: 37066637
Ok, so there isn't a VPN set up between the two sites?? I agree with elawad, clarification of your issue needs to be addressed. Do we know what changes were made to the device? So now the hosting of the site is now in London?? But you say that all can connect to the site in question, only no one from Yellowfish can, yes??? If this is the case, why do you think that the users in Yellowfish wouldn't exit out their own switch to access the site in question?? Does this not make sense that changes were made and now users are having problems?? Also, users outside of Yellowfish can access the login screen of the site, so do you have internal DNS located at Yellowfish?? This would explain why this site only is affected? The device changes should also be looked at, considering everything worked prior to that, yes??
0
 

Author Comment

by:dillonconsulting
ID: 37070862
We have a VPN site and that is not working for the people in Yellowknife either. VPN access is not required to access the sites that require a username and password. I know that there were problems with the switch and the firmware was upgraded, but that is all I know about the changes. Hosting of the sites is always done in London; it is our main office. That's right, only people in Yellowknife cannot access the sites. The sites are not accessible from computers that are not in the office. The ones that are using the switch and are in the office can get to these sites. I am still waiting to confirm if the problem started at exactly the same time.
0
 

Accepted Solution

by:
dillonconsulting earned 0 total points
ID: 37078561
Well, it looks like the problem is likely with the ISP; the IPs from the nslookup are 5 years old.
0
 

Author Closing Comment

by:dillonconsulting
ID: 37337131
Problem is with ISP
0


Question has a verified solution.
