Outlook 2003, VPN and Split Tunnel - Network


  1. Outlook 2003, VPN and Split Tunnel

    I know I'm not the first to have this issue, but I'm hoping that someone out
    there has come up with a workable solution to this issue. Here is what's
    happening.

    Remote client (laptop or home users) uses VPN to connect to corporate
    network. New IP and DNS info is given which disables access to local LAN
    resources (i.e. printer, other network devices). So that if a person in this
    situation needs to print or use one of these other home network devices he
    would have to disconnect the VPN to do so.

    Now enters split tunneling, where VPN network traffic is sent over the
    VPN and local LAN access is permitted. Now the problem with this scenario is
    mainly with Outlook and AD/DNS. For example, I'm at home, I VPN into the
    corporate network using split tunnel. I can use my home network resources
    (hopefully I'm smart enough to be on a different IP scheme than the corporate
    LAN). Now comes the trouble. Outlook 2003 uses an FQDN for its server name
    in the Exchange profile. So to the VPN connection this looks like internet
    traffic which it routes through my default gateway on the home LAN out to my
    ISP. This of course won't bring back anything useful from a public DNS
    server while trying to access my corporate LAN Exchange server. Obvious
    solutions to this include a HOSTS file modification (which I DO NOT want to
    do). I could also add a public DNS record for the Exchange server using a
    non-routable IP address of the internal LAN IP for the server; this would
    effectively allow me to get to Outlook, but not a best practice by any means.
    The other problem with this is other servers on the corporate LAN. Anytime
    I try to resolve a host name on the corporate LAN that gets translated into
    an FQDN, it will end up trying to go through my home ISP.

    So as you can see, I'm at a difficult place either way I go. I either
    disable split tunnel and force users not to be able to use their home
    network, or enable split tunnel and end up having to do so many workarounds
    and have issues with DNS that it's not worth the trouble. Does anyone have a
    good solution to this? We need to be able to map drives and network
    resources both at home and on the corporate LAN through VPN. Any ideas or
    solutions to this problem would greatly be appreciated.

    My initial questions would be:
    Could a route statement on the computer be used to alleviate the problem of
    VPN traffic using an FQDN being routed through my ISP? Also, are there any
    real issues with adding public DNS records with private non-routable internal
    IP records?

    Thanks
    Joe

  2. RE: Outlook 2003, VPN and Split Tunnel

    I have a few more thoughts to add to this issue. I think these might work,
    but wanted to run them by everyone else.

    Possible solutions:

    1. Don't use the same domain name for internal DNS as external public DNS;
    this may ease the VPN problems distinguishing internal from external, but
    make sure the internal DNS domain is a .loc or .local or something definitely
    not even possibly routable on a public DNS system. I would think if you do
    this it should prevent VPN problems accessing corporate LAN resources, and
    still allow you to access your home LAN resources as long as split tunnel is
    enabled.

    How does that sound, does it make sense to anyone?





  3. Re: Outlook 2003, VPN and Split Tunnel

    Your post is not related to IPsec and you would be better served by posting
    in a general networking and/or DNS newsgroup. Having said that, I think your
    options may be to use a hosts file or to make sure that the needed host DNS
    records exist on your internal DNS server and that your computer is using it,
    because if it uses an ISP DNS server then you will not be able to resolve
    the needed DNS names. You may find nslookup helpful in
    troubleshooting/tweaking your problem. --- Steve


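The two questions raised in this thread (whether a route statement helps, and what a public DNS record holding a private address does) can be traced with a small model of a split-tunnel client. This is an added example, not part of the original thread; the routing table, resolver addresses, host name and the "first resolver's answer is final" rule are all constructed assumptions.

```python
import ipaddress

# Constructed split-tunnel routing table: (destination prefix, interface).
SPLIT_ROUTES = [
    ("0.0.0.0/0", "home-lan"),        # default route stays on the home gateway
    ("192.168.1.0/24", "home-lan"),   # home printer and other local devices
    ("10.20.0.0/16", "vpn"),          # corporate subnet reached through the tunnel
]

# Constructed resolver data: what each DNS server answers for a name.
ISP_DNS, CORP_DNS = "203.0.113.53", "10.20.0.10"
ZONES = {
    ISP_DNS: {},                                        # no record: NXDOMAIN
    CORP_DNS: {"mail.corp.example.com": "10.20.5.25"},  # internal record
}

def egress(dst, routes):
    """Longest-prefix match: interface a packet to dst leaves on."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in routes
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(fqdn, resolvers, routes=SPLIT_ROUTES, zones=ZONES):
    """Follow one connection: DNS query first, then the data packets.

    Modelling assumption: the first resolver in the list answers, and a
    negative answer (NXDOMAIN) ends the lookup.
    """
    resolver = resolvers[0]
    addr = zones[resolver].get(fqdn)
    return {
        "dns_via": egress(resolver, routes),   # where the query itself travels
        "address": addr,
        "data_via": egress(addr, routes) if addr else None,
    }

def scenarios(name="mail.corp.example.com"):
    # Public record pointing at the private address (the workaround in post 1).
    public = {**ZONES, ISP_DNS: {name: "10.20.5.25"}}
    # Home LAN that happens to overlap the corporate range.
    overlap = SPLIT_ROUTES + [("10.20.5.0/24", "home-lan")]
    return {
        "isp_dns_first": trace(name, [ISP_DNS, CORP_DNS]),
        "corp_dns_first": trace(name, [CORP_DNS, ISP_DNS]),
        "public_private_record": trace(name, [ISP_DNS], zones=public),
        "public_record_overlap": trace(name, [ISP_DNS], routes=overlap, zones=public),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:24} {result}")
```

In the model, routes only act on the address that comes back from DNS, so a route statement cannot fix a lookup that went to the ISP resolver. The public-record variant sends the internal host name to the ISP resolver in the clear and, on an overlapping home subnet, delivers the connection to whatever local device holds that address.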



