DNS Remote access VPN

Unanswered Question
Jul 15th, 2009
Although generally using no-split-tunnelled RA VPN setups, there are some instances where it is necessary. Some staff work extensively on a customer site and need access to our resources as well as those of the site.

It seems to me that the big sticking point in all this is DNS. If you assign a DNS server via the group-policy then you have the same problem you would have if you did not assign one and left it with the remote site's DHCP-assigned server.

For the not too IT literate it is very difficult to explain how to connect to their Exchange server or file share while still being able to access local file shares and printers.

Anyone know of a way to overcome this problem? (Or if I have not explained it properly)

Any help much appreciated,


Collin Clark Wed, 07/15/2009 - 10:34

One way is to use SSLVPN (Cisco is headed that way anyway) and create a portal for your servers. TS & Citrix will work best.

Hope that helps.

m.surtees Wed, 07/15/2009 - 18:24

Hi Collin .. afraid it doesn't. SSL VPNs require expensive licensing, I believe (please correct me if I'm wrong), and my company is a scrooge at the moment.

We have a TS but if all the required users jump on it at the same time it will die.

Re: Citrix, see comments on $$ for SSL VPN.

Thanks anyway.



m.surtees Thu, 07/16/2009 - 00:04
Fixed my own problem .. comes down to DNS suffixes.

group-policy POLICY-01 attributes
 ! the DNS of home, i.e. the site the VPN clients are connecting to
 dns-server value x.x.x.x
 split-tunnel-policy tunnelspecified
 ! customer site which RA have access to via split-tunnel
 default-domain value local.site.suffix
 split-dns value home.company.suffix


As the site DNS is configured when a DHCP address is granted, the configuration of the remote DNS just adds one. Then, using the first one and, if necessary, the other by virtue of the suffix, it seems to fix all those user quirks like drive mappings and print servers etc. with just the Windows-friendly hostnames (not FQDN).

Does the trick at any rate.

Hope this is useful to someone else
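
The resolution behaviour described in the post above, as an added example that is not part of the original thread and not Cisco's client code: a simplified Python model of which DNS server each lookup goes to under the posted group-policy. The server addresses, host names and zone contents are constructed, and the suffix search order (default-domain first, then the split-dns domain) is an assumption.

```python
# Simplified model of split-DNS server selection for the posted group-policy.
# All addresses, host names and zone data are constructed placeholders.

TUNNEL_DNS = "10.0.0.53"               # stands in for "dns-server value x.x.x.x"
LOCAL_DNS = "192.168.1.1"              # customer site's DHCP-assigned resolver
DEFAULT_DOMAIN = "local.site.suffix"   # default-domain value
SPLIT_DNS = ["home.company.suffix"]    # split-dns value


def candidates(name):
    """Expand a short name with each suffix in turn (assumed search order)."""
    name = name.rstrip(".").lower()
    if "." in name:
        return [name]  # simplification: dotted names are treated as qualified
    return [f"{name}.{suffix}" for suffix in [DEFAULT_DOMAIN, *SPLIT_DNS]]


def server_for(fqdn):
    """Names equal to or under a split-dns domain go to the tunnel DNS server."""
    for domain in SPLIT_DNS:
        if fqdn == domain or fqdn.endswith("." + domain):
            return TUNNEL_DNS
    return LOCAL_DNS


def query_log(name):
    """Every (fqdn, server) pair the client would try, in order."""
    return [(fqdn, server_for(fqdn)) for fqdn in candidates(name)]


def resolve(name, zones):
    """Return (fqdn, server, address) for the first hit, or None.
    `zones` maps server -> {fqdn: address} and stands in for real DNS."""
    for fqdn, server in query_log(name):
        address = zones.get(server, {}).get(fqdn)
        if address:
            return fqdn, server, address
    return None


# Constructed zone data for the two resolvers.
ZONES = {
    TUNNEL_DNS: {"exchange.home.company.suffix": "10.0.0.20"},
    LOCAL_DNS: {"printer1.local.site.suffix": "192.168.1.40"},
}

if __name__ == "__main__":
    for short_name in ("exchange", "printer1"):
        print(short_name, "->", resolve(short_name, ZONES), query_log(short_name))
```

In this model the short name `exchange` is first asked of the customer site's resolver as `exchange.local.site.suffix` before the tunnel DNS server answers, so internal host names are visible to that resolver.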


