RVL200 - Can't browse internal network with SSL VPN connection

Unanswered Question

I have an RVL200 that I installed into our network last week.  I set up a total of three SSL VPN users.  All three users can SSL VPN into the network, but cannot browse any of the servers inside the network.  With the SSL VPN established, the client can ping everything inside the network and can access devices via an IP address, but cannot resolve anything on the inside network.  DNS is set up on the RVL200. However, the DHCP addresses it assigns to the VPN client don't contain any of the DNS information.

Without having to update the hosts files on client computers, how can we actually configure this VPN to be a true extension of the corporate network for our users?  Is there something I'm missing?  It is running the latest firmware 1.1.7 (although this firmware is actually quite old).

Please advise if anyone else has experienced this and what the solution/fix is.

Thanks,

Nick

Te-Kai Liu Wed, 03/31/2010 - 08:42

Virtual Passage supports Windows Workgroups. To resolve NetBIOS names over SSL VPN, the admin has to configure a WINS Server on the DHCP page of RVL200, and the remote user's PC has to configure its TCP/IP Property to point to this WINS Server.

The above was copied straight from the release note of firmware 1.1.7.

DHCP is disabled on the RVL200.  I can't use it as a DHCP server inside the network.  We are using a Windows server inside the network for DHCP, as it's also assigning specific DHCP parameters to IP phones that the RVL200 cannot do.  The RVL200 is strictly used for SSL VPN access by our users and sits in parallel to our firewall.

On the RVL200 in the DHCP tab, DHCP is disabled.  In the SSL VPN tab, Virtual Passage sub tab, there is a range of 5 private IP addresses.  Those are the IP addresses that are dynamically assigned to each Virtual Passage client.  When I SSL VPN into the device, I dynamically get one of those IP addresses assigned to my Virtual Passage, I can ping every device on the network without a problem, and I can access the devices via IP address.  I just can't resolve the names.

I need VPN access for my users so that they can access the servers inside the network.  NETBIOS is really for WINS resolution.  I need internal DNS to be assigned to the Virtual Passage.  For example, my users need to access the company intranet.  The URL is http://intranet.mycompany.com.  Its IP address (private IP address inside the network) can be pinged, but the name cannot be resolved.  I need internal DNS to resolve that name so that the user can get to that internal website by name.

I don't want to have to configure every client manually.  It needs to be done through DHCP.  Does anyone else have this problem, and how did you work around this?  Your advice will be appreciated.

Thanks,

Nick

Alejandro Gallego Wed, 03/31/2010 - 20:02

You bring up a very good point that seems to get missed sometimes. More and more of our users have internal servers and domains running IP assignment services, but this seems to get overlooked.

Unfortunately all I have is two possible solutions:

1. Configure your Windows server to be a PPTP or IPSec end point (may not be a practical solution; hence the reason for your router purchase)

2. Create a GPO to push manually configured DNS servers. You would assign two IPs, one (Primary) your internal DNS; Two (Secondary) your external DNS server such as OpenDNS 208.67.222.222 (I love these guys!!!)

Aside from that, I can't think of any other way to easily push out this configuration. The other thing I just realized: since the SSL VPN creates a virtual adapter, will we still send our DNS queries across the tunnel?

On a side note:

When a Windows client tries to access network shares via UNC path, it will try to resolve NetBIOS first, then will move over to DNS for resolution. In your case with the website, well... DNS, as you already know. (just a side note)

SOLUTION FOUND!

Again, my intent was to use the RVL200 as a standalone SSL VPN box for remote access into my network, not as a firewall and DHCP server.

As it turns out, your remote SSL VPN connections (virtual passage interfaces) "WILL NOT" be assigned internal DNS or WINS information unless DHCP is enabled on the RVL200.  But if one has another DHCP server inside the network (such as a Windows DHCP server), then turning on DHCP on the RVL200 will cause DHCP conflicts.  But not enabling it on the RVL200 causes the remote SSL VPN tunnel (virtual passage interface on the client) to not work properly because it doesn't have any internal DNS/WINS servers assigned.  Although there was no official fix for this, there is a workaround that I came up with that seems to solve my dilemma.

The workaround is to "ENABLE" DHCP on the RVL200, but to reduce the DHCP range to just 1 IP address (for example 192.168.x.254).  I then went into reservations and created a reservation for a fake MAC address (for this example BAD000000000) and made sure that the one and only IP address in that range is reserved for that fake MAC address.  Since there's only one IP address in the DHCP pool and that address has been reserved, the RVL200's DHCP server will never assign IP addresses to the internal network, and therefore will never conflict with the Windows DHCP server.  But because DHCP has now been enabled on the RVL200, the virtual passage (SSL VPN connection) WILL be assigned the internal DNS and WINS IP addresses for internal resolution.

Hope this helps.
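A way to verify the workaround from the client side, as an added example that is not part of this thread or of the RVL200 firmware: parse `ipconfig /all` output and confirm that the tunnel adapter carries DNS and WINS servers that sit inside the internal network, so lookups for internal names actually go across the tunnel rather than to the client's local resolver. The adapter name "Virtual Passage", the internal range 192.168.1.0/24 and all addresses in the sample are assumptions made up for the example.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from a remote client after the
# workaround; adapter names and addresses are made up, not from the thread.
SAMPLE_IPCONFIG = """\
Ethernet adapter Virtual Passage:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.201
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.11
   Primary WINS Server . . . . . . . : 192.168.1.10
"""

def parse_adapters(text):
    """Split ipconfig /all output into {adapter: {field: [values]}} (IPv4 only)."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^\S.*adapter (.+):$", line)
        if m:
            current, field = adapters.setdefault(m.group(1), {}), None
            continue
        if current is None or not line.strip():
            continue
        m = re.match(r"^\s+(.+?)[ .]*: ?(.*)$", line)
        if m:
            field, value = m.group(1).strip(), m.group(2).strip()
            current.setdefault(field, []).extend([value] if value else [])
        elif field:
            current[field].append(line.strip())  # continuation, e.g. 2nd DNS server
    return adapters

def check_tunnel_dns(adapters, adapter_name, internal_net):
    """Tunnel adapter must carry DNS and WINS servers inside internal_net."""
    net = ipaddress.ip_network(internal_net)
    a = adapters.get(adapter_name)
    if a is None:
        return False, ["adapter %r not present" % adapter_name]
    problems = []
    dns = a.get("DNS Servers", [])
    if not dns:
        problems.append("no DNS servers on tunnel adapter")
    problems += ["DNS server %s outside %s" % (s, net)
                 for s in dns if ipaddress.ip_address(s) not in net]
    if not a.get("Primary WINS Server"):
        problems.append("no WINS server (UNC/NetBIOS lookups will fail)")
    return not problems, problems
```

Run it against real `ipconfig /all` output saved to a file on the remote PC; an empty problem list means the DHCP-enabled RVL200 handed the tunnel the internal resolvers.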