Networking Forums

Internal and external IP resolution

JN
06-19-2009, 03:19 PM
Short Version:

Is there a way that I can configure Windows XP clients so that when they
connect to our internal network over the VPN (RRAS) their DNS cache will
clear and my internal DNS servers will move up to the top of the list of
servers they use to resolve IP addresses?

Long Version:

We are having some inconvenient problems regarding name resolution when
people are working remotely, specifically with Outlook clients connecting
to our Exchange Server when connecting via the VPN. I am posting here
because it is more of a networking issue than an Exchange/Outlook one.

Here is the scenario.

1. We have had our internal network setup since 2000 with the same domain
name OURDOMAIN.COM.
2. We have on the network our Exchange 2003 server (upgraded years ago from
5.5) MAILSERVER.OURDOMAIN.COM.
3. Outlook clients are configured to connect to MAILSERVER
(mailserver.ourdomain.com)
4. We also have registered on the Internet our domain OURDOMAIN.COM
5. So we don't get rejected by overly aggressive SPAM filters like crummy
Comcast and Verizon, who think they own the Internet, we have to have our mail
server set up so they can do a reverse lookup and see that the sending IP and DNS
name match up, so we have MAILSERVER.OURDOMAIN.COM set up in our ISP's DNS
as something that can be reverse looked up.
6. Yes, the Exchange Server is locked down tight against open relays, etc.
7. Our internal network is 192.168.0.x.
8. We have setup a VPN server to allow remote access.

Now here is the problem. Users can get their mail without issue on the
network. If they go on the road and connect directly to the VPN and then
fire up Outlook, they get the right internal IP for MAILSERVER.OURDOMAIN.COM
(192.X.X.X); however, if they just decide to bang out a few emails in Outlook
and connect later to send them, they cannot, because Outlook already caused
Windows to check for MAILSERVER.OURDOMAIN.COM and it resolved to the
external IP address of the Exchange server.

To protect the Exchange server I have my firewalls configured to only accept
port 25 from a limited number of IP addresses belonging to my anti-spam service,
and I naturally can't just open up the firewall for direct connections from
Outlook clients to the Exchange server because I have no idea where in the
world the users may be at any moment.

Is there a way that I can configure Windows XP clients so that when they
connect to our internal network over the VPN their DNS cache will clear and
my internal DNS servers will move up to the top of the list of servers they
use to resolve IP addresses?

Lanwench [MVP - Exchange]
06-19-2009, 04:43 PM

Is your internal domain name in AD ourdomain.com?
Your VPN users should be receiving only your internal IP addresses for DNS,
dynamically assigned when they connect.
However, since you have Exchange 2003, why would you not just use RPC over
HTTP? That uses SSL, connects over 443, doesn't open you up to relay issues
or spam.
Using VPN just for mail access is silly in this day & age ;-)

Ace Fekay [Microsoft Certified Trainer]
06-19-2009, 05:55 PM
"JN" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Short Version:
>
> Is there a way that I can configure Windows XP clients so that when they
> connect to our internal network over the VPN (RRAS) their DNS cache will
> clear and my internal DNS servers will move up to the top of the list of
> servers they use to resolve IP addresses?
>
> Long Version:
>
> We are having some inconvinient problems regarding name resolution when
> people are working remotely. Specifically with Outlook clients connecting
> to our Exchange Server when connecting via the VPN. I am posting here
> because it is more of a networking issue than Exchange/Outlook.
>
> Here is the senerio.
>
> 1. We have had our internal network setup since 2000 with the same domain
> name OURDOMAIN.COM.
> 2. We have on the network our Exchange 2003 server (upgraded years ago
> from 5.5) MAILSERVER.OURDOMAIN.COM.
> 3. Outlook clients are configured to connect to MAILSERVER
> (mailserver.ourdomain.com)
> 4. We also have registered on the Internet our domain OURDOMAIN.COM
> 5. So we don't get rejected by overly aggressive SPAM filters like crummy
> Comcast and Verizon who think they own the Internet we have to have our
> mail server setup so they can reverse lookup and see that the sending IP
> and DNS name match up so we have MAILSERVER.OURDOMAIN.COM setup in our
> ISPs DNS list as something that can be reverese looked up.
> 6. Yes, the Exchange Server is locked down tight against open relays,
> etc.
> 7. Our internal network is 192.168.0.x.
> 8. We have setup a VPN server to allow remote access.
>
> Now here is the problem. Users can get their mail without issue on the
> network. If they go on the road and directly connect to the VPN and then
> fire up Outlook they get the right internal IP for
> MAILSERVER.OURDOMAIN.COM (192.X.X.X) however if they just decide to bang
> out a few emails in Outlook and connect later to send them they cannot
> because Outlook already caused Windows to check for
> MAILSERVER.OURDOMAIN.COM and it resolved to the external IP address of the
> Exchange server.
>
> To protect the Exchange server I have my firewalls configured to only
> accept Port 25 from a limited amount of IP addresses from my Anti-spam
> service and I naturally can't just open up connections to the for direct
> connections for Outlook clients to the Exchange server because I have no
> idea where in the world the users may be at any moment.
>
> Is there a way that I can configure Windows XP clients so that when they
> connect to our internal network over the VPN their DNS cache will clear
> and my internal DNS servers will move up to the top of the list of servers
> they use to resolve IP addresses?
>
>



It sounds like the VPN server is giving the clients an external DNS server in
its IP configuration. It MUST only provide internal DNS addresses.

I also agree with Lanwench's assessment.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among
responding engineers.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
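The check behind the reply above, as an added example that is not code from the thread or from any poster: a PowerShell script a remote user runs after dialing in. It lists the DNS servers each active adapter was handed (so a public server on the RAS adapter stands out), flushes the local resolver cache that JN's first post asks about, and confirms the mail host now resolves to an RFC 1918 address. The phonebook entry name OfficeVPN (with saved credentials), the host name mailserver.ourdomain.com and PowerShell 2.0 on the XP client are assumptions; the 192.168.0.x internal range comes from the original post.

```powershell
# Added example, not code from the thread. Assumptions: RAS phonebook entry
# "OfficeVPN" with saved credentials, mail host mailserver.ourdomain.com,
# internal DNS in 192.168.0.0/24, PowerShell 2.0 on the client.
param(
    [string]$VpnEntry = "OfficeVPN",
    [string]$MailHost = "mailserver.ourdomain.com"
)

# RFC 1918 test: 10/8, 172.16/12, 192.168/16. Anything else is "public".
function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Address)
    if (-not $Address -or $Address.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $Address.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

# 1. Bring the tunnel up (rasdial is a no-op if already connected).
& rasdial $VpnEntry | Out-Null
if ($LASTEXITCODE -ne 0) { throw "rasdial '$VpnEntry' failed with exit code $LASTEXITCODE" }

# 2. Show the DNS servers each active adapter was handed. The RAS adapter
#    must carry only internal servers; a public one on its list lets the
#    resolver keep answering from the Internet side of the split.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" | ForEach-Object {
    $nic    = $_
    $dns    = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    $public = @($dns | Where-Object { -not (Test-PrivateIPv4 ([System.Net.IPAddress]$_)) })
    $flag   = if ($public.Count -gt 0) { "  <-- public DNS server(s) on this adapter" } else { "" }
    "{0}: DNS={1}{2}" -f $nic.Description, ($dns -join ','), $flag
}

# 3. Drop whatever was cached before the tunnel existed, i.e. the external
#    A record that was looked up while still on the ISP's resolver.
& ipconfig /flushdns | Out-Null

# 4. Resolve again and confirm the answer is now the internal address.
$answers  = [System.Net.Dns]::GetHostAddresses($MailHost)
$internal = @($answers | Where-Object { Test-PrivateIPv4 $_ })
if ($internal.Count -eq 0) {
    Write-Warning ("{0} still resolves to {1}; Outlook would try the public side" -f $MailHost, ($answers -join ','))
} else {
    "{0} -> {1} (internal address, OK)" -f $MailHost, ($internal -join ',')
}
```

Step 2 is the diagnostic for this reply: if the RAS adapter line is flagged, the VPN server's DHCP/RRAS settings are handing out a public resolver and fixing that comes before any cache flushing. Step 4 is the check that matters to the user: a warning here means the next Outlook start would still go to the public side.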

 
JN
06-22-2009, 09:22 PM

The internal DNS server is correctly resolving names with internal IP
addresses. The problem is that if the user for any reason looks for
MAILSERVER.OURDOMAIN.COM while off the network "before" connecting
internally the name will naturally be resolved by an external DNS from the
ISP and will naturally resolve it to the external IP. If they boot up and
correctly connect to the VPN before firing up Outlook or addressing
MAILSERVER.OURDOMAIN.COM, the IP will be resolved properly by our internal
DNS to 192.x.x.x

Example 1:

Boot up at home
Fire up Outlook
Outlook checks if MAILSERVER.OURDOMAIN.COM is available
MAILSERVER.OURDOMAIN.COM is resolved as 65.x.x.x
Connect to VPN
Open Outlook again
Computer checks DNS cache for server, still resolves to 65.x.x.x

Example 2:

Boot up at home
Connect to VPN
Fire up Outlook
Outlook checks if MAILSERVER.OURDOMAIN.COM is available
MAILSERVER.OURDOMAIN.COM is resolved as 192.168.x.x
Outlook functions fine.

As far as RPC over HTTPS, I was under the assumption that I had to have the
Exchange Server as the Global Catalog. My network has a W2K DC and the
W2K3 Exchange 2003 member server. I did not think I could get RPC over
HTTPS to work with this setup.



"Ace Fekay [Microsoft Certified Trainer]" <(E-Mail Removed)>
wrote in message news:O$(E-Mail Removed)...
> "JN" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Short Version:
>>
>> Is there a way that I can configure Windows XP clients so that when they
>> connect to our internal network over the VPN (RRAS) their DNS cache will
>> clear and my internal DNS servers will move up to the top of the list of
>> servers they use to resolve IP addresses?
>>
>> Long Version:
>>
>> We are having some inconvinient problems regarding name resolution when
>> people are working remotely. Specifically with Outlook clients
>> connecting to our Exchange Server when connecting via the VPN. I am
>> posting here because it is more of a networking issue than
>> Exchange/Outlook.
>>
>> Here is the senerio.
>>
>> 1. We have had our internal network setup since 2000 with the same
>> domain name OURDOMAIN.COM.
>> 2. We have on the network our Exchange 2003 server (upgraded years ago
>> from 5.5) MAILSERVER.OURDOMAIN.COM.
>> 3. Outlook clients are configured to connect to MAILSERVER
>> (mailserver.ourdomain.com)
>> 4. We also have registered on the Internet our domain OURDOMAIN.COM
>> 5. So we don't get rejected by overly aggressive SPAM filters like
>> crummy Comcast and Verizon who think they own the Internet we have to
>> have our mail server setup so they can reverse lookup and see that the
>> sending IP and DNS name match up so we have MAILSERVER.OURDOMAIN.COM
>> setup in our ISPs DNS list as something that can be reverese looked up.
>> 6. Yes, the Exchange Server is locked down tight against open relays,
>> etc.
>> 7. Our internal network is 192.168.0.x.
>> 8. We have setup a VPN server to allow remote access.
>>
>> Now here is the problem. Users can get their mail without issue on the
>> network. If they go on the road and directly connect to the VPN and then
>> fire up Outlook they get the right internal IP for
>> MAILSERVER.OURDOMAIN.COM (192.X.X.X) however if they just decide to bang
>> out a few emails in Outlook and connect later to send them they cannot
>> because Outlook already caused Windows to check for
>> MAILSERVER.OURDOMAIN.COM and it resolved to the external IP address of
>> the Exchange server.
>>
>> To protect the Exchange server I have my firewalls configured to only
>> accept Port 25 from a limited amount of IP addresses from my Anti-spam
>> service and I naturally can't just open up connections to the for direct
>> connections for Outlook clients to the Exchange server because I have no
>> idea where in the world the users may be at any moment.
>>
>> Is there a way that I can configure Windows XP clients so that when they
>> connect to our internal network over the VPN their DNS cache will clear
>> and my internal DNS servers will move up to the top of the list of
>> servers they use to resolve IP addresses?
>>
>>

>
>
> It sounds like VPN server is giving the clients an external DNS server in
> it's IP configuration. It MUST only provide internal DNS addresses.
>
> I also agree with Lanwench's assessment.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration
> among responding engineers.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> (E-Mail Removed)
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>




 
Ace Fekay [Microsoft Certified Trainer]
06-23-2009, 02:48 AM

"JN" <(E-Mail Removed)> wrote in message
news:OP$SA%(E-Mail Removed)...
> The internal DNS server is correctly resolving names with internal IP
> addresses. The problem is that if the user for any reason looks for
> MAILSERVER.OURDOMAIN.COM while off the network "before" connecting
> internally the name will naturally be resolved by an external DNS from the
> ISP and will naturally resolve it to the external IP. If they boot up and
> correctly connect to the VPN before firing up Outlook or addressing
> MAILSERVER.OURDOMAIN.COM, the IP will be resolved properly by our internal
> DNS to 192.x.x.x
>
> Example 1:
>
> Boot up at home
> Fire up Outlook
> Outlook checks if MAILSERVER.OURDOMAIN.COM is available
> MAILSERVER.OURDOMAIN.COM is resolve as 65.x.x.x
> Connect to VPN
> Open Outlook again
> Computer checks DNS cache for server, still resolves to 65.x.x.x
>
> Example 2:
>
> Boot up at home
> Connect to VPN
> Fire up Outlook
> Outlook checks if MAILSERVER.OURDOMAIN.COM is available
> MAILSERVER.OURDOMAIN.COM is resolved as 192.168.x.x
> Outlook functions fine.
>
> As far as RPC over HTTPS I was under the assuption that I had to have the
> Exchange Server as the Global Catalog. My network has a W2K DC, and the
> W2k3 Exchange 2003 member server. I did not think I could get RPC over
> HTTPs to work with this setup.


First, RPC over HTTPS, also known as Outlook Anywhere, works whether
Exchange is on a DC or not, but it is HIGHLY preferable, and HIGHLY recommended,
for it not to be on a DC. It sounds like you're ok in this department. But you will
need a public certificate for the Exchange server. Since you have Exchange
2003, that's easy. You just need a simple certificate that you can get at
GoDaddy, Verisign, Digicert, etc. I like Digicert, but that's up to you. Go
into Exchange's Windows Add/Remove, add components, Networking, and add RPC
server. Follow these links to configure it:

How can I configure RPC over HTTP/S on Exchange 2003 (single ...): RPC over
HTTP/S is a cool method for connecting your Outlook 2003 client to the
corporate Exchange Server 2003 from the Internet or WAN, without the need ...
http://www.petri.co.il/how-can-i-con...r-scenario.htm

Configure Outlook 2003 to use RPC over HTTP/S: How can I configure Outlook
2003 to use RPC over HTTP/S? RPC over HTTP/S is a cool method for connecting
your Outlook 2003 client to the corporate Exchange.
http://www.petri.co.il/configure_out..._over_http.htm

As for the other local DNS cache issue, it looks like a chicken-before-the-egg
issue, or vice versa. Normally when a VPN is connected, the VPN
connection goes to the top of the binding order. Funny, I haven't had
this issue with any of my customers, but then again, their internal and
external names are different.

One way to get around it is a batch file saved on the desktop that runs a
simple "ipconfig /flushdns". Just instruct them to double-click on it after
they connect. There are other methods to reset the DNS eligible resolver
list, but that is not needed here, because, as I said above, the VPN becomes
the default connection, so the resolver service will query the DNS entries on
it first, so it wouldn't matter to reset the list.

Oh, I wanted to comment on the "[...] aggressive SPAM filters like crummy
Comcast and Verizon who think they own the Internet [...]" comment. It's
actually the fact that they use various RBLs, one of which is the SORBS list,
which is pretty stringent. I've had to deal with SORBS once in the past at a
place I worked that put us on their list when one user's credentials were
hijacked and his account sent out over 20,000 emails overnight. Of course,
it goes without saying, it prevented us from sending to AOL, Verizon, Comcast and a
few others. We went through their process to clean it up. If you are having
problems sending to these domains, and others, I would suggest checking whether
your IP is on the SORBS list at www.sorbs.net. I would also check to see if
you are on other RBLs just in case, as well as make sure you have a valid
and correct SPF record configured (http://old.openspf.org/wizard.html).

RBL Checks:

MXToolbox (On an RBL? Find out why. Free tool. Instant, no registration required.)
http://www.MXToolbox.com

MSRBL - Multi RBL Checker (enter the IP address to check listings in multiple RBLs)
http://checker.msrbl.com

Multi-RBL checker, Multi-DNSBL lookup (Multi DNS blacklist (DNSBL), Real-time
Blackhole List (RBL) lookup)
http://cqcounter.com/rbl_check/

I hope that helps.

Ace
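The two checks recommended in the post above (is the mail server's IP on a blacklist, and does the domain publish SPF), done from PowerShell instead of a web form. This is an added example, not code from the thread or from any poster. Assumptions: 192.0.2.10 stands in for the Exchange server's public IP (192.0.2.0/24 is a documentation range, so it is listed nowhere), ourdomain.com for the real domain, the three DNSBL zones are the ones queried, and PowerShell 2.0 without Resolve-DnsName, so the TXT lookup goes through nslookup.

```powershell
# Added example, not code from the thread. Assumptions: 192.0.2.10 stands in
# for the Exchange server's public IP (192.0.2.0/24 is a documentation
# range), ourdomain.com for the real domain, and PowerShell 2.0 without
# Resolve-DnsName, so the TXT lookup goes through nslookup.
param(
    [string]$PublicIP = "192.0.2.10",
    [string]$Domain   = "ourdomain.com"
)

# DNSBL query convention: reverse the octets and prepend them to the list
# zone. A listed IP answers with an A record (127.0.0.x, x encoding the
# reason); NXDOMAIN means "not listed".
$zones  = @("dnsbl.sorbs.net", "zen.spamhaus.org", "bl.spamcop.net")
$octets = $PublicIP.Split('.')
if ($octets.Length -ne 4) { throw "$PublicIP is not a dotted-quad IPv4 address" }
$reversed = $octets[3..0] -join '.'

foreach ($zone in $zones) {
    $query = "$reversed.$zone"
    try {
        $codes = @([System.Net.Dns]::GetHostAddresses($query) | ForEach-Object { $_.IPAddressToString })
        # Spamhaus answers 127.255.255.x when the query itself is rejected
        # (e.g. sent via an open/public resolver): an error, not a listing.
        if ($codes -like '127.255.*') {
            Write-Warning ("{0}: query rejected ({1}); retry from your own resolver" -f $zone, ($codes -join ','))
        } else {
            Write-Warning ("{0} is LISTED on {1}: {2}" -f $PublicIP, $zone, ($codes -join ','))
        }
    } catch [System.Net.Sockets.SocketException] {
        "{0}: not listed on {1}" -f $PublicIP, $zone
    }
}

# SPF is a TXT record at the domain apex; Windows nslookup prints it as
#   ourdomain.com   text =
#           "v=spf1 ... -all"
$spf = & nslookup -q=TXT $Domain 2>$null | Select-String -Pattern 'v=spf1'
if ($spf) {
    "SPF for {0}: {1}" -f $Domain, (($spf | ForEach-Object { $_.Line.Trim() }) -join ' ')
} else {
    Write-Warning "$Domain publishes no SPF record (or the TXT lookup failed)"
}
```

Run it from a machine that uses your own resolver, not a public one: some lists refuse queries from shared resolvers and the script reports that as a rejected query rather than a listing. A listing on SORBS with a 127.0.0.x code is the same condition the post describes, and the delisting process is then on the list operator's site.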





 