Company DNS queries through SSL VPN tunnel from home?
Hi guys,
I've got a little lack of clarity. I would like to use a server share, which is located on the office server, at home as well.
The SSL VPN tunnel works and I could connect from home to that company server share by using the server's IP address, e.g. \\192.168.21.234\data. But I would prefer to use the UNC path with the server's name instead, e.g. \\server1\data, but without forcing the entire traffic through the tunnel.
The company's DNS server address is transmitted when establishing the tunnel. All DNS queries from the Zywall tunnel are also allowed within the security policy control. And I'm also able to ping the DNS server at the office from home.
But at home I now have two DNS servers, one from the ISP and the other one from the SSL VPN (company). How could I set up the SSL VPN on the USG110 so that each VPN client uses the company's DNS server as second DNS, if it cannot resolve the company server name via the ISP's DNS server?
All Replies
-
I've figured out that DNS resolution for company shares through the SSL VPN tunnel works if the DNS suffix of our local company domain is added to the DNS settings in the Windows network adapter settings for the VPN adapter at home.
Is there a way to set the DNS suffix in the USG SSL VPN settings so that this suffix is set automatically on all client machines when connecting?
0 -
In the meantime I've changed my server share mapping scripts so that I use an FQDN like \\server1.company.local\share instead of \\server1\share. This mapped server drive could be resolved through the tunnel. And because the DNS suffix "company.local" is already available, there is no need to define it in the DNS adapter settings at home.
Unfortunately, with these FQDN names used in server shares, our Word serial letter functions no longer work, since Word won't open connected serial Word files from untrusted locations. Maybe it thinks that these files originate from the Internet. Changes in the Word Trust Center didn't succeed either.
Now we are back to drive mappings with \\server1\data so that our serial letters at the office work again. But this means that I have to set the DNS suffix "company.local" manually in the adapter settings of the VPN on each client computer.
0 -
The scenario seems similar to this thread:
https://businessforum.zyxel.com/discussion/comment/12847#Comment_12847
The DNS query priority is based on the metric of the interface, so try to make the VPN interface metric smaller than "Ethernet".
0 -
Hi Jeremylin,
Thanks for your reply. But it's not the problem to resolve the company names. This works now, either by mapping the shared drives by FQDN (e.g. \\server1.company.local\share), or by adding the domain suffix (company.local) to the advanced DNS settings of the Windows VPN network adapter. Both have been tested successfully. But the metric could nevertheless be interesting to shorten the response time of DNS queries. It seems that our company domain queries are routed to the ISP first and, when that is unsuccessful, routed through the tunnel to the other DNS server at the company. This always takes about 5-7 seconds the first time. Maybe it could be answered much faster if the DNS server at the company is asked first. I will give it a try.
0
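The two client-side settings discussed in this thread (a connection-specific DNS suffix on the VPN adapter and a lower interface metric than "Ethernet"), scripted as an added example that is not part of the original posts. The adapter alias pattern and the metric value are assumptions; `company.local` and `server1` are the names used in the thread. Run it in an elevated session after the tunnel is up.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$AliasPattern = '*SSL VPN*',    # assumption: check Get-NetAdapter for the real alias
    [string]$Suffix       = 'company.local', # domain suffix from the thread
    [string]$TestHost     = 'server1',       # short server name from the thread
    [int]   $Metric       = 5                # assumption: any value below the Ethernet metric
)

# Find the connected VPN adapter; stop if the tunnel is not up.
$vpn = Get-NetAdapter |
    Where-Object { $_.InterfaceAlias -like $AliasPattern -and $_.Status -eq 'Up' } |
    Select-Object -First 1
if (-not $vpn) { throw "No connected adapter matches '$AliasPattern'." }

# 1) Connection-specific suffix, so \\server1 is tried as server1.company.local.
Set-DnsClient -InterfaceIndex $vpn.ifIndex -ConnectionSpecificSuffix $Suffix

# 2) Fixed, low metric so the DNS servers of the VPN adapter are preferred.
Set-NetIPInterface -InterfaceIndex $vpn.ifIndex -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric $Metric

# Show the resulting order: lowest metric first, with each adapter's DNS servers.
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        [pscustomobject]@{
            Alias  = $_.InterfaceAlias
            Metric = $_.InterfaceMetric
            Dns    = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
                        -AddressFamily IPv4).ServerAddresses -join ', '
        }
    } | Format-Table -AutoSize

# Time an uncached lookup of the short name to compare against the
# 5-7 second delay described in the thread.
Clear-DnsClientCache
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$answer = Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop
$sw.Stop()
'{0} -> {1} in {2} ms' -f $answer[0].Name, $answer[0].IPAddress, $sw.ElapsedMilliseconds
```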