SSL VPN, Host Name Resolution and unidentified network

Franc
edited April 2021 in Security
Hi,
I successfully set up an SSL VPN. From the external PC I can access the whole site network, but I have two problems to fix regarding host name resolution, in both directions.

1) On the external PC, Windows Explorer doesn't show the site network computers. To browse the network shares I have to type the IP address: no host name resolution. Windows 10 Pro doesn't recognize the network: "unidentified network".

2) The site network doesn't have access to the external PC; ping doesn't work either.

In the VPN settings I have enabled Network Extension, NetBIOS broadcast and No IP Overlap, and I set it up to get access to all LAN subnets. I don't have a WINS server, and the LAN computers are not in a Windows domain.
All devices have a static IP address.

One of my doubts is about the DNS value in the VPN settings: I tried with the Zywall address and with the server address, but nothing.

Any suggestion?
Thanks and best regards



All Replies

  • Jeremylin
    In my experience, for no host name resolution, just create the PTR record on the DNS page (FQDN with IP), and select the Zywall as DNS server on the SSL VPN page.

    Also, select the subnet which can be accessed by the VPN client in the network list.

  • Franc
    Thanks for your reply. I tried, but it doesn't work.
    I think it is a DNS problem, because if I manually modify the Windows HOSTS file it works.

  • USG_User
    edited April 2020
    Environment:
    • Windows Domain where the Domain Controller is also assigned as local DNS server
    • Client SSL VPN to USG110 (no site-to-site VPN)
    • No Full Tunnel Mode, since VPN clients shouldn't route their entire internet traffic through the tunnel, to avoid blocking company bandwidth resources
    • DNS queries allowed in USG security policy from VPN zone to LAN zone
    Firstly, the VPN clients were not able to resolve the names of LAN machines. These names read e.g. \\server1 or \\server2. The server names were properly added to the local company DNS but were not reachable by name from the VPN clients. The problem was that neither the ISP DNS nor the company DNS was able to resolve such a name; only an FQDN can be resolved. We added our company domain suffix (e.g. domain.local) to the TAP VPN network adapter settings on the VPN client machines, so that the DNS query reads server1.domain.local. This could be resolved by our company DNS, and the servers were reachable by name from the VPN clients as well. It works fine, and our VPN users have full access to company LAN resources.

    But the opposite way, resolving and accessing the VPN clients from the company LAN, still doesn't work. Most probably this is available for site-to-site VPNs only. Normally in that case an additional route has to be set, giving the gateway for traffic from the LAN into the VPN tunnel. But the USG should know its connected zones and route automatically by itself. Furthermore, I wouldn't be able to set a route to the same network range, since reserved IP addresses from our local LAN segment are assigned to the VPN clients. Here I need a clue.
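The suffix-on-the-TAP-adapter fix described in the post above, carried out from an elevated PowerShell on the VPN client, as an added example that is not part of the thread and not Zyxel's or Microsoft's own documentation. The adapter alias "SecuExtender", the suffix "domain.local", the internal DNS server 192.168.1.10 and the short name "server1" are all assumed placeholders; check the real adapter alias with `Get-NetAdapter` first.

```powershell
# Added example (not from the thread). Placeholders, adjust to your environment:
$Adapter   = "SecuExtender"   # assumed alias of the SSL VPN TAP adapter (see Get-NetAdapter)
$Suffix    = "domain.local"   # assumed internal DNS suffix of the company LAN
$DnsServer = "192.168.1.10"   # assumed internal DNS server (or the USG/Zywall LAN address)
$TestHost  = "server1"        # assumed short name of a LAN server

# 1) Record the resolver state of the tunnel adapter before changing anything.
Get-DnsClient -InterfaceAlias $Adapter |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress

# 2) Attach the connection-specific suffix to the tunnel adapter only. Windows then
#    retries a failed lookup for "server1" as "server1.domain.local" without the
#    suffix being added to the global search list used on untrusted networks.
Set-DnsClient -InterfaceAlias $Adapter -ConnectionSpecificSuffix $Suffix

# 3) Point the tunnel adapter at the internal DNS server. The ISP resolver on the
#    physical adapter stays in place for public names (split tunnel, not full tunnel).
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServer

# 4) Flush the cache (negative answers are cached too), then verify three ways:
Clear-DnsClientCache
Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop                 # short name, via the suffix
Resolve-DnsName -Name "$TestHost.$Suffix" -Server $DnsServer -Type A      # explicit FQDN, explicit server
$ip = (Resolve-DnsName -Name "$TestHost.$Suffix" -Server $DnsServer -Type A).IPAddress
Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer                    # reverse lookup (the PTR record)
```

If the second query succeeds but the first fails, the suffix is not attached to the right adapter; if both fail, the USG security policy is not letting UDP/TCP 53 from the VPN zone reach the DNS server (the fourth bullet of the environment above). The "unidentified network" from the original question is a separate matter: Windows Network Location Awareness classifies a tunnel adapter that carries no default gateway as unidentified and applies the Public firewall profile, where network discovery and file sharing are off by default, which is why Explorer shows no site computers even once names resolve. Leave that profile as it is rather than enabling discovery on Public; shares reached by name or IP work without it.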
