
MiCollab Clients - VPN Split Tunnel and Corporate DNS

danramirez

Programmer
Oct 25, 2009
1,135
ES
Hi,

After a few changes to the firewall MiCollab is working, PC Client registers and Softphone is able to make/receive calls, all this as Teleworkers using MBG on the DMZ.

However, it does not work when remote users have their corporate VPN up. Note they are using Fortigate SSL VPN with Split Tunnel (i.e. the only traffic over the VPN is traffic to corporate resources; the rest of the web traffic goes out locally from everyone's home router), and the other thing is that they use the corporate DNS server while the VPN is up.

Having corporate DNS forces all MiCollab, MBG and MiVB FQDNs to be resolved locally to the local IP addresses.

With the VPN up, MiCollab PC Client registers and can start a call, and the user hears ringback. But when the call is answered at the other end it does not establish. The user keeps hearing ringback and the far end hears nothing.

It's like the signal back is not able to reach the PC Softphone within MiCollab Client. Most likely signal and media are using one route but the return signal is using a different path.

Have you come across this scenario in the past? Any hint to resolve this?

Firewall policies are according to the MBG Eng. Guidelines. And as I said before, everything works fine as pure teleworkers using MBG, without VPN.

Cheers,

daniel

 
I would modify the host file on one of these users to point to the external address to see if that works.
 
Oh yes, that works. But I should find a way to do that automatically; they have about 800 VPN/MiCollab users.

I am exploring the firewall. Apparently there is a way to also do split DNS on the firewall, so when the VPN sets up it tells the client to use such-and-such an address for certain FQDNs.

I'll let you know.
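Before rolling the hosts-file workaround out to 800 clients, it helps to see per client which address the MBG FQDN actually resolves to while the VPN is up and over which interface Windows would reach it. The following PowerShell diagnostic is an added example, not code from this thread or from Mitel or Fortinet; the FQDN mbg.example.com and the public resolver 1.1.1.1 are placeholders.

```powershell
# Added diagnostic (not from the thread): compare how the MBG FQDN resolves via the
# client's current resolver (corporate DNS while the VPN is up) versus a public
# resolver, report any hosts-file override, and show which interface carries each answer.
param(
    [string]$Fqdn = 'mbg.example.com',   # placeholder for the real MBG FQDN
    [string]$PublicResolver = '1.1.1.1'  # placeholder public resolver
)

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges: an answer here means the client got the internal (split-DNS) address
    return ($Ip -match '^10\.') -or
           ($Ip -match '^192\.168\.') -or
           ($Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

function Get-AnswerSet {
    param([string]$Name, [string]$Server)
    try {
        $q = if ($Server) { Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop }
             else         { Resolve-DnsName -Name $Name -Type A -ErrorAction Stop }
        return @($q | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { return @() }
}

# The manual hosts-file override mentioned in the thread takes precedence over DNS.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsHit  = Select-String -Path $hostsPath -Pattern "^\s*[\d\.]+\s+.*\b$([regex]::Escape($Fqdn))\b" -ErrorAction SilentlyContinue
if ($hostsHit) { Write-Host "hosts file override present: $($hostsHit.Line)" }

$current = Get-AnswerSet -Name $Fqdn
$public  = Get-AnswerSet -Name $Fqdn -Server $PublicResolver
Write-Host "current resolver -> $($current -join ', ')"
Write-Host "public resolver  -> $($public -join ', ')"

foreach ($ip in $current) {
    # Find-NetRoute shows which local interface (VPN adapter or home LAN) would carry traffic to $ip
    $route  = Find-NetRoute -RemoteIPAddress $ip -ErrorAction SilentlyContinue | Select-Object -First 1
    $ifName = (Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue).Name
    $kind   = if (Test-PrivateIPv4 $ip) { 'private (internal MBG address)' } else { 'public (external MBG address)' }
    Write-Host "$ip is $kind; reached via interface '$ifName'"
}

if (($current | Where-Object { Test-PrivateIPv4 $_ }) -and ($public | Where-Object { -not (Test-PrivateIPv4 $_) })) {
    Write-Warning "Split answer: the softphone will target the internal MBG address while the VPN is up, so signalling and media may take different paths."
}
```

Run it on an affected PC with the VPN up and again with it down; a warning in the first run and none in the second matches the symptom described in the thread.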

 
Good point. Without testing, I think it is the MBG FQDN in the corporate firewall.

By the way, I have added an FQDN for the border gateway which on the Internet translates to the firewall's external IP; that IP is then port forwarded to the local IP of the MBG on the DMZ. Only the forwarded ports as per the MBG eng. guidelines.

That same FQDN exists in the corporate DNS Server which translates to the local IP address of the MBG on the DMZ.

Is this entry really required on the corporate DNS server?

Also, when I initially configured the MBG I set it to use the corporate DNS to resolve names.

I'll do some testing during the day and come back with findings.

Thank you very much

 
From what I read as to how the push works, it always needs to go to the external address. I never have the MBG resolve to an internal address; if they require some name for management, I add an additional host name to it.
 
In the client's configuration on the laptop there is a button that changes the connection depending on whether you connect from outside (Internet) or from the local network (LAN).
As the VPN simulates being attached to the local network (LAN), you have to make the change with this button in the client's configuration; try enabling and disabling it.
Enable it when you are trying to connect from the Internet and disable it when you make a VPN connection or try to connect in the LAN.
Good luck.
 
In the PC client, and of course it is the Teleworker option.
Good luck
 