MiCollab Clients - VPN Split Tunnel and Corporate DNS 1

[danramirez]

Hi,

After a few changes to the firewall MiCollab is working, PC Client registers and Softphone is able to make/receive calls, all this as Teleworkers using MBG on the DMZ.

However, it does not work when remote users have their corporate VPN up. Note they are using Fortigate SSL VPN with Split Tunnel (i.e. only traffic over the VPN is traffic to corporate resources, rest of Web traffic goes out locally from everyone's home router), and the other thing is they use corporate DNS server while VPN is up.

Having corporate DNS forces that all micollab, mbg and mivb FQDNs are resolved locally to the local IP addresses.

When having the VPN up MiCollab PC Client registers and it can start a call, user listens to ringback. But when call is answered at the other end it does not establish. User keeps listening to ringback and far end hears nothing.

It's like the signal back is not able to reach the PC Softphone within MiCollab Client. Most likely signal and media are using one route but return signal is using differnet path.

Have you come across this scenario in the past? any hint to resolve this?

Firewall Policies are according to MBG Eng. Guidelines. And as I said before, everything works fine when as pure teleworkers using MBG, without VPN.

Cheers,

daniel

http://www.hatkanatelecom.com

 

[jpruder]

Have vpn networks been added to trusted?

 

[danramirez]

yes, already done that.
I was thinking to add a static route on the mbg, but it doesn't make sense as MBG is on the DMZ and it has a gateway IP

http://www.hatkanatelecom.com

 

[jpruder]

I would modify the host file on one of these users to point to the external address to see if that works.

 

[danramirez]

Oh yes, that works. But I should find a way to do that automatically, they have about 800 vpn/micollab users.

I am exploring the firewall, apparently there is a way to also do split dns on the firewall so when vpn sets up it tells the client that for certain fqdns to use that and that address

i'll let you know

http://www.hatkanatelecom.com

 

[jpruder]

You need to isolate what name is the problem

 

[danramirez]

Good point. Without testing I think it is the MBG FQDN in the corporate firewall.

By the way, I have added a FQDN for the border gateway which on the internet it translates to the firewall external IP, then that IP is port forwarded to the local IP of the MBG on the DMZ. Only forwarded ports as per MBG eng guidelines.

That same FQDN exists in the corporate DNS Server which translates to the local IP address of the MBG on the DMZ.

Is this entry really required on the corporate DNS server?

Also, when initially configured the MBG I set it to use the corporate DNS to resolve names.

I’ll do some testing during the day and come back with findings

Thank you very much

http://www.hatkanatelecom.com

 

[jpruder]

From what I read as to how the push works, it always needs to go to the external address. I never have the mbg resolve to an internal, if they require some name for management, I add an addition host name to it.

 

[danramirez]

removed MBG name in the corporate DNS and all sorted!
cheers all
have a nice Easter

http://www.hatkanatelecom.com

 

[Nneemesis]

In the client's configuration in the lap there is a button that changes the conecction when you tried from outside (Internet) and when you are in the local network (LAN).
As the VPN simulate like if you are attached to the local network (LAN) you have to make the change with this button in the client's configuration, try to enable and disable.
Enable when you are trying to conecct from internet and disable when you make VPN or try to connect in the LAN.
Good luck.

 

[danramirez]

Nneemeis, can you be more specific on where that option is?

Is that in the PC Client itself?

Is it the Teleworker Option?

http://www.hatkanatelecom.com

 

[Nneemesis]

in the PC client and of course is the Teleworker option.
Good luck