Some Windows VPN connections through ISA 2006 failing

Having successfully set up our company’s ISA 2006 Server and tested it from home and on a few mobile networks, I confidently distributed instructions to the staff on how to set up and gain access to the VPN.

A few days later, I was sitting back and admiring my success when I received a phone call from a user stating that they were connected to the VPN but could not access our terminal server.

A bit confused, I asked the user to disconnect and then try again, walking me through what they were doing. The user was not doing anything wrong!

It’s connecting to the network but it cannot see the network.

An nslookup confirmed that the connecting device was trying to use their local broadband router as the primary name server – no wonder it cannot see the devices on our network!

I had assumed that Windows would change the binding order and place the VPN connection at the top of the list, giving it first choice for name resolution.

Apparently I assumed wrong, and it does not work like that!

After some research and googling, I found a solution to the problem in the form of Microsoft KB311218 (http://support.microsoft.com/kb/311218). Unfortunately, the solution provided was not suitable for an end user and also had to be applied every time the VPN connection was established. What I needed was a script that could do this on the fly, and some way of packaging it up in a user-friendly way.

This led me to the Connection Manager Administration Kit (CMAK), which I was already looking into for when I implemented IPsec, the next stage of the VPN rollout.

Basically, CMAK is a way for administrators to preconfigure VPN settings and package them up into a neat executable that end users can install without having to mess about with the settings. It can also run pre-connect, post-connect and disconnect scripts automatically, making it ideal, provided I actually had a script to fix the problem.

I performed a search for CMAK scripts and KB311218. After a while I found an amazing script by Torgeir Bakken, a Microsoft MVP in Scripting and WMI, at http://www.ureader.com/message/89324.aspx. It seemed that someone else was in the same boat as me back in 2005!

Here is the script:

Const HKLM = &H80000002

sComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & sComputer & "\root\default:StdRegProv")

' TCP/IP binding list; the order of the entries is the binding order
sKeyPath = "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"
sValueName = "Bind"
oReg.GetMultiStringValue HKLM, sKeyPath, sValueName, arValues

arValuesNew = Array()

' arValues is Null if the value could not be read; change nothing in that case
If IsArray(arValues) Then
    For i = 0 To UBound(arValues)
        If i = 0 Then
            If LCase(arValues(i)) = "\device\ndiswanip" Then
                ' entry is already first in the list, no point in continuing
                Exit For
            Else
                ' put NdisWanIp in the first element in the new array
                ReDim Preserve arValuesNew(0)
                arValuesNew(0) = "\Device\NdisWanIp"
            End If
        End If

        ' copy every other entry across in its original order
        If LCase(arValues(i)) <> "\device\ndiswanip" Then
            iCountNew = UBound(arValuesNew) + 1
            ReDim Preserve arValuesNew(iCountNew)
            arValuesNew(iCountNew) = arValues(i)
        End If
    Next
End If

' only write back if a new list was actually built
If UBound(arValuesNew) > -1 Then
    oReg.SetMultiStringValue HKLM, sKeyPath, sValueName, arValuesNew
End If

By running this script, the VPN connection is placed at the top of the list. Excellent! Now just package it up with the rest of the settings using the CMAK and you are good to go!
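
Before packaging the script, it helps to be able to confirm what it did on a test client. The following read-only check is an added example, not part of Torgeir Bakken's script or of the original post: it lists the current Bind order and reports where \Device\NdisWanIp sits, without writing to the registry. The function name, messages and exit codes are choices made for this example.

```vbscript
' Added example: read-only check of the TCP/IP bind order (writes nothing).
' Run with: cscript //nologo checkbind.vbs   (file name is an assumption)
Option Explicit

Const HKLM = &H80000002
Const KEY_PATH = "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"
Const VPN_DEVICE = "\device\ndiswanip"   ' compared in lower case

' Returns the zero-based position of the VPN device in the list, or -1 if absent.
Function FindVpnPosition(arList)
    Dim n
    FindVpnPosition = -1
    If Not IsArray(arList) Then Exit Function
    For n = 0 To UBound(arList)
        If LCase(arList(n)) = VPN_DEVICE Then
            FindVpnPosition = n
            Exit Function
        End If
    Next
End Function

Dim oReg, arValues, iResult, iPos, i
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
iResult = oReg.GetMultiStringValue(HKLM, KEY_PATH, "Bind", arValues)

' A non-zero return code or a Null value means the list could not be read.
If iResult <> 0 Or Not IsArray(arValues) Then
    WScript.Echo "Could not read the Bind value (WMI return code " & iResult & ")."
    WScript.Quit 2
End If

' Print the list exactly as stored, so it can be saved before any change.
For i = 0 To UBound(arValues)
    WScript.Echo i & ": " & arValues(i)
Next

iPos = FindVpnPosition(arValues)
If iPos = 0 Then
    WScript.Echo "OK: \Device\NdisWanIp is first in the bind order."
    WScript.Quit 0
ElseIf iPos > 0 Then
    WScript.Echo "NOT FIRST: \Device\NdisWanIp is at position " & iPos & "."
    WScript.Quit 1
Else
    WScript.Echo "NOT PRESENT: \Device\NdisWanIp is not in the Bind list."
    WScript.Quit 1
End If
```

Redirecting the output to a file before the first run of the reordering script also gives a record of the original order to compare against.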

A bit more searching and I found a tutorial that explains everything, and even uses the script, with step-by-step guides. The title is a bit misleading but the content is sound.

I discovered it a bit late, but I’m glad I worked things out for myself. However, in the future I will probably just refer to this article, as it takes the guesswork out of things.

http://www.isaserver.org/tutorials/work-around-VPN-clients-split-DNS.html
