Friday, 31 July 2015

Solving the Mystery of the VPN/RAS/Web Proxy Client


An issue that came up often a couple of months ago involved problems with web browsing for RAS and VPN clients. The issue was that when a RAS or VPN client dialed into the network, the client was not able to browse the web. This was a big problem because it's not realistic to expect the RAS or VPN clients to disconnect from the network in order to access web sites.

Configuring the Gateway

One solution to this problem is to configure the Dial-up Networking (DUN) Connectoid (the icon you click to start up the connection) to not use the default gateway on the remote network. This prevents the default behavior of RAS clients of obtaining a second gateway with a lower metric pointing to the RAS or virtual connection.
The route print seen below shows what happens to the routing table when you allow the VPN client to use the default gateway on the remote network.
C:\>route print

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 40 05 37 c6 18 ...... DEC DC21041 PCI Ethernet Adapter
0x3 ...00 02 d0 6e 9c 80 ...... NdisWan Adapter
0x4 ...00 01 50 5f 9c 80 ...... NdisWan Adapter
0x5 ...00 00 00 00 00 00 ...... NdisWan Adapter

Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.181    192.168.1.181       1
          0.0.0.0          0.0.0.0    xxx.44.41.123    xxx.44.41.123       2
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2      192.168.1.2       2
      192.168.1.0    255.255.255.0    192.168.1.181    192.168.1.181       1
      192.168.1.2  255.255.255.255        127.0.0.1        127.0.0.1       1
    192.168.1.181  255.255.255.255        127.0.0.1        127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.2      192.168.1.2       1
      xxx.44.41.0    255.255.255.0    xxx.44.41.123    xxx.44.41.123       2
    xxx.44.41.123  255.255.255.255        127.0.0.1        127.0.0.1       1
    xxx.44.41.255  255.255.255.255    xxx.44.41.123    xxx.44.41.123       1
   xxx.87.141.201  255.255.255.255    xxx.44.41.123    xxx.44.41.123       1
        224.0.0.0        224.0.0.0      192.168.1.2      192.168.1.2       1
        224.0.0.0        224.0.0.0    192.168.1.181    192.168.1.181       1
        224.0.0.0        224.0.0.0    xxx.44.41.123    xxx.44.41.123       1
  255.255.255.255  255.255.255.255      192.168.1.2      192.168.1.2       1
Note the top two entries in the routing table with the network destination 0.0.0.0. These represent gateway addresses for packets with undefined routes. Notice that the IP address assigned to the VPN client is the new gateway address and has a Metric of 1. The previous gateway address, assigned by the ISP for the dial-up connection, now has a Metric of 2. This makes the VPN gateway the preferred gateway.
If you uncheck the option to Use the default gateway on the remote network, then the ISP gateway would have a Metric of 1 and the VPN gateway would have a Metric of 2. This would make the ISP gateway the preferred gateway, and Internet-bound requests would go through the ISP rather than through the VPN and into the internal network.
Note that for a direct dial-in connection, there won't be a gateway assigned by an ISP. However, if the RAS client computer is attached to another network at the time it dials up the corporate RAS server, the metric on the existing gateway will be increased by 1, and the gateway assigned by the dial-up RAS server will be the preferred gateway.
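The metric comparison described above is easy to automate: a check that reads the output of route print, finds the 0.0.0.0 default routes, and reports whether the winning gateway is the address the VPN server handed out tells you at a glance whether a client is sending Internet traffic through the tunnel or straight out through the ISP. The following is an added example, not code from the original article or from ISA Server. The routing table it parses is the article's own table re-typed as a constructed string; the function names (parse_routes, default_routes, preferred_default_gateway, is_split_tunnel) are this example's own, and the second, shorter sample models the "option unchecked" case exactly as the article describes it (ISP gateway at metric 1, VPN gateway at metric 2).

```python
"""Read Windows 'route print' output and decide which default gateway wins.

Added example (not from the original article). Parses the 'Active Routes'
section, sorts the 0.0.0.0/0.0.0.0 entries by metric and reports whether
Internet-bound traffic goes through the VPN-assigned gateway or bypasses it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int


# Five whitespace-separated columns whose last column is an integer metric.
# The column header line has six words and no trailing integer, so it is skipped.
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample: the article's routing table with
# "Use default gateway on remote network" checked (VPN gateway wins).
FULL_TUNNEL_OUTPUT = """\
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 40 05 37 c6 18 ...... DEC DC21041 PCI Ethernet Adapter
0x3 ...00 02 d0 6e 9c 80 ...... NdisWan Adapter
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.181    192.168.1.181       1
          0.0.0.0          0.0.0.0    xxx.44.41.123    xxx.44.41.123       2
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2      192.168.1.2       2
      192.168.1.0    255.255.255.0    192.168.1.181    192.168.1.181       1
      xxx.44.41.0    255.255.255.0    xxx.44.41.123    xxx.44.41.123       2
        224.0.0.0        224.0.0.0    192.168.1.181    192.168.1.181       1
  255.255.255.255  255.255.255.255      192.168.1.2      192.168.1.2       1
"""

# Constructed sample: the same two default routes with the checkbox cleared,
# so the ISP gateway has metric 1 and the VPN gateway metric 2 (split tunnel).
SPLIT_TUNNEL_OUTPUT = """\
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.181    192.168.1.181       2
          0.0.0.0          0.0.0.0    xxx.44.41.123    xxx.44.41.123       1
      192.168.1.0    255.255.255.0    192.168.1.181    192.168.1.181       1
"""


def parse_routes(route_print_output: str) -> List[Route]:
    """Return the Active Routes rows; everything before that header is ignored."""
    routes: List[Route] = []
    in_table = False
    for line in route_print_output.splitlines():
        if line.strip().startswith("Active Routes"):
            in_table = True
            continue
        if not in_table:
            continue
        match = ROUTE_LINE.match(line)
        if match:
            dest, mask, gateway, iface, metric = match.groups()
            routes.append(Route(dest, mask, gateway, iface, int(metric)))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0.0.0.0 entries, lowest metric (the preferred one) first."""
    return sorted(
        (r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"),
        key=lambda r: r.metric,
    )


def preferred_default_gateway(routes: List[Route]) -> Optional[str]:
    """Gateway of the default route with the lowest metric, or None if there is none."""
    defaults = default_routes(routes)
    return defaults[0].gateway if defaults else None


def is_split_tunnel(routes: List[Route], vpn_address: str) -> bool:
    """True when Internet-bound traffic bypasses the VPN: the winning default
    route points somewhere other than the address the VPN server assigned."""
    winner = preferred_default_gateway(routes)
    return winner is not None and winner != vpn_address


if __name__ == "__main__":
    for label, text in (("checked", FULL_TUNNEL_OUTPUT), ("unchecked", SPLIT_TUNNEL_OUTPUT)):
        table = parse_routes(text)
        print(label, "-> preferred gateway:", preferred_default_gateway(table),
              "split tunnel:", is_split_tunnel(table, "192.168.1.181"))
```

On a real client you would feed the function the captured output of route print instead of the embedded sample; the parser only needs the Active Routes block, so the interface list and any trailing Default Gateway line can be present or absent.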
Changing the Gateway Settings

How to change the gateway settings varies with the operating system. On a Windows 2000 computer, you can change it by performing the following steps:
  1. In the Network and Dial-up Connections window, right click the connectoid for the VPN or RAS connection and click Properties.
  2. In the Properties dialog box, click the Networking tab.
  3. In the Networking tab, double click on the Internet Protocol (TCP/IP) entry.
  4. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
  5. In the Advanced TCP/IP Settings dialog box (seen below) the General tab contains the Use default gateway on remote network checkbox. The default is to have this checked. If you want to use the default gateway assigned by the ISP instead, remove the checkmark from the checkbox.

  6. Click OK a bunch of times. The Connectoid will be ready to use with the new settings.
Not using the default gateway on the remote network represents a security risk. The reason is that it has the potential of allowing Internet intruders access to the internal network through a VPN client. Since the VPN client is connected to the Internet and the internal network at the same time, it has the practical effect of being like a user on the internal network with a modem attached to his computer. You wouldn't allow this on your internal network, and you shouldn't allow it on your VPN clients either.
You might want to allow the VPN client to take advantage of the Web Proxy service on the internal network. This allows you to track access for your VPN and RAS clients. If the VPN clients do not use the Web Proxy service while connected to your network, then you don't know what Internet content they are accessing while connected by the VPN.
Solving the Problem for RAS and VPN Clients
To solve the problem, we need to allow the RAS and VPN clients to use the default gateway on the remote network. The next step is to configure the browser to support use of the Web Proxy service on the internal network.
This is the step which has caused all the pain and suffering. Typically, when you set up a machine to use the Web Proxy service when connected to the network, you would perform the following steps:
  1. In Internet Explorer 5.x, click the Tools menu and then click the Internet Options command.
  2. Click on the Connections tab and you'll see what appears below.


  3. Click on the LAN Settings button and you'll see what appears below. For a network attached machine you would enter the IP address of the internal interface of the ISA Server in the proxy server address text box (as seen in the dialog box below).

If you set up the browsers on the RAS and VPN clients using these steps, attempts to connect to the ISA Server Web Proxy service will fail.
The problem is that although RAS and VPN clients are supposed to be like directly connected internal network clients, the fact is that they are not. They are dial-up clients. Therefore, the browser has to be configured to support the use of the Web Proxy service for the dial up connection. Creating LAN connection settings won't work for RAS and VPN clients.

Configuring the Browsers to Support Web Proxy through RAS/VPN Connections


To configure the browser so that RAS and VPN clients can connect to the Web Proxy service on the internal network, perform the following steps:
  1. In Internet Explorer 5.x, click the Tools menu and then click the Internet Options command.
  2. Click on the Connections tab and you'll see what appears below. This time, do not click on the LAN Settings button. Our RAS or VPN client is not directly connected to the LAN; it is connected through a dial-up link. Therefore, in the list of dial-up connections in the Dial-up settings frame, click the RAS or VPN connection that is used to connect to the internal network. Then click Settings.


  3. In this example, I clicked on the Exeter VPN connection and clicked Settings. This brings up the Exeter VPN Settings dialog box as seen below. Put in the IP address of the ISA Server's internal interface and port 8080 in the Address and Port text boxes (as seen in the figure below). Note that you do not need to enter Dial-up settings credentials in order for this to work.

  4. Click OK a couple of times, and you're ready to connect.
It's that easy! The key here is that you configure the browser so that the dial-up connection is used to connect to the Web Proxy service. The mistake most of us made was that we assumed the VPN or RAS client was configured like a client directly connected to the internal network.
Note that a VPN client usually dials up to an ISP before creating the VPN connection. Be sure to make the proxy configuration changes to the VPN dial-up connection, and not to the ISP dial-up connection. If you are using a direct dial-in RAS client that connects to a dial-in server, you make the proxy configuration settings apply to the RAS connection used to dial in to the server.
Finally, it is interesting to note that these configuration requirements seem specific for Internet Explorer 5.x. We have tested Internet Explorer 4.01 and Opera, and both of these clients were able to use the network proxy settings, even when RAS or VPN client connections were made. Thus, we can consider this a special "feature" of Internet Explorer 5.x.

Summary

It is important that RAS and VPN clients use the default gateway on the remote network when dialing into the corporate network. In order to allow the browser on the VPN or RAS client to use the Web Proxy service on the internal network, you must change the configuration of the browser's proxy settings. Instead of configuring the browser to use the LAN to connect to the ISA Server Web Proxy service, you must configure the dial-up connection used to connect to the network. Once the dial-up connection is configured to use the internal interface of the ISA Server as its proxy address, the VPN or RAS user will be able to use the Web Proxy service on the ISA Server to connect to the Internet.
I hope you found this article interesting and/or useful. If you have questions or comments about the information contained in this article, please post a message in the Web Proxy forum, or write to me at tshinder@isaserver.org and place the name of the article in the subject line of the message. Thanks! -Tom.

from http://www.isaserver.org/tutorials/Solving_the_Mystery_of_the_VPNRASWeb_Proxy_client.htm