

Intranet page will not display via VPN

Question

Tuesday, October 12, 2010 3:11 AM

I have a new Intranet web server running Windows Server 2008 R2. The Intranet site name is different from server host name. Here's the problem:

When I am on the corp network to access the Intranet site, it works either using the DNS CNAME alias for the Intranet site, or using a DNS host record with a separate IP. But the site will not display if I VPN into the network. I can ping the Intranet site either by its IP or by DNS name via VPN. Network Diag in IE didn't detect any issue.

I don't have the same problem with other web servers running Windows Server 2003. I also have other 2 web servers running Win2008 R2, and I am not using alias or host record for them. 1 has problem, the other has no issue.

Thanks and regards.

All replies (30)

Tuesday, October 12, 2010 12:12 PM

Hello,

When you connect to your company via VPN, are you using the gateway from the company? By the way, when you connect to your company via VPN, did you take an IP address the same as the site?

Best Regards.

Fatih


Wednesday, October 13, 2010 2:56 AM

In addition to Fatih's suggestion, if you created a zone based on the FQDN of the intranet site and create a blank hostname under it with the site's IP and eliminated the CNAME, does it work?

I realize this is all DNS based, but curious, are you using WINS?

 

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Wednesday, October 13, 2010 5:56 AM

Hi,

 

Thanks for posting here.

 

You mentioned that there is no problem pinging the internal DNS name and IP address when the VPN is connected. Besides the network connectivity and name resolution, another thought is the browser.

What’s the IE version running on your client?

What does the browser prompt when it fails to access this site?

What if you use another browser to access this intranet via VPN?

If you are using IE, please try cleaning all cookies and temporary files, restart the computer, connect the VPN and try again:

 

You receive an error message in Internet Explorer: "Internet Explorer cannot display the webpage"

http://support.microsoft.com/kb/956196

 

Thanks.

 

Tiger Li

 

TechNet Subscriber Support in forum

If you have any feedback on our support, please contact [email protected]  

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


Thursday, October 14, 2010 4:03 AM

Thanks, everyone, for your help.

The VPN is Citrix Netscaler. I use IE 8, it says: "Internet Explorer cannot display the webpage". I ran diag, it says: "Troubleshooting couldn't identify the problem."

As Tiger suggested, I ran Safari, it says: "Safari can’t open the page “http://site.my.org/” because the server where this page is located isn’t responding." (Then again, I can ping the site name and IP address with no issue.) Safari correctly displays another one of my Intranet sites running on Windows Server 2003, as I said before, but not on site running on Windows Server 2008 R2.

This issue is occurring on everyone's computer, not just on a few of mine. I don't use WINS, but I still have WINS. Will WINS affect this?

I have already eliminated the CNAME, and now use A record with a dedicated IP address. Still nothing can make it work.

Thanks and regards.


Thursday, October 14, 2010 4:44 AM

Have you allowed traffic between the intranet subnets and the VPN client subnet in Netscaler? If not sure, you would need to consult the docs on how-to.

WINS actually wouldn't have anything to do with what's going on here, rather WINS resolves NetBIOS names (single name) to IP addresses, and is an excellent solution to allow VPN clients to connect using single names, as well as have Network Neighborhood browsing support.

Regards,
Ace

Ace Fekay


Thursday, October 14, 2010 6:37 AM

Hi,

Please perform "tracert <intranet web site address>" and "pathping <intranet web site address>" on the client when the VPN is connected and post the result here.

Have you set any restriction, such as a source address limitation, on that web server or IIS?

Meanwhile, you might also like to capture the traffic when accessing the intranet through VPN via Network Monitor.

Network Monitor 3.4

http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

Thanks.

Tiger Li



Friday, October 15, 2010 8:37 AM

Hi ,

If there is any update on this issue, please feel free to let us know.

We are looking forward to your reply.

Thanks.

Tiger Li



Monday, October 18, 2010 2:37 AM

Thanks for the follow-up. Network Monitor captured a lot of data, and I don't know how to analyze it.

This is what's happening. I did the Intranet site migration. The old site runs IIS on Windows Server 2003; and the new site runs IIS on Windows Server 2008 R2. I am doing the web page redirect from the old site's homepage to the new site's homepage.

When on the local network, the redirect works with no issue; whereas via VPN connection, the redirect is stuck on the redirect page on Windows Server 2003. Also, via the VPN connection, if I type the new URL directly, IE cannot display the page, cannot detect any problem either.

Thanks for your help, and let's close the issue.


Monday, October 18, 2010 8:16 AM

Hi,

Thanks for the update.

Which address is the redirect set to on the old IIS server? The internal or external address of the new host?

Thanks.

Tiger Li



Monday, October 18, 2010 1:09 PM

In addition to Tiger's question about the URL name, are you using the NetBIOS (computername) of the machine in the URL, such as http://webServerName ?

Also, when the Intranet site was migrated, were any parts of the web application in the Intranet's site hardcoded with gotos referencing the old web server name?

Ace

Ace Fekay


Monday, October 18, 2010 2:05 PM

I use FQDN. But I have tried every possible way to enter the URL, NetBIOS, FQDN or simply IP address; but none works via VPN. When I ping the server using NetBIOS, FQDN or IP, they all work.

Per Netscaler administrator, Netscaler uses split DNS, and I haven't seen any name resolution problem.

To answer Tiger's question, this is the redirect code using FQDN running on the old Intranet site homepage: <meta http-equiv="refresh" content="0; url=http://NewIntranetSiteName.my.org">

Thanks for keeping looking into this.


Monday, October 18, 2010 2:41 PM

How does split DNS work? Is that a combo of internal and external DNS servers in a VPN client config?

Have you tried configuring a redirect directly in IIS instead of using a redirect asp (assuming this is ASP)?

I use the following in a default.asp page for my Exchange redirects, which work fine.

<% response.redirect("https://mail.myPublicDomainName.com/owa") %>

 

Ace Fekay


Monday, October 18, 2010 3:26 PM

My understanding of the Netscaler split DNS is that during a VPN session, the external naming resolution is taken care of by the ISP's DNS server; whereas internal naming by the corp's internal DNS server.

My problem is not web page redirect, or DNS. My problem is when I am on VPN I cannot open the Intranet site running on Windows Server 2008 R2's IIS. Neither redirect nor typing the new site name (host or FQDN) works.

Thanks and regards.


Monday, October 18, 2010 4:32 PM

Not sure what that means, but it appears that Netscaler is using an ISP's DNS somewhere?

Just an FYI, any VPN solutions I've designed for small or large companies, I've always used the internal DNS while VPN is connected. The VPN (RRAS) interface is set to the top of the binding order. In the VPN, I set it to not use the remote gateway (the corp gateway so local internet traffic doesn't traverse the VPN). In Cisco, they call that Split-Tunneling. But it has nothing to do with DNS, rather how traffic is routed depending on where you're going. DNS is all done at corp while connected so it provides internal names and will forward outside resolution to the ISP (based on your DNS forwarders).

Then if the problem is solely that you can't connect to the intranet site while over VPN, then it's starting to sound like a firewall port block issue in the VPN. By rights, any VPN connection should be able to access the same things as if they were on the LAN in the office.

Ace Fekay


Tuesday, October 19, 2010 3:38 AM

Hi ,

 

Thanks for update.

 

After you mentioned that you had set redirection on your server, I thought that this might be the root cause of the issue.

What I wanted to say in my last post: the new server address that you set the redirect to on the old server should be resolvable and accessible from the VPN client or the internet.

Please try to access http://NewIntranetSiteName.my.org on the VPN client and check if it is resolvable or accessible.

Meanwhile, for setting the redirect I prefer IIS to a program.

 

Configuring HTTP Redirection in IIS 7

http://technet.microsoft.com/en-us/library/cc732969(WS.10).aspx

 

Please check the above settings and post back.

 

Thanks

 

Tiger Li

 



Tuesday, October 19, 2010 3:54 AM

Thanks for the suggestions.

The Intranet IIS server is being maintained by external developers, therefore I have to keep the site and page redirect using the HTML header. But I am glad that I've just learned that I can do it in IIS too.

As I said, if I type http://NewIntranetSiteName.my.org on VPN client, the page will not display, but the diag detects no issue, and ping site, FQDN and IP all work. No firewall is enabled on the IIS server.

I did another test, trying to RDP into a few of the Windows 2008 R2 servers via VPN. Some work even with firewall on, some don't even with firewall off.

I will try a bit more. If I find anything I will report back.

Thanks a lot!


Tuesday, October 19, 2010 7:40 AM

Hi,

Thanks for the update.

Meanwhile, you might also like to consult with the external developers to check the new IIS settings.

IIS trace logging might be a good method.

Enable Trace Logging for Failed Requests (IIS 7)

http://technet.microsoft.com/en-us/library/cc725786(WS.10).aspx

Thanks.

Tiger Li



Tuesday, October 19, 2010 2:29 PM

Fat Frog,

I agree with Tiger.

You need to consult with the external devs on this, if you haven't done so prior to your intentions of moving the site to a new server. My feeling is no matter how you redirect it, whether through an ASP page, within IIS, etc, it won't work.

This all depends on how the webapp was designed. If it uses a root reference from the wwwroot in the actual HTML, ASP pages or compiled apps, then you can move it from machine to machine. If the references within the web app are hard coded to the servername that it was intended to run on, then they need to be manually changed.

For example, if this is a website designed with a .Net application, you can take a look at the web.config file under the c:\inetpub\www folder. With .Net sites, this file controls the flow. Copy it so you don't lose the original, but search through it for the old server's name in the file.

If this is a Java based site, or anything else, then I'm not sure how it's setup. You would have to look through the various HTML files to find if there are references to the old server's URL.

There may also be other references in the compiled application itself that you can't change without the original code in Visual Studio (if .Net based), which the devs own, hence back to the requirement that you need to consult with the devs.

Ace

 

Ace Fekay


Friday, October 22, 2010 1:44 AM

Hi,

If there is any update on this issue, please feel free to let us know.

We are looking forward to your reply.

Thanks.

Tiger Li



Friday, October 22, 2010 3:01 AM

Thanks for the follow-up. Please treat the issue as "closed".

Apart from the web issue, I also found another issue on the same server that may be related. When I connect to the network via VPN, I cannot RDP into this particular server, even though RDP has been enabled; but I don't have the same issue while on the network, or with other Windows Server 2008 R2 servers.

Thanks and regards.


Friday, October 22, 2010 6:19 AM

Hi Fat Frog,

It appears to possibly be a routing issue through the VPN, or a firewall issue through the VPN. Either the RDP port is blocked across the VPN, or the machine may be on a different subnet that hasn't been trusted or a route set for VPN traffic.

I hope you can find out what the problem is.

Ace

Ace Fekay


Friday, October 22, 2010 1:02 PM

Thank you, Ace.

The firewall has been turned off on the server. This box is running on one of the blades, and there are other Windows Server 2008 R2 servers in the same enclosure, sharing the same block of IP addresses on the same subnet. So far I have only seen VPN connection issue on this web server.

Thanks and regards.


Friday, October 22, 2010 3:03 PM

Looking at the RDP settings (in Computer Properties, Remote settings), is there a subnet restriction?

Ace Fekay


Friday, October 22, 2010 4:11 PM

Of the two selections under the Remote Desktop, the "less secure" is selected: "Allow connections from computers running any version of Remote Desktop." (The other choice is "Allow connections only from computers running Remote Desktop with Network Level Authentication.")

Thanks and regards.


Friday, October 22, 2010 6:08 PM

I was thinking more on the lines that if RDP is enabled via a GPO, you can control which subnets can access it, but not from the GUI. But as long as it's enabled and using less secure to at least eliminate that possibility, then at least that part is ok.

And all the machines are on the same subnet and the others allow RDP to them. Hmm.

Unless there's something blocking RDP to this machine in the firewall/VPN device, the local firewall on the machine is blocking it, the server's Network Connections window shows "No Internet" or Public, or something other than Work or Private for Network Location Awareness (NLA), or the gateway is incorrect in its NIC (which would cause the "No Internet NLA", too), I'm fresh out of ideas.

Ace Fekay


Friday, October 22, 2010 7:13 PM

Fat Frog, Ace, Tiger, et al,

I haven't read all the replies, but the initial problem caught my attention, so forgive me for jumping in the middle of this. I have seen this issue all too much when ICMP / MTU Path discovery is not working properly in the environment. I would look at this article for some troubleshooting advice for determining if this is the issue, and how to fix it.

http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Troubleshooting%20MTU%20Path%20Discovery%20issues%20over%20a%20VPN%20Tunnel.aspx

Good luck, hope you find this information useful.
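
An added example, not part of the original thread or of the linked article: a PowerShell check for the symptom discussed here, where ping answers over the VPN but HTTP and RDP do not. It tests TCP connects on ports 80 and 3389 and uses Don't Fragment pings to find the largest ICMP payload that crosses the tunnel; the target is the placeholder site name from the thread, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Run on the VPN client while connected.
# $Target defaults to the placeholder site name quoted in the thread.
param(
    [string]$Target = 'NewIntranetSiteName.my.org',
    [int[]]$Ports = @(80, 3389),   # HTTP and RDP, the two services that failed
    [int]$TimeoutMs = 3000
)

# Hypothetical helper: $true only if a full TCP handshake completes in time.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        return ($client.ConnectAsync($HostName, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false              # refused, reset or unreachable
    } finally {
        $client.Close()
    }
}

# Hypothetical helper: one echo request with the Don't Fragment flag set.
function Test-DfPing {
    param([string]$HostName, [int]$PayloadBytes, [int]$TimeoutMs)
    $ping = New-Object System.Net.NetworkInformation.Ping
    $opts = New-Object System.Net.NetworkInformation.PingOptions(64, $true)
    $buf  = New-Object byte[] $PayloadBytes
    try {
        $status = $ping.Send($HostName, $TimeoutMs, $buf, $opts).Status
        return ($status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false
    } finally {
        $ping.Dispose()
    }
}

# Binary search for the largest DF payload that gets a reply.
# 1472 bytes of payload + 28 bytes of IP/ICMP headers = a 1500-byte packet.
function Get-MaxDfPayload {
    param([string]$HostName, [int]$TimeoutMs)
    $low = 32; $high = 1472
    if (-not (Test-DfPing $HostName $low $TimeoutMs)) { return -1 }
    while ($low -lt $high) {
        $mid = [int][math]::Ceiling(($low + $high) / 2)
        if (Test-DfPing $HostName $mid $TimeoutMs) { $low = $mid } else { $high = $mid - 1 }
    }
    return $low
}

$maxPayload = Get-MaxDfPayload $Target $TimeoutMs
$tcp = foreach ($p in $Ports) {
    [pscustomobject]@{ Port = $p; Connected = (Test-TcpPort $Target $p $TimeoutMs) }
}
$tcp | Format-Table -AutoSize
if ($maxPayload -lt 0) {
    "ICMP: no reply even to a 32-byte ping"
} elseif ($maxPayload -lt 1472) {
    "ICMP: largest DF payload is $maxPayload bytes (path MTU about $($maxPayload + 28))"
} else {
    "ICMP: full 1500-byte packets pass, so path MTU is not the limit"
}
if ($maxPayload -ge 0 -and ($tcp | Where-Object { -not $_.Connected })) {
    "Ping answers but a TCP connect fails: check filtering, routing or the server's NIC setup, not DNS"
}
```

Running the same script from the LAN and from the VPN and comparing the two outputs separates a name-resolution problem from a transport problem.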


Friday, October 22, 2010 8:20 PM

Thanks for the article.

The firewall on the web server that I am having issue with has been turned off; and the other Windows Server 2008 R2 blades within the same enclosure are fine even with firewall turned on.

I may open a support case with PSS if I have access to a public network during the day. Or I can set up an RDP to a home computer using Live Mesh, in order for PSS to troubleshoot. But I will be away for 3 weeks; so I will not have anything to report back until then.

Thank you all for your support.


Friday, October 22, 2010 11:15 PM

That's a nice article from Gunner. That may help with another thread regarding MTU issues.

Frog, I hope you can get to the bottom of this. If PSS figures it out, please do post what it was.

Thanks,

Ace

Ace Fekay


Saturday, February 5, 2011 7:26 PM

I started this, and I'd like to follow it up and finally close it, even though the issue has yet been resolved, (and I have spoken with Microsoft Product Support Service).

This is not a Microsoft issue, but rather an issue related to the NIC teaming on HP blade servers running on Windows Server 2008 (R2). The issue goes away when the teaming is dissolved, and this issue doesn't happen on Windows Server 2003 with NIC teaming.

What's interesting is that, the BGInfo tool (part of the PSTools) cannot get the server's IP address when NICs are teamed. This may say something about the NICs or the NIC drivers that come from HP.

Thanks.


Sunday, February 6, 2011 1:21 AM

Thank you for the update. Interesting teaming is the issue. The thought never occurred to ask if teaming was in place. I'm sure that Microsoft PSS may have provided docs on it, but to update others reading this thread, teaming is actually not supported by Microsoft on any server version. I realize that it works under 2003 and not 2008, which more than likely points to a driver issue, as you've implied, but overall it's suggested to not use teaming. Here are a couple links for others to read up on.

If Microsoft PSS provided any links regarding not using teaming other than KB278431 below, please do post them for us. - Thanks.

Teamed network cards for domain controllers? (Thread Answered by a great write-up by Jared Crandall, former Microsoft Support Engineer)
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/f5dea401-5a3b-4ddb-8bb8-8d2b2e2db55b

Using teaming adapters with network load balancing may cause network problems
http://support.microsoft.com/kb/278431

 

Ace

Ace Fekay