Forum Discussion
Exclude Lync Traffic From SSL VPN
I am trying to exclude Lync traffic from resolving over the VPN tunnel when established using split tunneling, basically as this site describes: http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
Looking under Network Access and the network profile, I have options to exclude IP addresses and DNS addresses. I have done this for all of our external/internal connections, but we still see Lync re-connect when the VPN is started and stopped, using the internal address?
As a side note, our Lync servers are on a subnet (a /24) with other servers that need to be reached over the VPN. I was able to subnet this out so that the Lync servers are not even in the routing table. However, the F5 has VIP addresses that directly connect to that subnet, so I added those addresses to the excluded space.
I cannot see what else I am missing. Is there some other place or setting where this should be set?
- Rusty_M_140798 Nimbostratus
This is related to this other post I started; the same solution worked for Lync. The issue is with hosts file access.
https://devcentral.f5.com/questions/exclude-traffic-from-ssl-vpn
- pspecht_152507 Nimbostratus
I will post my question here because it is specifically about Lync.
Rusty, did you add static hosts for all your Lync addresses?
I am using this document for Lync access. https://technet.microsoft.com/en-us/library/gg398758.aspx
I am testing only with the internal records in the list, but I believe the Lync client caches the SRV record _sipinternaltls._tcp.domain address and keeps using it.
I do not want to block the internal IPs of the Lync servers, as I need RDP access to them over VPN, and don't want to RDP to another server to then RDP to the Lync servers.
- pspecht_152507 Nimbostratus
I have this corrected, "I believe". The Lync Client Configuration Information shows the inside user status as false now. We have split-brain DNS. I have added the following static hosts to the Network Access List in the access policy:
lyncdiscoverinternal. - set to 1.1.1.1 so it times out
_sipinternaltls._tcp. - set to 1.1.1.1 so it times out
sip. - set to external IP
I also have other external DNS records in there; not sure if they are needed or not. I believe the sip. was the key, as that is resolved from the SRV records for _sip._tls. Maybe someone else can chime in to verify the proper records to have.
- Lee_Payne_53457 Cirrostratus
We're looking to do the same thing. I've followed your instructions, but it still hits the internal address (we block the external address from connecting at the moment so I can be sure when it works). Which other external records did you have in there? I currently only have the three you specified.