Hi,
I have encountered this problem with my costumer where they connect through VPN from Denmark (another domain), to their HQ in Sweden, and when they do their Outlook stop working. And when they disconnect from the VPN it starts working again.
Therefor I wonder if it is some kind of firewall problem? Do I need to allow their domain maybe?
Do you have any ideas what to do?
Solved! Go to solution.
What kind of VPN are they using? It is a full-tunnel VPN? Also, is this a third party tunnel or a client VPN?
Are they able to ping, tracert the necessary Exchange server when they're on the VPN connection?
Can you run a pcap to see what the traffic does when they're on the VPN and trying to use Outlook/O365?
A full tunnel VPN. It's a L2TP VPN through Windows.
I will look into doing some pcap.
One more thought:
When connected to the VPN, can end users nslookup/dig the mail server's name? The autodiscover record's name?
Outlook will throw a fit if you're blocking 443 to the autodiscover server.
Assuming full tunnel and MX-based content filtering, check if webmail is being blocked on the content filter. Check the event log for potential hits if so. If that's blocking it, you'll need to allow your mail serv.
Is Exchange in the MS Cloud, or is it at a local server?
Having put everything to do with Office/Exchange/OneDrive at a Cloud location, we have discovered that life has become simpler all round.
I'm guessing you have full tunnel VPN at the customer and the IP address ranges given out for the VPN clients in Denmark don't have a rule on the internet firewall in Sweden that allows them out to Office 365. Either that or the subnet given to the VPN clients in Denmark has no route on the firewall in Sweden.
Otherwise please follow the troubleshooting steps above.
As it is on site Exchange then please ignore the internet firewall comment, it shouldn't be the issue. With the VPN disconnected how do they access the Exchange server in Sweden from Denmark?
Ah, so subnet overlap is bad. Makes traffic flow go weird.
So I would:
1. Change them to a unique subnet for the client VPN.
2. If still problem, set them up as split-tunnel if they're on Win10. I have scripts in my signature that you're welcome to grab and butcher.
3. Verify again that nslookup/dig is resolving to the correct IP for their mailserv.
Split-tunnel will allow their local traffic (internet, LAN) to split off and go where it normally goes. Saves you overhead on your link.
As far as I am concerned
192.168.2.0/24 (192.168.2.0 - 192.168.2.255)
and
192.168.3.0/24 (192.168.3.0 - 192.168.3.255) is OK
but
either 192.168.2.0/24 or 192.168.3.0/24
and 192.168.2.0/23 (192.168.2.0 - 192.168.3.255) is not OK
This only become a problems for me when I deliberately want to treat two separate subnets (eg 192.168.2.0/24 and 192.168.3.0/24) as a single supernet (eg 192.168.2.0/23). very often, I wish to deal with /24 networks at the micro level and /23 networks at the macro level, but very few switches and routers allow this.
@LoxPontus wrote:
So having VPN network for example 192.168.3.0/24 and LAN network 192.168.2.0/24 is not good?
I'm a little confused. Is your VPN "three" and their LAN "two"?
If so, no subnet overlap. But your end user's traffic is all going over your tunnel because you've got them on a full tunnel client VPN. You said mail serv is on-prem for your remote users? Full tunnel = they need to use the mail serv's public IP.
If your VPN is "two" and their LAN is "two", or three/three, then that's overlap and that's bad.
I will ask them to do that and see the outcome.
A lot of help here, and I appreciate it! A lot of questions from you and I dont know if I have answered all of them. It´s been an intensive couple of days.
But the thing is, we have kind of concluded that it is not a DNS problem. But perhaps a firewall problem.
Do I need to open some ports for Office365 over VPN? Because the only rule that is set up today for the VPN network is: "Allow - Any Protocol - Source: [VPN Network] - Src port: Any - Dest: [LAN Network] - Dest port: Any"
And then there is two other rules including soruce "Any" on port 25,443 towards local server.
How do the client IP addresses compare to the exchange server's IP address.
If the clients and exchange server are both in Denmark and you are doing a client VPN full tunnel to Sweden then it locks you out of anything not on the same subnet and can lock you out of anything local at all. Can they access any local resources when the VPN is connected, printers, other servers etc.?