Finally got a call back from eSoft tech support (firewall vendor). Their firewall rules are hierarchical so where a rule falls in the pecking order matters. Turns out the "webaccess" rule came before the "VPN" rule. As such, the internal webserver address was passed to the web proxy and failed because external DNS servers don't have our internal addresses.
Once the webaccess rule was placed below the VPN rule, everything started working.

On an interesting related matter, the internal webserver in question was our WSUS 3.0 server. Sure enough, when the rules were re-ordered I could get the informational webpage from the WSUS server to come up on the remote PC, but Windows Update still wasn't working. Checking the %windows%\windowsupdate.log file showed that the PC was successfully contacting the WSUS server and identifying the appropriate updates to install, but the PC failed to download the updates. A "DnldMgr Error 0x80072efd occurred while downloading update" error was at the end of the log. An error with numerous possible causes. Here's what I had to do on the remote PCs to get it working...

* Stop the Automatic Updates service.
* Stop the Background and Intelligent Transfer (BIT) service.
* Delete the contents of the %windows%\SoftwareDistribution directory
* Flush the DNS cache (ipconfig /flushdns)
* Re-start the BIT service
* Re-initialize Windows Update (wuauclt /resetauthorization /detectnow)

I had to do a lot of searching to stumble on this procedure to re-initialize the PC's Windows Update state, so I'm noting it here in the hopes it saves someone else a lot of grief trying to set up remote PCs to update from a local WSUS server.

----------------------
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

_____

From: Ziots, Edward [mailto:ezi...@lifespan.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Wed, 16 Mar 2011 09:21:04 -0500
Subject: RE: R: DNS Issue

Ok, therefore from the local site you don’t have an issue getting to the server on the local site.
From the remote site it is filtered, which means you either have a routing issue or an ACL which is dropping traffic to the web server (why you are seeing port 80 filtered). I would review the ACLs on the VPN (Source/Dest IPs/Ports) on traffic coming from the remote site to the local site. Are there other remote sites that can access this web server? (If so, look at the ACLs for that site to ascertain what is different accordingly.) Also, do you know a port that is open from the remote site to the local site to that server that could be used as a test for source port? (like port 25, 22, 23, 445, 139)

Basically the syntax would be the following from the “remote site”:

nmap -sS -P0 -g Source_port -p 80 Local_web_Server_ip

If you want to look at a debugged output the command would be the following:

nmap -sS -P0 -g Source_port -p 80 -d Local_web_Server_ip

If you get a good connection to the server you should see the following come back:

Scanned at 2011-03-16 10:19:11 Eastern Daylight Time for 1s
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
Final times for host: srtt: 0 rttvar: 5000 to: 100000

HTH
Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Wednesday, March 16, 2011 10:03 AM
To: NT System Admin Issues
Subject: RE: R: DNS Issue

Thanks. Handy utility. I used NMAP, both on the local LAN and on the remote site.

Local
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.0

Remote
PORT   STATE    SERVICE VERSION
80/tcp filtered http

The help file shows...

filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port.

This is indeterminate but suggests that the firewall may be interfering. Still waiting for the firewall tech support to get back to me.

----------------------
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

_____

From: Ziots, Edward [mailto:ezi...@lifespan.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Wed, 16 Mar 2011 07:43:10 -0500
Subject: RE: R: DNS Issue

If you want to see if port 80/443 is open on the end-point device, a simple NMAP command will tell you this. (If there is an ACL on the router/VPN it will show "Filtered".)

nmap -sS -P0 -p 80,443 IP_ADDRESS_OF_Server

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Kim Longenbaugh [mailto:k...@colonialsavings.com]
Sent: Tuesday, March 15, 2011 11:43 AM
To: NT System Admin Issues
Subject: RE: R: DNS Issue

That verifies routing is good. Check the logs for your VPN device to see what’s happening to the http traffic. It’s likely being dropped or blocked.

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Tuesday, March 15, 2011 10:39 AM
To: NT System Admin Issues
Subject: RE: R: DNS Issue

Here's a sample trace...

C:\>tracert win2k8-1

Tracing route to win2k8-1.wiscoind.local [172.16.1.6]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  InstagateAL.wiscoind.local [172.17.1.2]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4    71 ms    65 ms    65 ms  win2k8-1.wiscoind.local [172.16.1.6]

----------------------
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

_____

From: Cameron Cooper [mailto:ccoo...@aurico.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Tue, 15 Mar 2011 10:37:01 -0500
Subject: RE: R: DNS Issue

Tracert the IP and see where it’s routed. We have a separate LAN that connects via VPN, and in order for the PCs to access Exchange we placed a persistent route in the route tables that points all email traffic through the VPN.
Thank you,

_____________________________
Cameron Cooper
System Administrator | CompTIA A+ Certified
Phone: 847-890-4021 | Fax: 847-255-1896
ccoo...@aurico.com | www.aurico.com

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Tuesday, March 15, 2011 10:30 AM
To: NT System Admin Issues
Subject: Re: R: DNS Issue

I answered too quick. When you say the routing, I'm not sure what you mean. The webserver's address is resolved through AD. And the individual subnets are sites in AD.

----------------------
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

_____

From: HELP_PC [mailto:g...@enter.it]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Tue, 15 Mar 2011 10:26:11 -0500
Subject: R: DNS Issue

Is the routing distributed by the DHCP server?

GuidoElia
HELPPC

_____

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Tuesday, 15 March 2011 16:19
To: NT System Admin Issues
Subject: DNS Issue

I have two locations connected via VPN. The main location LAN is 172.16.x.x and the remote location is 172.17.x.x. I'd like users on the 172.17.x.x end to access a webserver on the 172.16.x.x end, but it doesn't work and I'm not sure why. The users at the 172.17.x.x end have their Win2003 server as their DNS server. I can ping both the webserver's name and IP address from the 172.17.x.x PCs without problem. The webserver's name resolves to the IP address. All our servers and users are members of a single domain, just on different subnets. What am I missing?

----------------------
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
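The root cause in Bob's final message at the top of this thread was first-match rule ordering: a broad "webaccess" rule above the more specific "VPN" rule caught traffic for the internal web server and handed it to the proxy. The PowerShell below is an added example, not code from the thread or from the eSoft product. The rule names and the 172.16.x.x / 172.17.x.x subnets are taken from the thread; the rule fields, the two action strings, the sample remote address 172.17.1.50 and the public address 203.0.113.10 are constructed, and the shadowed-rule check is a generalization of the same idea (any rule fully covered by an earlier, broader rule can never match).

```powershell
# Added example: first-match evaluation of an ordered firewall policy, showing
# why the order of the "webaccess" and "VPN" rules decided the outcome.
# Rule fields, actions and sample addresses are assumptions for illustration.

function ConvertTo-Int64Address {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    # Big-endian bytes to one integer; arithmetic instead of -shl so it runs on PowerShell 2.0 too
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-InSubnet {
    # True when $Address falls inside $Cidr (e.g. '172.16.1.6' in '172.16.0.0/16').
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $mask = 4294967296 - [int64][math]::Pow(2, 32 - [int]$bits)   # /0 gives mask 0, i.e. match all
    return ((ConvertTo-Int64Address $Address) -band $mask) -eq ((ConvertTo-Int64Address $net) -band $mask)
}

function Test-SubnetContains {
    # True when every address of $Inner lies inside $Outer.
    param([string]$Outer, [string]$Inner)
    $innerNet, $innerBits = $Inner -split '/'
    $outerBits = [int]($Outer -split '/')[1]
    return ($outerBits -le [int]$innerBits) -and (Test-InSubnet $innerNet $Outer)
}

function Resolve-Policy {
    # First rule whose source and destination both match wins; later rules are never consulted.
    param([object[]]$Rules, [string]$Source, [string]$Destination)
    foreach ($rule in $Rules) {
        if ((Test-InSubnet $Source $rule.Source) -and (Test-InSubnet $Destination $rule.Destination)) {
            return $rule
        }
    }
    return $null
}

function Find-ShadowedRules {
    # Reports rules that an earlier, broader rule hides completely (a classic ordering defect).
    param([object[]]$Rules)
    for ($i = 1; $i -lt $Rules.Count; $i++) {
        for ($j = 0; $j -lt $i; $j++) {
            if ((Test-SubnetContains $Rules[$j].Source $Rules[$i].Source) -and
                (Test-SubnetContains $Rules[$j].Destination $Rules[$i].Destination)) {
                Write-Output ("Rule '{0}' is shadowed by earlier rule '{1}'" -f $Rules[$i].Name, $Rules[$j].Name)
                break
            }
        }
    }
}

# Two rules modelled on the thread (field layout and action text are assumed).
$webaccess = New-Object PSObject -Property @{ Name = 'webaccess'; Source = '172.17.0.0/16'; Destination = '0.0.0.0/0';     Action = 'send to web proxy (external DNS)' }
$vpn       = New-Object PSObject -Property @{ Name = 'VPN';       Source = '172.17.0.0/16'; Destination = '172.16.0.0/16'; Action = 'route through VPN tunnel' }

$remotePc  = '172.17.1.50'   # constructed sample address on the remote subnet
$webServer = '172.16.1.6'    # the internal web server from the tracert in the thread

$hit = Resolve-Policy -Rules @($webaccess, $vpn) -Source $remotePc -Destination $webServer
Write-Output ("As found (webaccess above VPN): matched '{0}' => {1}" -f $hit.Name, $hit.Action)

$hit = Resolve-Policy -Rules @($vpn, $webaccess) -Source $remotePc -Destination $webServer
Write-Output ("As fixed (VPN above webaccess): matched '{0}' => {1}" -f $hit.Name, $hit.Action)

$hit = Resolve-Policy -Rules @($vpn, $webaccess) -Source $remotePc -Destination '203.0.113.10'
Write-Output ("As fixed, public destination:   matched '{0}' => {1}" -f $hit.Name, $hit.Action)

Write-Output 'Shadow check on the original order:'
Find-ShadowedRules -Rules @($webaccess, $vpn)
Write-Output 'Shadow check on the corrected order:'
Find-ShadowedRules -Rules @($vpn, $webaccess)
```

Under the original order the internal destination matches the catch-all webaccess rule and is sent to the proxy, which is exactly the symptom in the thread, and the shadow check reports the VPN rule as unreachable; after swapping the two rules the internal destination takes the tunnel while a public destination still goes to the proxy. The shadow check is the part worth keeping: run it over any exported rule set whenever a broad allow or proxy rule sits above a more specific one.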
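The six-step Windows Update reset from Bob's final message, scripted so it can be run on each remote PC. This is an added example and was not posted in the thread: the service names wuauserv (Automatic Updates) and bits, the $env:windir paths and the WindowsUpdate.log location are standard Windows names; the elevation check, the count of 0x80072efd entries taken from the log before the reset, and starting wuauserv before calling wuauclt are additions to the posted steps.

```powershell
# Added example: Bob's reset procedure as a script for an elevated PowerShell
# session on the remote PC. Service names and paths are standard Windows names;
# the admin check, the log pre-count and restarting wuauserv are additions.

function Reset-WindowsUpdateClient {
    param(
        [string]$LogPath   = (Join-Path $env:windir 'WindowsUpdate.log'),
        [string]$CachePath = (Join-Path $env:windir 'SoftwareDistribution')
    )
    $ErrorActionPreference = 'Stop'

    # Stopping services and clearing the cache needs an elevated session; fail early otherwise.
    $principal = New-Object Security.Principal.WindowsPrincipal ([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Confirm the symptom the thread describes before touching anything.
    if (Test-Path $LogPath) {
        $hits = @(Select-String -Path $LogPath -Pattern '0x80072efd' -SimpleMatch)
        Write-Output ("0x80072efd occurrences in {0}: {1}" -f $LogPath, $hits.Count)
    }

    # Steps 1-2: stop Automatic Updates (wuauserv) and BITS.
    Stop-Service -Name wuauserv -Force
    Stop-Service -Name bits -Force

    # Step 3: delete the contents of SoftwareDistribution, not the folder itself.
    if (Test-Path $CachePath) {
        Get-ChildItem -Path $CachePath -Force | Remove-Item -Recurse -Force
    }

    # Step 4: flush the DNS resolver cache.
    ipconfig /flushdns | Out-Null

    # Step 5: restart BITS; wuauserv is started as well so wuauclt has a running service to signal (addition).
    Start-Service -Name bits
    Start-Service -Name wuauserv

    # Step 6: reset the client's WSUS authorization cookie and force a detection cycle.
    wuauclt /resetauthorization /detectnow

    Write-Output ("Reset done; watch {0} for a new detection cycle against the WSUS server." -f $LogPath)
}

Reset-WindowsUpdateClient
```

This targets the Windows XP/2003/7-era clients the thread concerns; on Windows 10 and later the wuauclt switches are no longer honoured, so only the service and cache steps carry over. Re-check the log after the next detection cycle: a download that now succeeds, rather than a fresh 0x80072efd, is the confirmation that the client, not the firewall, was the remaining problem.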