Join Domain over Site to Site vpn

Hello, I have trouble joining a domain or logging in to a domain computer over a site-to-site VPN. All basic troubleshooting has been done.

On the client side, DNS is pointed to the remote site's DNS/DC server. Nslookup is able to look up domain.com. Ping domain.com is able to resolve the IP, and ping -a ip is able to resolve the DC IP. The Port Query tool is able to get a result back for ports 389, 137, 138, 139 etc. Firewall rules are any - any - any. Additional rules: any - ipsec - any. All additional protection is turned off. Automatic firewall rules are checked on the VPN profile.

From the client to the remote side I can ping, telnet, use SMB... everything works except joining the domain, which fails.

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/32415/join-remote-office-pc-s-to-domain  this post seems like a solution, but I don't get what I should do. As mentioned, request routing. I did not find what request routing is. DNAT was mentioned, but from where to where?

Hope someone is able to shed some light. Thank you.

  • Hi Samuel,

    After you follow DNS best practice, the link you provided will make more sense to you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • UDP 389 did not respond from the remote site. The firewall's automatically generated rules came up in green for 389 UDP.

  • SamuelIP,

    Did you find the resolutions to the issue you stated?  I am having the same exact problem, but have not been able to pin-point what is the cause. I know for sure that it is the UTM causing the issue, as I have set up a test network eliminating the UTM IPsec site to site units and instead used Cisco routers and it works. I have followed all the suggestions and troubleshooting steps that have been mentioned on this forum.

  • Hi and welcome to the UTM Community!

    What is "the same exact problem" that you're experiencing - joining a domain over a site-to-site IPsec tunnel?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for replying Bob,

    Yes, I am having issues joining PCs to a domain over an IPsec site-to-site VPN. Site “A” is where my Domain Controller/DNS server resides and Site “B” is my remote site. Site “B” PCs can ping the Domain Controller/DNS server and even use it as a DNS recursive server. I can see the traffic via Wireshark on the PC querying the DNS and then going out to the Internet. I have used the PortQry UI tool using the IP address of the server to test DNS ports, and the server answers back the queries provided by the tool, except for resolving the DNS IP address to its own internal FQDN. If I use the internal FQDN, the DNS sends out the query to its forwarder (UTM9) and resolves the internal name to some obscure IP address. When I try to add a PC to the domain from Site “B” I can see the query going to the domain/DNS server via Wireshark. The DNS then sends the query out to the forwarder to resolve.

    At first, I thought that the problem was the DNS server, due to the symptoms described. As a test, I set up two back-to-back Cisco routers emulating a WAN connection. I then connected the Domain Controller/DNS server to one router’s LAN and a PC to the other router’s LAN. To my surprise, I was able to join the PC to the domain and surf the Internet. The results of my test infer that the Sophos UTM9s are interfering with joining PCs to the domain. I would greatly appreciate any help you can provide on this matter. Thanks in advance...

     

    Site A - Domain

    UTM9 ver 9.604-2

    Configuration:

    Network Services:

    Network Services-> DNS->Global[Allowed Networks]  (DNS Internal)

    Note: {DNS Internal is the IP address of Domain/DNS server}

    Network Services-> DNS->DNS Forwarders (DNS Forwarders Group)

    Note: {The DNS Forwarders Group consists of 64.6.64.6, 64.6.65.6, 8.8.4.4, and 8.8.8.8}

    Network Services-> DNS->Request Routing   (dc.domainname.com->DNS Internal) and (2.168.192.in-addr.arpa.->DNS Internal)

    DHCP->  DNS parameter set to point to DNS Internal.

    Note: {The DNS Internal forwarder is set to point to the UTM only}

     

    Network Protection:

    Network Protection ->Firewall Rules

    Internal (Network) -> Site B

    Any, 53, 88, 123, 135, 137, 138, 139, 389, 445, 464, 636, 3268, 3269 and 49152-65535

    Note: {Rule is at the top for “User created firewall rules” and Any is there for testing only}

    Network Protection ->NAT

    Site B to DNS Internal

    Ports forwarded via NAT to DNS:

    53, 88, 123, 135, 137, 138, 139, 389, 445, 464, 636, 3268, and 3269

    Site-to-site VPN:

    IPsec->Remote Gateway

    Gateway type: Initiate connection, Gateway: SiteB Public IP Address, Preshared Key: set, Remote networks: SiteB network.

    Advanced: nothing checked.

    IPsec->Connections

    Remote gateway: (Remote Gateways Name selected), Local interface: External(WAN), Policy: set, Local Networks: Internal(Network).  Automatic firewall rules checked. 

     

    Site B – Remote Site

    UTM9 ver 9.604-2

    Site A - Domain

    UTM9 ver 9.604-2

    Configuration:

    Network Services:

    Network Services-> DNS->Global[Allowed Networks]  (DNS Internal)

    Note: {DNS Internal is the IP address of Domain/DNS server}

    Network Services-> DNS->DNS Forwarders (DNS Forwarders Group)

    Note: {The DNS Forwarders Group consists of 64.6.64.6, 64.6.65.6, 8.8.4.4, and 8.8.8.8}

    Network Services-> DNS->Request Routing   (dc.domainname.com->DNS Internal) and (2.168.192.in-addr.arpa.->DNS Internal)

    DHCP->  DNS parameter set to point to DNS Internal.

    Note: {The DNS Internal forwarder is set to point to the UTM only}

    Network Protection:

    Network Protection ->Firewall Rules

    Internal (Network) -> Site A

    Any, 53, 88, 123, 135, 137, 138, 139, 389, 445, 464, 636, 3268, 3269 and 49152-65535

    Note: {Rule is at the top for “User created firewall rules” and Any is there for testing only}

    Site-to-site VPN:

    IPsec->Remote Gateway

    Gateway type: Initiate connection, Gateway: SiteA Public IP Address, Preshared Key: set, Remote networks: SiteA network.

    Advanced: nothing checked.

    IPsec->Connections

    Remote gateway: (Remote Gateways Name selected), Local interface: External(WAN), Policy: set, Local Networks: Internal(Network).  Automatic firewall rules checked. 
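The request-routing table posted above sends only dc.domainname.com and the reverse zone to the internal DNS, while a domain join also has to resolve SRV records under _msdcs.domainname.com. The Python model below is added here as an example, not code from the thread or from Sophos: it applies an assumed longest-suffix matching rule (an entry covers itself and its subdomains) to the posted table and to one that routes the whole zone; the addresses, the POSTED_TABLE/ZONE_TABLE names and the query list are constructed for illustration.

```python
from typing import Dict, Optional, Tuple
# Constructed values for this example; not the poster's real addresses.
INTERNAL_DNS = "192.168.2.10"            # stands in for "DNS Internal"
FORWARDERS = ("64.6.64.6", "8.8.8.8")     # two of the public forwarders listed
# Request-routing table as posted: only the DC host name and the reverse zone.
POSTED_TABLE: Dict[str, str] = {
    "dc.domainname.com": INTERNAL_DNS,
    "2.168.192.in-addr.arpa": INTERNAL_DNS,
}
# Same table with the whole AD zone routed to the internal DNS instead.
ZONE_TABLE: Dict[str, str] = {
    "domainname.com": INTERNAL_DNS,
    "2.168.192.in-addr.arpa": INTERNAL_DNS,
}

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.lower().rstrip(".")

def route(name: str, table: Dict[str, str],
          forwarders: Tuple[str, ...]) -> Tuple[str, Optional[str]]:
    """Return (target, matched_entry). Assumed matching: an entry applies to
    itself and all its subdomains, longest suffix wins. No match means the
    query leaves for the first public forwarder (matched_entry is None)."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):             # a.b.c, then b.c, then c
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix], suffix
    return forwarders[0], None

def domain_join_queries(domain: str) -> Tuple[str, ...]:
    """Names a Windows client resolves while locating a domain controller."""
    return (
        domain,                                # A record for the domain itself
        f"_ldap._tcp.dc._msdcs.{domain}",      # SRV: DC locator
        f"_kerberos._tcp.dc._msdcs.{domain}",  # SRV: Kerberos KDC
        f"_ldap._tcp.{domain}",                # SRV: LDAP
        f"dc.{domain}",                        # A record of the DC host
    )

def leaked_queries(domain: str, table: Dict[str, str],
                   forwarders: Tuple[str, ...]) -> Tuple[str, ...]:
    """Queries whose answer would come from a public forwarder, not the DC."""
    return tuple(q for q in domain_join_queries(domain)
                 if route(q, table, forwarders)[1] is None)

if __name__ == "__main__":
    for label, table in (("posted", POSTED_TABLE), ("zone", ZONE_TABLE)):
        print(label, "table leaks:", leaked_queries("domainname.com", table, FORWARDERS))
```

Every name the first table leaks is answered by a public forwarder, which matches the internal name resolving to "some obscure IP address" in the post; routing the zone itself keeps all of them on the DC.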
