MSE8000rob_3129
Mar 08, 2017

Split tunnel VPN Skype for Business - rewriting DNS

Hi,

We are deploying an F5 VPN and have an existing SfB environment. We need to enable a split tunnel so external users don't register to the internal SfB server but register to the SfB Edge server. When the server DNS is queried the result gives the internal server.

We need to intercept the request and return with the SfB Edge server. How can this be done? Is this using iRules or is this a standard feature of the F5?

Thanks.

 

1 Reply

  • Hi MSE8000rob,

    you may want to implement a Split-DNS setup, so that VPN clients will get a slightly different DNS resolution.

    For Windows clients, you can make use of F5's Static Hosts feature to selectively overwrite the DNS name resolution for your SfB server to reflect the IP of your Edge-SfB server.

    For everything else you can either:

    1. Deploy a DNS-Forwarder/Cache for your VPN clients (e.g. another Windows DNS) forwarding DNS-Requests to your internal DNS Servers, while providing an additional DNS zone for your-sbf-hostname.domain.tld including an "" (empty) or * (wildcard) A-Record reflecting the Edge-SfB IP address.
    2. Use a DNS-Service enabled (requires DNS Server licenses) Virtual Server in front of your internal DNS Servers and point the VPN clients to this Virtual IP. Then apply an iRule to this VS to overwrite DNS requests/responses for your-sbf-hostname.domain.tld to match the IP of your Edge-SfB server.

    Cheers, Kai
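
A sketch of the iRule that option 2 describes, as an added example that is not part of Kai's reply. It assumes the virtual server has a DNS profile attached so the DNS_REQUEST event fires; the hostname is the placeholder from the reply and 192.0.2.10 is a constructed documentation address standing in for the Edge-SfB IP.

```tcl
# Added example: answer A queries for the SfB hostname with the Edge IP
# instead of forwarding them to the internal DNS servers.
when DNS_REQUEST {
    # Assumptions: placeholder hostname from the thread and a constructed
    # RFC 5737 address. Replace both with the real values.
    set sfb_name "your-sbf-hostname.domain.tld"
    set edge_ip  "192.0.2.10"

    # DNS names are case-insensitive, so normalise before comparing.
    set qname [string tolower [DNS::question name]]

    # Only A queries for the exact SfB name are overridden. Everything else,
    # including other record types for the same name, still goes to the
    # internal DNS servers unchanged.
    if { $qname eq $sfb_name && [DNS::question type] eq "A" } {
        # Short TTL (60 s) so clients do not keep the overridden answer
        # for long after the VPN session ends.
        DNS::answer insert "[DNS::question name]. 60 IN A $edge_ip"

        # Send the answer straight back to the client; the query never
        # reaches the pool of internal DNS servers.
        DNS::return
    }
}
```

After attaching it, resolve the SfB hostname from a VPN client and from an internal host and confirm that only the VPN client receives the Edge address.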