Forum Discussion
Skype split tunneling - adding external DNS entry to internal DNS servers
Hi,
Yes, you need to add lyncdiscover pointing to your public IP address, but your clients will still try to connect directly to your Front End servers, so you have to rewrite the DNS names for those to 127.0.0.1. You also have to make sure that your VPN clients get the public IP for web services such as dialin and meet. And make sure that you can look up the DNS names for the edge public services (access, av and webconf).
Cisco calls this rewrite DNS doctoring; it will make the client look up the public IP addresses instead of the internal ones, and look up 127.0.0.1 for server names and lyncdiscoverinternal. This will force the client to use public IP addresses. Of course you should also block TCP/UDP traffic to your Skype servers from VPN clients.
Thanks. We have looked into DNS doctoring but our network team would prefer not to implement it hence wondering if we could just add the lyncdiscover record to our internal AD DNS servers, and by preventing clients from reaching the internal addresses over VPN (using client firewalls) force Skype external.
We are not using Server 2016 DNS yet so don't have the options that offers for split tunnel scenarios so we wouldn't be able to change the other internal address resolutions (such as those you suggest need to resolve to 127.0.0.1) so not sure if this would work? If it is simply name resolution that the client goes on, and lyncdiscoverinternal would still resolve then we wouldn't be able to try this, but if we could rely on the Skype client trying internal, failing and then going external it could be an option??
Thanks
Mark
- LinusCansby, Mar 12, 2018, MVP
Skype client will try with lyncdiscoverinternal.<domain> before lyncdiscover.<domain>, so there you will hit the first problem if you don't do DNS doctoring or use separate DNS for VPN and internal.
So if you can block lyncdiscoverinternal, point lyncdiscover to public IP, point meet etc to public addresses and block access to internal servers it should work for you.
- Mark Salter, Mar 12, 2018, Copper Contributor
Thanks. Will test out.
Mark
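The DNS view the replies above describe for VPN clients can be checked mechanically. This is an added example, not code from any poster in the thread: it audits a table of resolved names against those rules and checks DNS answers only, not the firewall block. The domain `example.com`, the Front End name `fe01`, the edge FQDNs built from access/av/webconf, and every address are constructed assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'none', 'loopback', 'internal' or 'public' for one DNS answer."""
    if addr is None:
        return "none"                      # name does not resolve / is blocked
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "internal"
    return "public"

def expected_view(domain, frontends, edge_hosts=("access", "av", "webconf")):
    """Rules from the thread: which answer classes a VPN client may see."""
    rules = {
        # Tried first by the client, so it must be blocked or sent to loopback.
        f"lyncdiscoverinternal.{domain}": {"none", "loopback"},
        f"lyncdiscover.{domain}": {"public"},
    }
    for host in ("meet", "dialin") + tuple(edge_hosts):
        rules[f"{host}.{domain}"] = {"public"}   # edge FQDNs are assumed names
    for fe in frontends:
        rules[fe] = {"loopback"}                 # Front End names rewritten
    return rules

def audit(resolved, rules):
    """Return (name, got, allowed) for every name that breaks a rule."""
    findings = []
    for name, allowed in rules.items():
        got = classify(resolved.get(name))
        if got not in allowed:
            findings.append((name, got, sorted(allowed)))
    return findings

# Constructed sample: only lyncdiscover was added to internal DNS, nothing rewritten.
SAMPLE_VPN_VIEW = {
    "lyncdiscoverinternal.example.com": "10.1.2.3",
    "lyncdiscover.example.com": "203.0.113.10",
    "meet.example.com": "203.0.113.11", "dialin.example.com": "203.0.113.11",
    "access.example.com": "203.0.113.12", "av.example.com": "203.0.113.13",
    "webconf.example.com": "203.0.113.14", "fe01.example.com": "10.1.2.10",
}

if __name__ == "__main__":
    rules = expected_view("example.com", ["fe01.example.com"])
    for name, got, allowed in audit(SAMPLE_VPN_VIEW, rules):
        print(f"{name}: resolves {got}, expected one of {allowed}")
```

To audit a real client, fill the table with the answers collected on a VPN-connected machine in place of the constructed sample.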