1
00:00:00,240 --> 00:00:03,070
Name resolution is one of the most critical aspects for Always

2
00:00:03,070 --> 00:00:07,110
On VPN and arguably any Windows-based system,

3
00:00:07,110 --> 00:00:10,340
but name resolution is obviously very critical to Always On

4
00:00:10,340 --> 00:00:12,570
VPN because if we can't resolve those names,

5
00:00:12,570 --> 00:00:14,900
we're not going to be able to access those resources.

6
00:00:14,900 --> 00:00:20,240
So it's vital that Always On VPN clients be configured with the correct DNS

7
00:00:20,240 --> 00:00:25,190
servers and those DNS servers be reachable. Now, by default,

8
00:00:25,190 --> 00:00:29,540
Windows Always On VPN clients are assigned the DNS server

9
00:00:29,540 --> 00:00:32,340
that is assigned to the VPN server.

10
00:00:32,340 --> 00:00:36,660
So whatever DNS servers are configured on the VPN server,

11
00:00:36,660 --> 00:00:39,170
if you have a single network interface, it's the only interface,

12
00:00:39,170 --> 00:00:42,750
but if it's a multi-homed server, it would be on the internal interface.

13
00:00:42,750 --> 00:00:48,140
Whatever servers are defined there are automatically given to the VPN client.

14
00:00:48,140 --> 00:00:50,870
So it's not assigned with DHCP or anything like that.

15
00:00:50,870 --> 00:00:54,880
It's just a function of the VPN server giving that to the VPN

16
00:00:54,880 --> 00:00:58,470
client. And this is the recommended configuration, and

17
00:00:58,470 --> 00:01:00,810
honestly, it works well in most scenarios.

18
00:01:00,810 --> 00:01:01,450
However,

19
00:01:01,450 --> 00:01:07,180
there are some times when it doesn't work correctly or as expected. For example,

20
00:01:07,180 --> 00:01:13,620
if the VPN server itself has DNS servers assigned that are not using DNS

21
00:01:13,620 --> 00:01:16,900
servers that are capable of resolving internal or,

22
00:01:16,900 --> 00:01:21,970
you know, Active Directory hostnames, then obviously that's not going to work.

23
00:01:21,970 --> 00:01:25,840
The most common scenarios that you'll run into for this will be if

24
00:01:25,840 --> 00:01:30,140
the VPN server is joined to a perimeter or DMZ network and it's not

25
00:01:30,140 --> 00:01:32,610
joined to a domain. In that scenario,

26
00:01:32,610 --> 00:01:38,850
the VPN server may very well be using public DNS servers or maybe DNS

27
00:01:38,850 --> 00:01:43,240
servers that are in the perimeter or DMZ network, but still are not capable

28
00:01:43,240 --> 00:01:47,450
of resolving internal hostnames in the Active Directory namespace that

29
00:01:47,450 --> 00:01:49,230
those clients are going to need to get to.

30
00:01:49,230 --> 00:01:53,340
So in that scenario, we need something to address that.

31
00:01:53,340 --> 00:01:58,210
That's where the Name Resolution Policy Table, or NRPT, comes into play.

32
00:01:58,210 --> 00:02:03,230
The NRPT provides policy-based name resolution request

33
00:02:03,230 --> 00:02:06,600
routing for DNS requests on an endpoint.

34
00:02:06,600 --> 00:02:10,380
DirectAccess administrators will be intimately familiar with the NRPT

35
00:02:10,380 --> 00:02:13,600
because it was a required component of DirectAccess.

36
00:02:13,600 --> 00:02:15,890
DirectAccess didn't function without it.

37
00:02:15,890 --> 00:02:18,990
However, in Always On VPN it is optional.

38
00:02:18,990 --> 00:02:21,180
When the NRPT is enabled,

39
00:02:21,180 --> 00:02:25,510
we can route name resolution requests for specific domain

40
00:02:25,510 --> 00:02:29,560
namespaces or even individual hosts within a domain to

41
00:02:29,560 --> 00:02:32,240
specific DNS servers. For example,

42
00:02:32,240 --> 00:02:36,740
we could route the entire corp.example.net namespace to our

43
00:02:36,740 --> 00:02:39,000
internal Active Directory DNS servers.

44
00:02:39,000 --> 00:02:43,090
Or alternatively, we could forward the name resolution request

45
00:02:43,090 --> 00:02:48,460
for a specific host, like app1.corp.example.net, and we would

46
00:02:48,460 --> 00:02:51,340
route that to a specific DNS server.

47
00:02:51,340 --> 00:02:55,900
You do have the option of specifying a proxy server

48
00:02:55,900 --> 00:02:58,730
to go along with the NRPT entry.

49
00:02:58,730 --> 00:03:01,450
And while this might sound interesting,

50
00:03:01,450 --> 00:03:06,310
I will caution you that it is quite limited in actual usefulness

51
00:03:06,310 --> 00:03:08,640
because it only works with Internet Explorer.

52
00:03:08,640 --> 00:03:12,700
So unless you're still using IE for everything, this is probably

53
00:03:12,700 --> 00:03:14,950
not going to be an important feature for you.

54
00:03:14,950 --> 00:03:18,610
You can define a proxy server for the NRPT entry,

55
00:03:18,610 --> 00:03:22,240
but all modern web browsers will simply ignore it,

56
00:03:22,240 --> 00:03:28,040
and that includes Microsoft Edge, the new Chromium Edge browser from Microsoft.

57
00:03:28,040 --> 00:03:29,870
So it only works with Internet Explorer,

58
00:03:29,870 --> 00:03:32,140
so probably going to be of limited value there.

59
00:03:32,140 --> 00:03:35,690
And finally, one critical point about the NRPT.

60
00:03:35,690 --> 00:03:38,600
The Name Resolution Policy Table is not supported

61
00:03:38,600 --> 00:03:40,850
for use with the device tunnel.

62
00:03:40,850 --> 00:03:44,230
This is only supported to use on the user tunnel.

63
00:03:44,230 --> 00:03:46,080
So, in this scenario,

64
00:03:46,080 --> 00:03:51,470
if you need to resolve hostnames over the device tunnel and the VPN server

65
00:03:51,470 --> 00:03:56,190
is not configured with DNS servers capable of resolving internal hostnames,

66
00:03:56,190 --> 00:03:58,840
using the NRPT is unfortunately not an option.

67
00:03:58,840 --> 00:04:10,000
You'll have to assign DNS servers on the VPN server that are capable of resolving whatever hostnames you need your endpoints to resolve.
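The two NRPT routings the narration describes (the whole corp.example.net namespace to the internal AD DNS servers, and the single host app1.corp.example.net to one specific server), written as an added illustration that is not part of the course: the Always On VPN ProfileXML `DomainNameInformation` entries that create those NRPT rules on a user tunnel, plus a client-side check. The DNS server addresses 10.0.0.10, 10.0.0.11 and 10.0.5.20 are constructed placeholders, and the `Test-AovpnNrpt` function name is my own.

```powershell
# Added example, not from the course. Assumed (constructed) values: internal AD DNS servers
# 10.0.0.10 and 10.0.0.11, and a dedicated server 10.0.5.20 for app1.corp.example.net.

# 1. ProfileXML fragment for the user tunnel profile. Each <DomainNameInformation> element
#    becomes one NRPT rule on the client. A leading dot matches the whole namespace
#    (suffix rule); a bare FQDN matches that single host only. DnsServers is comma separated.
$domainNameInformation = @"
<DomainNameInformation>
  <DomainName>.corp.example.net</DomainName>
  <DnsServers>10.0.0.10,10.0.0.11</DnsServers>
</DomainNameInformation>
<DomainNameInformation>
  <DomainName>app1.corp.example.net</DomainName>
  <DnsServers>10.0.5.20</DnsServers>
</DomainNameInformation>
"@

# 2. Check on a connected client that the rules were applied and that a name in the
#    routed namespace actually resolves. Returns $true on success so it can be scripted.
function Test-AovpnNrpt {
    param(
        [string]$Namespace = '.corp.example.net',
        [string]$TestHost  = 'app1.corp.example.net'
    )
    # No matching rule usually means the profile is not applied, or this is a device
    # tunnel, where the NRPT is not supported (see the narration above).
    $rules = Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace }
    if (-not $rules) {
        Write-Warning "No NRPT rule for $Namespace on this client."
        return $false
    }
    foreach ($rule in $rules) {
        Write-Host "NRPT rule: $($rule.Namespace) -> $($rule.NameServers -join ', ')"
    }
    # Resolve-DnsName goes through the Windows DNS client and so honours the NRPT;
    # nslookup.exe does not, so it would give a misleading answer here.
    try {
        $answer = Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop
        Write-Host "$TestHost resolved to $($answer.IPAddress -join ', ')"
        return $true
    } catch {
        Write-Warning "Resolution of $TestHost failed: $($_.Exception.Message)"
        return $false
    }
}
```

Run `Test-AovpnNrpt` on a client while the user tunnel is connected; a `$false` result with rules present points at the routed DNS servers being unreachable over the tunnel rather than at the NRPT itself.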