Saxe6769 asked Saxe6769 answered

VPN Clients do not use a certain DP point

We implemented AOVPN with 2 tunnels, one for device and one for user. Via the device tunnel, access is only allowed to a DP inside the VPN net; only the user tunnel allows access to our domain and internal things like the MP and DP. So if a user is connected and the user tunnel works, the client can download all software via Software Center, but it's not using the DP inside the VPN net; it's using a DP inside the domain net.

If the client is connected to the VPN device tunnel, I can ping the DP inside the VPN net.

I created two boundaries of type VPN (one for device and one for user) and added those two boundaries to a boundary group; in this group I added the VPN DP as a site system server.

If I check the Windows Firewall log on the VPN DP, I can't see any connections made to it.


What can i do to troubleshoot?

mem-cm-general

Saxe6769 answered

I installed this server completely new and made it a domain member and now it works as MP and DP. Thanks for your help.


One more question; maybe you can help, maybe not :)

I created two boundaries for the VPN tunnels, one for device and one for user, so that they should use the server in the VPN network.
But is this setting checking only for an existing VPN connection name, or is it really checking whether the connection is also active?

If any of the VPN devices comes back on-prem, the VPN connection is still present (but not active), and then it should not use
the MP/DP in the VPN network but the MP/DP in the domain network.



AllenLiu-MSFT answered AllenLiu-MSFT commented

Hi, @Saxe6769
Thank you for posting in Microsoft Q&A forum.

We may try to start by checking LocationServices.log on the client; LocationServices.log records the client activity for locating management points, software update points, and distribution points.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Hi @AllenLiu-MSFT,

This is the LocationServices.log if only the device tunnel is up and running (I replaced the server name with servername.fqdn.fqdn.fqdn and the domain name as well):

126472-locationservices-devicetunnel.log


The device tunnel has no access to internal domain services and also not to the MP inside the domain. Only access to the DP in the VPN net is possible. Ping to IP and DNS is OK.



This is the LocationServices.log if the user tunnel is up and running; then all domain services are reachable, and also the MP inside the domain:

126482-locationservices.log



Hi, @Saxe6769

The device tunnel has no access to internal domain services and also not to the MP inside the domain. Only access to the DP in the VPN net is possible. Ping to IP and DNS is OK.

As we can see in the log ("Failed to retrieve Default Management Points from lookup MP(s)"), the clients cannot communicate with the MP, so no DP will be assigned to the clients. Why did you set the device tunnel so that it cannot access the MP?


Hi @AllenLiu-MSFT


As we can see in the log ("Failed to retrieve Default Management Points from lookup MP(s)"), the clients cannot communicate with the MP, so no DP will be assigned to the clients. Why did you set the device tunnel so that it cannot access the MP?

Because if someone gets access to the device, the device tunnel will connect, and I don't want to have access to the internal domain at the device tunnel level. So I need an MP in the VPN net as well?

Hi, @Saxe6769

Yes, I think an accessible MP is required.

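To make the LocationServices.log check suggested above repeatable, here is an added example (not code from the thread, from Microsoft, or from the ConfigMgr client) that parses CMTrace-format log lines and flags the MP lookup failure quoted in the comments; the sample lines and hostnames are constructed, not taken from the poster's attachments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CMTrace line format used by ConfigMgr client logs such as LocationServices.log:
# <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<comp>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="\d+"\s+file="[^"]*">',
    re.DOTALL,
)

# The message quoted in this thread; type 3 in CMTrace marks an error line.
MP_LOOKUP_FAILED = "Failed to retrieve Default Management Points from lookup MP(s)"

@dataclass
class Entry:
    date: str
    time: str
    component: str
    severity: int  # 1 = info, 2 = warning, 3 = error
    message: str

def parse_cmtrace(text: str) -> List[Entry]:
    """Return every well-formed CMTrace entry found in the log text."""
    return [Entry(m["date"], m["time"], m["comp"], int(m["type"]), m["msg"])
            for m in CMTRACE_RE.finditer(text)]

@dataclass
class Triage:
    mp_lookup_failed: bool       # client found no MP, so no DP list can follow
    last_failure: Optional[str]  # timestamp of the most recent lookup failure
    errors: List[str]            # all severity-3 messages, for a quick overview

def triage(entries: List[Entry]) -> Triage:
    failures = [e for e in entries if MP_LOOKUP_FAILED in e.message]
    last = f"{failures[-1].date} {failures[-1].time}" if failures else None
    return Triage(bool(failures), last, [e.message for e in entries if e.severity == 3])

# Constructed sample (placeholder values, not the poster's real log): a client on the
# device tunnel that can reach only the VPN-net DP, so the MP lookup never succeeds.
SAMPLE_LOG = (
    '<![LOG[Attempting to retrieve default management points from lookup MP(s)]LOG]!>'
    '<time="10:00:01.000+000" date="01-01-2021" component="LocationServices" context="" type="1" thread="1234" file="">\n'
    '<![LOG[Failed to retrieve Default Management Points from lookup MP(s)]LOG]!>'
    '<time="10:00:31.000+000" date="01-01-2021" component="LocationServices" context="" type="3" thread="1234" file="">\n'
)
```

Run `triage(parse_cmtrace(open(path).read()))` against a real LocationServices.log; if `mp_lookup_failed` is set while only the device tunnel is up, the client has no reachable MP from that tunnel and cannot be handed the VPN-net DP, which is the condition Allen points out.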
Saxe6769 answered AllenLiu-MSFT commented

There seems to be no way to install the MP role on a non-domain-member server.


We cannot install an MP on a non-domain-member server.

Saxe6769 answered

If any of the VPN devices comes back on-prem, the VPN connection is still present (but not active), and then it should not use
the MP/DP in the VPN network but the MP/DP in the domain network.

Looks like it works as expected... on-prem the default MP is in use.
