DNS Server resolves external address, when VPN DNS should resolve internal address

domain-name-system, juniper, networking, vpn

We have a special situation where Juniper Network Connect is used as the VPN connection. When the VPN starts it creates the network adapter. When the VPN closes the network adapter disappears. Each time the Juniper Network Connect VPN creates the adapter, the Win7 x64 PC automatically adds our internal DNS server as the DNS server for the VPN adapter. This causes an issue because some servers inside the VPN have an external address that is different from their internal address, so basically our internal DNS server correctly resolves the external IP, but because the IP is resolved to the external IP, the packets never try to cross the VPN and instead try to traverse the WAN, which fails miserably. I have changed the adapter manually to auto-detect DNS, but each time the service stops the adapter disappears and gets recreated the next time it runs.

Best Answer

We use a Juniper SA box as well (with Network Connect for some clients/users).

First off, you shouldn't be manually changing anything on the virtual adapter itself, everything should be controlled by the Juniper SA box (using Central Manager).

The NIC that is created is the tunnel nic that sets up the new default route, IP, etc. (the Juniper Network Connect Virtual Adapter to be specific).

It should be setting up the default route when you connect to go through that interface and thus tunnel through the Juniper SA appliance.

If you are allowing split-tunneling, however, then you might run into your issue, but that seems odd. It sounds more like a DNS issue where you should be resolving the VPN to the internal IP of the server and not the external IP. You seem to say that they get the external IP, but they should be connecting to an internal server inside the LAN. So really DNS should be telling them to go to the internal IP that is local to the VPN subnet, and not to an external IP address.

That said, if it truly is a Network Connect issue and not a matter of DNS resolution, then the solution should lie in the SA Central Manager, under "Resource Policies, Network Connect", especially if you have a split-tunneling policy set up under there. Check the profiles set up under there as well (Network Connect Connection Profiles) to make sure they are correct.

Finally, check under the user Roles for that group and the Network Connect options as shown in the screenshot below:

[Screenshot: Network Connect options]

This isn't to say that one way is correct over another. You'll need to decide which settings are right for your deployment.
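A small diagnostic for the split-tunnel versus DNS question raised in the answer above, added here as an example that is not part of the original thread. It takes a client's routing table and the DNS answers it received (both constructed sample data; the 10.20.0.0/16 prefix, the interface names and the example hostnames are assumptions) and reports which hostnames resolved to an address that no tunnel route covers, which is exactly the case where packets leave via the WAN instead of the VPN:

```python
import ipaddress

# Constructed sample data (not from the original post): a split-tunnel routing
# table where only 10.20.0.0/16 goes through the Network Connect adapter, and
# the DNS answers a client received for two hosts that live inside the VPN.
VPN_IFACE = "Juniper Network Connect Virtual Adapter"
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "Local Area Connection"),       # default route stays on the LAN NIC
    ("192.168.1.0/24", "Local Area Connection"),  # local LAN
    ("10.20.0.0/16", VPN_IFACE),                  # only this prefix is tunnelled
]
SAMPLE_ANSWERS = {
    "app.example.com": "203.0.113.10",  # DNS handed back the public (external) address
    "db.example.com": "10.20.5.7",      # DNS handed back the VPN-side (internal) address
}


def route_for(ip, routes):
    """Longest-prefix match: the interface the OS would use for this address."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def diagnose(answers, routes, vpn_iface):
    """Return the hostnames whose resolved address would bypass the VPN tunnel.

    The name resolves fine, but to an address that no tunnel route covers, so
    the packets are sent out the default route instead of the tunnel adapter.
    """
    bypassing = [host for host, ip in answers.items()
                 if route_for(ip, routes) != vpn_iface]
    return sorted(bypassing)


if __name__ == "__main__":
    for host, ip in SAMPLE_ANSWERS.items():
        print(f"{host:20} -> {ip:15} via {route_for(ip, SAMPLE_ROUTES)}")
    print("bypassing VPN:", diagnose(SAMPLE_ANSWERS, SAMPLE_ROUTES, VPN_IFACE))
```

On a real client, replace the sample routes with the output of `route print` and the sample answers with what `nslookup` returns while the VPN is up; any host listed as bypassing is one where the DNS answer and the tunnel routes disagree.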