MS Office exclusion

Got a problem with Viscosity or need help? Ask here!

n8chavez

Posts: 19
Joined: Sat Aug 15, 2015 3:53 pm

Post by n8chavez » Thu May 05, 2016 9:12 am
I was wondering if anyone has ever had the issue where, when connected to a VPN, MS Office cannot connect to some of its services. As detailed at https://redmondmag.com/articles/2014/03 ... ation.aspx, Office uses NLA to verify internet connectivity. VPNs interfere with that. Is there any way to exclude that from a VPN?

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu May 05, 2016 9:18 am
Hi n8chavez,

Please see the following:
https://www.sparklabs.com/support/kb/ar ... lications/

Regards.
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

n8chavez

Posts: 19
Joined: Sat Aug 15, 2015 3:53 pm

Post by n8chavez » Thu May 05, 2016 9:26 am
Right. But I don't think it's as easy as all that. How do I find out what IP NLA uses, since it's not a destination?

The below information makes it seem like you can just exclude the NCSI IP address, 10.7.64.24. But I'm not sure that's right.
For the customer reported issues, the third party VPN clients in use happen to not define a default gateway. This may display as a default gateway of 0.0.0.0 in the ipconfig output. This is not really an issue for typical networking. Customers may notice that they can get to network resources, and they do have connectivity to the internet. The problem here is that NCSI depends on the default gateway to decide if it should “probe” the network connection to decide if it has an internet connection. The way that NCSI probes the network is it attempts to connect to www.msftncsi.com and retrieve a file called ncsi.txt. If it can retrieve that file, it marks the connection as having internet access. When the VPN adapter connection connects and NCSI detects that a connection was made on an adapter interface, NCSI will attempt to probe the connection, but since there is no default gateway on the VPN adapter it attempts to send the probe packets out the adapter with a default gateway and that fails since the VPN connection is active. When this probe attempt fails, NCSI marks the adapter as having LOCAL connectivity. Office 2013 is checking for INTERNET connectivity before attempting to connect to the online functionality such as online pictures or F1 HELP resources.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu May 05, 2016 9:39 am
Hi n8chavez,

There are a few technical articles on MSDN about NLA; it also looks like there are ways to set up your own NLA respondent on your server. You'll need to look at how your VPN routes traffic (is it routing all traffic to the server, are you using a split tunnel, could you be using a split tunnel if you are routing all traffic?), and what factors are preventing this system from working correctly.

If the issue is network identification and the requirement of a default gateway (a default gateway is required or all TUN connections will be classed as a public network on Windows), you can look at pushing a default gateway for your clients.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
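
A way to check, on the Windows client, which of the conditions discussed in this thread applies (missing default gateway on the VPN adapter, NCSI marking the connection as local, probe file unreachable). This is an added example, not code from any poster or from Viscosity; it assumes the standard NetTCPIP and NetConnection PowerShell cmdlets and the probe host and file named in the passage quoted above.

```powershell
# Added diagnostic example; not posted by anyone in this thread.
# Run on the Windows client while the VPN is connected.

# 1. Record the IPv4 default gateway (if any) of every adapter. The quoted
#    passage says NCSI depends on it when deciding whether to probe.
$gateways = @{}
foreach ($cfg in Get-NetIPConfiguration) {
    # Empty string when the adapter has no default gateway (default, non-strict mode).
    $gateways[$cfg.InterfaceAlias] = ($cfg.IPv4DefaultGateway.NextHop -join ', ')
}

# 2. Join that with what NLA/NCSI concluded for each connected network.
$report = foreach ($p in Get-NetConnectionProfile) {
    $gw = $gateways[$p.InterfaceAlias]
    [pscustomobject]@{
        Interface        = $p.InterfaceAlias
        NetworkCategory  = $p.NetworkCategory      # Public / Private / DomainAuthenticated
        IPv4Connectivity = $p.IPv4Connectivity     # e.g. LocalNetwork vs. Internet
        DefaultGateway   = if ($gw) { $gw } else { '(none)' }
        # The case described in the thread: no gateway and not marked as Internet.
        Suspect          = (-not $gw) -and ("$($p.IPv4Connectivity)" -ne 'Internet')
    }
}
$report | Format-Table -AutoSize

# 3. Request the probe file by hand. This follows the normal routing table, so
#    it can succeed even when NCSI has marked an adapter as local-only.
$probeUrl = 'http://www.msftncsi.com/ncsi.txt'
try {
    $resp = Invoke-WebRequest -Uri $probeUrl -UseBasicParsing -TimeoutSec 10
    "Probe: HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes retrieved"
} catch {
    "Probe failed: $($_.Exception.Message)"
}
```

A row with `Suspect = True` on the VPN adapter together with a successful manual probe matches the situation in the quoted passage: traffic reaches the internet, but the adapter is not classed as having internet access.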