Azure VPN Client with Trusted Detection Network - Cross Domains - Validating Limitations

Veera Ragavan 46 Reputation points
2023-07-04T05:35:59.4633333+00:00

Hello Experts,

Here is the scenario, and I would like to get advice from you all...

  • Azure AD Domain, DNS 1 : 123.Local
  • Azure AD Domain, DNS2 : ABC.COM
  • Both AD Domain are getting report to Single Microsoft Tenant called - XYZ.COM
  • Two Way Trust, Azure AD Health Status is Green in the Domain, AD, and Sync Level

Target Area: Client OS - End Points:

  1. Windows 10/11 from 123.Local with AAD Domain Join, Using Azure VPN Client + Profile and all the INTRANET Services are within 123.Local
  2. Windows 10/11 from ABC.com with AAD Domain Join, Using Azure VPN Client + Profile, and most of the INTRANET Services are with ABC.com
  3. Hence the Clients from ABC.com are required to Set the "Trusted Network Detection" to use the ABC.com; also the Same Clients do not have any issues with Reporting to Intune or Azure VPN
  4. We are having the Azure VPN Auto Connect, Which means - If the Client with INTRANET - With help of the TND Settings, the Client should not do "Auto Connect"
  5. If the Client reports to INTERNET - Client Should have the Auto Connect with Azure VPN
  6. The Work Flow is Completely Fine for the Devices from DNS1 which is 123.Local
  7. The Work Flow is not Working as Expected for the Clients from DNS2 which is ABC.com
  8. We do not have any issues with AD Objects, or Device Management (With Intune from the Tenant XYZ.com)
  9. We also have the Azure VPN Configuration Profiles from Intune, and also with Azure VPN Client
  10. We have taken the highest Possibilities (So far) to set the DNS Suffix Search, TND Settings, etc., Still the Clients from the ABC.com perform the Auto Connect with Azure VPN regardless of Internet and Intranet

Questions:

So far, We could not find a Clear Article about the Mixed Domain/Trusted Domain

  A. Is there a Possibility to use the TND with 2 Different Domains?
  B. We are yet to force the Set-DnsClientGlobalSetting for both ABC.COM and 123.Local and Validate.

If any one knows the answer for Question (A) can be helpful.

Regards,

Veera


Accepted answer
  Limitless Technology 44,551 Reputation points
    2023-07-04T14:22:22.1166667+00:00

    Hello Veera,

    Thank you for your question and for reaching out with your question today.

    It seems like you're facing some challenges with the Trusted Network Detection (TND) settings and the workflow for clients from different domains in an Azure AD environment. While I'll do my best to provide some guidance based on the information provided, please note that troubleshooting complex scenarios like this often requires in-depth knowledge of your specific environment and configurations. It's always recommended to consult with a qualified IT professional or Microsoft support for precise guidance tailored to your situation.

    Regarding your questions:

    A. Using Trusted Network Detection (TND) with two different domains:

    Trusted Network Detection (TND) in Azure VPN allows you to specify domain suffixes that will be considered trusted networks, enabling clients to bypass automatic VPN connection when connected to these networks. However, TND typically works on a per-domain basis and is associated with a single domain.

    In your scenario, where you have clients from two different domains (123.Local and ABC.com), you may face challenges with TND because it's designed to work with a single domain suffix. As a result, you may not be able to directly achieve the desired behavior with TND alone.

    B. Setting the DNSClientGlobalSetting for both ABC.com and 123.Local:

    Setting the DNSClientGlobalSetting can help ensure that the DNS suffixes are configured correctly on the client machines. This can impact the domain resolution and potentially affect the behavior of TND. You can try configuring the DNSClientGlobalSetting for both domains (ABC.com and 123.Local) to see if it improves the situation. Ensure that you validate and test the behavior thoroughly after making the changes.

    In complex scenarios like yours, where multiple domains are involved, it's crucial to have a thorough understanding of the network topology, DNS configuration, trust relationships, and Azure AD settings. Consider engaging with Microsoft support or an experienced IT professional who can analyze your specific environment, configurations, and requirements to provide tailored guidance.

    Additionally, documenting and sharing detailed logs, error messages, and specific configurations with the support team can help them understand the situation better and provide more accurate assistance.

    Remember, troubleshooting complex scenarios often requires a hands-on approach, and it's essential to have a comprehensive understanding of your specific environment to find the best solution.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    1 person found this answer helpful.
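As an added check (example script, not from the question or the answer, and not Microsoft's own tooling), the following PowerShell validates on a client the two points the answer raises: whether the global suffix search list that Set-DnsClientGlobalSetting controls covers both domains, and which connection-specific suffix the active adapter actually carries, which is what Windows trusted network detection compares against its suffix list. The list in $TrustedSuffixes is an assumed placeholder for whatever the Intune/Azure VPN profile configures; the script does not read the profile itself.

```powershell
<#
  Added example (not part of the question or the answer above).
  Assumptions: $TrustedSuffixes mirrors the Trusted Network Detection suffix list
  pushed to the client; the VPN profile itself is not read here.
  Run in an elevated PowerShell session on an affected ABC.com client.
#>
param(
    [string[]]$TrustedSuffixes = @('ABC.com', '123.Local')
)

# 1. Global suffix search list: the setting Set-DnsClientGlobalSetting controls.
$globalDns = Get-DnsClientGlobalSetting
$missing   = $TrustedSuffixes | Where-Object { $globalDns.SuffixSearchList -notcontains $_ }
if ($missing) {
    Write-Warning "SuffixSearchList is missing: $($missing -join ', ')"
    # Uncomment to enforce the union of the current list and the missing suffixes:
    # Set-DnsClientGlobalSetting -SuffixSearchList (@($globalDns.SuffixSearchList) + $missing)
} else {
    'SuffixSearchList already contains every trusted suffix.'
}

# 2. Trusted network detection keys off the connection-specific DNS suffix the physical
#    adapter received (normally via DHCP), not off the search list. A client on the
#    ABC.com LAN whose adapter carries no suffix, or a different one, is treated as
#    being on the Internet and Auto Connect fires.
$results = foreach ($nic in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
    $suffix  = (Get-DnsClient -InterfaceIndex $nic.ifIndex).ConnectionSpecificSuffix
    $trusted = [bool]($TrustedSuffixes | Where-Object { $suffix -and ($suffix -ieq $_) })
    [pscustomobject]@{
        Adapter  = $nic.Name
        Suffix   = $(if ($suffix) { $suffix } else { '<none>' })
        Trusted  = $trusted
        Expected = $(if ($trusted) { 'no Auto Connect' } else { 'Auto Connect' })
    }
}
$results | Format-Table -AutoSize

# 3. Each trusted suffix should resolve its domain's DC locator record from this network;
#    a suffix that is trusted but unresolvable points to a DNS forwarding gap between the
#    two domains rather than to a TND problem.
foreach ($s in $TrustedSuffixes) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$s" -Type SRV -ErrorAction Stop
        '{0}: DC locator SRV resolved ({1} record(s))' -f $s, @($srv).Count
    } catch {
        Write-Warning ('{0}: DC locator SRV did not resolve: {1}' -f $s, $_.Exception.Message)
    }
}
```

Run it once on the ABC.com LAN and once from the Internet: an adapter showing Trusted = False while on the LAN means the DHCP scope there is not handing out the expected suffix, which explains Auto Connect firing regardless of location.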
