Apple Event: May 7th at 7 am PT
Hi there,
I have a problem using a proxy server trough a vpn connection on the iphone (3GS and 4, iOS 5.0.1).
VPN works fine, but the iphone doesn't use the proxy settings given for the vpn-connection. I tried to set them manually or
via proxy pac, nothing works. There is no problem to use a proxy server via wifi, but for vpn it doesn't work. Can anybody help me please?
iPhone 4, iOS 5.0.1
Hi, I have exactly the same symptom, did you manage to resolve the issue? I have found if I put the PROXY on the WiFi conneciton and then connect the VPN, the proxy is used (but obviously nothing else works).
Have also tried PAC and Manual proxy config on the VPN definition. No success.
Actually. Scratch this request. I appear to have got to the bottom of this. The proxy is only used on a split tunnel for domains you decalre as being serviced by the VPN. This is done on the ASA device with the split-dns command. Just list the domains the tunnel will be used for. I had that change made on the AS and it works as expected.
There's a fair explanation of the parameter in the ASA CLI configuration guide.
Hey, thank you for your suggestion 🙂
I'll try this on Monday and tell you if it also worked for me.
One thing to add. Although it's working for me, the first request after the conneciton auto-dials fails. It would appear the DNS is going out on internet proper. However, if I refresh the page it goes via the proxy and all subsequent pages are OK until the tunnel drops and then the same thing happens.
We currently dont have a DNS server allocated and also have a different domain name for the clients than the domain the tunnel is servicing - will see if I can resolve tomorrow, but just for your info at moment.
If you start the tunnel and then access the page - all works 1st time.
GREAT.....it works 🙂
Even at 1st time.
But, isn't it possible to use wildcards in the split-dns value list? I need to set something like "*.something.com"...just "something.com" doesn't work.
Have to look at this....
Hm, looks as if only the first domain in the list is beeing used to be resolved through the tunnel...
I've entered a list separated with spaces, as described in the cisco howto.
Does this work in your setup?
Fortunately I only have one domain name at present :-)
I though the wildcard was implied - so any host in the domain you enter uses the tunnel.
In terms of your conenction, do you supply DNS server to the client as well? At the moment I don't but might add them in to see if that's why the first query fails
wonder if you could share your config with any sensitive stuff removed?
Hmpf....my mistake ( should'nt do such configs when telephone is ringing all the time 😉 ).
It works now. I have a list of domains separated with spaces and all are being used through the tunnel. And you're right, I don't need wildcards, just something like "domainname.com".
Oh yes, and I supply DNS server to the client and even the proxy-server.
Do you also give proxy-server? I'm not sure if the client then first is going out to internet for DNS...
But, just try it with setting the DNS server, but don't forget to add its ip address to the split tunneling 😉
not you have me inteersted 🙂
When you say supply the proxy-server - do you mean as part of the tunnel definition on the phone, or as a parameter on the VPN conneciton like split-dns?
I supply it as part of the VPN config on the phone - how do you do it?
I tried both setups and - actually - both are working 🙂
You can manually set the proxy on the iphone, but then it's importat the ASA is configured not to modify client proxy settings.
Now I've configured the ASA to supply the proxy server ip and port (and here again, also add the proxy server ip to split tunneling).
Need the commands?
Sorry to be a pain, can you share the line of the config that pushes the proxy to the client? Can't find it in the manual
no problem 🙂
it's in the group policy attributes.
msie-proxy server value [ip address]:[port]
msie-proxy method use-server
Hmm, might be the difference. I'm trying to connect iPhones. Did try these settings but didn't help with the 1st connect problem.
Thanks anyway.
Just for me to understand:
If you start the tunnel manually, then everything works fine.
But if the tunnel starts via auto-dial the first try is unsuccessful? Maybe it's just something like a timeout problem, if the tunnel does'nt come up fast enough?
How do you configure auto-dial vpn on the iphone? Do you use the anyconnect client?
I can't find this option in the "normal" ipsec client on the phone...
proxy through vpn-connection
