So I create an NC Resource Policy. For example, I just want to give users access to, say, 192.168.1.0/24 on port 3389.
OK, so I create the access policy (tcp://192.168.1.0/24:3389).
Next, I create the NC Connection Profile, in which I create the DHCP pool and enter the DNS settings for NC users, so they can connect to hosts in the 192.168.1.0/24 by name. I also create the NC Server side config, containing the NC Server IP Address.
Finally, I create the Split Tunneling Policy, where I add the 192.168.1.0/24.
This all works.
What is baffling me is that users are able to create a terminal services connection to our two DNS servers (192.168.10.10/11), which I configured in the NC Connection profile. These servers are clearly not in the 192.168.1.x/24 subnet.
Could anyone tell me why this is happening?
Can you see what you see in the client routing-table?
A traceroute from the client computer (NC client) will tell if the traffic to the DNS servers is reaching the IVE and then getting forwarded.
On the DNS configuration, do you have the option to auto-allow DNS enabled? That option allows this behavior.
Do the users map to any other roles that have different ACLs applied?
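Added example, not part of any post in this thread and not vendor code: a small Python model for working through the two ACL questions raised in the replies, namely which rule (an ACL from any mapped role, or an implicit auto-allow DNS entry) would permit a given flow. The role name and the shape of the implicit rule (any port on each configured DNS server) are assumptions to confirm against the device; only IPv4 resources in the `tcp://network:port` form from the question are handled.

```python
import ipaddress

# Constructed sample data based on the values given in the question.
ROLE_ACLS = {"RDP-Users": ["tcp://192.168.1.0/24:3389"]}  # role name is hypothetical
DNS_SERVERS = ["192.168.10.10", "192.168.10.11"]

def parse_resource(resource):
    """Parse 'tcp://192.168.1.0/24:3389' into (proto, network, port or None for any)."""
    proto, _, rest = resource.partition("://")
    host, sep, port = rest.rpartition(":")
    if not sep:  # no port part at all means any port
        host, port = rest, "*"
    network = ipaddress.ip_network(host, strict=False)
    return proto.lower(), network, None if port == "*" else int(port)

def effective_rules(role_acls, dns_servers, auto_allow_dns):
    """Flatten the ACLs of every mapped role, plus implicit DNS entries if enabled."""
    rules = [(f"role:{role}", res) for role, acl in role_acls.items() for res in acl]
    if auto_allow_dns:
        # ASSUMPTION: auto-allow is modelled as any port on each DNS server,
        # which is the behaviour the reply attributes to that option.
        for ip in dns_servers:
            for proto in ("tcp", "udp"):
                rules.append(("auto-allow-dns", f"{proto}://{ip}/32:*"))
    return rules

def matching_rules(rules, proto, dst_ip, dst_port):
    """Return every (source, resource) pair that permits the flow."""
    dst = ipaddress.ip_address(dst_ip)
    hits = []
    for source, resource in rules:
        r_proto, network, port = parse_resource(resource)
        if r_proto == proto and dst in network and port in (None, dst_port):
            hits.append((source, resource))
    return hits

def explain(dst_ip, dst_port, auto_allow_dns, role_acls=ROLE_ACLS):
    """Which rules allow TCP to dst_ip:dst_port under the given settings?"""
    rules = effective_rules(role_acls, DNS_SERVERS, auto_allow_dns)
    return matching_rules(rules, "tcp", dst_ip, dst_port)

if __name__ == "__main__":
    for auto in (False, True):
        print("auto-allow DNS =", auto, "->", explain("192.168.10.10", 3389, auto))
```

An empty result with auto-allow off and a single `auto-allow-dns` hit with it on points at the DNS option; a `role:` hit points at another role's ACL instead.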