1 A information collection
Analyze the terminal logs most recently collected by the TSM Agent and observe the network connections of two processes:
Note: the VPN client exists as an ActiveX control inside the browser process.
Use netstat to check the network connections (partial output):
Proto  Local Address      Foreign Address      State        PID
TCP    127.0.0.1:1912     127.0.0.1:4040       ESTABLISHED  1928
TCP    127.0.0.1:4040     127.0.0.1:1912       ESTABLISHED  3296
TCP    127.0.0.1:4040     0.0.0.0:0            LISTENING    3296
TCP    192.168.1.2:1914   18.104.22.168:443    ESTABLISHED  3296
TCP    192.168.1.2:1972   22.214.171.124:443   ESTABLISHED  3296
TCP    192.168.1.2:2025   126.96.36.199:443    ESTABLISHED  3296
TCP    192.168.1.2:2028   188.8.131.52:443     ESTABLISHED  3296
TCP    192.168.1.2:2030   184.108.40.206:443   ESTABLISHED  3296
2 B network connection analysis
The TSM Agent of a VPN user does not connect directly to the TSM Server; its traffic is relayed twice along the way. The process consists of the following five steps.
Step 1: The user dials in over the VPN to access the intranet.
Step 2: The TSM Agent sends an authentication request message to the TSM Server.
Step 3: The TSM Agent message is intercepted by the VPN client (127.0.0.1). The VPN client does not forward the message directly to the TSM Server; instead it encapsulates the TSM Agent message in an SSL message.
Step 4: The VPN client sends this message to the SSL VPN Server (220.127.116.11).
Step 5: The VPN Server unpacks the message and forwards it to the TSM Server. The TSM Server processes the authentication request and replies with the corresponding message.
From the steps above, the problem lies in Step 3: every message that the terminal sends to the intranet is intercepted by the VPN client, and the VPN replaces the source address with 127.0.0.1. As a result, the address the TSM Agent obtains is also 127.0.0.1 rather than the actually assigned NAT address 192.168.1.2.
Most VPN clients, when they set up the VPN tunnel, obtain a virtual IP address assigned by the VPN Server, and these addresses do not overlap. In that kind of VPN deployment, the TSM Agent does not have the problem of every IP address being 127.0.0.1.
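
The relay pattern from Steps 3 and 4 can be recognized mechanically in netstat output. The following is an added example, not part of the original article or of any TSM tooling: it reports each process that listens on loopback, serves another local process there, and holds outbound connections to port 443. The function names and the remote addresses in the sample are assumptions made for illustration.

```python
# Constructed sample modeled on the netstat output above; the remote
# addresses are documentation-range placeholders, not values from the page.
SAMPLE = """\
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:1912 127.0.0.1:4040 ESTABLISHED 1928
TCP 127.0.0.1:4040 127.0.0.1:1912 ESTABLISHED 3296
TCP 127.0.0.1:4040 0.0.0.0:0 LISTENING 3296
TCP 192.168.1.2:1914 203.0.113.10:443 ESTABLISHED 3296
TCP 192.168.1.2:1972 203.0.113.10:443 ESTABLISHED 3296
TCP 192.168.1.2:5000 198.51.100.7:80 ESTABLISHED 4100
"""


def parse(text):
    """Yield (local, foreign, state, pid) for each TCP row; skip headers."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield f[1], f[2], f[3], int(f[4])


def find_loopback_relays(text):
    """Return {relay_pid: {"clients": {...}, "tunnels": {...}}}.

    A relay is a process that accepts a loopback connection from another
    local process on a socket it listens on (Step 3) and also has
    established connections to a remote port 443 (Step 4).
    """
    rows = list(parse(text))
    owner = {local: pid for local, _, _, pid in rows}  # local socket -> PID
    listen = {(pid, local) for local, _, state, pid in rows
              if state == "LISTENING" and local.startswith("127.")}
    relays = {}
    for local, foreign, state, pid in rows:
        if state != "ESTABLISHED":
            continue
        entry = relays.setdefault(pid, {"clients": set(), "tunnels": set()})
        if (pid, local) in listen and foreign.startswith("127."):
            peer = owner.get(foreign)  # PID on the other end of the loopback
            if peer not in (None, pid):
                entry["clients"].add(peer)
        elif foreign.endswith(":443"):
            entry["tunnels"].add(foreign)
    return {p: e for p, e in relays.items() if e["clients"] and e["tunnels"]}


if __name__ == "__main__":
    for pid, info in find_loopback_relays(SAMPLE).items():
        print(f"PID {pid} relays for {sorted(info['clients'])} "
              f"via {sorted(info['tunnels'])}")
```

A client PID reported here is a process whose peer address will appear as 127.0.0.1, which is the symptom described for the TSM Agent.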