Re: browsing over VPN


From: Bill Grant (not.available_at_online)
Date: 04/17/04


Date: Sat, 17 Apr 2004 12:50:41 +1000


     The browsing problem with multihomed browsers goes back to NT (where it
was known as the multihomed PDC problem). If Netbios binds to multiple
interfaces, the computer browser service gets confused, because it was
designed to only recognise one interface in each machine. The "fix" was to
disable Netbios over TCP/IP on all but one interface, forcing the browser
service to build a segment browse list on one interface only. Some other
machine then assumed the segment master browser role for the "other"
subnet(s), and the DMB was able to find the other browse masters (using
WINS) to build a combined browse list. See KB 191611 "Symptoms of Multihomed
Browsers".

    RRAS introduced another problem because the "internal" interface to
which the remotes (RAS or VPN clients) connect was also Netbios enabled and
created another case of a multihomed browser. DNS with dynamic registration
in W2k introduced a similar problem for DNS names. As outlined in 292822,
the Netbios fix was to disable Netbt on the internal interface. (The DNS fix
remains the same in 830063 as it was in 289735 and 292822). Obviously,
changes made from SP3 onwards have shown up problems with browsing (and
logon from legacy clients) with Netbt disabled on this interface.

    It appears that the current recommendation is to delete the registry
value DisableNetbiosOverTcpip to get around these problems. But this will
require that the remotes do not use the same subnet as the LAN machines.
(The default is to use DHCP to issue IP addresses in the same subnet as the
LAN machines. The RRAS server does proxy ARP for the remote clients on the
LAN). Having two IPs in the same subnet for the DMB would cause havoc with
browsing. So you need to use a static pool of addresses in a different IP
subnet for the remotes (and the internal interface).

    If the remotes are in a different subnet from the LAN machines, you will
need to enable IP routing on the RRAS server. If the RRAS server is not the
default gateway of the LAN machines, you may also need extra routing on the
LAN to actually get traffic for the remote client's subnet to the RRAS
router.

    I hope to set up a test rig soon to see just what is going on, now that
I am aware of the changes. It might explain some odd problems which have
come up lately in this newsgroup.

    Bill Grant
MVP - Networking
  Sydney, NSW

"Bill Grant" <not.available@online> wrote in message
news:#q111D3IEHA.2524@TK2MSFTNGP11.phx.gbl...
> Thanks. I will try to absorb what it is trying to say and get back to
> you!
>
> "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> news:c5liie$4bh$1$830fa795@news.demon.co.uk...
> > Hi Bill
> >
> > thanks for your reply
> >
> > the link is here
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;830063&Product=win2000
> >
> > there is a specific note in the article which says:
> >
> > Note Virtual private network (VPN) clients may not be able to browse the
> > network, but the VPN clients can access resources if the domain controller
> > is a multihomed computer that is running as the domain master browser.
> >
> > Regards
> >
> > Richard
> >
> >
> > "Bill Grant" <not.available@online> wrote in message
> > news:OAqb$GsIEHA.700@TK2MSFTNGP09.phx.gbl...
> > > That looks OK. Netbios over TCP/IP is disabled on the PPP adapter.
> > >
> > > Problems can arise if more than one interface tries to build a segment
> > > browse list. The browser software has no way to merge browse lists if the
> > > interfaces are on the same machine. Consequently you can get browser
> > > failures and browser elections being forced. That is why KB 292822
> > > recommends disabling Netbt on the RAS interface.
> > >
> > > Your system is working correctly with 192.0.0.7 acting as your segment
> > > browser and your DMB. It is also recognising the existence of another
> > > domain, with DMB at 172.16.0.9 (presumably one of the dialup machines is
> > > in a domain called pointprogress).
> > >
> > > I can't find KB 830063. In what circumstances does it recommend deleting
> > > DisableNetbiosOverTcpip ?
> > >
> > >
> > >
> > >
> > >
> > > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > > news:c5j00e$80m$1$8302bc10@news.demon.co.uk...
> > > > I am not quite sure what you mean in this reply. WINS currently has
> > > > entries for Master browser as below:
> > > >
> > > > Record name          Type                   IP address  State   Static  Owner
> > > > PROSSORNT [1Bh]      Domain Master Browser  192.0.0.7   Active          192.0.0.7
> > > > POINTPROGRESS [1Bh]  Domain Master Browser  172.16.0.9  Active          192.0.0.7
> > > >
> > > > RRAS is configured to use a static pool and give out IPs in the range
> > > > 172.16.0.1 to 172.16.0.50.
> > > >
> > > > I attach below the ipconfig /all from the Server. I hope this helps
> > > >
> > > > Regards
> > > >
> > > > Richard
> > > >
> > > >
> > > >
> > > > Microsoft Windows 2000 [Version 5.00.2195]
> > > > (C) Copyright 1985-2000 Microsoft Corp.
> > > >
> > > > Z:\>ipconfig /all
> > > >
> > > > Windows 2000 IP Configuration
> > > >
> > > > Host Name . . . . . . . . . . . . : prossornt01
> > > > Primary DNS Suffix . . . . . . . : prossorsnt.prossors.com
> > > > Node Type . . . . . . . . . . . . : Hybrid
> > > > IP Routing Enabled. . . . . . . . : Yes
> > > > WINS Proxy Enabled. . . . . . . . : No
> > > > DNS Suffix Search List. . . . . . : prossorsnt.prossors.com
> > > > prossors.com
> > > >
> > > > Ethernet adapter Internal NIC:
> > > >
> > > > Connection-specific DNS Suffix . : prossorsnt.prossors.com
> > > > Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
> > > > Physical Address. . . . . . . . . : 00-10-18-02-17-8C
> > > > DHCP Enabled. . . . . . . . . . . : No
> > > > IP Address. . . . . . . . . . . . : 192.0.0.7
> > > > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > > Default Gateway . . . . . . . . . :
> > > > DNS Servers . . . . . . . . . . . : 192.0.0.7
> > > > Primary WINS Server . . . . . . . : 192.0.0.7
> > > >
> > > > Ethernet adapter External NIC:
> > > >
> > > > Connection-specific DNS Suffix . :
> > > > Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
> > > > Physical Address. . . . . . . . . : 00-06-5B-3D-6D-22
> > > > DHCP Enabled. . . . . . . . . . . : No
> > > > IP Address. . . . . . . . . . . . : 80.176.221.154
> > > > Subnet Mask . . . . . . . . . . . : 255.255.255.252
> > > > Default Gateway . . . . . . . . . : 80.176.221.153
> > > > DNS Servers . . . . . . . . . . . : 192.0.0.7
> > > >
> > > > PPP adapter RAS Server (Dial In) Interface:
> > > >
> > > > Connection-specific DNS Suffix . :
> > > > Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> > > > Physical Address. . . . . . . . . : 00-53-45-00-00-00
> > > > DHCP Enabled. . . . . . . . . . . : No
> > > > IP Address. . . . . . . . . . . . : 172.16.0.1
> > > > Subnet Mask . . . . . . . . . . . : 255.255.255.255
> > > > Default Gateway . . . . . . . . . :
> > > > DNS Servers . . . . . . . . . . . : 127.0.0.1
> > > > NetBIOS over Tcpip. . . . . . . . : Disabled
> > > >
> > > > Z:\>
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > "Bill Grant" <not.available@online> wrote in message
> > > > news:u4F5ZfcIEHA.3968@TK2MSFTNGP12.phx.gbl...
> > > > > The browser service should only use one interface of the server. So
> > > > > you need to disable Netbios over TCP/IP on both the public NIC and the
> > > > > RRAS internal interface. Only the server's LAN NIC should appear in WINS
> > > > > associated with the name of the server. After you have made the registry
> > > > > changes, check WINS to make sure it hasn't retained any old entries. The
> > > > > domain master browser entry <domainname 1b> should show the LAN NIC IP
> > > > > address of the server only.
> > > > >
> > > > > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > > > > news:c5gj9k$g1k$1$8300dec7@news.demon.co.uk...
> > > > > > thanks for your reply
> > > > > >
> > > > > > the RRAS server is also a WINS server. The setting is as you describe.
> > > > > > Using IPconfig the VPN'ed client shows DNS and WINS referring to the
> > > > > > server.
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > Richard
> > > > > >
> > > > > >
> > > > > > "Danny Slye - [MSFT}" <dslye@online.microsoft.com> wrote in message
> > > > > > news:wu%23cOO4HEHA.3772@cpmsftngxa06.phx.gbl...
> > > > > > > I have had good success with following 292822 to prevent the RAS
> > > > > > > adapter from registering NBT and breaking browsing\name resolution on
> > > > > > > the LAN. In order for vpn clients to browse reliably they have to get
> > > > > > > a WINS server assigned to them from the RAS server. Make sure that the
> > > > > > > RRAS server is configured as a WINS client and the IP properties of
> > > > > > > the RAS server is configured to "use the following adapter to obtain
> > > > > > > DHCP, DNS, WINS addresses for dialup clients", set the adapter to the
> > > > > > > internal adapter.
> > > > > > > --------------------
> > > > > > >
> > > > > > > >
> > > > > > > >I have a problem browsing over VPN. I have two Microsoft articles
> > > > > > > >which seem to be in conflict with each other with regard to
> > > > > > > >DisableNetBiosoverTcpip settings in the registry on a computer with
> > > > > > > >two network cards (in my case SBS2k).
> > > > > > > >
> > > > > > > >Can anyone help on which is right?
> > > > > > > >
> > > > > > > >KB292822 requires you to set up a registry key DisableNetBIOSoverTcpip.
> > > > > > > >
> > > > > > > >KB830063 advises you to delete this registry key.
> > > > > > > >
> > > > > > > >Regards
> > > > > > > >
> > > > > > > >Richard
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > __
> > > > > > > Danny Slye
> > > > > > > Microsoft Support Professional
> > > > > > > MCSE
> > > > > > >
> > > > > > > This posting is provided "AS IS" with no warranties and confers no
> > > > > > > rights. Please reply to the newsgroup so that others may benefit.
> > > > > > > Thanks!
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
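
The two conditions discussed in this thread (NetBT bound to more than one interface of the browser, and the RRAS static pool sharing a subnet with the LAN) can be checked from `ipconfig /all` text. This is an added example, not code from any poster: the function names are hypothetical, the sample is constructed from the output quoted above, and an adapter with no "NetBIOS over Tcpip" line is assumed to have NetBT enabled.

```python
import ipaddress
import re

# Constructed sample: trimmed from the `ipconfig /all` output quoted in the thread.
SAMPLE = """\
Ethernet adapter Internal NIC:
        IP Address. . . . . . . . . . . . : 192.0.0.7
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter External NIC:
        IP Address. . . . . . . . . . . . : 80.176.221.154
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
PPP adapter RAS Server (Dial In) Interface:
        IP Address. . . . . . . . . . . . : 172.16.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""
FIELDS = {"IP Address": "ip", "Subnet Mask": "mask"}

def parse_adapters(text):
    """Return {adapter name: {"ip", "mask", "netbt"}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\S.*? adapter (.+):\s*$", line)
        if header:
            # Assumption: NetBT counts as enabled unless a "Disabled" line follows.
            current = adapters.setdefault(header.group(1), {"netbt": True})
            continue
        field = re.match(r"^\s*([^.:]+?)[ .]*:\s*(.*)$", line)
        if current is None or not field:
            continue
        key, value = field.group(1).strip(), field.group(2).strip()
        if key in FIELDS:
            current[FIELDS[key]] = value
        elif key == "NetBIOS over Tcpip":
            current["netbt"] = value.lower() != "disabled"
    return adapters

def netbt_enabled(adapters):
    """Adapters where NetBT is still bound; more than one means a multihomed browser."""
    return sorted(name for name, a in adapters.items() if a["netbt"])

def pool_overlaps_lan(adapters, lan_name, pool_start, pool_end):
    """True if any address in the RRAS static pool falls inside the LAN subnet."""
    lan = adapters[lan_name]
    net = ipaddress.ip_network(f"{lan['ip']}/{lan['mask']}", strict=False)
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return first <= net.broadcast_address and last >= net.network_address

if __name__ == "__main__":
    found = parse_adapters(SAMPLE)
    print(netbt_enabled(found), pool_overlaps_lan(found, "Internal NIC", "172.16.0.1", "172.16.0.50"))
```

On the sample, the External NIC is reported alongside the Internal NIC as still NetBT-enabled, which is the interface the earlier reply says should also have Netbios over TCP/IP disabled.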


