Re: browsing over VPN


From: Bill Grant (not.available_at_online)
Date: 04/20/04


Date: Tue, 20 Apr 2004 12:31:57 +1000


      Just one point. Step 1 will enable Netbt on the RAS/VPN interface.
That is all you need. I would not enable Netbt on the external NIC. That
would enable hackers and others on the Internet access to your Netbios info
(which they don't need to know!). And you don't really need your public IP
registering in WINS. (Your remote clients use the RAS interface after
connection).

    Exactly how a client behaves when you use it remotely and also on a LAN
connection varies. If it is running XP Pro it should behave sensibly. XP is
better than previous OSs in keeping things connection specific. But you will
probably still see "old" browser info when you change over. It takes a while
for browser info to settle down, because it relies on broadcasts and UDP
messages.

"Richard Prossor" <richard.prossor@prossor.com> wrote in message
news:c601ae$fk6$1$8300dec7@news.demon.co.uk...
> Hi Bill
>
> Thanks for the reply - it is coming a little clearer now.
>
> To summarise: 830063 should be implemented after 292822 and this
> introduces the following changes:
>
> 1) delete the registry value DisableNetbiosOverTcpip created after
> applying 292822
> 2) enable Netbios over TCP/IP in WINS settings in advanced for the
> External NIC
> 3) IPs for remote clients MUST be from a static pool in RRAS properties
>
> The result will be to enable browsing over VPN and proper logon from
> pre-2000 clients.
>
> Before I apply this, can you help me understand what happens in this
> scenario if a laptop which normally connects remotely then comes in to the
> office and connects directly to the internal network?
>
> Regards
>
> Richard
>
> "Bill Grant" <not.available@online> wrote in message
> news:u4Gx8cCJEHA.3288@TK2MSFTNGP09.phx.gbl...
> > The browsing problem with multihomed browsers goes back to NT (where it
> > was known as the multihomed PDC problem). If Netbios binds to multiple
> > interfaces, the computer browser service gets confused, because it was
> > designed to only recognise one interface in each machine. The "fix" was to
> > disable Netbios over TCP/IP on all but one interface, forcing the browser
> > service to build a segment browse list on one interface only. Some other
> > machine then assumed the segment master browser role for the "other"
> > subnet(s), and the DMB was able to find the other browse masters (using
> > WINS) to build a combined browse list. See KB 191611 "Symptoms of
> > Multihomed Browsers".
> >
> > RRAS introduced another problem because the "internal" interface to
> > which the remotes (RAS or VPN clients) connect was also Netbios enabled and
> > created another case of a multihomed browser. DNS with dynamic registration
> > in W2k introduced a similar problem for DNS names. As outlined in 292822,
> > the Netbios fix was to disable Netbt on the internal interface. (The DNS fix
> > remains the same in 830063 as it was in 289735 and 292822.) Obviously,
> > changes made from SP3 onwards have shown up problems with browsing (and
> > logon from legacy clients) with Netbt disabled on this interface.
> >
> > It appears that the current recommendation is to delete the registry
> > value DisableNetbiosOverTcpip to get around these problems. But this will
> > require that the remotes do not use the same subnet as the LAN machines.
> > (The default is to use DHCP to issue IP addresses in the same subnet as the
> > LAN machines. The RRAS server does proxy ARP for the remote clients on the
> > LAN.) Having two IPs in the same subnet for the DMB would cause havoc with
> > browsing. So you need to use a static pool of addresses in a different IP
> > subnet for the remotes (and the internal interface).
> >
> > If the remotes are in a different subnet from the LAN machines, you will
> > need to enable IP routing on the RRAS server. If the RRAS server is not the
> > default gateway of the LAN machines, you may also need extra routing on the
> > LAN to actually get traffic for the remote client's subnet to the RRAS
> > router.
> >
> > I hope to set up a test rig soon to see just what is going on, now that
> > I am aware of the changes. It might explain some odd problems which have
> > come up lately in this newsgroup.
> >
> > Bill Grant
> > MVP - Networking
> > Sydney, NSW
> >
> > "Bill Grant" <not.available@online> wrote in message
> > news:#q111D3IEHA.2524@TK2MSFTNGP11.phx.gbl...
> > > Thanks. I will try to absorb what it is trying to say and get back to
> > > you!
> > >
> > > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > > news:c5liie$4bh$1$830fa795@news.demon.co.uk...
> > > > Hi Bill
> > > >
> > > > thanks for your reply
> > > >
> > > > the link is here
> > > >
> > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;830063&Product=win2000
> > > >
> > > > there is a specific note in the article which says:
> > > >
> > > > Note Virtual private network (VPN) clients may not be able to browse the
> > > > network, but the VPN clients can access resources if the domain
> > > > controller is a multihomed computer that is running as the domain master
> > > > browser.
> > > >
> > > > Regards
> > > >
> > > > Richard
> > > >
> > > >
> > > > "Bill Grant" <not.available@online> wrote in message
> > > > news:OAqb$GsIEHA.700@TK2MSFTNGP09.phx.gbl...
> > > > > That looks OK. Netbios over TCP/IP is disabled on the PPP adapter.
> > > > >
> > > > > Problems can arise if more than one interface tries to build a segment
> > > > > browse list. The browser software has no way to merge browse lists if
> > > > > the interfaces are on the same machine. Consequently you can get browser
> > > > > failures and browser elections being forced. That is why KB 292822
> > > > > recommends disabling Netbt on the RAS interface.
> > > > >
> > > > > Your system is working correctly with 192.0.0.7 acting as your segment
> > > > > browser and your DMB. It is also recognising the existence of another
> > > > > domain, with DMB at 172.16.0.9 (presumably one of the dialup machines is
> > > > > in a domain called pointprogress).
> > > > >
> > > > > I can't find KB 830063. In what circumstances does it recommend
> > > > > deleting DisableNetbiosOverTcpip ?
> > > > >
> > > > > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > > > > news:c5j00e$80m$1$8302bc10@news.demon.co.uk...
> > > > > > I am not quite sure what you mean in this reply. WINS currently has
> > > > > > entries for Master browser as below:
> > > > > >
> > > > > > Record name     Type                         IP address   State    Static  Owner
> > > > > > PROSSORNT       [1Bh] Domain Master Browser  192.0.0.7    Active           192.0.0.7
> > > > > > POINTPROGRESS   [1Bh] Domain Master Browser  172.16.0.9   Active           192.0.0.7
> > > > > >
> > > > > > RRAS is configured to use a static pool and give out IPs in the
> > > > > > range 172.16.0.1 to 172.16.0.50.
> > > > > >
> > > > > > I attach below the ipconfig /all from the Server. I hope this helps
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > Richard
> > > > > >
> > > > > >
> > > > > > Microsoft Windows 2000 [Version 5.00.2195]
> > > > > > (C) Copyright 1985-2000 Microsoft Corp.
> > > > > >
> > > > > > Z:\>ipconfig /all
> > > > > >
> > > > > > Windows 2000 IP Configuration
> > > > > >
> > > > > > Host Name . . . . . . . . . . . . : prossornt01
> > > > > > Primary DNS Suffix . . . . . . . : prossorsnt.prossors.com
> > > > > > Node Type . . . . . . . . . . . . : Hybrid
> > > > > > IP Routing Enabled. . . . . . . . : Yes
> > > > > > WINS Proxy Enabled. . . . . . . . : No
> > > > > > DNS Suffix Search List. . . . . . : prossorsnt.prossors.com
> > > > > >                                     prossors.com
> > > > > >
> > > > > > Ethernet adapter Internal NIC:
> > > > > >
> > > > > > Connection-specific DNS Suffix . : prossorsnt.prossors.com
> > > > > > Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
> > > > > > Physical Address. . . . . . . . . : 00-10-18-02-17-8C
> > > > > > DHCP Enabled. . . . . . . . . . . : No
> > > > > > IP Address. . . . . . . . . . . . : 192.0.0.7
> > > > > > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > > > > Default Gateway . . . . . . . . . :
> > > > > > DNS Servers . . . . . . . . . . . : 192.0.0.7
> > > > > > Primary WINS Server . . . . . . . : 192.0.0.7
> > > > > >
> > > > > > Ethernet adapter External NIC:
> > > > > >
> > > > > > Connection-specific DNS Suffix . :
> > > > > > Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
> > > > > > Physical Address. . . . . . . . . : 00-06-5B-3D-6D-22
> > > > > > DHCP Enabled. . . . . . . . . . . : No
> > > > > > IP Address. . . . . . . . . . . . : 80.176.221.154
> > > > > > Subnet Mask . . . . . . . . . . . : 255.255.255.252
> > > > > > Default Gateway . . . . . . . . . : 80.176.221.153
> > > > > > DNS Servers . . . . . . . . . . . : 192.0.0.7
> > > > > >
> > > > > > PPP adapter RAS Server (Dial In) Interface:
> > > > > >
> > > > > > Connection-specific DNS Suffix . :
> > > > > > Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> > > > > > Physical Address. . . . . . . . . : 00-53-45-00-00-00
> > > > > > DHCP Enabled. . . . . . . . . . . : No
> > > > > > IP Address. . . . . . . . . . . . : 172.16.0.1
> > > > > > Subnet Mask . . . . . . . . . . . : 255.255.255.255
> > > > > > Default Gateway . . . . . . . . . :
> > > > > > DNS Servers . . . . . . . . . . . : 127.0.0.1
> > > > > > NetBIOS over Tcpip. . . . . . . . : Disabled
> > > > > >
> > > > > > Z:\>
> > > > > >
> > > > > >
> > > > > > "Bill Grant" <not.available@online> wrote in message
> > > > > > news:u4F5ZfcIEHA.3968@TK2MSFTNGP12.phx.gbl...
> > > > > > > The browser service should only use one interface of the server. So
> > > > > > > you need to disable Netbios over TCP/IP on both the public NIC and the
> > > > > > > RRAS internal interface. Only the server's LAN NIC should appear in
> > > > > > > WINS associated with the name of the server. After you have made the
> > > > > > > registry changes, check WINS to make sure it hasn't retained any old
> > > > > > > entries. The domain master browser entry <domainname 1b> should show
> > > > > > > the LAN NIC IP address of the server only.
> > > > > > >
> > > > > > > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > > > > > > news:c5gj9k$g1k$1$8300dec7@news.demon.co.uk...
> > > > > > > > thanks for your reply
> > > > > > > >
> > > > > > > > the RRAS server is also a WINS server. The setting is as you
> > > > > > > > describe. Using IPconfig the VPN'ed client shows DNS and WINS
> > > > > > > > referring to the server.
> > > > > > > >
> > > > > > > > Regards
> > > > > > > >
> > > > > > > > Richard
> > > > > > > >
> > > > > > > >
> > > > > > > > "Danny Slye - [MSFT]" <dslye@online.microsoft.com> wrote in message
> > > > > > > > news:wu%23cOO4HEHA.3772@cpmsftngxa06.phx.gbl...
> > > > > > > > > I have had good success with following 292822 to prevent the RAS
> > > > > > > > > adapter from registering NBT and breaking browsing\name resolution
> > > > > > > > > on the LAN. In order for vpn clients to browse reliably they have
> > > > > > > > > to get a WINS server assigned to them from the RAS server. Make
> > > > > > > > > sure that the RRAS server is configured as a WINS client and the IP
> > > > > > > > > properties of the RAS server are configured to "use the following
> > > > > > > > > adapter to obtain DHCP, DNS, WINS addresses for dialup clients",
> > > > > > > > > set the adapter to the internal adapter.
> > > > > > > > > --------------------
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I have a problem browsing over VPN. I have two Microsoft
> > > > > > > > > > articles which seem to be in conflict with each other with
> > > > > > > > > > regard to DisableNetBiosoverTcpip settings in the registry on a
> > > > > > > > > > computer with two network cards (in my case SBS2k).
> > > > > > > > > >
> > > > > > > > > > Can anyone help on which is right?
> > > > > > > > > >
> > > > > > > > > > KB292822 requires you to set up a registry key
> > > > > > > > > > DisableNetBIOSoverTcpip.
> > > > > > > > > >
> > > > > > > > > > KB830063 advises you to delete this registry key.
> > > > > > > > > >
> > > > > > > > > > Regards
> > > > > > > > > >
> > > > > > > > > > Richard
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > __
> > > > > > > > > Danny Slye
> > > > > > > > > Microsoft Support Professional
> > > > > > > > > MCSE
> > > > > > > > >
> > > > > > > > > This posting is provided "AS IS" with no warranties and confers
> > > > > > > > > no rights. Please reply to the newsgroup so that others may
> > > > > > > > > benefit. Thanks!
> > > > > > > > >
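The thread converges on three checks for a multihomed RRAS/WINS server: NetBIOS over TCP/IP should stay off the external NIC, remote clients (the RAS interface and the RRAS static pool) must sit in a different subnet from the LAN, and the domain's 1Bh (domain master browser) record in WINS should show the LAN NIC address only. The script below is an added example, not code from any of the posts or from Microsoft: it parses the `ipconfig /all` output quoted above and applies those three checks. The adapter-to-role mapping, the static pool and the WINS records are assumptions taken from the figures in the thread, and the rule that Windows 2000 `ipconfig` prints a "NetBIOS over Tcpip" line only for adapters where NetBT is disabled is inferred from the quoted output rather than documented.

```python
"""Audit a multihomed RRAS/WINS server for the NetBT and subnet pitfalls the
thread describes. Added example; sample data is abridged from the thread."""
import ipaddress
import re

# Constructed sample: the thread's ipconfig /all output, trimmed to the fields used.
IPCONFIG_SAMPLE = """\
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : prossornt01
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes

Ethernet adapter Internal NIC:

IP Address. . . . . . . . . . . . : 192.0.0.7
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Primary WINS Server . . . . . . . : 192.0.0.7

Ethernet adapter External NIC:

IP Address. . . . . . . . . . . . : 80.176.221.154
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 80.176.221.153

PPP adapter RAS Server (Dial In) Interface:

IP Address. . . . . . . . . . . . : 172.16.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
NetBIOS over Tcpip. . . . . . . . : Disabled
"""

# Assumed role mapping; adapter names exactly as ipconfig printed them in the thread.
ROLES = {
    "lan": "Ethernet adapter Internal NIC",
    "external": "Ethernet adapter External NIC",
    "ras": "PPP adapter RAS Server (Dial In) Interface",
}
STATIC_POOL = ("172.16.0.1", "172.16.0.50")  # RRAS static pool quoted in the thread
WINS_RECORDS = [                              # (name, type, ip) from the WINS listing
    ("PROSSORNT", "1Bh", "192.0.0.7"),
    ("POINTPROGRESS", "1Bh", "172.16.0.9"),
]

ADAPTER_RE = re.compile(r"^(\S.* adapter .+):$")
FIELD_RE = re.compile(r"^\s*(.+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from Windows ipconfig /all output.
    Host-level lines before the first adapter header are skipped."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line.strip())
        if header:
            current = header.group(1)
            adapters[current] = {}
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            adapters[current][field.group(1).strip()] = field.group(2).strip()
    return adapters


def netbt_enabled(fields):
    """Assumption from the quoted output: Windows 2000 ipconfig prints a
    'NetBIOS over Tcpip' line only where NetBT is disabled, so absence means enabled."""
    return fields.get("NetBIOS over Tcpip", "").lower() != "disabled"


def interface_of(fields):
    """Address and mask of an adapter as an ipaddress interface object."""
    return ipaddress.ip_interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")


def audit(adapters, roles, static_pool, wins_records, domain):
    """Return a list of findings; empty means the thread's recommendations are met."""
    findings = []
    lan = interface_of(adapters[roles["lan"]])

    # 1. The LAN NIC is the one interface the browser should use, so it must
    #    carry NetBT; the external NIC must not, or it advertises NetBIOS names
    #    to the Internet and registers the public address in WINS.
    if not netbt_enabled(adapters[roles["lan"]]):
        findings.append("NetBT disabled on LAN interface")
    if netbt_enabled(adapters[roles["external"]]):
        findings.append("NetBT enabled on external interface")

    # 2. Remote clients must be in a different subnet from the LAN, or the DMB
    #    ends up with two addresses in one subnet and browsing breaks.
    if interface_of(adapters[roles["ras"]]).ip in lan.network:
        findings.append("RAS interface address inside LAN subnet")
    first, last = (ipaddress.ip_address(a) for a in static_pool)
    if any(net.overlaps(lan.network)
           for net in ipaddress.summarize_address_range(first, last)):
        findings.append("RRAS static pool overlaps LAN subnet")

    # 3. Our own domain's 1Bh record must point at the LAN NIC only; other
    #    domains' records (e.g. a dial-up client's) are left alone.
    for name, rtype, ip in wins_records:
        if name.upper() == domain.upper() and rtype == "1Bh":
            if ipaddress.ip_address(ip) != lan.ip:
                findings.append(f"WINS 1Bh record for {name} points at {ip}, not {lan.ip}")
    return findings


if __name__ == "__main__":
    result = audit(parse_ipconfig(IPCONFIG_SAMPLE), ROLES, STATIC_POOL,
                   WINS_RECORDS, "PROSSORNT")
    print("\n".join(result) or "no findings")
```

Run against the quoted configuration, the only finding is that the External NIC has no "NetBIOS over Tcpip: Disabled" line, i.e. NetBT is still bound to the public interface; the RAS address and static pool are already outside 192.0.0.0/24 and the PROSSORNT 1Bh record already shows the LAN NIC, which matches what Bill says in his reply.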


