• Status: Solved

Sharing resources across a VPN connection

Here is a quick description of the setup:

1) One group of networked remote computers all connecting to our server via VPN.

2) One group of networked local computers all connecting to our server via LAN.

All machines are running fully patched XP pro and are members of the same domain. The remote computers can all access shares on each other and the server. The local computers can all access shares on each other and the server.

The problem - or rather the issue I would like to solve - is how to allow the local machines access to shares on the remote VPN clients. The message we get when attempting to create a network place is: "The folder you entered does not appear to be valid", and we cannot browse to the locations either - the VPN-connected client machines do not appear in the "MS Windows Network". However, we can ping any VPN-connected client machine by name and they will resolve just fine - which is what is confusing to me.

The goal here is to create a share on a remote machine that is accessible by any client - either remote or local to that machine (when they are connected via VPN to the server).

Let me know if you need any further details.  
0
 
gvlobCommented:
Have you tried to connect to a share using the IP address instead of the name? If this works, then you have a name resolution problem. Your clients need to be able to register to the DNS server or the DHCP should register the clients when the IP address is given out.
0
 
PapaGutAuthor Commented:
The VPN is configured to register the client in DNS, and from where I sit (LAN with server), I can ping either the computer name or IP of the remote machine - just cannot connect to the share. Furthermore, the IP addresses of the remote machines are dynamic, so I know that the DNS records are being updated each time the client reconnects to the server.  
0
 
gvlobCommented:
Do you have a firewall set up? Are you filtering protocols on the VPN?
0
 
PapaGutAuthor Commented:
There are two routers in place (one networking the remote machines, one networking the local ones including the server) - but the appropriate ports are open. I am not filtering protocols to the best of my knowledge. Would that not be confirmed by the fact that the remote clients can connect and share resources with the server through their router, and the local machines can do the same through the local one?
0
 
PapaGutAuthor Commented:
Also, I just had a remote client ping one of the local machines here by name - it resolved immediately.  
0
 
carl_legereCommented:
What kind of VPN?
Why two routers, give a quick sketch eh?
0
 
gvlobCommented:
One for each side of the WAN I would suspect. Check out this article on the MS site:

http://support.microsoft.com/?kbid=817069
0
 
gvlobCommented:
Oops, sorry. Don't bother looking at the link, I forgot you were running XP.
0
 
PapaGutAuthor Commented:
correct gvlob - one on each side of the WAN.
0
 
gvlobCommented:
Do you have NetBIOS over TCP/IP enabled on the XP machines?
0
 
PapaGutAuthor Commented:
The following protocols are installed:

NWLink NetBIOS
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
Internet Protocol (TCP/IP)

However, we do get an error message when the remote machine establishes the VPN:

One or more requested network protocols did not connect successfully. TCP/IP connected successfully. IPX/SPX or compatible CP reported error code 733....Press accept to use connection as is, or hang up to disconnect.

When this error appears, the user has been clicking accept and working as normal.

0
 
gvlobCommented:
Remove the NWLink protocols if you are not using Netware. Under TCP/IP advanced settings WINS tab, make sure NetBIOS over TCP/IP is enabled.
0
 
PapaGutAuthor Commented:
Done, as a point of interest, I had originally configured the machines in this way, then added the NWLink protocols as a search had suggested that the lack of NetBIOS could be causing the problem we are working on. Anyhow, I have bad news to report: I uninstalled the NWLink protocols on a local client, a remote client, and the server too - after restarting all three, we still cannot browse to a share on the remote machine (but we can still ping it by name from any machine, and the remote client can still access shares on the server). One more thing - we have been trying to add a network place both on a local client and on the local server to this VPN-connected remote machine - both without success.
0
 
gvlobCommented:
You don't need to have NWLink protocols for NetBIOS to work. All you have to do is enable it under the advanced settings of the TCP/IP properties. You did not state whether you checked this setting or not. In the meantime, I will try to think of something that may be of more help.
0
 
PapaGutAuthor Commented:
Sorry, to be clear: NetBIOS is now checked under the advanced settings of the TCP/IP properties on all three machines I mentioned. Thanks for your ongoing help.  
0
 
PapaGutAuthor Commented:
not an objection - but any suggestion on where I should perhaps repost to get this solved?
0
 
Jay_Jay70Commented:
what questioners often do is post a pointer question in another TA

for example you might want to put a 25 point question in the networking TA and include a link to here

usually opens up some fresh ideas
0
 
PapaGutAuthor Commented:
ok, please do not close for the moment, I will give that a try.
0
 
Rob WilliamsCommented:
Hi PapaGut, reading other posts most refer to naming issues, but I doubt that is the issue. As Carl asked earlier, could you advise how the VPN has been created? Are you using 2 hardware VPN routers, 1 router and software clients, or built-in Windows VPN server? If a Windows VPN, are you using RRAS at the main office? Perhaps this information will help to resolve. For the record, if not a VPN router-to-VPN router configuration it may not be possible to advertise the same share to all users in the same way.
0
 
gvlobCommented:
RobWill, PapaGut said in one of his posts that he has two routers connecting the sites. So, I'm under the assumption that the VPN is being done through them, although I probably should not have (I do know what happens when you assume things :-) ). PapaGut, have you tried to run a sniffer on both sides of the routers? This will at least let you know if the packets requesting the mapping even get to the remote site.
0
 
PapaGutAuthor Commented:
I will do my best to describe the setup: The VPN is not hardware-based at any point. The multiple client machines at the remote location all use a simple software VPN connection to our main server, which is here at the same physical location that my client machine is at.

Please let me know how to identify if RRAS is being used, and thanks so far.
0
 
PapaGutAuthor Commented:
gvlob - it goes like this: multiple clients at a remote location networked through a router which in turn is connected to a broadband modem. The setup at the other end is almost identical, except that one of the machines is a server. So, the VPN runs through two routers during an active connection between remote client and server. Furthermore, the establishment of the connection is no problem at all - and files can be retrieved from shares on the server. My issue is with accessing a share on one of those remote machines while it is connected, which we cannot do from any of the local clients including the server itself.

In terms of a sniffer - I have not used that approach at all, and would need some assistance as to what to look for.

To recap a bit, a local client machine (local to the server) can ping any connected remote client while the VPN is present, either by IP or name, but cannot connect to a share on that machine.

Does that help?    
0
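The symptom described so far (ping by name and IP succeeds, the share connection fails) can be narrowed before reaching for a sniffer by probing the Windows file-sharing TCP ports directly from a LAN machine. This is an added example, not part of any post in the thread; the function names `probe_tcp` and `diagnose_share_path` are hypothetical, and 445 and 139 are the standard SMB and NetBIOS session ports.

```python
import socket

# 445 = SMB directly over TCP, 139 = NetBIOS session service (NetBIOS over TCP/IP).
SMB_PORTS = (445, 139)

def probe_tcp(ip, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"    # host replied with a reset: reachable, nothing listening
    except OSError:
        return "filtered"   # timeout or unreachable: dropped or no return route
    finally:
        s.close()

def diagnose_share_path(host, ports=SMB_PORTS, timeout=2.0):
    """Resolve host, probe the file-sharing ports, and summarise where access breaks."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        return {"host": host, "ip": None, "ports": {},
                "verdict": "name resolution failed"}
    results = {p: probe_tcp(ip, p, timeout) for p in ports}
    states = set(results.values())
    if "open" in states:
        verdict = "port reachable: check share permissions and credentials"
    elif states == {"refused"}:
        verdict = "host reachable, not listening: check File and Printer Sharing and host firewall"
    else:
        verdict = "no reply: file-sharing traffic is filtered or not routed to the VPN client"
    return {"host": host, "ip": ip, "ports": results, "verdict": verdict}

if __name__ == "__main__":
    import sys
    # Usage: python smbcheck.py <name-or-ip-of-vpn-client>
    for key, value in diagnose_share_path(sys.argv[1]).items():
        print(f"{key}: {value}")
```

A "no reply" verdict while ping still works means the loss is specific to the file-sharing ports, which is the point at which a capture on each side of the routers becomes useful.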
 
Rob WilliamsCommented:
gvlob,  router does not = VPN. Assuming will get you every time. :-)

I assume :-)  then the VPN connection is established using the Windows VPN client? Can you confirm?
To check if using RRAS either check the services management console to see if the service is enabled or under administrative tools open the Routing and Remote Access Management Console.

If this is the case the connection you are using is really intended as a uni-directional connection. Remote client to server. When the remote user connects they are assigned a temporary IP address. To connect to that user (which is not the intended design) you would have to use that IP. Because it is changing and not even always connected it would be virtually impossible to map a share in this way. If you have multiple users connecting from a remote site you really should consider setting up a hardware VPN solution. A Cisco PIX unit would probably be ideal and the best choice but if looking for a more affordable solution I would consider the Linksys RV042:
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1123638171618&pagename=Linksys%2FCommon%2FVisitorWrapper
You could set up 2 of these for about $250 US each with no additional licenses or support contracts.
A site-to-site solution will allow shares in either direction very easily. It also eliminates the hassles of having to manually connect to the remote site each time the user logs on.
0
 
gvlobCommented:
Well, kudos to you RobWill, you hit the nail right on the head (and I guess I did make an @$% out of myself BIG :-) ). That is your problem right there PapaGut. Your remote site clients are connecting to your server using software clients. If these clients are set up using Add New Network Connection in the networking window and if your server is not using any VPN software that you installed, then you probably are using RRAS.

In order for the clients on the server site to be able to connect to a share on the remote site, you have to run RRAS on the remote site, which means you need a server in the remote site. I would use your routers to set up the VPN connection, if possible. If not, it may be cheaper to get two small firewalls at each site that have VPN capability. This would cost you around $400 to $700 each site depending on the # of users. This will also give you some security, which it sounds like you currently need.

Please give RobWill the points.

Late again!!
0
 
Rob WilliamsCommented:
Thanks gvlob, however I hardly think "I guess I did make an @$% out of myself BIG".
Valid points above, but minor oversight with connection.

PapaGut , not the answer you wanted I'm sure, but does it explain the situation and what you will need to do?
0
 
PapaGutAuthor Commented:
thanks a lot - I would rather know why I am experiencing a problem than struggling to solve something that really can't be solved.

One last question - if my network is adjusted as you described, would an additional remote user - one that is outside of the two clusters of client machines (for example on a laptop during travel), be able to connect to a share on their machine, not the server, while on the road?
0
 
gvlobCommented:
PapaGut, please do yourself and your company a big favor and add firewalls to both branches. RobWill's router recommendation is a good one. Good luck.
0
 
gvlobCommented:
Your client would connect to the Router with a VPN client which would give him access to the branch, or even both depending on your setup.
0
 
PapaGutAuthor Commented:
thanks, that sounds like the answer. Thank-you to both of you for your help.
0
 
Rob WilliamsCommented:
>>"would an additional remote user - one that is outside of the two clusters of client machines (for example on a laptop during travel), be able to connect to a share on their machine, not the server, while on the road? "

With most VPN routers yes. The routers allow you to create site-to-site tunnels between 2 hardware routers, but they also allow you to connect remotely via a software client supplied by the manufacturer of the router. You may want to look at this carefully if you need this feature, as it involves licensing. Some VPN routers do not include any licenses to do this, you have to purchase as an additional cost. Others such as the Cisco Pix 501 include 10 licenses but you cannot increase that. More expensive Cisco's will allow larger numbers of mobile users. The Linksys, as I recall allows 30 (maybe 50 with firmware upgrade), and can be increased for a minimal cost. It all depends on the number of users you expect to have.
As for connecting to a computer other than the server, that is the beauty of a hardware solution. All resources on the network are available to anyone connected by VPN, whether hardware or software client, unless you set up filtering to block them.
--Rob
0
 
Rob WilliamsCommented:
Thanks PapaGut for the points. Good luck with it. Look at the Cisco's. If they are within your budget they are by far the best and have very good customer support. Although I have had great luck with the Linksys, customer support is almost non-existent.
--Rob
0
 
PapaGutAuthor Commented:
ideal! Thank-you!
0
 
Rob WilliamsCommented:
Just a note about possible problems:
-should it be a requirement, you will still have problems connecting to a user who is connected via a software client. I assume the software client is just for mobile users to connect to the 2 offices, and it will not be an issue.
-the mobile client will be able to connect to either office, but not both simultaneously  
0
 
PapaGutAuthor Commented:
Thanks for the detail, yes, it would be for the mobile client to be able to access shares on the server which is at location A, and their own machine, which is at location B - but would not have to work in the opposite direction, so it looks like this is the solution for me. I think the balance of security and increased access will be well worth the $$.

Thanks again.
0
 
Rob WilliamsCommented:
Very welcome. Good luck.
--Rob
0
 
PapaGutAuthor Commented:
adjusted the points to include the question that was posted in another topic area.
0
 
Rob WilliamsCommented:
Thanks PapaGut,
--Rob
0
