  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 962

can't browse subnet computers on other side of a WatchGuard VPN tunnel

We have a main office running SBS 2003 server, WatchGuard "Edge" firewall/VPN endpoint.  This main building is configured for 192.168.0.xxx subnet.

Our remote building has just 4 XP Pro machines connected to another WatchGuard "Edge" firewall/VPN endpoint.  This location uses 192.168.1.xxx subnet.

We can ping machines between the 2 subnets and also NSLOOKUP seems to work both ways, but....can't browse between buildings/subnets.

The remote location runs a login.bat at startup and maps the drives correctly and connects to Exchange Server....no problem there.

Seems to be just a subnet browsing problem between the 2 buildings.

Asked by telefunken
2 Solutions
 
Rob WilliamsCommented:
Browsing requires NetBIOS. The best solution for this is to enable a WINS server and make sure your clients are assigned the WINS server IP in their DHCP configuration. If that is not an option try enabling NetBIOS over TCP/IP under the WINS tab of the various network adapters. Also make sure the firewalls are not blocking NetBIOS. Some units have a "block NetBIOS broadcast" option.
0
 
Fatal_ExceptionCommented:
Rob is correct..  but you will need 2 WINS servers for the best configuration, one on each subnet...  but the easiest way for you to do this is by using the LMHosts file...  which will be simple with only 4 clients on the other side of the subnet...
0
 
Rob WilliamsCommented:
To add to FE's comments, LMHosts works great, but requires static IPs, or DHCP reservations. If you go that route you can add to a logon script to update the LMHosts files on client machines, if you have a lot of them.
0
 
telefunkenAuthor Commented:
A few questions about LMHOSTS:
*  does anyone have a sample LMHOSTS?  (i could modify for my network particulars?)
*  once a LMHOSTS file is created...where on the workstation(s) should it be saved to?
*  can local LMHOSTS files be created on the clients on the 192.168.0.0 subnet? (this is the main net with the SBS2003 and WINS and DNS servers)

Thanks.  This is a bewildering subject for me.......
0
 
Fatal_ExceptionCommented:
LMHOSTS entries designate who all the domain controllers are. This is done in the following convention:

199.199.199.1  ComputerName   #PRE  #DOM:DomainName

example:

Your domain name is "Globe", your PDC NetBIOS name is "Mongo", and you have other various backup domain controllers. Your LMHOSTS file would look like this:
   # the quoted domain name is space-padded to exactly 15 characters before \0x1b
   199.199.199.1   "globe          \0x1b"  #PRE
   199.199.199.1   mongo      #PRE  #DOM:globe
   199.199.199.2   otherdc1   #PRE  #DOM:globe
   199.199.199.3   otherdc2   #PRE  #DOM:globe

The lmhosts file is located here:

%systemroot%\system32\drivers\etc

or just type "%systemroot%\system32\drivers\etc" in the Run Line without the quotes..

and, make sure you save it WITHOUT an extension!
0
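Because a hand-typed LMHOSTS entry that is off by a space or a character fails silently, here is a small validator for the format described in the two comments above (and for checking a file before a logon script pushes it out, as Rob suggests). This is an added example in Python, not code from the thread; the sample file it checks is constructed in the thread's naming (domain GLOBE, PDC MONGO) with one extra hypothetical file server, and the `FILESHARE01` name and its address are assumptions.

```python
"""Parse and sanity-check an LMHOSTS file before copying it to clients.

Added example (not from the thread): it flags the things that silently break
name resolution: bad IPs, names longer than 15 characters, and a quoted \0x1b
domain entry whose name is not padded to exactly 15 characters.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# IP, then a name that is either "quoted (may contain spaces)" or a bare token,
# then the rest of the line (#PRE, #DOM:..., trailing comments)
LINE_RE = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')
SUFFIX_RE = re.compile(r'\\0x([0-9A-Fa-f]{2})$')   # trailing \0xNN inside the quotes

@dataclass
class Entry:
    ip: str
    name: str                 # NetBIOS name, upper-cased, without padding or suffix
    suffix: Optional[int]     # 16th byte from \0xNN, e.g. 0x1B (domain master browser)
    preload: bool             # #PRE: loaded into the name cache at startup
    domain: Optional[str]     # #DOM:domain marks a domain controller
    line_no: int

def parse_lmhosts(text: str):
    """Return (entries, warnings). Comment and directive lines (#INCLUDE etc.) are skipped."""
    entries, warnings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            warnings.append(f"line {n}: cannot parse {line!r}")
            continue
        ip, name_tok, rest = m.groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            warnings.append(f"line {n}: {ip!r} is not an IPv4 address")
            continue
        suffix = None
        if name_tok.startswith('"'):
            body = name_tok[1:-1]
            s = SUFFIX_RE.search(body)
            if s:
                suffix = int(s.group(1), 16)
                padded = body[: s.start()]
                # NetBIOS names are 16 bytes: 15 characters plus the suffix byte, so
                # the quoted name must be space-padded to exactly 15 before \0xNN
                if len(padded) != 15:
                    warnings.append(
                        f"line {n}: quoted name {padded!r} must be exactly 15 chars "
                        f"before \\0x{suffix:02x} (got {len(padded)}); it will never match")
                name = padded.rstrip()
            else:
                name = body.strip()
        else:
            name = name_tok
        if not name or len(name) > 15:
            warnings.append(f"line {n}: NetBIOS name {name!r} must be 1-15 characters")
        flags = rest.split()
        domain = next((f[5:] for f in flags if f.startswith("#DOM:")), None)
        entries.append(Entry(ip, name.upper(), suffix, "#PRE" in flags, domain, n))
    return entries, warnings

def preloaded(entries):
    """Name -> IP map of the plain #PRE hosts 'nbtstat -c' should list after 'nbtstat -R'."""
    return {e.name: e.ip for e in entries if e.preload and e.suffix is None}

def domain_controllers(entries, domain):
    """Hosts tagged #DOM:<domain>, in file order."""
    return [e.name for e in entries if e.domain and e.domain.lower() == domain.lower()]

# Constructed sample: the thread's domain/PDC names plus one hypothetical file server
GOOD = """\
# LMHOSTS - constructed example
199.199.199.1   "globe          \\0x1b"  #PRE
199.199.199.1   mongo       #PRE  #DOM:globe
199.199.199.2   otherdc1    #PRE  #DOM:globe
199.199.199.3   otherdc2    #PRE  #DOM:globe
192.168.0.25    fileshare01 #PRE
"""

# Same first line but padded short (7 spaces instead of 10), as often pasted by hand
BAD = '199.199.199.1   "globe       \\0x1b"  #PRE\n'

if __name__ == "__main__":
    entries, warnings = parse_lmhosts(GOOD)
    print("preloaded:", preloaded(entries))
    print("DCs for GLOBE:", domain_controllers(entries, "globe"))
    print("warnings for BAD:", parse_lmhosts(BAD)[1])
```

Once the file passes, save it as `lmhosts` (no extension) in `%systemroot%\system32\drivers\etc`, make sure "Enable LMHOSTS lookup" is ticked on the WINS tab of the adapter, and run `nbtstat -R`: that purges the cache and reloads the `#PRE` entries, after which `nbtstat -c` should list them. `nbtstat -RR` only releases and re-registers the machine's own names with WINS; it does not re-read LMHOSTS.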
 
Fatal_ExceptionCommented:
BTW:  that line is to find the DCs...  you can substitute any computername for the PDC name...
0
 
telefunkenAuthor Commented:
Sorry, but I'm not totally clear on which PCs need to have the LMHOSTS file added.  Is it ONLY for the machines on the remote subnet (192.168.1.xxx)?

Yesterday, I visited the remote building (about 10 miles away, and connected by the VPN tunnel) and observed the following while there:
*  when I browse the network, I see ALL computers in the company listed by name (ie:  both buildings and both subnets)
*  if I try to actually open the shared resources on a computer that lives at the main location (192.168.0.xxx, WINS server subnet, DNS server subnet) it throws a red stop icon and says something like:  "not available, you may not have access.....check with admin" etc.
*  but, If I try to open shared resources on a machine in the same building (192.168.1.xxx subnet), I can see the shared printers and directories.

Big question:  if I can go to the remote building and view the entire network, do I really need to implement LMHOSTS file?  If not, what else would stop me from getting into the machines if I can already see that they exist?

Thanks for your patience with this guys....I've never had to dig very deeply into subnets until the VPN came along.
0
 
Fatal_ExceptionCommented:
No, if you can 'see' the remote computers, then you don't need LMHOSTS...  I guess the question is are you logging in with the proper credentials (that are allowed on the remote systems..)?
0
 
telefunkenAuthor Commented:
I'm logging on with the same creds in both locations.  When I'm in the main building, I can browse for things like shared printers and shared folders on any computer that appears in the browse.  The only difference is the subnet.
0
 
Fatal_ExceptionCommented:
Go ahead and configure your LMHosts file on one of the remote clients and see if that helps you connect...  also, I wonder if the Watchguard firewall is interfering here?
0
 
telefunkenAuthor Commented:
LMhosts file has been set up on one of the clients on the remote subnet.  Is there any way to verify that it is working correctly?  I ran a nbtstat -c command but I only got the name and addy of the DC machine.  Then I ran:  nbtstat -RR (thinking that would maybe reload the LMHosts file, but.....no change in the results)

summary of where it stands:
from the remote subnet location (192.168.1.xxx):  I can "see" all machines in both locations and hence both subnets.  I can only open resources on the server (SBS2003).  When I try to open resources on any other machine that appears in the browse list, I get a "location not found...you may not have access..." warning.

I'm going to check on the WatchGuard and security settings on the workstations too.
0
 
Fatal_ExceptionCommented:
Yes, that seems to be the only other place where a problem could exist, in my estimation...
0
 
LBACISCommented:
What is on the other side of the tunnel is it another watchguard ?
0
 
telefunkenAuthor Commented:
Yes.  I have one WatchGuard "X Edge" on each end of the VPN tunnel.
0
 
telefunkenAuthor Commented:
update:

After close inspection, I discovered a firewall "group policy" which was being sent to all clients by the SBS 2003 server.  The policy told each client firewall to ONLY allow file and print sharing on its LOCAL subnet.  I changed the GPO (Group Policy Object) to allow file and print sharing on:  192.168.1.0 and 192.168.0.0

I have more testing to do, but already the results are showing.  

Thanks for the assistance! and the patience.

CAL
0
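The root cause above is worth modelling, because it explains every symptom in the thread: browsing (NetBIOS name lists) worked, yet opening a share on a main-office PC failed, since that PC's own firewall only accepted file and print sharing from its local subnet. The Windows Firewall file and printer sharing exception pushed by GPO takes a comma-separated scope of `*`, `LocalSubnet`, addresses or subnets; the script below (an added example in Python, not code from the thread or from Microsoft) evaluates such a scope against the source address of an SMB connection for a constructed browse list. The host names and addresses in `PEERS` are assumptions.

```python
"""Model the Windows Firewall 'file and printer sharing' exception scope.

Added example (not from the thread). The policy value is a comma-separated list
of '*', 'LocalSubnet', addresses or subnets; evaluating it against the source
address of an inbound SMB connection shows why 'LocalSubnet' rejects peers on
the far side of a routed VPN, and what a widened scope admits.
"""
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")

def parse_scope(scope: str, local_subnet: IPv4Network):
    """Expand the policy string into networks, relative to this host's own subnet."""
    nets = []
    for tok in scope.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok == "*":
            nets.append(ANY)
        elif tok.lower() == "localsubnet":
            nets.append(local_subnet)
        else:
            # accepts both 192.168.1.0/24 and 192.168.1.0/255.255.255.0 forms
            nets.append(IPv4Network(tok, strict=False))
    return nets

def smb_allowed(scope: str, client_ip: str, local_subnet: str) -> bool:
    """Would this host's firewall pass an inbound TCP/445 or TCP/139 connection from client_ip?"""
    src = IPv4Address(client_ip)
    return any(src in net for net in parse_scope(scope, IPv4Network(local_subnet)))

def rejected_peers(scope: str, local_subnet: str, peers: dict) -> list:
    """Browse-list names that would be visible yet unable to open this host's shares."""
    return sorted(n for n, ip in peers.items() if not smb_allowed(scope, ip, local_subnet))

# Constructed browse list: main office on 192.168.0.0/24, remote office on 192.168.1.0/24
PEERS = {
    "SBS2003":    "192.168.0.2",
    "MAIN-PC1":   "192.168.0.40",
    "REMOTE-PC1": "192.168.1.10",
    "REMOTE-PC2": "192.168.1.11",
}

BEFORE = "LocalSubnet"                   # what the original GPO pushed to every client
AFTER  = "LocalSubnet,192.168.1.0/24"    # the narrow fix: add only the other site
OPEN   = "*"                             # would also 'work', but admits any source address

if __name__ == "__main__":
    # Evaluate from the point of view of a main-office workstation
    for label, scope in (("before", BEFORE), ("after", AFTER), ("any", OPEN)):
        print(label, "- main-office PC rejects:", rejected_peers(scope, "192.168.0.0/24", PEERS))
```

Scoping the exception to the two site subnets rather than `*` keeps the SMB ports closed to anything else that can reach the client, which matters on a network where a VPN endpoint is the border. The check also shows why the GPO, and not the WatchGuard, was the place to look: the tunnel passed the packets, and the client itself dropped them.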
 
Fatal_ExceptionCommented:
Very good, and you are welcome!

FE
0
 
Rob WilliamsCommented:
Thanks  telefunken,
Cheers,
--Rob
0
