Solved

can't browse subnet computers on other side of a WatchGuard VPN tunnel

Posted on 2006-10-25
18
944 Views
Last Modified: 2008-01-09
We have a main office running SBS 2003 server, WatchGuard "Edge" firewall/VPN endpoint.  This main building is configured for 192.168.0.xxx subnet.

Our remote building has just 4 XP Pro machines connected to another WatchGuard "Edge" firewall/VPN endpoint.  This location uses 192.168.1.xxx subnet.

We can ping machines between the 2 subnets and also NSLOOKUP seems to work both ways, but....can't browse between buildings/subnets.

The remote location runs a login.bat at startup and maps the drives correctly and connects to Exchange Server....no problem there.

Seems to be just a subnet browsing problem between the 2 buildings.

Question by:telefunken
18 Comments
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 100 total points
ID: 17804469
Browsing requires NetBIOS. The best solution for this is to enable a WINS server and make sure your clients are assigned the WINS server IP in their DHCP configuration. If that is not an option try enabling NetBIOS over TCP/IP under the WINS tab of the various network adapters. Also make sure the firewalls are not blocking NetBIOS. Some units have a "block NetBIOS broadcast" option.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17805447
Rob is correct..  but you will need 2 WINS servers for the best configuration, one on each subnet...  but the easiest way for you to do this is by using the LMHosts file...  which will be simple with only 4 clients on the other side of the subnet...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17805460
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17805558
To add to FE's comments, LMHosts works great, but requires static IPs, or DHCP reservations. If you go that route you can add to a logon script to update the LMHosts files on client machines, if you have a lot of them.
0
 

Author Comment

by:telefunken
ID: 17819824
A few questions about LMHOSTS:
*  does anyone have a sample LMHOSTS?  (i could modify for my network particulars?)
*  once a LMHOSTS file is created...where on the workstation(s) should it be saved to?
*  can local LMHOSTS files be created on the clients on the 192.168.0.0 subnet? (this is the main net with the SBS2003 and WINS and DNS servers)

Thanks.  This is a bewildering subject for me.......
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17819947
LMHOSTS entries designate who all the domain controllers are. This is done in the following convention:

199.199.199.1  ComputerName   #PRE  #DOM:DomainName

example:

Your domain name is "Globe", your PDC NetBIOS name is "Mongo", and you have other various backup domain controllers. Your LMHOSTS file would look like this:
   # the quoted domain name must be padded with spaces to exactly 15 characters before \0x1b
   199.199.199.1   "globe          \0x1b"  #PRE
   199.199.199.1   mongo      #PRE  #DOM:globe
   199.199.199.2   otherdc1   #PRE  #DOM:globe
   199.199.199.3   otherdc2   #PRE  #DOM:globe

The lmhosts file is located here:

c:\%systemroot%\system32\drivers\etc

or just type "%systemroot%\system32\drivers\etc" in the Run Line without the quotes..

and, make sure you save it WITHOUT an extension!
0
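The entry format above is easy to get subtly wrong: the quoted `DOMAIN<1B>` line only loads when the name is space-padded to exactly 15 characters before the `\0x1b` suffix, and the file only loads if it is saved with no extension. The following Python helper is an added example, not code from this thread or from Microsoft; it generates an LMHOSTS file for a domain and its DCs and checks an existing file for the padding and address mistakes that make entries silently fail. The domain name `globe`, the DC names and the 192.168.0.x addresses are constructed sample values.

```python
import re
from ipaddress import ip_address

NETBIOS_NAME_LEN = 15  # a NetBIOS name is 15 characters; byte 16 is the service suffix

# Constructed sample input for this example (not hosts from the thread):
# domain "globe", PDC "mongo" on the main-office 192.168.0.x subnet, one extra DC.
SAMPLE_DOMAIN = "globe"
SAMPLE_DCS = [("192.168.0.2", "mongo"), ("192.168.0.3", "otherdc1")]


def domain_1b_entry(ip, domain):
    """Entry for the DOMAIN<1B> domain master browser name.

    The quoted name must be padded with spaces to exactly 15 characters and
    followed by the literal \\0x1b inside the quotes; with short padding the
    suffix byte lands in the wrong position and the entry never matches.
    """
    padded = domain.upper().ljust(NETBIOS_NAME_LEN)
    return f'{ip}\t"{padded}\\0x1b"\t#PRE'


def dc_entry(ip, name, domain):
    """#PRE preloads the entry into the name cache; #DOM tags it as a DC of domain."""
    return f"{ip}\t{name.upper()}\t#PRE\t#DOM:{domain.upper()}"


def build_lmhosts(domain, dcs):
    """Return LMHOSTS text; dcs is a list of (ip, netbios_name) with the PDC first."""
    if not dcs:
        raise ValueError("at least one domain controller is required")
    for ip, name in dcs:
        ip_address(ip)  # raises ValueError on a malformed address
        if len(name) > NETBIOS_NAME_LEN:
            raise ValueError(f"{name!r} exceeds {NETBIOS_NAME_LEN} characters")
    lines = [f"# LMHOSTS for domain {domain} (save without a file extension)"]
    lines.append(domain_1b_entry(dcs[0][0], domain))
    lines.extend(dc_entry(ip, name, domain) for ip, name in dcs)
    return "\n".join(lines) + "\n"


QUOTED = re.compile(r'^\s*(\S+)\s+"([^"]*)"')


def check_lmhosts(text):
    """Return (line_number, problem) tuples for entries that will not load correctly."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        try:
            ip_address(fields[0])
        except ValueError:
            problems.append((n, f"bad address {fields[0]!r}"))
        m = QUOTED.match(line)
        if m:
            # quoted form: the name before \0x must be exactly 15 characters
            name, sep, _ = m.group(2).partition("\\0x")
            if not sep:
                problems.append((n, "quoted name has no \\0x suffix"))
            elif len(name) != NETBIOS_NAME_LEN:
                problems.append((n, f"name padded to {len(name)} chars, need {NETBIOS_NAME_LEN}"))
        elif len(fields) > 1 and len(fields[1]) > NETBIOS_NAME_LEN:
            problems.append((n, f"name {fields[1]!r} longer than {NETBIOS_NAME_LEN} chars"))
    return problems


if __name__ == "__main__":
    generated = build_lmhosts(SAMPLE_DOMAIN, SAMPLE_DCS)
    print(generated)
    print("problems:", check_lmhosts(generated))
```

After copying the file to `%systemroot%\system32\drivers\etc\lmhosts`, `nbtstat -R` purges the name cache and reloads the `#PRE` entries from it, and `nbtstat -c` should then list them; `nbtstat -RR` instead releases and re-registers the machine's own names with WINS and does not reload LMHOSTS.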
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17819964
BTW:  that line is to find the DCs...  you can substitute any computername for the PDC name...
0
 

Author Comment

by:telefunken
ID: 17844727
Sorry, but I'm not totally clear on which PCs need to have the LMHOSTS file added.  Is it ONLY for the machines on the remote subnet (192.168.1.xxx)?

Yesterday, I visited the remote building (about 10 miles away, and connected by the VPN tunnel) and observed the following while there:
*  when I browse the network, I see ALL computers in the company listed by name (ie:  both buildings and both subnets)
*  if I try to actually open the shared resources on a computer that lives at the main location (192.168.0.xxx, WINS server subnet, DNS server subnet) it throws a red stop icon and says something like:  "not available, you may not have access.....check with admin" etc.
*  but, If I try to open shared resources on a machine in the same building (192.168.1.xxx subnet), I can see the shared printers and directories.

Big question:  if I can go to the remote building and view the entire network, do I really need to implement LMHOSTS file?  If not, what else would stop me from getting into the machines if I can already see that they exist?

Thanks for your patience with this guys....I've never had to dig very deeply into subnets until the VPN came along.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17846931
No, if you can 'see' the remote computers, then you don't need LMHOSTS...  I guess the question is are you logging in with the proper credentials (that are allowed on the remote systems..)?
0
 

Author Comment

by:telefunken
ID: 17851187
I'm logging on with the same creds in both locations.  When I'm in the main building, I can browse for things like shared printers and shared folders on any computer that appears in the browse.  The only difference is the subnet.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17854751
Go ahead and configure your LMHosts file on one of the remote clients and see if that helps you connect...  also, I wonder if the Watchguard firewall is interfering here?
0
 

Author Comment

by:telefunken
ID: 17884309
LMhosts file has been set up on one of the clients on the remote subnet.  Is there any way to verify that it is working correctly?  I ran a nbtstat -c command but I only got the name and addy of the DC machine.  Then I ran:  nbtstat -RR (thinking that would maybe reload the LMHosts file, but.....no change in the results)

summary of where it stands:
from the remote subnet location (192.168.1.xxx):  I can "see" all machines in both locations and hence both subnets.  I can only open resources on the server (SBS2003).  When I try to open resources on any other machine that appears in the browse list, I get a "location not found...you may not have access..." warning.

I'm going to check on the WatchGuard and security settings on the workstations too.
0
 
LVL 40

Accepted Solution

by:Fatal_Exception
Fatal_Exception earned 400 total points
ID: 17886072
Yes, that seems to be the only other place where a problem could exist, in my estimation...
0
 
LVL 4

Expert Comment

by:LBACIS
ID: 17888624
What is on the other side of the tunnel? Is it another WatchGuard?
0
 

Author Comment

by:telefunken
ID: 17906755
Yes.  I have one WatchGuard "X Edge" on each end of the VPN tunnel.
0
 

Author Comment

by:telefunken
ID: 17914211
update:

After close inspection, I discovered a firewall "group policy" which was being sent to all clients by the SBS 2003 server.  The policy told each client firewall to ONLY allow file and print sharing on its LOCAL subnet.  I changed the GPO (Group Policy Object) to allow file and print sharing on:  192.168.1.0 and 192.168.0.0

I have more testing to do, but already the results are showing.  

Thanks for the assistance, and the patience!

CAL
0
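The root cause above is worth modelling, because it explains every symptom in the thread: the machines were visible in the browse list (name resolution worked) and the server answered, but workstation firewalls scoped to "local subnet only" dropped SMB connections arriving from the other building. The Python below is an added example, not code from this thread or from Microsoft; it evaluates a File and Printer Sharing exception scope the way the XP SP2 firewall's scope field is written (`*`, `localsubnet`, or a comma-separated list of addresses and networks in CIDR or dotted-mask form) against a peer address, and contrasts the weak scope with the corrected one. The client addresses are constructed, and the `/24` masks are an assumption, since the thread only names 192.168.0.0 and 192.168.1.0.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample clients for this example, one per building, using the
# subnets named in the thread. Addresses are illustrative, not real hosts.
MAIN_OFFICE_CLIENT = "192.168.0.20/24"   # the workstation whose firewall is evaluated
PEERS = {
    "same-building workstation": "192.168.0.25",
    "server (SBS 2003)": "192.168.0.1",
    "remote-building workstation": "192.168.1.15",
}

# The scope the original policy effectively pushed, and the corrected scope.
LOCAL_SUBNET_ONLY = "localsubnet"
BOTH_SUBNETS = "192.168.0.0/24,192.168.1.0/24"  # /24 masks assumed


def scope_allows(scope, local_interface, peer_ip):
    """Does a File and Printer Sharing exception with this scope admit peer_ip?

    scope follows the firewall exception scope syntax: "*" for any address,
    "localsubnet" for the interface's own subnet, or a comma-separated list of
    addresses and networks (CIDR or dotted-mask form, e.g. 10.0.0.0/255.0.0.0).
    A connection from a peer outside the scope is dropped by the firewall even
    though the peer can be pinged and resolved by name.
    """
    local = ip_interface(local_interface)
    peer = ip_address(peer_ip)
    for token in (t.strip().lower() for t in scope.split(",") if t.strip()):
        if token == "*":
            return True
        if token == "localsubnet":
            if peer in local.network:
                return True
            continue
        # a bare address becomes a /32 network; dotted masks are accepted too
        if peer in ip_network(token, strict=False):
            return True
    return False


def evaluate(scope, local_interface=MAIN_OFFICE_CLIENT, peers=PEERS):
    """Map each peer label to True (allowed in) or False (dropped by the firewall)."""
    return {label: scope_allows(scope, local_interface, ip) for label, ip in peers.items()}


if __name__ == "__main__":
    for name, scope in (("local subnet only", LOCAL_SUBNET_ONLY), ("both subnets", BOTH_SUBNETS)):
        print(f"scope={scope!r} ({name})")
        for label, ok in evaluate(scope).items():
            print(f"  {label:30s} {'allowed' if ok else 'DROPPED'}")
```

On a client that has received the policy, `netsh firewall show config` prints the scope actually in effect for the File and Printer Sharing service, which is the quickest way to confirm that the changed GPO has reached the remote building before re-testing the shares.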
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17914329
Very good, and you are welcome!

FE
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17916094
Thanks  telefunken,
Cheers,
--Rob
0
