telefunken
can't browse subnet computers on other side of a WatchGuard VPN tunnel

We have a main office running SBS 2003 server, WatchGuard "Edge" firewall/VPN endpoint.  This main building is configured for 192.168.0.xxx subnet.

Our remote building has just 4 XP Pro machines connected to another WatchGuard "Edge" firewall/VPN endpoint.  This location uses 192.168.1.xxx subnet.

We can ping machines between the 2 subnets and also NSLOOKUP seems to work both ways, but....can't browse between buildings/subnets.

The remote location runs a login.bat at startup and maps the drives correctly and connects to Exchange Server....no problem there.

Seems to be just a subnet browsing problem between the 2 buildings.

SOLUTION
Rob Williams
This solution is only available to members.
Rob is correct..  but you will need 2 WINS servers for the best configuration, one on each subnet...  but the easiest way for you to do this is by using the LMHosts file...  which will be simple with only 4 clients on the other side of the subnet...
To add to FE's comments, LMHosts works great, but requires static IPs, or DHCP reservations. If you go that route you can add to a logon script to update the LMHosts files on client machines, if you have a lot of them.
telefunken (ASKER)
A few questions about LMHOSTS:
*  does anyone have a sample LMHOSTS?  (i could modify for my network particulars?)
*  once a LMHOSTS file is created...where on the workstation(s) should it be saved to?
*  can local LMHOSTS files be created on the clients on the 192.168.0.0 subnet? (this is the main net with the SBS2003 and WINS and DNS servers)

Thanks.  This is a bewildering subject for me.......
Add LMHOSTS entries that designate which computers are the domain controllers. This is done in the following convention:

199.199.199.1  ComputerName   #PRE  #DOM:DomainName

example:

Your domain name is "Globe", your PDC NetBIOS name is "Mongo", and you have other various backup domain controllers. Your LMHOSTS file would look like this:
   # the quoted name is padded with spaces to exactly 15 characters before \0x1b
   199.199.199.1   "globe          \0x1b"  #PRE
   199.199.199.1   mongo      #PRE  #DOM:globe
   199.199.199.2   otherdc1   #PRE  #DOM:globe
   199.199.199.3   otherdc2   #PRE  #DOM:globe

The lmhosts file is located here:

%systemroot%\system32\drivers\etc

or just type "%systemroot%\system32\drivers\etc" in the Run Line without the quotes..

and, make sure you save it WITHOUT an extension!
BTW:  that line is to find the DCs...  you can substitute any computername for the PDC name...
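A complete version of the file described above for a two-subnet network like the one in the question, as an added example that is not from the thread or any of its participants. It is written as PowerShell so the 15-character padding rule for the \0x1b record, the no-extension file name and the cache reload are all handled in one place. The domain name GLOBE, the server names MONGO and FILESRV1 and their 192.168.0.x addresses are assumptions; substitute the real ones, which must be static or DHCP-reserved. Install it on each client that has to resolve names across the tunnel (here, the four remote XP machines).

```powershell
# Added example (not from the thread): build and install an LMHOSTS file on a
# 192.168.1.x client so it can resolve names on the 192.168.0.x side of the VPN.
# Assumed names/addresses: domain GLOBE, DC MONGO at 192.168.0.2, FILESRV1 at 192.168.0.10.

function New-LmhostsEntry {
    param(
        [Parameter(Mandatory)][string]$Ip,
        [Parameter(Mandatory)][string]$Name,
        [string]$Domain,     # when set, emits #DOM:<domain>, marking the host as a DC
        [switch]$Preload     # #PRE keeps the entry permanently in the NetBIOS name cache
    )
    if ($Name.Length -gt 15) { throw "NetBIOS name '$Name' exceeds 15 characters" }
    $line = "{0,-16} {1}" -f $Ip, $Name
    if ($Preload) { $line += "  #PRE" }
    if ($Domain)  { $line += "  #DOM:$Domain" }
    return $line
}

function New-DomainBrowserEntry {
    # The 0x1B (domain master browser) record. The quoted field must be exactly
    # 20 characters: the domain name space-padded to 15, followed by \0x1b.
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Domain)
    if ($Domain.Length -gt 15) { throw "Domain name '$Domain' exceeds 15 characters" }
    $padded = $Domain.PadRight(15)
    return ('{0,-16} "{1}\0x1b"  #PRE' -f $Ip, $padded)
}

$entries = @(
    New-DomainBrowserEntry -Ip 192.168.0.2 -Domain GLOBE
    New-LmhostsEntry -Ip 192.168.0.2  -Name MONGO    -Domain GLOBE -Preload
    New-LmhostsEntry -Ip 192.168.0.10 -Name FILESRV1 -Preload
)

# The file name is "lmhosts" with no extension, in the same folder as "hosts".
$path = Join-Path $env:SystemRoot 'system32\drivers\etc\lmhosts'
# LMHOSTS is parsed as plain ANSI/ASCII text; a UTF-8 BOM or UTF-16 file is ignored.
[System.IO.File]::WriteAllLines($path, $entries, [System.Text.Encoding]::ASCII)

# "Enable LMHOSTS lookup" must be on for the adapter (True = enabled).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    Select-Object Description, WINSEnableLMHostsLookup

# -R purges the name cache and reloads the #PRE entries from LMHOSTS.
# (-RR is different: it releases and re-registers the client's own names with WINS.)
nbtstat -R
nbtstat -c    # the #PRE names should now be listed with a Life of -1
```

If `nbtstat -c` shows only names learned from WINS or broadcast and none of the #PRE entries, the usual causes are a wrong file name or extension, a file saved with a Unicode BOM, or LMHOSTS lookup disabled on the adapter's WINS tab.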
Sorry, but I'm not totally clear on which PC's need to have the LMHOSTS file added.  Is it ONLY for the machines on the remote subnet (192.168.1.xxx)?

Yesterday, I visited the remote building (about 10 miles away, and connected by the VPN tunnel) and observed the following while there:
*  when I browse the network, I see ALL computers in the company listed by name (ie:  both buildings and both subnets)
*  if I try to actually open the shared resources on a computer that lives at the main location (192.168.0.xxx, WINS server subnet, DNS server subnet) it throws a red stop icon and says something like:  "not available, you may not have access.....check with admin" etc.
*  but, If I try to open shared resources on a machine in the same building (192.168.1.xxx subnet), I can see the shared printers and directories.

Big question:  if I can go to the remote building and view the entire network, do I really need to implement LMHOSTS file?  If not, what else would stop me from getting into the machines if I can already see that they exist?

Thanks for your patience with this guys....I've never had to dig very deeply into subnets until the VPN came along.
No, if you can 'see' the remote computers, then you don't need LMHOSTS...  I guess the question is are you logging in with the proper credentials (that are allowed on the remote systems..)?
I'm logging on with the same creds in both locations.  When I'm in the main building, I can browse for things like shared printers and shared folders on any computer that appears in the browse.  The only difference is the subnet.
Go ahead and configure your LMHosts file on one of the remote clients and see if that helps you connect...  also, I wonder if the Watchguard firewall is interfering here?
LMhosts file has been set up on one of the clients on the remote subnet.  Is there any way to verify that it is working correctly?  I ran a nbtstat -c command but I only got the name and addy of the DC machine.  Then I ran:  nbtstat -RR (thinking that would maybe reload the LMHosts file, but.....no change in the results)

summary of where it stands:
from the remote subnet location (192.168.1.xxx):  I can "see" all machines in both locations and hence both subnets.  I can only open resources on the server (SBS2003).  When I try to open resources on any other machine that appears in the browse list, I get a "location not found...you may not have access..." warning.

I'm going to check on the WatchGuard and security settings on the workstations too.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
What is on the other side of the tunnel is it another watchguard ?
yes.  I have one WatchGuard "X Edge" on each end of the VPN tunnel.
update:

After close inspection, I discovered a firewall "group policy" which was being sent to all clients by the SBS 2003 server.  The policy told each client firewall to ONLY allow file and print sharing on its LOCAL subnet.  I changed the GPO (Group Policy Object) to allow file and print sharing on:  192.168.1.0 and 192.168.0.0

I have more testing to do, but already the results are showing.  

Thanks for the assistance! and the patience.

CAL
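The firewall scope in the update is worth seeing from the client side, because the XP SP2 / Server 2003 default for the File and Printer Sharing exception is LocalSubnet, which produces exactly this symptom: every machine appears in the browse list (the browse list comes from the master browser, not from the target machine), but opening a share on a host in the other subnet fails. The following is an added example, not something posted in the thread; it reads the effective scope, widens it for a test on one client, records the GPO setting that makes the change stick, and checks SMB reachability across the tunnel. The two subnets are the ones in the question; the workstation address 192.168.0.50 is an assumption.

```powershell
# Added example (not from the thread): inspect and fix the Windows Firewall
# "File and Printer Sharing" scope on an XP SP2 / 2003 domain client.
# Subnets from the question: 192.168.0.0/24 (main) and 192.168.1.0/24 (remote).

# 1. Show the effective exception. Look at the FILEANDPRINT entry: under the
#    original GPO it reads Scope: LocalSubnet, which blocks the other building.
netsh firewall show service

# 2. Quick test on a single client. Takes effect immediately, but a firewall GPO
#    re-applies its own scope at the next policy refresh, so this is diagnostic only.
netsh firewall set service type=FILEANDPRINT mode=ENABLE profile=DOMAIN scope=CUSTOM `
    "addresses=192.168.0.0/255.255.255.0,192.168.1.0/255.255.255.0"

# 3. Durable fix, in the GPO the SBS server pushes:
#    Computer Configuration > Administrative Templates > Network >
#    Network Connections > Windows Firewall > Domain Profile >
#    "Windows Firewall: Allow file and printer sharing exception" = Enabled,
#    "Allow unsolicited incoming messages from" = 192.168.0.0/24,192.168.1.0/24
#    Then refresh on a client and confirm the scope changed:
gpupdate /force
netsh firewall show service

# 4. From the remote subnet, confirm SMB (TCP 445) and NetBIOS session (TCP 139)
#    reach a main-office workstation. Uses .NET so it runs on PowerShell 2 on XP.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
Test-TcpPort -Target 192.168.0.50 -Port 445   # assumed main-office workstation
Test-TcpPort -Target 192.168.0.50 -Port 139

# On Vista / 2008 and later the same scope lives in the advanced firewall:
# netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes remoteip=192.168.0.0/24,192.168.1.0/24
```

Keep the scope to the two office subnets rather than "Any": the whole point of the exception's address list is that file sharing stays unreachable from anything that is not a known office network, even if a route to the client ever appears from elsewhere.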
Very good, and you are welcome!

FE
Thanks  telefunken,
Cheers,
--Rob