Solved

Windows XP VPN Server - Firewall and NetBIOS resolution

Posted on 2006-11-29
Last Modified: 2010-04-12
I have a client that doesn't have the budget for a server so they're using an XP Pro box as a file "server". They do have a static IP through an Actiontec DSL modem. I've managed to set up their XP file server as a VPN server and it works... but, I'm missing a few things I'm hoping I can get answers to from Experts.

I can get VPN to connect just fine. But, I only get to shares if I turn off the Windows XP firewall and use the UNC "\\IP address\share" convention. I can't get NetBIOS UNC ("\\server") to do anything. I tried adding an LMHOSTS file in the "Windows\system32\drivers\etc" folder, but it doesn't seem to have done anything (with or without the firewall on). So, I know I'm missing an exception.

Port 1723 is forwarded at the Actiontec to the XP server. GRE is enabled. The XP firewall has "Incoming Connection VPN (PPTP)" checked and configured to use TCP 1723, as well.  I also have TCP Ports 139 and 445, as well as UDP ports 137 and 138 open on the Windows XP firewall and have them configured for "any" computer, not just PCs in the same Subnet.

So... I've narrowed it down to a Windows XP firewall configuration issue, since it mostly works when I turn off the XP firewall... but, I must be missing both an exception and something else for NetBIOS name resolution over PPTP.

Any thoughts?  
Question by: philodendrin
9 Comments
Expert Comment by: Rob Williams (LVL 77), ID: 18038377
If you do not have any DNS or WINS servers available you are pretty well limited to connecting by IP, or using the LMHosts file. The latter actually works very well. It needs to be installed on each client/connecting computer. An outline of its use:
An option is to use the LMHosts file which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam, instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose in quotations like "LMHosts". Now when you try to connect to a computer name it should find it as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true

As for the Windows Firewall, you should only need to enable the File and Printer Sharing exception (which includes TCP 139 & 445 and UDP 138 & 139), except check the scope options and set to allow all computers for each port, under the Edit button.
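A scripted version of the client-side LMHOSTS setup described above, added here as an example (it is not from the thread or from either participant). It assumes the VPN server's LAN address is 192.168.0.101 and its NetBIOS name is FILESERVER; both are placeholders, as is the .bak copy path.

```batch
@echo off
rem Added example, not from the thread: write a minimal LMHOSTS on the VPN client
rem and reload the NetBIOS name cache from it. Run from an Administrator prompt.
rem Placeholders: the server's LAN IP and NetBIOS name (15 characters maximum).
setlocal
set LMHOSTS=%SystemRoot%\system32\drivers\etc\lmhosts
set SERVER_IP=192.168.0.101
set SERVER_NAME=FILESERVER

rem Keep a copy of any existing file before overwriting it.
if exist "%LMHOSTS%" copy /y "%LMHOSTS%" "%LMHOSTS%.bak" >nul

rem Writing with echo sidesteps the Notepad .txt-extension trap and guarantees
rem the CRLF that must terminate every entry. Lines starting with # are comments,
rem but #PRE is a keyword: it preloads the entry into the name cache.
> "%LMHOSTS%" echo # LMHOSTS - static NetBIOS name to IP mappings for the VPN
>> "%LMHOSTS%" echo %SERVER_IP%      %SERVER_NAME%      #PRE

rem -R purges the cache and reloads the #PRE entries; -c shows what is cached.
rem The server name should now appear in the cache with a Life of -1 (static).
nbtstat -R
nbtstat -c

rem Sanity checks: name resolution first, then the share list over the VPN.
ping -n 1 %SERVER_NAME%
net view \\%SERVER_NAME%
endlocal
```

Two things this relies on: "Enable LMHOSTS lookup" must be ticked on the client's TCP/IP WINS tab (it is by default), and the entry only solves name resolution. The `net view` at the end still needs TCP 139 or 445 on the server to be reachable through the server's firewall, which is the separate problem this thread is about.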
Expert Comment by: Rob Williams (LVL 77), ID: 18038384
Sorry above ports should read TCP 139 & 445 and UDP 137 & 138  (memory lapse)
Author Comment by: philodendrin, ID: 18038534
Rob,

If you read my posting again, you'll see that I already have the ports you suggested open and configured for "all"... not just "subnet". So, I'm still stumped on that one.

I didn't realize that you needed that LMHOSTS file on both the server and the client. I created the file on the client and it worked like a charm... so, thanks for that one.

Still no luck on the firewall issue. If I turn off the XP firewall... all is well. If I turn it on, even with TCP 139, 445 and UDP 137, 138 I get denied access to shares. Very strange.

 
Accepted Solution by: Rob Williams (LVL 77), earned 125 total points, ID: 18038699
>>"you'll see that I already have the ports you suggested open and configured for "all"... "
Sorry obviously more than just a "memory lapse"  :-)

>>"I didn't realize that you needed that LMHOSTS file on both the server and the client."
LMHosts only needs to be on the client machines. No need on VPN server end.

With the firewall enabled, and those ports open, can the VPN still connect? And if so, does connecting by IP work?
If you can't connect we may need to look at other ports.

If you can connect by IP but not NetBIOS name, try enabling NetBIOS over TCP/IP on the WINS tab of the network adapters advanced properties.
You shouldn't need to, but try enabling both TCP & UDP for all 135-139, 445, and 593, at least as a test.
Author Comment by: philodendrin, ID: 18038758
To simplify and elaborate on the problem...

I can "connect" to VPN regardless (firewall on or off). Once connected, I can't ping the local IP address of the VPN server if the server's XP firewall is on. Nor can I get to shares via UNC... by IP or name.

With the firewall off... UNC with IP works without anything extra and now that I understand LMHOSTS... UNC via NetBIOS also works as long as the server's firewall is off. I can also ping the local IP of the server without issue when the server's XP firewall is off.

I'll try your test suggestion... and report back.
Expert Comment by: Rob Williams (LVL 77), ID: 18038881
OK, thanks, let us know how it goes. Ping is blocked by the firewall by default. There is a whole set of rules for ping (ICMP requests) on the advanced tab of the firewall's properties control panel (ICMP "Settings" button). Though no need to configure that.

Do you need the firewall enabled? I agree it is a good idea, but most disable it when behind a hardware firewall/router and running a VPN. Wrong attitude, I know.
--Rob
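The server-side settings discussed in this thread (File and Printer Sharing with scope set to all computers, the PPTP port, the ICMP echo setting, and a way to see what the firewall is actually dropping), expressed as XP SP2 `netsh firewall` commands. This is an added example, not configuration posted by either participant; the address range in the commented-out CUSTOM scope line is a placeholder.

```batch
@echo off
rem Added example, not from the thread: XP SP2 Windows Firewall settings for a
rem box that is both a PPTP VPN server and a file server, plus the checks to
rem run afterwards. Run from an Administrator prompt on the server.

rem 1. PPTP control channel, reachable from any address. GRE (IP protocol 47)
rem    is not a TCP/UDP port and cannot be opened with portopening; the
rem    "Incoming Connection VPN (PPTP)" exception handles the VPN itself.
netsh firewall add portopening protocol = TCP port = 1723 name = "PPTP VPN" mode = ENABLE scope = ALL

rem 2. File and Printer Sharing (TCP 139, 445 and UDP 137, 138) as one service.
rem    scope = ALL is the important part: the default scope is the local subnet,
rem    and a VPN client is normally outside it.
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = ALL

rem    Tighter alternative: only the range handed to VPN clients plus the LAN.
rem    The addresses are placeholders.
rem netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = CUSTOM addresses = 192.168.0.0/255.255.255.0,LocalSubnet

rem 3. Inbound echo requests are dropped by default, so a failed ping does not
rem    prove that the share ports are blocked. Allow them while testing.
netsh firewall set icmpsetting type = 8 mode = ENABLE

rem 4. While troubleshooting, log dropped packets (default file: pfirewall.log
rem    in the Windows folder). A DROP line for a client address on TCP 445
rem    tells you which exception is still missing.
netsh firewall set logging droppedpackets = ENABLE

rem 5. Verify: opmode must be Enable, the exceptions above must appear in the
rem    config, and "show state" lists the ports that are actually open now.
netsh firewall show opmode
netsh firewall show config
netsh firewall show state
```

Run this with the firewall left on, then retry `\\IP\share` from a connected VPN client. The dropped-packet log is the quickest way to tell "the exception's scope doesn't cover the client's VPN address" apart from "the traffic never reaches the box at all"; turn the logging off again once the client connects, since it fills the file quickly on a busy LAN.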