Solved

Windows XP VPN Server - Firewall and NetBIOS resolution

Posted on 2006-11-29
Last Modified: 2010-04-12
I have a client that doesn't have the budget for a server so they're using an XP Pro box as a file "server". They do have a static IP through an Actiontec DSL modem. I've managed to setup their XP file server as a VPN server and it works... but, I'm missing a few things I'm hoping I can get answers to from Experts.

I can get VPN to connect just fine. But, I only get to shares if I turn off the Windows XP firewall and use the UNC "\\IP address\share" convention. I can't get NetBIOS UNC ("\\server") to do anything. I tried adding an LMHOSTS file in the "Windows\system32\drivers\etc" folder, but it doesn't seem to have done anything (with or without the firewall on). So, I know I'm missing an exception.

Port 1723 is forwarded at the Actiontec to the XP server. GRE is enabled. The XP firewall has "Incoming Connection VPN (PPTP)" checked and configured to use TCP 1723, as well. I also have TCP ports 139 and 445, as well as UDP ports 137 and 138, open on the Windows XP firewall and have them configured for "any" computer, not just PCs in the same subnet.

So... I've narrowed it down to a Windows XP firewall configuration issue, since it mostly works when I turn off the XP firewall... but, I must be missing both an exception and something else for NetBIOS name resolution over PPTP.

Any thoughts?
Question by:philodendrin
Expert Comment

by:Rob Williams
ID: 18038377
If you do not have any DNS or WINS servers available you are pretty well limited to connecting by IP, or using the LMHosts file. The latter actually works very well. It needs to be installed on each client/connecting computer. An outline of its use:
An option is to use the LMHosts file, which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam; instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below:
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotation marks like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true

As for the Windows Firewall, you should only need to enable the File and Printer Sharing exception (includes TCP 139 & 445 and UDP 138 & 139); also check the scope options and set them to allow all computers for each port, under the Edit button.

Expert Comment

by:Rob Williams
ID: 18038384
Sorry, the above ports should read TCP 139 & 445 and UDP 137 & 138 (memory lapse).

Author Comment

by:philodendrin
ID: 18038534
Rob,

If you read my posting again, you'll see that I already have the ports you suggested open and configured for "all"... not just "subnet". So, I'm still stumped on that one.

I didn't realize that you needed that LMHOSTS file on both the server and the client. I created the file on the client and it worked like a charm... so, thanks for that one.

Still no luck on the firewall issue. If I turn off the XP firewall... all is well. If I turn it on, even with TCP 139, 445 and UDP 137, 138, I get denied access to shares. Very strange.

Accepted Solution

by:
Rob Williams earned 125 total points
ID: 18038699
>>"you'll see that I already have the ports you suggested open and configured for "all"... "
Sorry, obviously more than just a "memory lapse" :-)

>>"I didn't realize that you needed that LMHOSTS file on both the server and the client."
LMHosts only needs to be on the client machines. No need on VPN server end.

With the firewall enabled, and those ports open, can the VPN still connect? And if so, does connecting by IP work?
If you can't connect we may need to look at other ports.

If you can connect by IP but not by NetBIOS name, try enabling NetBIOS over TCP/IP on the WINS tab of the network adapter's advanced properties.
You shouldn't need to, but try enabling both TCP & UDP for all of 135-139, 445, and 593, at least as a test.

Author Comment

by:philodendrin
ID: 18038758
To simplify and elaborate on the problem...

I can "connect" to VPN regardless (firewall on or off). Once connected, I can't ping the local IP address of the VPN server if the server's XP firewall is on. Nor can I get to shares via UNC... by IP or name.

With the firewall off... UNC with IP works without anything extra and now that I understand LMHOSTS... UNC via NetBIOS also works as long as the server's firewall is off. I can also ping the local IP of the server without issue when the server's XP firewall is off.

I'll try your test suggestion... and report back.
Expert Comment

by:Rob Williams
ID: 18038881
OK, thanks, let us know how it goes. Ping is blocked by the firewall by default. There is a whole set of rules for ping (ICMP requests) on the Advanced tab of the firewall's properties control panel (ICMP "Settings" button). Though there's no need to configure that.

Do you need the firewall enabled? I agree it is a good idea, but most disable it when behind a hardware firewall/router and running a VPN. Wrong attitude, I know.
--Rob
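Rob's accepted solution (the File and Printer Sharing exception with its scope widened beyond the local subnet) and his later note that ping is blocked by default can both be applied from a command prompt on XP SP2/SP3 with netsh firewall, which also dumps the resulting configuration for checking. This is an added example, not something posted in the thread; the 192.168.0.0/24 VPN client address pool is a placeholder assumption, and narrowing the sharing exception to that pool instead of "all computers" is a tighter variant of what Rob suggested, not his exact setting.

```batch
@echo off
REM Added example (not from the thread): Windows XP SP2/SP3 firewall settings for the
REM PPTP VPN server in this question, as "netsh firewall" commands instead of GUI clicks.
REM ASSUMPTION: PPTP clients receive addresses in 192.168.0.0/24 (placeholder). Use the
REM pool configured on the Incoming Connection, or the LAN subnet if clients draw from it.
set VPNPOOL=192.168.0.0/255.255.255.0

REM 1. PPTP control channel (TCP 1723). netsh firewall has no option for GRE (IP protocol 47);
REM    the thread confirms the VPN connects with the firewall on, so the built-in
REM    "Incoming Connection VPN (PPTP)" exception is already passing it.
netsh firewall set portopening protocol=TCP port=1723 name="PPTP" mode=ENABLE scope=ALL profile=ALL

REM 2. File and Printer Sharing (TCP 139/445, UDP 137/138) as one service exception.
REM    The GUI "Subnet" scope only matches the adapter's local subnet, which is why the
REM    asker had to pick "Any computer". scope=CUSTOM with the VPN pool admits the VPN
REM    clients without also answering SMB from any address the modem might forward.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%VPNPOOL% profile=ALL

REM 3. Echo request (ICMP type 8) so "ping <server LAN IP>" works as a connectivity test
REM    (Rob: blocked by default, found under Advanced > ICMP Settings in the GUI).
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL

REM 4. Verify. The config dump should list FILEANDPRINT with the custom scope, the PPTP
REM    port opening, and ICMP type 8 enabled; "show state" confirms the firewall is on.
netsh firewall show config
netsh firewall show state
```

If shares still fail with these settings in place, compare the "show config" output against the GUI; a second exception for the same port with a narrower scope, or a per-profile (Domain vs. Standard) mismatch, shows up there but not in the Exceptions tab summary.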
