

Need help setting up network share on desktop in remote office

Posted on 2008-11-18
Medium Priority
Last Modified: 2012-05-05

I'm attempting to setup a share on an enduser's desktop in a remote office for the purpose of hosting documents that are scanned from a MFP at my company's headquarters location.  While this sounds easy enough, I'm running into some problems seeing the network share outside of the particular satellite office where this desktop is located and am running out of ideas.  All the permissions are setup correctly, I can ping the desktop in the remote office (and vice-versa) and I can read/write to the shares from the office where the desktop is located.  I can't see shares setup on desktops in our headquarters location from these remote offices so perhaps what I'm trying to do isn't even possible through normal conventions?  Perhaps I just have to elevate the desktop's role somehow through AD?

Here's some more info on our network setup:
- Each location has at least one domain controller running Windows Server 2003 and AD replication occurs hourly
- Our company's different locations are connected via site-to-site VPN, each office has an AT&T MIS T1 capable of moving ~1.5 MB/s downstream
- DNS records are comprehensive and replicate properly between locations
- All of our company's endusers use XP on their desktops with SP2 or SP3

Any feedback would be much appreciated...
Question by:methodology
LVL 20

Expert Comment

ID: 22990935
Can you ping the name of one of the remote PC's?

Do you get a reply?

What happens when you click on start and then run and then type \\remote_machine_name and hit ok?

Do you have firewalls on in either location?  Do you have hardware firewalls in either location?

LVL 63

Assisted Solution

SysExpert earned 150 total points
ID: 22990954
Are you allowing GRE 43 and other MS share protocols through the routers/VPN?
I hope this helps !
LVL 20

Expert Comment

ID: 22990987
Yes, you are on the same path I am on SE.  I think that the TCP and UDP ports for AD are not being allowed through the FW policies.



Author Comment

ID: 22998167
MightySW: I can successfully ping the remote PC.  When I try to access it via Run or in the location bar, I eventually get a message notifying me that the host cannot be found.

I think you guys are on the right track with respect to firewalls.  We use Cisco PIX firewalls; 501s at the satellite offices and a 515 at our headquarters location (sorry I left that out).  All of our routers are managed devices (inherent of AT&T MIS services) and I would assume that they come configured to support a variety of popular network environments, including AD (but I could be wrong about that).

Like you guys are saying, I'm thinking that my problem is most likely a case of not enabling the right protocols/having the right ports open.  My understanding of Cisco PIX firewall configurations is very limited (bear with me), so is it the fixup protocol commands that I should be focusing on?  If that's the case, I'm using the following fixups:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723  (this is used for GRE 47, same as GRE 43?)
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

What else should I be using?  TiA!!
LVL 20

Accepted Solution

MightySW earned 600 total points
ID: 22999586
Doesn't look like you are passing all AD traffic.

Fixup: (on both PIXes)

TCP  636-636
TCP 3268-3269
TCP 88-88
UDP 88-88
TCP 445-445
UDP 135-139
UDP 389-389

Also ensure that you have file and print services checked on the machines that you are trying to reach.
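An added example, not part of the original thread, for verifying the port list above from a client once the firewall rules are in place: it parses the list exactly as the answer wrote it and attempts a TCP connect to each TCP port on a host you name (the host and the localhost values in the test are placeholders, and UDP ports are only listed, since a connect() cannot confirm them).

```python
import socket

# The port list from the accepted answer, as constructed sample input.
AD_PORTS = """
TCP 636-636
TCP 3268-3269
TCP 88-88
UDP 88-88
TCP 445-445
UDP 135-139
UDP 389-389
"""


def parse_port_ranges(text):
    """Turn 'PROTO start-end' lines into a list of (proto, port) tuples,
    expanding each range (e.g. UDP 135-139 -> five entries)."""
    ports = []
    for line in text.strip().splitlines():
        proto, rng = line.split()
        start, _, end = rng.partition("-")
        lo, hi = int(start), int(end or start)
        for port in range(lo, hi + 1):
            ports.append((proto.upper(), port))
    return ports


def check_tcp_ports(host, ports, timeout=2.0):
    """Attempt a TCP connect to each TCP port on host.
    Returns {port: True if the connect succeeded, False otherwise}.
    UDP entries are skipped: a connect() tells you nothing about them."""
    results = {}
    for proto, port in ports:
        if proto != "TCP":
            continue
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = True
        except OSError:
            results[port] = False
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Placeholder host: replace with the remote desktop or domain controller.
    for port, ok in check_tcp_ports("remote-desktop.example", parse_port_ranges(AD_PORTS)).items():
        print(f"TCP {port}: {'open' if ok else 'blocked/closed'}")
```

Note that the answer's list leaves out TCP 389 (LDAP) and TCP 135/139 (RPC and NetBIOS session), which domain membership and XP-era file sharing also use; a connect test on those is worth adding when the shares still fail.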

Author Comment

ID: 23000519

I'm kind of thinking I might need to use the access-list command to open those ports; what protocol or application should I be assigning to those port openings?  Please correct me if I'm wrong--my logic is based on various sources of documentation, including this page:


So should I be able to implement the following?

access-list 101 permit tcp any host any host eq 636
access-list 101 permit tcp any host any host eq 3268
access-list 101 permit tcp any host any host eq 3269
access-list 101 permit udp any host any host eq 389

Or do I need to implement one-to-one address translation for the desktop in the remote office, assign it a static IP address, and implement the following?

access-list 101 permit tcp any host desktop.outside.ip.address eq 636
access-list 101 permit tcp any host desktop.outside.ip.address eq 3268
access-list 101 permit tcp any host desktop.outside.ip.address eq 3269
access-list 101 permit udp any host desktop.outside.ip.address eq 389

I'm starting to wish I also tagged this post as a firewall issue.  Thanks guys...
LVL 20

Expert Comment

ID: 23000556
Well, actually just do a show access-group and it should be the permit all and then the deny all for the internal interface outbound (Egress).  If this is true then you don't need to create object groups etc. for the AD commands going out, but you will need them coming in.  They should travel from client to client without any issues.  You should check the log by doing a show log.  If you need other Cisco command assistance then be sure to do a search on here or, as you said, repost.  Personally I would be sure that your routing was sufficient and stable before you started troubleshooting.  I am fairly good with a PIX but I am a little rusty as I am a Juniper man now :)  I haven't used a PIX in over 4 years now and it is pretty hands on for me.  I know that you will have to (should) create object groups and then add them to a network service and then bind that network service to the access-group that you create.  This is where it gets dicey as you will have to create another access-group and if you don't know what you are doing then you will kill your link altogether.

Perhaps someone else could chime in on this one or you could repost to the firewall section and be sure to ask how to create access-lists and groups to pass active directory between a 515 and a 506.

Good luck and hope this helps.
