Need help setting up network share on desktop in remote office

Posted on 2008-11-18
Last Modified: 2012-05-05

I'm attempting to set up a share on an enduser's desktop in a remote office for the purpose of hosting documents that are scanned from a MFP at my company's headquarters location.  While this sounds easy enough, I'm running into some problems seeing the network share outside of the particular satellite office where this desktop is located and am running out of ideas.  All the permissions are set up correctly, I can ping the desktop in the remote office (and vice-versa) and I can read/write to the shares from the office where the desktop is located.  I can't see shares set up on desktops in our headquarters location from these remote offices so perhaps what I'm trying to do isn't even possible through normal conventions?  Perhaps I just have to elevate the desktop's role somehow through AD?

Here's some more info on our network setup:
- Each location has at least one domain controller running Windows Server 2003 and AD replication occurs hourly
- Our company's different locations are connected via site-to-site VPN, each office has an AT&T MIS T1 capable of moving ~1.5 MB/s downstream
- DNS records are comprehensive and replicate properly between locations
- All of our company's endusers use XP on their desktops with SP2 or SP3

Any feedback would be much appreciated...
Question by: methodology
    LVL 20

    Expert Comment

    Can you ping the name of one of the remote PCs?

    Do you get a reply?

    What happens when you click on start and then run and then type \\remote_machine_name and hit ok?

    Do you have firewalls on in either location?  Do you have hardware firewalls in either location?

    LVL 63

    Assisted Solution

    Are you allowing GRE 43 and other MS share protocols through the routers/VPN?
    I hope this helps !
    LVL 20

    Expert Comment

    Yes, you are on the same path I am on, SE.  I think that the TCP and UDP ports for AD are not being allowed through the FW policies.

    Author Comment

    MightySW: I can successfully ping the remote PC.  When I try to access it via Run or in the location bar, I eventually get a message notifying me that the host cannot be found.

    I think you guys are on the right track with respect to firewalls.  We use Cisco PIX firewalls; 501s at the satellite offices and a 515 at our headquarters location (sorry I left that out).  All of our routers are managed devices (inherent of AT&T MIS services) and I would assume that they come configured to support a variety of popular network environments, including AD (but I could be wrong about that).

    Like you guys are saying, I'm thinking that my problem is most likely a case of not enabling the right protocols/having the right ports open.  My understanding of Cisco PIX firewall configurations is very limited (bear with me) so is it the fixup protocol commands that I should be focusing on?  If that's the case, I'm using the following fixups:

    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723  (this is used for GRE 47, same as GRE 43?)
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69

    What else should I be using?  TiA!!
    LVL 20

    Accepted Solution

    Doesn't look like you are passing all AD traffic.

    Fixup: (on both PIXes)

    TCP  636-636
    TCP 3268-3269
    TCP 88-88
    UDP 88-88
    TCP 445-445
    UDP 135-139
    UDP 389-389

    Also ensure that you have file and print services checked on the machines that you are trying to reach.

    Author Comment


    I'm kind of thinking I might need to use the access-list command to open those ports; what protocol or application should I be assigning to those port openings?  Please correct me if I'm wrong--my logic is based on various sources of documentation, including this page:

    So should I be able to implement the following?

    access-list 101 permit tcp any any eq 636
    access-list 101 permit tcp any any eq 3268
    access-list 101 permit tcp any any eq 3269
    access-list 101 permit udp any any eq 389

    Or do I need to implement one-to-one address translation for the desktop in the remote office, assign it a static IP address, and implement the following?

    access-list 101 permit tcp any host desktop.outside.ip.address eq 636
    access-list 101 permit tcp any host desktop.outside.ip.address eq 3268
    access-list 101 permit tcp any host desktop.outside.ip.address eq 3269
    access-list 101 permit udp any host desktop.outside.ip.address eq 389

    I'm starting to wish I also tagged this post as a firewall issue.  Thanks guys...
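As an added example (not code from this thread or from Cisco), the following Python script audits whether a PIX 6.x style access-list, written in the same `eq`/`range` and `any`/`host`/`A MASK` forms used above, actually permits every AD/SMB port listed in the accepted answer from the HQ scanner's address to the remote desktop, and which of those flows are only allowed by an any-source rule rather than a host- or subnet-scoped one. The sample ACL, the desktop address 192.0.2.10 and the HQ LAN 10.1.0.0/16 are constructed placeholders; object-groups and other PIX syntax are not parsed.

```python
import ipaddress
# Ports the accepted answer says both PIXes must pass for AD/SMB (ranges expanded)
REQUIRED = [("tcp", p) for p in (88, 445, 636, 3268, 3269)] + \
          [("udp", p) for p in (88, 135, 136, 137, 138, 139, 389)]
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tok):
    # One PIX address spec: 'any' | 'host A' | 'A MASK'; returns (network, rest)
    if tok[0] == "any":
        return ANY, tok[1:]
    net = tok[1] + "/32" if tok[0] == "host" else tok[0] + "/" + tok[1]
    return ipaddress.ip_network(net, strict=False), tok[2:]
def parse_acl(text):
    # 'access-list N permit|deny PROTO SRC DST [eq P | range A B]' -> rule tuples
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # remarks, blank lines and unrelated config are ignored
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        op = rest[:1]  # no port operator means the rule covers every port
        lo, hi = (int(rest[1]), int(rest[-1])) if op in (["eq"], ["range"]) else (0, 65535)
        rules.append((t[2], t[3], src, dst, lo, hi))
    return rules
def first_match(rules, proto, src_ip, dst_ip, port):
    # PIX evaluates top-down, first match wins, implicit deny if nothing matches
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r[1] in (proto, "ip") and s in r[2] and d in r[3] and r[4] <= port <= r[5]:
            return r
    return None
def audit(acl_text, src_ip, dst_ip):
    # Returns (required flows not permitted, flows permitted only by an any-source rule)
    rules, missing, broad = parse_acl(acl_text), [], []
    for proto, port in REQUIRED:
        r = first_match(rules, proto, src_ip, dst_ip, port)
        if r is None or r[0] == "deny":
            missing.append((proto, port))
        elif r[2] == ANY:
            broad.append((proto, port))
    return missing, broad

# Constructed ACL in the asker's host-scoped form; 192.0.2.10 stands in for the
# remote desktop's translated address, 10.1.0.0/16 for the HQ scanner's LAN
SAMPLE_ACL = """\
access-list 101 permit tcp any host 192.0.2.10 eq 636
access-list 101 permit tcp any host 192.0.2.10 range 3268 3269
access-list 101 permit udp any host 192.0.2.10 eq 389
access-list 101 permit tcp 10.1.0.0 255.255.0.0 host 192.0.2.10 eq 445
"""
```

Running `audit(SAMPLE_ACL, "10.1.1.20", "192.0.2.10")` reports the Kerberos and NetBIOS ports as missing and the LDAP/GC rules as any-source, which is the gap and the tightening a reviewer would point out before applying the list to both firewalls.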
    LVL 20

    Expert Comment

    Well, actually just do a show access-group and it should be the permit all, proceeded by the deny all for the internal interface outbound (egress).  If this is true then you don't need to create object groups etc. for the AD commands going out, but you will need them coming in.  They should travel from client to client without any issues.  You should check the log by doing a show log.  If you need other Cisco command assistance then be sure to do a search on here or, as you said, repost.  Personally I would be sure that your routing was sufficient and stable before you started troubleshooting.  I am fairly good with a PIX but I am a little rusty as I am a Juniper man now :)  I haven't used a PIX in over 4 years now and it is pretty hands on for me.  I know that you will have to (should) create object groups and then add them to a network service and then bind that network service to the access-group that you create.  This is where it gets dicey as you will have to create another access-group and if you don't know what you are doing then you will kill your link altogether.

    Perhaps someone else could chime in on this one or you could repost to the firewall section and be sure to ask how to create access-lists and groups to pass active directory between a 515 and a 506.

    Good luck and hope this helps.
