
IPSec breaks Network Neighborhood

We have 5 servers with a default "Request Security" IPSec policy enabled. It works reasonably well except it breaks Network Neighborhood. The servers do not appear in the list of machines when browsing from the client and from the server side when trying to explore the network, it states: "%Domain Name%  is not available. You might not have permission to use this network resource." I know that an exception list can be built for enabling this but do not have time to build a complete test network to get it worked out. I was hoping someone had already done the leg work and can help me out.
Asked by tuscany22
ChiefIT commented:
IPsec is a tunneling (Point to Point) protocol.

That messes up the netbios broadcasts. If you want net neighborhood and other master browser reliant services to work again, you will have to configure a WINS server and use WINS on an IPsec environment.
tuscany22 (Author) commented:
Thanks for the response. I did have WINS set up on the domain controller but did not have the WINS server listed in the advanced TCP/IP options on the server. After enabling it I can browse the network from the server, but I still do not see the server from the client after I enable the WINS client on the client machine. Is there anything else I should be doing to be able to see the server in Network Neighborhood? Thanks very much for your help.
ChiefIT commented:
Do the clients recognize the server as a WINS server?

Like on DNS, you should define what node is the WINS server for that client.

NIC configuration>>TCP/IP properties>>advanced button>>WINS tab

On each client, define the WINS server and see what you get.
tuscany22 (Author) commented:
That is what I tried; sorry, I did a bad job of explaining it. I went to both the IPSEC'd server and did that, and also to a client machine. It did fix it from the server side: I can see all of the machines on the network except the other IPSEC'd servers, where before it would not even allow me to browse the domain. However, from the client, after WINS is defined in advanced, I still cannot see the server. The crazy thing is I can see a Windows 2000 server that we have the same policy applied against, but none of the 4 Windows 2003 boxes. That was true before I pointed the client to the WINS service enabled on the domain controller. Please let me know if there are some other things I should be looking at or if you need more information. Thanks!
ChiefIT commented:
At the client side location, do you see other clients, ... anything?
tuscany22 (Author) commented:
You bet, everything but the 4 IPSEC'd machines. All of the other clients and servers. I only enabled one of the 4 Windows 2003 machines. I will go try the other three and see if they pop up. I can't think of anything REALLY unusual I have done here except the server request policy, but it has been a good while since I set them up, and they have been working fine except for that. I am moving a large amount of client files to one of these servers where the users will be using mapped drives (not a problem there), but every once in a while it will be necessary for them to save files or to browse to the server independent of their mapped drives. Thanks again.
ChiefIT commented:
Here's the deal. The WINS database needs a connection between the other sites' master browsers. Then those sites' master browsers will communicate with the domain master browser.

This article is an NT4 article. It will show you how to set up the browser service in the WINS/WAN configuration. WINS is routable, while NetBIOS broadcasts are not. So, WINS is an aid to NetBIOS name translation so that it can propagate over a VPN tunnel, across NAT, and maybe past IPsec tunneling.

So, I still think WINS will work for your IPsec computers, but I am not certain. Please evaluate this article, because it explains how to route NetBIOS in a WINS/WAN setup. It also explains the browser service to a T.

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true
tuscany22 (Author) commented:
Sorry to take so long to get back to you. I have been ill for a couple of days and got behind. I am looking it over now and will be back to you. It is interesting, though. From the WINS server (the domain controller), which is on the same network as the server that is IPSEC'd, I can search for and see the server name listed in the WINS console (using the filter option, search for machine). It knows it is there. However, from the WINS server machine, if I explore the network by browsing, I cannot see the server. I had thought it was maybe reliant on the fact that I cannot ping the servers when they have the IPSEC policy applied, but I CAN see the older Windows 2000 box, even though it has the same domain IPSEC policy applied, and I cannot ping that box either. I checked to see if its network configuration setup was any different and nothing pops out at me. I know there was some tightening of the IPSEC implementation from 2000 to 2003, so I will also take a look at the changes and see if there is an exception there that will help finish this up. Thanks again for your help. I would not have thought of a legacy service like WINS to solve this.
tuscany22 (Author) commented:
Went ahead and looked over the WINS article. Also took a look at the changes to the default behavior of IPSEC from 2000/XP to Server 2003. By default all traffic except IKE is filtered on Server 2003. See Microsoft Knowledge Base article http://support.microsoft.com/kb/810207. By modifying the HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\Default Exemption key from a 3 (filter all but IKE) to a 1, it allows broadcast and multicast traffic to be unfiltered. This apparently lowers the security of the IPSEC implementation but allows the server to be browsed and also the server to browse the network. Tested from a couple of clients without and with the WINS client enabled. Can see it from both. Thanks for the assistance with this issue. It forced me to think about the mechanisms that were being blocked by the IPSEC protocol.
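The registry change described in the final post, as an added PowerShell example that is not code from the thread or from Microsoft. KB 810207 documents the value as `NoDefaultExempt` (REG_DWORD) under `HKLM\SYSTEM\CurrentControlSet\Services\IPSEC`; the post refers to it as the "Default Exemption" key. The value is a two-bit mask: bit 1 removes the Kerberos/RSVP exemption, bit 2 removes the broadcast/multicast exemption, so 3 (the Server 2003 default) filters everything except IKE, while 0 (the Windows 2000/XP default) exempts all of them, which is why the Windows 2000 box in the thread stayed browsable. The function names here are my own; the snippet decodes the current setting so an administrator can see which traffic classes bypass IPsec before and after the change, and applies the value 1 the post settled on.

```powershell
# Added example: inspect and change the Windows Server 2003 IPsec default-exemption
# setting from KB 810207 (value NoDefaultExempt; the thread calls it "Default Exemption").
# Bit meanings per KB 810207:
#   bit 1 (value 1) set = Kerberos and RSVP are NOT exempt (they go through IPsec policy)
#   bit 2 (value 2) set = multicast and broadcast are NOT exempt
# IKE (UDP 500) is always exempt, otherwise IPsec could never negotiate.

$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$ValueName = 'NoDefaultExempt'

function Get-IpsecExemptionState {
    # Decode a NoDefaultExempt value into the traffic classes that bypass IPsec filtering.
    param([ValidateRange(0, 3)][int]$Value)
    [pscustomobject]@{
        NoDefaultExempt          = $Value
        IkeExempt                = $true
        KerberosRsvpExempt       = -not ($Value -band 1)
        BroadcastMulticastExempt = -not ($Value -band 2)
    }
}

function Show-IpsecExemption {
    # Read the live value; an absent value behaves like the Server 2003 default of 3.
    $current = (Get-ItemProperty -Path $IpsecKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { $current = 3 }
    Get-IpsecExemptionState -Value $current
}

function Set-IpsecExemption {
    # Write a new value. Anything that re-exempts broadcast/multicast (0 or 1) means any host
    # on the segment can reach the server with unauthenticated broadcast traffic, which is the
    # security trade-off the final post accepted in exchange for NetBIOS browsing.
    param([ValidateRange(0, 3)][int]$NewValue)
    Set-ItemProperty -Path $IpsecKey -Name $ValueName -Value $NewValue -Type DWord
    Write-Host "NoDefaultExempt set to $NewValue; restart the server for it to take effect (per KB 810207)."
    Get-IpsecExemptionState -Value $NewValue
}

# Usage (run elevated on the IPsec-protected server):
#   Show-IpsecExemption                # what currently bypasses IPsec filtering
#   Set-IpsecExemption -NewValue 1     # the change made in the thread's final post
```

Value 1 rather than 0 keeps Kerberos and RSVP under the IPsec policy while restoring only the broadcast/multicast exemption the browser service depends on; the alternative the original question mentioned, an explicit permit filter for NetBIOS broadcast traffic, avoids touching this value but needs per-policy filter work.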