tuscany22 asked:
IPSec breaks Network Neighborhood

We have 5 servers with a default "Request Security" IPSec policy enabled. It works reasonably well except it breaks Network Neighborhood. The servers do not appear in the list of machines when browsing from the client and from the server side when trying to explore the network, it states: "%Domain Name%  is not available. You might not have permission to use this network resource." I know that an exception list can be built for enabling this but do not have time to build a complete test network to get it worked out. I was hoping someone had already done the leg work and can help me out.
ChiefIT:
IPsec is a tunneling (Point to Point) protocol.

That messes up the netbios broadcasts. If you want net neighborhood and other master browser reliant services to work again, you will have to configure a WINS server and use WINS on an IPsec environment.
tuscany22 (asker):
Thanks for the response. I did have WINS set up on the domain controller but did not have the WINS server listed in the advanced TCP/IP options on the server. After enabling it I can browse the network from the server, but I still do not see the server from the client after I enable the WINS client on the client machine. Is there anything else I should be doing to be able to see the server in Network Neighborhood? Thanks very much for your help.
Do the clients recognize the server as a WINS server?

Like on DNS, you should define what node is the WINS server for that client.

NIC configuration>>TCP/IP properties>>advanced button>>WINS tab

On each client, define the WINS server and see what you get.
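The WINS-tab setting described above can be audited (and, with `-Fix`, applied) on each client from the shell rather than the GUI. This is an added example, not code from the thread; the WINS server address is a placeholder and `Win32_NetworkAdapterConfiguration.SetWINSServer` is the WMI method behind that tab.

```powershell
# Added example (not from the original thread): report, and optionally set, the WINS
# servers on every IP-enabled adapter, the same setting the GUI exposes under
# NIC configuration > TCP/IP properties > Advanced > WINS tab.
# Assumptions: run with local admin rights; $WinsPrimary is the domain controller
# that runs WINS (placeholder address below).
param(
    [string]$WinsPrimary   = '192.0.2.10',   # placeholder: replace with the DC running WINS
    [string]$WinsSecondary = '',
    [switch]$Fix                              # without -Fix the script only reports
)

# TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled
$netbiosNames = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($nic in $adapters) {
    $primary   = $nic.WINSPrimaryServer
    $secondary = $nic.WINSSecondaryServer
    $netbios   = $netbiosNames[[int]$nic.TcpipNetbiosOptions]

    Write-Host ("{0}: WINS primary='{1}' secondary='{2}' NetBIOS={3}" -f `
        $nic.Description, $primary, $secondary, $netbios)

    # The browser service rides on NetBIOS over TCP/IP; flag adapters where it is
    # explicitly disabled, because pointing them at WINS alone will not help.
    if ($nic.TcpipNetbiosOptions -eq 2) {
        Write-Warning "NetBIOS over TCP/IP is disabled on '$($nic.Description)'"
    }

    if ($primary -ne $WinsPrimary) {
        if ($Fix) {
            # SetWINSServer(primary, secondary) returns 0 on success, 1 if a reboot is needed
            $result = $nic.SetWINSServer($WinsPrimary, $WinsSecondary)
            if ($result.ReturnValue -le 1) {
                Write-Host "  -> WINS set to $WinsPrimary on '$($nic.Description)' (code $($result.ReturnValue))"
            } else {
                Write-Warning "  -> SetWINSServer failed (code $($result.ReturnValue))"
            }
        } else {
            Write-Warning "  -> WINS primary is not $WinsPrimary (re-run with -Fix to set it)"
        }
    }
}

# After the change, confirm the client registered its NetBIOS names with WINS:
#   nbtstat -n   (local name table)      nbtstat -RR  (release and re-register)
```

Run it once without `-Fix` on a client that cannot see the IPsec'd servers; an adapter with NetBIOS disabled or the wrong WINS address explains why the browse list is incomplete before any IPsec exemption is considered.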
That is what I tried, sorry I did a bad job of explaining it. I went to both the IPSEC'd server and a client machine and did that. It did fix it from the server side: I can see all of the machines on the network except the other IPSEC'd servers, where before it would not even allow me to browse the domain. However, from the client, after WINS is defined in advanced, I still cannot see the server. The crazy thing is I can see a Windows 2000 server that has the same policy applied to it, but none of the 4 Windows 2003 boxes. That was true before I pointed the client to the WINS service enabled on the domain controller. Please let me know if there are some other things I should be looking at or if you need more information. Thanks!
At the client side location, do you see other clients, ... anything?
You bet, everything but the 4 IPSEC'd machines. All of the other clients and servers. I only enabled one of the 4 Windows 2003 machines. I will go try the other three and see if they pop up. I can't think of anything REALLY unusual I have done here except the server request policy, but it has been a good while since I set them up, and they have been working fine except for that. I am moving a large amount of client files to one of these servers where the users will be using mapped drives (not a problem there), but every once in a while it will be necessary for them to save files or browse to the server independent of their mapped drives. Thanks again.
Here's the deal. The WINS database needs a connection between the other sites' master browsers. Then those sites' master browsers will communicate with the domain master browser.

This article is an NT4 article. It will show you how to set up the browser service in the WINS/WAN configuration. WINS is routable, while NetBIOS broadcasts are not. So, WINS is an aid to NetBIOS translation so that it can propagate over a VPN tunnel, across NAT, and maybe past IPsec tunneling.

So, I still think WINS will work for your IPsec computers. But I am not certain. Please evaluate this article, because it explains how to route NetBIOS in a WINS/WAN setup. It also explains the browser service to a T.

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true
Sorry to take so long to get back to you. Been ill for a couple of days and got behind. I am looking it over now and will be back to you. It is interesting though. From the WINS server (the domain controller) which is on the same network as the server that is IPSEC'd, I can search for and see the server name listed in the WINS console (using the filter option, search for machine). It knows it is there. However, from the WINS server machine if I explore the network by browsing, I cannot see the server. I had thought it was maybe reliant on the fact that I cannot ping the servers when they have the IPSEC policy applied, but I CAN see the older Windows 2000 box, even though it has the same domain IPSEC policy applied, and I cannot ping that box either. I checked to see if its network configuration set up was any different and nothing pops out at me. I know there was some tightening of the IPSEC implementation from 2000 to 2003, so I will also take a look at the changes and see if there is an exception there that will help finish this up. Thanks again for your help. I would not have thought of a legacy service like WINS to solve this.