Windows Explorer Browsing Across VPN

We have a head office connected to a remote office using a site-to-site VPN (Sonicwall TZ210 at each end).

Subnet at head office is (  This subnet hosts MS small business server, network printers, NAS, etc.  MS SBS provides DNS for both offices but DHCP only for the head office.

Subnet at remote office is (  This subnet only has clients on it (apart from a Netgear WAP controller which also provdes DHCP for the remote site).

We have established a site-to-site VPN between the two sites (no NAT implemented).  This works fine in that clients on the remote site can access resources on the head office site by both IP and URL.  However users at each site cannot see the resources in the other site using Windows Explorer.

What would we need to do to get global visibility of both sites' resources in Windows Explorer?


Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

wyliecoyoteukIT directorCommented:
As far as I remember, Windows browsing uses Netbios, which is not routable.
The remote PCs would have to have an IP in the same subnet as the PCs that they were browsing.
This is usually achieved in single node VPNs running across NAT routers by creating a Virtual IP address as the endpoint of the tunnel.

wyliecoyoteukIT directorCommented:
You could always give them the same subnet, but then you have to have only one DHCP server, and the Sonicwall may need to be configured to pass NetBIOS broadcasts.
mcsweenSr. Network AdministratorCommented:
In your VPN configuration click on the Advanced tab and check the box "Enable Windows Networking (NetBIOS) Broadcasts".

Make sure you check this box at each end of the VPN.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

mcsweenSr. Network AdministratorCommented:
BTW - Enabling the broadcasts will allow this to work across subnets; you do not have to change your subnetting.
The best way is to have a second server on the remove LAN whcih has a secondary copy of the Zone from teh primary site,  however , if you have no server you will have to configure the Name resolution manually for each of the machines there.

there should be a file called LMHOSTS.SAM
edit thir file with notepad or whatever
there is plenty of examples in the file,
but you need a #PRE #DOM entry for you SBS server and just normal entries for all your other servers
save the file and the rename to remove the .SAM extension (must hav no extension)
You can get windows to ready the file with the command
or just reboot
BTW this only works on TCP/IP

Murat RaymondCIOCommented:
Is your SBS Premium or Standard?
Fred MarshallPrincipalCommented:
Yes, you will need to get the netbios traffic going over the vpn.

I've made it work that way - you end up with a single master browser computer for the whole set of sites.  That may be fine.

I've read that this can't work.  So, I avoid it because I'd rather have something working that I understand.

You say "Windows Explorer" and I'm not sure what you mean by that:
With netbios traffic enabled you should see all the devices in My Network Places.
Without netbios traffic enabled you won't have site-to-site device name service and there will be a Master Browser for each site and a list for each site.

Nonetheless, you can still access computers this way:
And, you can map shared folders on these computers.
And, you can set up shortcuts on the desktop to open these computers and/or folders on them.
mcsweenSr. Network AdministratorCommented:
All you are going to need to do is check a box on each end of the VPN.  Any domain member (server or workstation) at each site will act as a master browser for that subnet after an election which will happen automatically with no configuration or setup on your part.  The master browser is going to broadcast to discover other systems on the network.
NAKBrooksAuthor Commented:
Thanks for the flurry of responses. Just woken up this side of the pond so will look them through when I get in and see where that leaves me.
NAKBrooksAuthor Commented:
OK,. Rebooted a few things and now it seems to work!  Will keep an eye on it.  Thanks for responses.
You can weigh your options. ALL Experts on this post have posted valid information.

Netbios is not routeable without help.Here are a few options.

1) LMHOST/WINS server- WINS and adding an LMHOST record between site master browsers allows you to prevent excessive Netbios broadcasts over a VPN connection. If this is a secure VPN connection through a IPsec tunel, I would definately consider an LMHOST or WINS servers. The way this works is clients send out a netbios broadcast every 15 minutes. The domain server with FSMO roles collects information from these netbios broadcasts, including netbios to an IP address, (netbios resolution). Since the domain server has all that information, (much like the DNS server will have DNS resolution), why broadcast all netbios over a vpn connection and have only ONE domain master browser for all Sites? Why not share each site's master browser list, with the domain master?

2) Allowing VPN broadcasts between sites- This option creates excessive traffic. Allowing all netbios broadcasts is pretty excessive traffic over a VPN. It's not recommended.

3) Vendor hardware/software configurations- The demand for ability to share Common Information File Shares and Server Message Block Shares has caused most network manufacturers to provide a means to share CIFS shares over SMB protocol. SONIC WALL is one of the best. It's also the most secure means to share this information. I would either google search or call Sonic tech support on "CIFS SMB Sonic Wall".
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocols

From novice to tech pro — start learning today.