RE: [leaf-user] Windows VPN newbie

2003-06-26 Thread Steven Peck
Esoteric Windows browsing stuff GACK.

Windows Network Neighborhood uses Microsoft's NetBEUI in a broadcast mode.
It uses 'Browse Masters' on each subnet etc.  This stuff doesn't travel
across a router at all without a lot of specific help from the router (Cisco
routers can do this, but it consumes bandwidth - don't think LEAF can).  You
will need a WINS server on at least one end and all the workstations on both
ends will have to point to this.  I believe you can imitate a WINS server
with SAMBA, but I don't use SAMBA.  As an alternative, if you have an LMHOSTS
file configured on EACH PC's name and ip address on the network, then Network
Neighborhood should work across the VPN with no additional network services
(SAMBA WINS).

-sp


Re: [leaf-user] Windows VPN newbie

2003-06-23 Thread Neil Schneider
I have network neighborhood browsing working across subnets, through a VPN
tunnel. It required two SAMBA PDCs, one on each subnet. Cross subnet browsing,
as has been stated before, requires a PDC on each subnet with wins support
turned on, and remote browse sync set up. Once I had two SAMBA servers, it
was relatively painless.


RE: [leaf-user] Windows VPN newbie

2003-06-21 Thread S Mohan
Windows network neighbourhood browsing is based on NetBIOS. It works
fine on a homogenous Windows LAN and Samba. I could not get it working
across LANs bridged using TCP/IP. I once (in 1999) had a TCP/IP RAS box
for inbound dial up connectivity to a LAN. Browsing did not work.
However, using the dial in facility to a modem on the NT server running
NT RAS services gave this facility. No change on client or server side.

I doubt if you can achieve what you want over IPSEC links. Will stand
corrected if anyone else has been able to get it working.
 
Mohan


[leaf-user] Windows VPN newbie

2003-06-20 Thread Jaime Nebrera Herrera
  Hi all,

  I want to establish a net to net VPN using Bering as a gateway. On both ends
there will be Windows machines :(

  They want to see both nets as a whole, with all computers (remember Windows)
showing in the explorer, so they can access a shared hard disk from both
sites.

  I want to do this the easiest and cheapest way. Options considering:

  1) If possible use only one PC on each end. I don't know if they have a WNT
or W200 server that could act as a WINS server, but adding a linux (or a
couple of) just for WINS is not desirable unless there is no other way
(higher price and complexity).

  2) How bad for security is adding WINS (samba) in the gateway?

  3) Even better, is it really necessary to have a WINS service? I know that for
IP services (http, ftp) there is no need for it, but the user just wants to
see the whole as if there was no separation in the middle :)

  4) What option is better, PPTP or FreeSWAN? Remember, both in the
gateway/firewall. Do I need WINS if I use PPTP?

  I know these are very basic questions; is there any good online documentation
about these topics?

  Very thankful in advance. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Windows VPN newbie

2003-06-20 Thread Charles Steinkuehler
Jaime Nebrera Herrera wrote:
>   Hi all,
>
>   I want to establish a net to net VPN using Bering as a gateway. On both ends
> there will be Windows machines :(
>
>   They want to see both nets as a whole, with all computers (remember Windows)
> showing in the explorer, so they can access a shared hard disk from both
> sites.
>
>   I want to do this the easiest and cheapest way. Options considering:
>
>   1) If possible use only one PC on each end. I don't know if they have a WNT
> or W200 server that could act as a WINS server, but adding a linux (or a
> couple of) just for WINS is not desirable unless there is no other way
> (higher price and complexity).
>
>   2) How bad for security is adding WINS (samba) in the gateway?
>
>   3) Even better, is it really necessary to have a WINS service? I know that for
> IP services (http, ftp) there is no need for it, but the user just wants to
> see the whole as if there was no separation in the middle :)

A WINS server gets you name resolution, but it does *NOT* provide
cross-subnet browsing (the official term for what you describe you're
wanting), although it's typically a required piece of most cross-subnet
browsing setups.

>   4) What option is better, PPTP or FreeSWAN? Remember, both in the
> gateway/firewall. Do I need WINS if I use PPTP?

FreeS/WAN is better (from a security standpoint).  Using PPTP may work
easier for browsing, but I've never tried to set this up, so I'm not
sure what features/limitations PPTP provides (other than a pretty much
guaranteed lack of security from anyone actually interested in reading
your data...PPTP will secure you from the idly curious, but not anyone
actually wanting to break into your VPN).

>   I know these are very basic questions; is there any good online documentation
> about these topics?
>
>   Very thankful in advance. Regards.

I'm not a windows networking guru, but have been through enough of 
trying to link remote windows networks to help out with a few issues.

First of all, I suggest trying to set up a subnet-subnet IPSec VPN link 
between your two firewalls.  This reduces the problem to getting windows 
boxes to talk to each other across a router.  There are two aspects of 
the windows portion of the problem:

1) Sharing network resources across subnets

2) Browsing network resources across subnets

Note that these are *VERY* different problems.  Browsing on MS networks 
typically works by using broadcast traffic, which won't pass through 
your router/firewall/VPN appliance.  Drive mapping, however, can be done 
directly using IP addresses, DNS names (if you have entries for the 
system(s) in a zone file or in your hosts file), WINS name, etc.

If you can get by with manually mapping drives instead of browsing (ie 
manually typing in an IP or computer name rather than clicking the 
proper computer from a tree view with the mouse), what you want is very 
simple...just get the VPN link running, and type \\192.168.1.44 (or 
whatever the appropriate far-end IP is) when you're trying to map a 
network drive or printer.

If, however, you want to browse to the remote resource, you have a much 
bigger problem.  The official Microsoft way to do this is to run 2K 
server (probably .net server by now) on *EACH* subnet.  You eliminate 
the server install on one side of the network if you have all systems 
log into the same domain controller (requires a WINS server for name 
resolution, and proper configuration of the remote systems so they know 
how to find the WINS server on the far subnet...this can be set up via 
dhcp, so it's really not too bad).  The Microsoft site has a lot more 
info on what's required to implement this in the approved way...a 
search for cross subnet browsing should turn up lots of info.

Samba servers can help mitigate a lot of the problems incurred due to 
the artificial limitations of Microsoft's software (you'd think they 
want to sell tons of copies of their server software or something), but 
I wouldn't suggest running Samba on your firewalls, and it doesn't sound 
like you have extra boxes lying around to turn into server systems.

All of the above reflects what I've picked up trying to get my windows 
box to gracefully talk to the home office network across a subnet-subnet 
VPN, but does not necessarily represent the best, or necessarily even 
appropriate way to do this in the microsoft world...I'm a linux 
networking guy, and know just enough microsoft networking to keep my 
2KPro desktop linked to the internet and the home office.

--
Charles Steinkuehler
[EMAIL PROTECTED]
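
The split described in the message above between browsing (broadcast) and drive mapping (unicast), as an added example that is not part of the original thread: a small Python model of what a router on one side of a subnet-to-subnet tunnel does with each kind of Windows networking packet. The two /24 subnets, the WINS server address 192.168.1.10 and the function names are assumptions for illustration; UDP 137/138 and TCP 139 are the standard NetBIOS-over-TCP/IP ports.

```python
"""Model of which Windows-networking packets cross a routed subnet-to-subnet VPN."""
import ipaddress
from typing import NamedTuple

# Assumed addressing for illustration; only 192.168.1.44 appears in the thread.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Standard NetBIOS-over-TCP/IP ports.
NETBIOS_PORTS = {
    ("udp", 137): "name service",
    ("udp", 138): "datagram service (browser announcements)",
    ("tcp", 139): "session service (file and printer sharing)",
}


class Packet(NamedTuple):
    proto: str
    dst: str
    dport: int
    note: str


def classify(dst: str) -> str:
    """Return what a router on LOCAL_NET does with a packet sent to dst."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST or addr == LOCAL_NET.broadcast_address:
        return "local-broadcast"            # never forwarded off the segment
    if addr == REMOTE_NET.broadcast_address:
        return "remote-directed-broadcast"  # routers normally drop these
    if addr in LOCAL_NET:
        return "local-unicast"              # delivered on-link, no routing
    if addr in REMOTE_NET:
        return "tunnel"                     # matches the subnet-to-subnet policy
    return "outside-tunnel"                 # not covered by the VPN policy


def crosses_vpn(pkt: Packet) -> bool:
    """Only unicast traffic addressed to the far subnet enters the tunnel."""
    return classify(pkt.dst) == "tunnel"


# Constructed sample traffic from a workstation on LOCAL_NET.
SAMPLE = [
    Packet("udp", "192.168.0.255", 138, "browser announcement"),
    Packet("udp", "192.168.0.255", 137, "broadcast name query"),
    Packet("udp", "255.255.255.255", 137, "limited-broadcast name query"),
    Packet("udp", "192.168.1.10", 137, "unicast name query to assumed WINS server"),
    Packet("tcp", "192.168.1.44", 139, r"drive mapping to \\192.168.1.44"),
]


def report(packets):
    """Return (note, service, verdict, crosses) for each packet."""
    rows = []
    for p in packets:
        service = NETBIOS_PORTS.get((p.proto, p.dport), "other")
        rows.append((p.note, service, classify(p.dst), crosses_vpn(p)))
    return rows


if __name__ == "__main__":
    for note, service, verdict, crosses in report(SAMPLE):
        print(f"{note:42} {service:44} {verdict:26} crosses={crosses}")
```

Only the unicast WINS query and the TCP 139 session reach the far side, so those are the flows a tunnel firewall policy has to account for; the browser announcements never leave the local segment.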

