08-10-2006, 03:22 AM
#1 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 295
can't access LAN when using VPN
Hi,
My organization just now started to use VPN as a means to access our local network from different places.
Everything works fine except for one detail:
The VPN clients cannot access the LAN besides the VPN server. They can see and access shared folders on the server, but they can't access other folders on other computers.
The server is running Win2k and the client is running XP.
Before anything:
1. Yes, I have enabled "Allow clients to access LAN" in the TCP/IP protocol of Incoming connections properties
2. Clients can log in, they can access the shared folders on the VPN server, they can even PING the other computers in the LAN, but they still cannot open shared folders.
3. I have checked the help on Routing and remote access console, which has a topic "clients cannot access the LAN past the server". I tried the three things described there but I still can't have the clients access the other computer.
Any suggestions?
Thanks again.

08-10-2006, 03:22 AM
#2 (permalink)
When connected to the VPN, can you map a drive with the name \\domain\shared folder? If you try this, do you get an error message?
As a side note, dunno if I asked you this before, but did you ever play eq? I knew a guy with the name. If I asked you before, please forgive me.

08-10-2006, 03:22 AM
#3 (permalink)
I don't know enough about VPN administration to offer much insight here, but I want to give a little input. My company uses VPN so that we can work from home, but 2 points come to mind. The onsite machines we connect to have to be in the local HOSTS file, and they have to be explicitly made available by our infrastructure group.
Many of us have wanted to connect to our development machines on the work LAN, but can't do it. I've got shared folders to people at work, but can't map to them from home. VPN doesn't automatically open your access quite the same as being on the LAN, because it could allow a little too much freedom for ill-intentioned behavior. There is a possible workaround until you get configured though. If you can remote desktop into the VPN box, you should be able to see everything as if you were on the local network. You can then bring files onto that machine for access. Obviously this is not a permanent fix, but it might be useful to know.

08-10-2006, 03:23 AM
#4 (permalink)
I don't think that is completely on the mark, Variable. You need a machine name too. The "whack whack" indicates the machine on your local network. For example: "\\myMachine\sharedFolder". The domain is used when connecting to the VPN for initial authentication, i.e.: "DOMAIN\username"

08-10-2006, 03:23 AM
#5 (permalink)
Yep, should be computername not domain. I think the problem is that his credentials are wrong. So he would connect to a share and then use domain\user. Dunno why I said domain instead of computer name.

08-10-2006, 03:24 AM
#6 (permalink)
You mentioned that the client machine is running XP. Is it XP Home? As I recall you have to establish a domain account in order to authenticate. Some of the advanced settings in the security tab of Internet Properties should allow you to configure so that you're prompted when trying to connect. This sounds reasonable too because the VPN credentials don't necessarily match your LAN credentials. I'll take a look and post back the section that I think is relevant.

08-10-2006, 03:25 AM
#7 (permalink)
Just browsing by and saw this thread. If your VPN server is Windows 2000 and it is the DNS and WINS server for your network, then this is probably your problem....
http://support.microsoft.com/defaul...kb;en-us;292822
Pangea33, I would say whoever set up your VPN didn't set it up right if you are using HOSTS files (this is in no way security related). To get around that do a
\\ipaddress\sharename
The VPN should open it up just like you were sitting on the LAN when configured correctly. If they want to block something they should use egress (outbound) ACLs.
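
Added example (not part of any post in this thread): a PowerShell check, run from the VPN client, that separates the three causes raised above when ping works but shares will not open: name resolution, SMB port reachability, and share authorization. The host name, IP address and share name are hypothetical placeholders.

```powershell
# Added example. FILESRV01, 192.0.2.10 and 'shared' are hypothetical values;
# replace them with a LAN file server that VPN clients should reach.
function Test-SmbOverVpn {
    param(
        [string]$HostName  = 'FILESRV01',
        [string]$IpAddress = '192.0.2.10',
        [string]$Share     = 'shared'
    )

    # 1. Name resolution through the tunnel (DNS, WINS/NetBIOS or HOSTS).
    $resolved = $null
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
            Select-Object -First 1 -ExpandProperty IPAddressToString
    } catch { }   # leave $resolved as $null when the name does not resolve

    # 2. Transport. A ping reply only proves ICMP passes; file sharing needs
    #    TCP 445 (direct SMB) or TCP 139 (SMB over NetBIOS).
    $open = foreach ($port in 445, 139) {
        $r = Test-NetConnection -ComputerName $IpAddress -Port $port `
                -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { $port }
    }

    # 3. Share access by IP (bypasses name resolution) and by name.
    $byIp   = Test-Path "\\$IpAddress\$Share" -ErrorAction SilentlyContinue
    $byName = Test-Path "\\$HostName\$Share"  -ErrorAction SilentlyContinue

    $diagnosis =
        if (-not $open)                { 'SMB ports filtered between VPN clients and this host (ACL or host firewall)' }
        elseif ($byIp -and -not $byName) { 'Name resolution problem (DNS/WINS not reachable or not assigned to VPN clients)' }
        elseif (-not $byIp)            { 'Ports open but share refused: check credentials (DOMAIN\user) and share permissions' }
        else                           { 'Share reachable by name and by IP' }

    [pscustomobject]@{
        ResolvedAddress = $resolved
        OpenSmbPorts    = @($open)
        ShareByIp       = $byIp
        ShareByName     = $byName
        Diagnosis       = $diagnosis
    }
}

Test-SmbOverVpn | Format-List
```

If the diagnosis points at credentials, `net use \\192.0.2.10\shared /user:DOMAIN\username` prompts for the LAN password explicitly instead of reusing the VPN logon.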

08-10-2006, 03:25 AM
#8 (permalink)
Here are the settings I was thinking of:
Internet Properties - Security Settings - User Authentication - Logon - Prompt for username and password
Those machines should probably be set up in the Local Intranet or Trusted zone, and you can precede your username with the appropriate domain.

08-10-2006, 03:26 AM
#9 (permalink)
I think you misunderstood me. I referred to this comment that when set up correctly a VPN should act like you are part of the network (shouldn't need HOSTS files or anything special, should be transparent to the end user), but they can intentionally block access to certain machines or LAN segments for security if they feel they don't want VPN connections to access these resources.

08-10-2006, 03:26 AM
#10 (permalink)
Thanks a lot for the info, Juniper. Obviously I am an amateur when it comes to this stuff, but definitely want to know more. I wasn't under the impression that the HOSTS file adds security, but I gave ignorant information. I just pinged a machine by name and the IP came back. If you have the time to enlighten me a little further I would appreciate it.
We use the host entries for the webdev and staging machines. They're in a pod environment, so the actual name resolves to a switch that routes traffic to one of the boxes. Would that make a difference? Not sure how shared folders work in that case. I do know they're currently set up with the file structure duplicated on every machine in the pod. Yeah, that reads as horribly as I feared it would. I'm in the process of trying to convince TPTB that all binary files should be converted to base64 text, and saved as CLOBs on our powerful db servers. All webservers can have access to the files in one location, or redundant locations using transaction logs.
Additionally, the developer boxes are on a different internal class B than the webdev machines. 10.16 vs 10.18, and I don't currently know my cryptic PC name to ping it. Could that be an intentional technique to keep us from those machines, or should we have full LAN access?
Sorry if these are stupid questions. I appreciate your feedback.