Configuring VPN Clients to Support Network Browsing

 

One of the primary reasons to set up a VPN server is to allow VPN clients to access shared resources on the internal network behind the ISA Server firewall/VPN server. There are a number of methods available that allow users to access shared resources on the corporate network. Some of these methods include:

 

Users can access network file shares by mapping a network drive to a specific share. The user can map the file share to a drive letter himself, or you can map a file share to a network drive via a logon script.

 

If the user knows the computer name and share name containing the desired files, he can connect to the resource via a Universal Naming Convention (UNC) path. The UNC path is represented as \\Computer_name\Share_name, where Computer_name is the DNS or NetBIOS name of the computer and Share_name is the name of the shared resource on that computer. The UNC path is entered into the Run command dialog box.

 

Network file shares can be mapped to Internet Information Server virtual directories, and users may access files in these virtual directories using a Web browser. You can also use the Windows 2000/Windows Server 2003 WebDAV features to increase flexibility in Web-based file access.

 

The most popular method of accessing file shares is via the My Network Places and Network Neighborhood applets. Users click on the domain name and then on the computer names within the domain; the shared resources appear within the contents of each computer.

 

This ISA Server 2000 VPN Deployment Kit document explains how to configure the ISA Server firewall/VPN server and the VPN client computers to support network browsing through the My Network Places or Network Neighborhood applets.

 

Configuring VPN Clients to Support Network Browsing

 

We will address the following issues in this ISA Server 2000 VPN Deployment Kit document:

 

 

 

Installing and Configuring a WINS Server and WINS Clients on the Internal Network

 

Successful network browsing on networks with multiple subnets depends on several factors:

 

 

The details of the Windows Browser Service are beyond the scope of this ISA Server 2000 VPN Deployment Kit document. We recommend that you review the Microsoft TechNet article The Windows NT Browser Service for a better understanding of how the browser service works.

 

The internal network to which the VPN connects requires at least one domain controller running as Primary Domain Controller or PDC emulator. In a Windows 2000 or Windows Server 2003 domain, the first domain controller in the domain is the PDC emulator. The PDC emulator collects the browse list information from the master browsers on each network segment and redistributes the collated results from all subnets.

 

You can install a WINS server on any Windows 2000 or Windows Server 2003 machine on the network and configure all the network clients as WINS clients. The WINS clients register their NetBIOS names and IP address(es) with the WINS server and query it when they need to resolve NetBIOS names. Master browsers on each network segment use the WINS server to resolve the name of the PDC or PDC emulator, and the PDC or PDC emulator uses WINS to resolve the names of the segment master browsers.

 

WINS is never installed by default. Perform the following steps on a Windows 2000 or Windows Server 2003 server on the internal network:

 

  1. Click Start and point to Control Panel. Click on the Add or Remove Programs command. In the Add or Remove Programs window, click the Add/Remove Windows Components button (figure 1).

Figure 1 (fig101)

  2. In the Windows Components dialog box, select the Network Services option in the Components list (figure 2). Click the Details button.

Figure 2 (fig102)

  3. In the Networking Services dialog box, put a checkmark in the Windows Internet Name Service (WINS) checkbox (figure 3). Click OK.

Figure 3 (fig103)

  4. Click Next in the Windows Components dialog box (figure 4).

Figure 4 (fig104)

  5. A progress bar appears in the Configuring Components dialog box while the components are configured (figure 5).

Figure 5 (fig105)

  6. Click Finish on the Completing the Windows Components Wizard page (figure 6).

 

Figure 6 (fig106)

 

The next step is to configure the clients as WINS clients. The procedure varies with the operating system. The following steps work for Windows 2000, Windows XP and Windows Server 2003 clients:

 

  1. Right click the My Network Places object on the desktop and click the Properties command (figure 7).

Figure 7 (fig108)

  2. In the Network Connections dialog box, right click the network interface that you want to register as a WINS client and click the Properties command (figure 8).

Figure 8 (fig109)

  3. In the interface Properties dialog box, click the General tab and click the Internet Protocol (TCP/IP) entry in the This connection uses the following items list, then click the Properties button (figure 9).

Figure 9 (fig110)

  4. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button (figure 10).

Figure 10 (fig111)

  5. In the Advanced TCP/IP Settings dialog box, click the WINS tab. On the WINS tab (figure 11), click the Add button.

Figure 11 (fig111)

  6. In the TCP/IP WINS Server dialog box, type the IP address of the WINS server in the WINS server text box (figure 12). Click Add.

Figure 12 (fig113)

  7. Click OK in the Advanced TCP/IP Settings dialog box (figure 13).

Figure 13 (fig114)

  8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box (figure 14).

Figure 14 (fig115)

  9. Click Close in the interface Properties dialog box (figure 15).

 

Figure 15 (fig116)

 

The WINS client will register its address in the WINS database when you restart the computer. You can use the nbtstat command to get the machine to register its address immediately:

 

  1. Open a command prompt, type nbtstat -RR and press ENTER. This registers the WINS client's NetBIOS names in the WINS database (figure 16).

Figure 16 (fig117)

  2. Now let's examine the NetBIOS names the WINS client registered in the WINS database. Click Start and point to Administrative Tools. Click on the WINS command (figure 17).

Figure 17 (fig118)

  3. In the WINS console, expand the server name and right click on the Active Registrations node in the left pane of the console (figure 18). Click the Display Records command.

Figure 18 (fig119)

  4. Click on the Record Owners tab in the Display Records dialog box. Click the Select Local button (figure 19).

Figure 19 (fig120)

  5. The WINS database entries appear in the right pane. Note the INTERNAL [1Bh] WINS database record. This is the record that segment master browsers use to send their browse lists to the PDC or PDC emulator (figure 20).

 

Figure 20 (fig121)
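As an added example that is not part of the deployment kit, the Python below shows how a name such as INTERNAL [1Bh] is encoded when a WINS client registers it (RFC 1001 first-level encoding) and decodes a constructed registration name field back to the NetBIOS name and suffix, which is what you need to recognize the domain master browser record in captured NBNS traffic. The suffix table and the sample names are constructed for this example.

```python
# Added example (not from the ISA Server VPN Deployment Kit). WINS/NBNS carries
# a NetBIOS name as RFC 1001 "first-level encoding": the 15-character name
# (space padded) plus the one-byte suffix is split into nibbles, each mapped to
# a letter 'A'..'P', giving a single 32-byte label.

SUFFIX_NAMES = {  # common NetBIOS suffixes seen in a WINS database (constructed table)
    0x00: "Workstation Service",
    0x1B: "Domain Master Browser",  # PDC / PDC emulator collects browse lists here
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}

def encode_netbios_name(name, suffix):
    """Return the 32-byte first-level encoding of name with the given suffix."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))    # high nibble -> 'A'..'P'
        out.append(ord("A") + (b & 0x0F))  # low nibble  -> 'A'..'P'
    return bytes(out)

def decode_netbios_name(encoded):
    """Reverse the encoding; returns (name, suffix). Rejects malformed input."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - ord("A"), encoded[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P' is not a valid encoding")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def wire_label(name, suffix):
    """NBNS name field as sent in a registration: length 0x20, label, root label."""
    return b"\x20" + encode_netbios_name(name, suffix) + b"\x00"

def describe_wire_label(buf):
    """Decode a captured name field into 'NAME [xxh] description' text."""
    if len(buf) < 34 or buf[0] != 0x20 or buf[33] != 0x00:
        raise ValueError("not a single-label NBNS name field")
    name, suffix = decode_netbios_name(buf[1:33])
    return f"{name} [{suffix:02X}h] {SUFFIX_NAMES.get(suffix, 'unknown suffix')}"

if __name__ == "__main__":
    # Constructed sample: the domain master browser record the text points out.
    print(describe_wire_label(wire_label("INTERNAL", 0x1B)))
```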

 

 

Assigning a WINS Server Address to the VPN Clients

 

VPN clients use WINS to resolve NetBIOS names for hosts on the internal network. WINS makes it possible for VPN clients that are not configured with a primary domain name to resolve the names of computers on the internal network. There are two ways you can assign VPN clients a WINS server address:

 

 

Please refer to ISA Server VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for instructions on how to configure DHCP support for VPN clients.

 

Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for detailed information on how to configure RRAS to assign WINS server addresses to VPN clients.

 

When the VPN Client Belongs to the Internal Network Domain

 

There are no special configuration requirements when the VPN machine and the user are members of the internal network domain. The domain member VPN client has the following features and capabilities:

 

 

A computer can be joined to the domain while directly connected to the internal network, or when it is connected over a VPN link. We recommend that you join the computer to the domain while it is directly connected to the network. However, if this is not possible, you can use the following procedure to join the machine over a VPN connection:

 

Note: The ISA Server firewall/VPN server has already been configured according to the procedures in the ISA Server 2000 VPN Deployment Kit article Configuring the Windows Server 2003 ISA Server 2000/VPN Server. The initial connection is made via PPTP. The VPN client computer can be automatically assigned a certificate via autoenrollment when it joins the domain. Once the VPN client obtains a certificate, an L2TP/IPSec connection can be established.

 

Perform the following steps to join a computer to the domain over a VPN link:

 

  1. Create the Dial-up Networking VPN connectoid that connects the VPN client computer to the ISA Server firewall/VPN server. Connect the non-domain member VPN client machine to the ISA Server firewall/VPN server using this connectoid (figure 6).

Figure 6 (fig206)

  2. As soon as the VPN link is established, right click on the My Computer object on the desktop and click the Properties command (figure 7).

Figure 7 (fig207)

  3. In the System Properties dialog box, click on the Network Identification tab. Note the current Full computer name and Workgroup. Click the Properties button (figure 8).

Figure 8 (fig208)

  4. In the Identification Changes dialog box, select the Domain option (figure 9). Type the name of the internal network domain in the text box under the Domain option. Note that the Full computer name is WIN2K. This is only a host name; there is no domain name. This client will have problems qualifying unqualified requests.

This client will have a primary domain name assigned to it after it joins the domain. Please refer to the ISA Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN Clients for more information about a machine's Primary Domain Name. Click OK.

Figure 9 (fig209)

  5. Type a domain administrator name and password in the Domain Username and Password dialog box (figure 10). Click OK.

Figure 10 (fig210)

  6. You will see a Network Identification dialog box saying Welcome to the domain once you have successfully joined the domain. Click OK (figure 11).

Figure 11 (fig211)

  7. Click OK in the Network Identification dialog box informing you that you must reboot the computer for the changes to take effect (figure 12).

Figure 12 (fig212)

  8. Notice at the bottom of the System Properties dialog box the comment Changes will take effect after you restart this computer. Click OK (figure 13).

Figure 13 (fig213)

  9. Click Yes in the System Settings Change dialog box. This restarts the computer (figure 14).

Figure 14 (fig214)

  10. Log off and then log on again. This time log on with your domain account. Confirm that you are logging on to the domain by checking that the domain appears in the Log on to drop down list box. Use a domain username and password. These credentials log you on to the computer as a domain user. Put a checkmark in the Log on using dial-up connection checkbox so that you connect to the domain through the VPN link (figure 23).

Figure 23 (fig223)

  11. Click the Dial button in the Network and Dial-up Connections dialog box (figure 24). If there is more than one VPN connectoid configured on the computer, click the down arrow on the Choose a network connection drop down list box and select the VPN connection that connects you to the ISA Server firewall/VPN server.

Figure 24 (fig224)

  12. Type your domain User name and Password in the Connect Virtual Private Connection dialog box. Click Connect (figure 25).

 

Figure 25 (fig225)

 

When the desktop appears, the user is logged on and can access any resource on the internal network to which the user has permission. The user is not prompted for credentials when accessing network file shares.

 

When the VPN Client Does Not Belong to the Internal Network Domain

 

The VPN client computer that is not a member of the domain has the following default characteristics:

 

 

The non-domain computer does not have the wide range of options available to the domain member computer. However, you can still take advantage of network browsing on the non-domain member machine. The only requirement is that you make the non-domain member computer a member of a workgroup with the same name as the NetBIOS name of the internal network domain.

 

We recommend you make the following changes to the non-domain member computer:

 

 

Perform the following steps to join the non-domain VPN client machine to a workgroup with the same name as the internal network domain:

 

  1. Log onto the non-domain VPN client computer as an administrator. Right click the My Computer object on the desktop and click the Properties command (figure 25).

Figure 25 (fig301)

  2. In the System Properties dialog box, click on the Network Identification tab. Note that this machine is a member of the WORKGROUP workgroup. The NetBIOS name of the internal network domain we want this client to connect to is INTERNAL, so we want this VPN client machine to join a workgroup named INTERNAL. Click the Properties button (figure 26).

Figure 26 (fig302)

  3. In the Identification Changes dialog box (figure 27), select the Workgroup option and type the NetBIOS name of the domain in the text box under the Workgroup option. Click OK.

Figure 27 (fig303)

  4. Click OK in the Network Identification dialog box welcoming you to the new workgroup (figure 28).

Figure 28 (fig304)

  5. Click OK in the Network Identification dialog box informing you that you must restart your computer (figure 29).

Figure 29 (fig305)

  6. Note on the Network Identification tab that you are informed that Changes will take effect after you restart this computer. Click OK (figure 30).

Figure 30 (fig306)

  7. Click Yes in the System Settings Change dialog box that asks if you want to restart your computer (figure 31).

 

Figure 31 (fig307)

 

 

Log on to the computer as an administrator. The next step is to create or change the primary DNS suffix for the VPN client computer. The primary DNS suffix is appended to all unqualified DNS queries. The internal network domain that this computer connects to is internal.net, so we will change the primary DNS suffix to internal.net.

 

1.       Open the System Properties dialog box and click the Network Identification tab. Note that the machine now belongs to the INTERNAL workgroup. Also note that the Full computer name is WIN2K. We need to add the internal.net domain name to this computer's name. Click the Properties button (figure 32).

 

Figure 32 (fig308)

 

2.       On the Identification Changes dialog box, click the More button (figure 33).

 

Figure 33 (fig309)

 

3.       On the DNS Suffix and NetBIOS Computer Name dialog box (figure 34), type in the domain name of the internal network in the Primary DNS suffix of this computer text box. Make sure the Change primary DNS suffix when domain membership changes checkbox is enabled. This will allow the primary DNS suffix to change if this machine is joined to a domain. Click OK.

 

Figure 34 (fig310)

 

4.       Click OK in the Identification Changes dialog box (figure 35).

 

Figure 35 (fig311)

 

5.       Click OK in the Network Identification dialog box that informs you that you must reboot the computer for the changes to take effect (figure 36).

 

Figure 36 (fig312)

 

6.       Note at the bottom of the Network Identification tab on the System Properties dialog box the comment Changes will take effect after you restart this computer. Click OK (figure 37).

 

Figure 37 (fig313)

 

 

7.       Click Yes on the System Settings Change dialog box (figure 38). The computer will restart and the machine will have the new primary DNS suffix.

 

Figure 38 (fig314)

 

 

Notes on VPN Client Authentication Settings