Configuring VPN Clients to Support Network Browsing
One of the primary reasons to set up a VPN server is to allow VPN clients to access shared resources on the internal network behind the ISA Server firewall/VPN server. There are a number of methods available that allow users to access shared resources on the corporate network. Some of these methods include:
- Mapping a network drive
Users can access network file shares by mapping a network drive to a specific share. The user can map the file share to a drive letter himself, or you can map a file share to a network drive via a logon script.
- Universal Naming Convention Paths using the Run Command
If the user knows the computer name and share name containing the desired files, he can connect to the resource via a Universal Naming Convention (UNC) path. The UNC path is represented as \\Computer_name\Share_name, where Computer_name is the DNS or NetBIOS name of the computer and Share_name is the name of the shared resource on that computer. The UNC path is entered into the Run command dialog box.
- Web browser access to Internet Information Server virtual directories
Network file shares can be mapped to Internet Information Server virtual directories and users may access files in these virtual directories using a Web browser. You can also use the Windows 2000/Windows Server 2003 WebDAV features to increase flexibility in Web based file access.
- Network browsing via Network Neighborhood or My Network Places
The most popular method of accessing file shares is via the My Network Places and Network Neighborhood applets. Users click on the domain name and then click on computer names within the domain. The shared resource is accessed within the contents of the computer name.
This ISA Server 2000 VPN Deployment Kit
document contains information on how to configure ISA Server firewall/VPN
server and VPN client computers to support Network browsing using the My Network Places or Network Neighborhood applets.
Configuring VPN Clients to Support Network Browsing
We will address the following issues in this ISA Server 2000 VPN Deployment Kit document:
- Configuring a WINS infrastructure to support VPN client browsing
- Assigning a WINS server address to VPN clients
- Joining the VPN client to the internal network domain
- Joining the VPN client to a workgroup with the same NetBIOS name as the internal network domain
Installing and Configuring a WINS Server and WINS Clients on the Internal Network
Successful network browsing on networks with multiple subnets depends on several factors:
- The NetBIOS interface (NetBIOS
over TCP/IP or NetBT) must be enabled on all servers you want to appear in
the browse list
- A Windows domain containing a
Primary Domain Controller or PDC emulator
- Machines hosting shared
resources are configured as WINS clients
- At least one WINS server
The details of the Windows Browser Service are beyond the scope of this ISA Server 2000 VPN Deployment Kit document. We recommend that you review the Microsoft TechNet article The Windows NT Browser Service for a better understanding of how the browser service works.
The internal
network to which the VPN connects requires at least one domain controller
running as Primary Domain Controller or PDC emulator. In a Windows 2000 or
Windows Server 2003 domain, the first domain controller in the domain is the
PDC emulator. The PDC emulator collects the browse list information from the
master browsers on each network segment and redistributes the collated results
from all subnets.
You can install a WINS server on any Windows 2000 or Windows Server 2003 machine on the network and configure all the network clients as WINS clients. The WINS clients register their NetBIOS names and IP address(es) with the WINS server. The WINS clients query the WINS server when they need to resolve NetBIOS names. Master browsers on each network segment use the WINS server to resolve the name of the PDC or PDC emulator, and the PDC or PDC emulator uses WINS to resolve the names of the segment master browsers.
WINS is
never installed by default. Perform the following steps on a Windows 2000 or
Windows Server 2003 server on the internal network:
- Click Start and point to Control
Panel. Click on the Add or
Remove Programs command. In the Add
or Remove Programs window, click the Add/Remove Windows Components button (figure 1).
Figure 1
(fig101)

- In the Windows Components dialog box, select the Network Services option in the Components list (figure 2). Click the Details button.
Figure 2
(fig102)

- In the Networking Services dialog box, put a checkmark in the Windows Internet Name Services (WINS)
checkbox (figure 3). Click OK.
Figure 3
(fig103)

- Click Next in the Windows
Components dialog box (figure 4).
Figure 4
(fig104)

- A progress bar appears in the Configuring Components dialog box
as the components are configured (figure 5).
Figure 5
(fig105)

- Click Finish in the Completing
the Windows Components Wizard page (figure 6).
Figure 6
(fig106)

The next
step is to configure the clients as WINS clients. The procedure varies with the
operating system. The following steps work for Windows 2000, Windows XP and
Windows Server 2003 clients:
- Right click the My Network Places object on the
desktop and click the Properties
command (figure 7).
Figure 7
(fig108)

- In the Network Connections dialog box, right click the network
interface that you want to register as a WINS client and click the Properties command (figure 8).
Figure 8
(fig109)

- In the interface Properties dialog box, click the General tab and click the Internet Protocol (TCP/IP) entry
in the This connection uses the
following items list, then click the Properties button (figure 9).
Figure 9
(fig110)

- In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button (figure 10).
Figure 10
(fig111)

- In the Advanced TCP/IP Settings dialog box, click the WINS tab. On the WINS tab (figure 11), click the Add button.
Figure 11
(fig111)

- In the TCP/IP WINS Server dialog box, type in the IP address of the
WINS server in the WINS server
text box (figure 12). Click Add.
Figure 12
(fig113)

- Click OK in the Advanced
TCP/IP Settings dialog box (figure 13)
Figure 13
(fig114)

- Click OK on the Internet
Protocol (TCP/IP) Properties dialog box (figure 14).
Figure 14
(fig115)

- Click Close in the interface Properties
dialog box. (figure 15).
Figure 15
(fig116)

The WINS
client will register its address in the WINS database when you restart the
computer. You can use the nbtstat command
to get the machine to register its address immediately:
- Open a command prompt, type nbtstat -RR and press ENTER. This registers the WINS client’s NetBIOS names in the WINS database (figure 16).
Figure 16
(fig117)

- Now let’s examine the NetBIOS
names the WINS client registered in the WINS database. Click Start and point to Administrative Tools. Click on the
WINS command (figure 17).
Figure 17
(fig118)

- In the WINS console, expand the server name and right click on the Active Registrations node in the left pane of the console (figure 18). Click the Display Records command.
Figure 18
(fig119)

- Click on the Record Owners tab in the Display Records dialog box. Click
the Select Local button (figure
19).
Figure 19
(fig120)

- You can see the WINS database entries in the right pane. Note the INTERNAL [1Bh] WINS database record. This is the record that segment master browsers use to send their browse lists to the PDC or PDC emulator (figure 20).
Figure 20
(fig121)
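The WINS client steps and the nbtstat registration check above can also be done from a script. The following Windows PowerShell example is added here and is not part of the ISA Server 2000 VPN Deployment Kit; it assumes Windows PowerShell 3.0 or later on a client that has NetBT available, and the three addresses and names at the top ($WinsServer, $PdcEmulator, $DomainName) are constructed placeholders. It also checks the browser-service prerequisites listed earlier: NetBT is enabled on the adapter, the client's names reach the Registered state, and the PDC emulator actually holds the domain's [1Bh] domain master browser record.

```powershell
# Added example, not part of the ISA Server 2000 VPN Deployment Kit: scripts the WINS client
# configuration and registration steps and checks the browser-service prerequisites.
# Assumes Windows PowerShell 3.0+ on a client with NetBT available. Placeholder values:
$WinsServer  = '10.0.0.5'    # constructed placeholder: internal WINS server address
$PdcEmulator = '10.0.0.1'    # constructed placeholder: PDC emulator (domain master browser)
$DomainName  = 'INTERNAL'    # NetBIOS name of the internal network domain

# Parse nbtstat name-table output, e.g. "WIN2K          <00>  UNIQUE      Registered".
function Get-NbtNameTable {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s+<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)') {
            New-Object PSObject -Property @{
                Name = $Matches[1]; Suffix = $Matches[2]; Type = $Matches[3]; Status = $Matches[4]
            }
        }
    }
}

# 1. Prerequisite: NetBIOS over TCP/IP must not be disabled on adapters that should appear
#    in the browse list. TcpipNetbiosOptions: 0 = setting from DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($nic in $adapters) {
    if ($nic.TcpipNetbiosOptions -eq 2) {
        Write-Warning "NetBT is disabled on '$($nic.Description)'; it will not register with WINS"
    }
    # 2. Assign the WINS server (equivalent of the WINS tab steps); ReturnValue 0 means success.
    #    Second argument is the secondary WINS server; none is configured here.
    $result = $nic.SetWINSServer($WinsServer, $null)
    if ($result.ReturnValue -ne 0) {
        Write-Warning "SetWINSServer failed on '$($nic.Description)' (code $($result.ReturnValue))"
    }
}

# 3. Release and re-register the client's NetBIOS names with WINS without a reboot.
nbtstat -RR | Out-Null

# 4. Confirm every local name is in the Registered state.
Get-NbtNameTable -Lines (nbtstat -n) |
    Where-Object { $_.Status -ne 'Registered' } |
    ForEach-Object { Write-Warning "$($_.Name)<$($_.Suffix)> is $($_.Status)" }

# 5. Query the PDC emulator's name table (UDP 137 must be allowed to it) and confirm it holds
#    the domain's <1B> name, the record segment master browsers resolve through WINS when they
#    hand their browse lists to the domain master browser.
$dmb = Get-NbtNameTable -Lines (nbtstat -A $PdcEmulator) |
    Where-Object { $_.Name -eq $DomainName -and $_.Suffix -eq '1B' }
if ($dmb) {
    "$DomainName <1B> is registered at $PdcEmulator"
} else {
    Write-Warning "No $DomainName <1B> record at $PdcEmulator; browse lists cannot be collated"
}
```

Run the script from an elevated prompt on the client being registered. A warning from step 5 means the PDC emulator is not acting as domain master browser (or NetBIOS name queries to it are being filtered), in which case per-segment browse lists will never be merged and VPN clients will see an incomplete or empty domain in My Network Places.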

Assigning a WINS Server Address to the VPN Clients
VPN clients
use WINS to resolve NetBIOS names for hosts on the internal network. WINS makes
it possible for VPN clients that are not configured with a primary domain name to resolve the names of computers on the
internal network. There are two ways you can assign VPN clients a WINS server
address:
- Bind a WINS server address to
the internal interface of the ISA Server firewall/VPN server and configure
RRAS to use that interface to assign name server addresses
- Install a DHCP server, create a
DHCP scope, and then configure a DHCP option that assigns a WINS server
address. A DHCP Relay Agent must be installed on the ISA Server
firewall/VPN server
Please
refer to ISA Server VPN Deployment Kit
document Configuring the DHCP Relay
Agent to Support VPN Client TCP/IP Addressing Options for
instructions on how to configure DHCP support for VPN clients.
Please
refer to ISA Server 2000 VPN Deployment
Kit document Configuring the Windows Server
2003 ISA Server 2000/VPN Server for detailed information on how to
configure RRAS to assign WINS server addresses to VPN clients.
When the VPN Client Belongs to the Internal Network Domain
There are
no special configuration requirements when the VPN machine and the user are
members of the internal network domain. The domain member VPN client has the
following features and capabilities:
- The Primary Domain Name of the
computer is set to the internal network domain
- The user has the option to log
onto the machine and network
using Dial-up networking
- The user will be able to browse
to any machine on the internal network domain using My Network Places or Network
Neighborhood
- When the user logs on to the
network via Dial-up networking, the user’s log on credentials are valid on
any domain machine; the user is not challenged for credentials when
accessing network resources
- Log on scripts are delivered to
the user when the user logs onto the computer and the network via Dial-up
Networking
A computer
can be joined to the domain while directly connected to the internal network,
or when it is connected over a VPN link. We recommend that you join the
computer to the domain while it is directly connected to the network. However,
if this is not possible, you can use the following procedure to join the
machine over a VPN connection:
Note:
The ISA Server firewall/VPN server has already been configured according to the
procedures in ISA Server 2000 VPN
Deployment Kit article Configuring the Windows Server
2003 ISA Server 2000/VPN Server. The initial connection is via
PPTP. The VPN client computer can be automatically assigned a certificate via
autoenrollment when it joins the domain. Once the VPN client obtains a
certificate, an L2TP/IPSec connection can be established.
Perform the
following steps to join a computer to the domain over a VPN link:
- Create the Dial-up Networking
VPN connectoid that connects the VPN client computer to the ISA Server
firewall/VPN server. Connect the non-domain member VPN client machine to
the ISA Server firewall/VPN server using this connectoid (figure 6).
Figure 6
(fig206)

- As soon as the VPN link is
established, right click on the My
Computer object on the desktop and click the Properties command (figure 7).
Figure 7
(fig207)

- In the System Properties dialog box, click on the Network Identification tab. Note
the current Full computer name
and Workgroup. Click the Properties button.
Figure 8
(fig208)

- In the Identification Changes dialog box, select the Domain option (figure 9). Type the
name of the internal network domain in the text box under the Domain option. Note the Full computer name is WIN2K. This is only a host name,
there is no domain name. This client will have problems qualifying
unqualified requests.
This client will have a primary domain name assigned to it
after it joins the domain. Please refer to ISA
Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN
Clients for more
information about a machine’s Primary Domain Name. Click OK.
Figure 9
(fig209)

- Type in a domain administrator
name and password in the Domain
Username and Password dialog box (figure 10). Click OK.
Figure 10
(fig210)

- You will see a Network Identification dialog box
saying Welcome to the domain
once you successfully join the domain. Click OK (figure 11).
Figure 11
(fig211)

- Click OK in the Network Identification dialog box informing you that you must reboot the computer for the changes to take effect (figure 12).
Figure 12
(fig212)

- Notice on the bottom of the System Properties dialog box the
comment Changes will take effect
after you restart this computer. Click OK (figure 13).
Figure 13
(fig213)

- Click Yes in the System
Settings Change dialog box. This will restart the computer (figure
14).
Figure 14
(fig214)

- Log off and then log on again. This time log on with your domain account. Confirm that you are logging on to the domain by checking that the domain appears in the Log on to drop-down list box. Use a domain user name and password; these credentials log you on to the computer as a domain user. Put a checkmark in the Log on using dial-up connection checkbox so that you connect to the domain through the VPN link (figure 23).
Figure 23
(fig223)

- Click the Dial button in the Network
and Dial-up Connections dialog box (figure 24). If there is more than
one VPN connectoid configured on the computer, click the down arrow on the
Choose a network connection
drop down list box and select the VPN connection that connects you to the
ISA Server firewall/VPN server.
Figure 24
(fig224)

- Type in your domain User name and Password in the Connect
Virtual Private Connection dialog box. Click Connect (figure 25).
Figure 25
(fig225)

When the desktop appears, the user is logged on and can access any network resources on the internal network that the user has permission to access. The user will not be prompted for credentials when accessing network file shares.
When the VPN Client Does Not Belong to the Internal Network Domain
The VPN
client computer that is not a member of the domain has the following default
characteristics:
- The user logs into the local
machine, not into the domain. The user does not log on using dial-up
networking
- The Primary Domain Name of the
computer is not automatically set to the internal network domain name. The
non-domain client may have no primary domain name, or a primary domain
name that is different from the internal network domain.
- The user will not be able to
browse to machines on the internal network domain using My Network Places or Network Neighborhood
- When the user logs onto the
local machine and then subsequently establishes a VPN connection, the user’s
log on credentials are not valid
on any machine in the internal network domain; the user will be challenged for credentials
when accessing network resources
- Log on scripts are not delivered to the user when the user
establishes the VPN connection after logging onto the local machine
The
non-domain computer does not have the wide range of options available to the
domain member computer. However, you can still take advantage of network
browsing on the non-domain member machine. The only requirement is that you
make the non-domain member computer a member of a workgroup with the same name
as the NetBIOS name of the internal network domain.
We
recommend you make the following changes to the non-domain member computer:
- Join the machine to a workgroup
with the same name as the internal network domain
- Configure the machine with a
primary DNS suffix so that it can resolve unqualified internal network
host names via DNS queries
Perform the
following steps to join the non-domain VPN client machine to a workgroup with
the same name as the internal network domain:
- Log onto the non-domain VPN client computer as an administrator. Right click the My Computer object on the desktop and click the Properties command (figure 25).
Figure 25
(fig301)

- In the System Properties dialog box, click on the Network Identification tab. Note
this machine is a member of the WORKGROUP
workgroup. The NetBIOS name for the internal network domain we want this
client to connect to is INTERNAL.
We want this VPN client machine to join a workgroup named INTERNAL. Click the Properties command (figure 26).
Figure 26
(fig302)

- In the Identification Changes dialog box (figure 27), select the Workgroup option and type the NetBIOS
name of the domain in the text box under the Workgroup option. Click OK.
Figure 27
(fig303)

- Click OK in the Network
Identification dialog box welcoming you to the new workgroup (figure
28).
Figure 28
(fig304)

- Click OK in the Network
Identification dialog box informing you that you must restart your
computer (figure 29).
Figure 29
(fig305)

- Note on the Network Identification tab that
you are informed that Changes will
take effect after you restart this computer. Click OK (figure 30).
Figure 30
(fig306)

- Click Yes in the System
Settings Change dialog box that asks if you want to restart your
computer (figure 31).
Figure 31
(fig307)

Log on to
the computer as an administrator. The next step is to create or change the primary DNS suffix for the VPN client
computer. The primary DNS suffix is appended to all unqualified DNS queries.
The internal network domain that this computer connects to is internal.net, so we will change the
primary DNS suffix to internal.net.
1. Open the System Properties dialog box and click the Network Identification tab. Note that the machine now belongs to the INTERNAL workgroup. Also note that the Full computer name is WIN2K. We need to add the internal.net domain name to this computer’s name. Click the Properties button (figure 32).
Figure 32
(fig308)

2. On the Identification Changes dialog box, click the More button (figure 33).
Figure 33
(fig309)

3. On the DNS Suffix and NetBIOS Computer Name dialog box (figure 34), type in the domain name of the internal network in the Primary DNS suffix of this computer text box. Make sure the Change primary DNS suffix when domain membership changes checkbox is enabled. This allows the primary DNS suffix to change if this machine is later joined to a domain. Click OK.
Figure 34
(fig310)

4. Click OK in the Identification Changes dialog box (figure 35).
Figure 35
(fig311)

5. Click OK in the Network Identification dialog box that informs you that you must reboot the computer for the changes to take effect (figure 36).
Figure 36
(fig312)

6. Note on the bottom of the Network Identification tab on the System Properties dialog box the comment Changes will take effect after you restart this computer. Click OK (figure 37).
Figure 37
(fig313)

7. Click Yes on the System Settings Change dialog box (figure 38). The computer will restart and the machine will have the new primary DNS suffix.
Figure 38
(fig314)
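The workgroup change and the primary DNS suffix change described in the two procedures above can be applied together from an elevated Windows PowerShell prompt. The script below is an added example, not part of the ISA Server 2000 VPN Deployment Kit; it uses the document's own values (workgroup INTERNAL, suffix internal.net), assumes Windows PowerShell 3.0 or later on a non-domain client, and the host name in $TestHostName is a constructed placeholder. The registry values it writes (NV Domain, Domain, SyncDomainWithMembership under the Tcpip\Parameters key) are the ones behind the DNS Suffix and NetBIOS Computer Name dialog box.

```powershell
# Added example, not part of the ISA Server 2000 VPN Deployment Kit: performs the workgroup and
# primary DNS suffix changes from an elevated Windows PowerShell 3.0+ prompt on a non-domain client.
$Workgroup    = 'INTERNAL'      # NetBIOS name of the internal network domain (from the document)
$DnsSuffix    = 'internal.net'  # internal network DNS domain (from the document)
$TestHostName = 'fileserver'    # constructed placeholder: a short internal host name to test

# 1. Join the workgroup named after the internal domain (Identification Changes > Workgroup).
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is a domain member; this procedure is for non-domain clients only"
} elseif ($cs.Workgroup -ne $Workgroup) {
    Add-Computer -WorkgroupName $Workgroup
}

# 2. Set the primary DNS suffix and keep "Change primary DNS suffix when domain membership
#    changes" enabled. 'NV Domain' is the stored value; 'Domain' is the copy TCP/IP reads at boot.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $DnsSuffix
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $DnsSuffix
Set-ItemProperty -Path $tcpip -Name 'SyncDomainWithMembership' -Value 1 -Type DWord

# 3. Show what will be in effect once the machine is restarted (System Settings Change > Yes).
$suffix = (Get-ItemProperty -Path $tcpip).'NV Domain'
"After restart: workgroup $Workgroup, full computer name $($cs.Name).$suffix"
# Restart-Computer   # uncomment to reboot immediately

# 4. After the restart and with the VPN connected: an unqualified name should now be qualified
#    with the suffix and resolved by the DNS server assigned over the VPN link.
function Test-UnqualifiedName {
    param([string]$ShortName)
    try {
        $entry = [System.Net.Dns]::GetHostEntry($ShortName)
        "$ShortName resolved as $($entry.HostName) -> $($entry.AddressList -join ', ')"
    } catch {
        Write-Warning "$ShortName did not resolve; check the primary DNS suffix and the DNS server assigned over the VPN"
    }
}
# Test-UnqualifiedName -ShortName $TestHostName
```

Step 1 and step 2 both require a restart before they take effect, which is why the script only reports the pending state; run Test-UnqualifiedName after the reboot and after the VPN connectoid is connected, since resolution of the now-qualified name still depends on the DNS server address the ISA Server firewall/VPN server hands to the client.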

Notes on VPN Client Authentication Settings
- When testing VPN client connections to internal network resources, confirm that all accounts with the same name have different passwords. If there are duplicate account names (such as “administrator”) in the domain or in the local SAMs of any of the machines, make sure the passwords are different or you may come to spurious conclusions.
- If the local account that the user uses to log onto the VPN client machine has the same user name and password as a domain account on the internal network, then the user will be able to access resources located on a domain controller. The user will not be able to access resources on a member server in the same domain.
- It doesn’t matter if the
non-domain computer user logs on using domain credentials via dial-up networking
to the domain. The credentials used to log onto the local machine will not
be good on the internal network. The VPN client machine must be a domain
member, and the user must log on with domain credentials onto the local
computer.
- If the computer is a member of
the internal network domain and the user logs on to the domain via dial-up
networking, then the user will be able to access network resources with
domain credentials and will not be challenged for credentials. However,
the user will only be able to access resources on the local computer that
is part of his profile folders. The user is not allowed access to other
folders on the local machine while logged in to the domain.