We've recently rolled out Windows XP SP2 to our remote users and have enabled the XP Firewall on all network connections, including the VPN connection to the main office.
We are now experiencing problems wherein users can't access PCs on the remote domain by name, only by IP address, when connected via VPN. Turning off the XP Firewall for the VPN immediately solves this problem - so the issue appears to be with DNS lookup through the XP Firewall.
Is there a way to add an exception to the firewall to allow these lookups? File and Print Sharing is enabled on all Firewall entries and incoming ICMP exceptions are enabled.
I'm a little baffled as to why this setup doesn't work, but would be grateful for any advice from somebody with more experience of Firewalls! Am I wrong to try and firewall the VPN connection in the first place?
My solution, on a small SOHO LAN, is to use a host file on my remote PC to map IP addresses to a name. Note this is a work group environment. Hopefully one of the other MVPs or another knowledgeable person can be of further assistance...
-- Al Jarvi (MS-MVP Windows Networking)
Please post *ALL* questions and replies to the news group for the mutual benefit of all of us... The MS-MVP Program - http://mvp.support.microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights...
"Richard Tubb" <rich...@netlinktrading.co.uk> wrote in message
> We've recently rolled out Windows XP SP2 to our remote users and have enabled the XP Firewall on all network connections, including the VPN connection to the main office.
> We are now experiencing problems wherein users can't access PCs on the remote domain by name, only by IP address, when connected via VPN. Turning off the XP Firewall for the VPN immediately solves this problem - so the issue appears to be with DNS lookup through the XP Firewall.
> Is there a way to add an exception to the firewall to allow these lookups? File and Print Sharing is enabled on all Firewall entries and incoming ICMP exceptions are enabled.
> I'm a little baffled as to why this setup doesn't work, but would be grateful for any advice from somebody with more experience of Firewalls! Am I wrong to try and firewall the VPN connection in the first place?
Richard Tubb wrote:
> We've recently rolled out Windows XP SP2 to our remote users and have enabled the XP Firewall on all network connections, including the VPN connection to the main office.
> We are now experiencing problems wherein users can't access PCs on the remote domain by name, only by IP address, when connected via VPN. Turning off the XP Firewall for the VPN immediately solves this problem - so the issue appears to be with DNS lookup through the XP Firewall.
My guess is that this is not a DNS problem, but a NetBIOS one. DNS lookups are not blocked by Windows Firewall.
Maybe you should check that the "scope" of the File & Print Sharing Exception in Windows Firewall includes explicitly: (a) the subnets in use in your office LAN; (b) the subnet ranges you allocate for VPN connections.
Do not rely on the default "My network (subnet) only" scope.
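The scope check suggested in the reply above, as an added example that is not part of any post in this thread: it tests whether a File and Print Sharing scope list covers subnets (a) and (b), then builds an explicit custom scope in the address-list syntax that `netsh firewall` accepts on XP SP2. All subnet values are constructed, the function names are hypothetical, and the host mask on the VPN adapter is an assumption.

```python
import ipaddress

def parse_scope(scope, local_subnets=()):
    """Expand a comma-separated firewall scope list into networks.

    Entries may be addr, addr/prefix, addr/dotted-mask or the keyword
    LocalSubnet, which stands for the subnets of the PC's own adapters.
    """
    nets = []
    for item in (s.strip() for s in scope.split(",")):
        if not item:
            continue
        if item.lower() == "localsubnet":
            nets += [ipaddress.ip_network(s, strict=False) for s in local_subnets]
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def uncovered(required, scope, local_subnets=()):
    """Return the required subnets that no single scope entry contains."""
    allowed = parse_scope(scope, local_subnets)
    return [r for r in required
            if not any(ipaddress.ip_network(r, strict=False).subnet_of(a)
                       for a in allowed)]

def netsh_command(required):
    """Build the XP SP2 netsh line that sets an explicit custom scope."""
    addrs = [ipaddress.ip_network(r, strict=False).with_netmask for r in required]
    return ("netsh firewall set service type=FILEANDPRINT mode=ENABLE "
            "scope=CUSTOM addresses=" + ",".join(addrs + ["LocalSubnet"]) +
            " profile=ALL")

# Constructed sample values, not taken from the thread.
REQUIRED = ["192.168.10.0/24",   # (a) office LAN subnet
            "10.8.0.0/24"]       # (b) range handed out to VPN clients
LOCAL = ["192.168.1.0/24",       # remote user's home LAN
         "10.8.0.25/32"]         # VPN adapter, assumed to get a host mask

if __name__ == "__main__":
    print("default scope misses:", uncovered(REQUIRED, "LocalSubnet", LOCAL))
    cmd = netsh_command(REQUIRED)
    print(cmd)
    fixed = cmd.split("addresses=")[1].split(" ")[0]
    print("custom scope misses:", uncovered(REQUIRED, fixed, LOCAL))
```

With these sample values the default "My network (subnet) only" scope covers neither the office LAN nor the VPN range, while the generated custom list covers both.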
Richard Tubb wrote:
> I'm a little baffled as to why this setup doesn't work...
I agree with Robin's explanation, but think you should try to fix the VPN first.
If you investigate, you will likely find that name resolution through DNS never worked -- because your VPN connection doesn't push the internal DNS servers and/or the correct DNS suffix to the clients. When it worked, the resolution was working through NetBIOS broadcasts.
Getting DNS to work over the VPN would be preferable for the long term. If not possible, Robin's suggestions should restore the service as well.
> We've recently rolled out Windows XP SP2 to our remote users and have enabled the XP Firewall on all network connections, including the VPN connection to the main office.
> We are now experiencing problems wherein users can't access PCs on the remote domain by name, only by IP address, when connected via VPN. Turning off the XP Firewall for the VPN immediately solves this problem - so the issue appears to be with DNS lookup through the XP Firewall.
> Is there a way to add an exception to the firewall to allow these lookups? File and Print Sharing is enabled on all Firewall entries and incoming ICMP exceptions are enabled.
> I'm a little baffled as to why this setup doesn't work, but would be grateful for any advice from somebody with more experience of Firewalls! Am I wrong to try and firewall the VPN connection in the first place?
You should not enable Internet Connection Firewall on virtual private networking (VPN) connections, which are typically used to securely log in to a corporate network. You should not enable ICF on client computers that are part of a large company or school network with a server-client structure. ICF will interfere with file and printer sharing in these scenarios.