
Re: [FW-1] VPN Pool NAT



Steve,

I originally disabled my clients from becoming browser masters to force them
to go to the domain master browser to get the browse list. The clients do get
the list of NT domains, but some populate with the machine names and some say
they are not available when you click; I have yet to find any commonality to
this. I agree whoever invented most of the MS networking should lose more
than their options; I guess they did extensive testing on their single LAN
lab!

thanks

Mark
----- Original Message -----
From: "Steve McNutt" <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 25, 2002 1:58 AM
Subject: Re: [FW-1] VPN Pool NAT


Believe what you will.  However, there is a relationship, however
tenuous, between browser as implemented in NBT (NETBIOS over TCP/IP) and
WINS.

Without getting too deep into the details and order of operations, a
host, if it does not find a browsemaster on its local subnet for its
domain/workgroup, will become browsemaster and query WINS for a NETBIOS
1B record, which is a domain master browser. In NT land, this is always
the PDC. Once it retrieves the IP address of the domain master browser
from WINS, the new browsemaster will contact the PDC and let it know it
is a browsemaster and that the PDC should request a list of hosts from
it.  The browsemaster will also retrieve a list of all hosts in the
domain and a list of all domains/workgroups from the PDC.

The PDC for its part checks the WINS database every so often looking for
other 1B records besides its own; this is how the PDC discovers other
domains.  It also polls all of the browsemasters for the list of hosts
on their respective subnets, and merges them into one big list.  Thus
the PDC learns about all of the hosts in its domain, all domains on the
network, and passes this information to the browsemasters it serves.

If you want to assure maximum probability of success with browsing
remote networks using VPN client software, it is vital that the client
belong to a workgroup/domain that has a 1B record in the WINS database,
and is configured to be a potential browsemaster.  My own personal
opinion is that browser is a terrible protocol and the guy that devised
it should have had his stock options taken away :-).

-s
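A worked illustration of the WINS lookup Steve describes, added here as an example rather than code from the thread: it first-level encodes DOMAIN<1B>, builds the NBT name query a prospective browsemaster sends to WINS, and parses the reply, which is the check an administrator can use to confirm that the domain a VPN client belongs to actually has a 1B record. The packets are constructed samples, not captured traffic, and CORP and 10.0.0.5 are placeholders.

```python
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001
DOMAIN_MASTER_BROWSER = 0x1B   # suffix of the WINS record the text refers to


def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: pad the name to 15 chars, append the
    suffix byte, then emit each nibble of every byte as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_wins_query(name, suffix, txid=0x1234):
    """Unicast NBT name query (RFC 1002 4.2.12) as sent to WINS on UDP/137:
    flags 0x0100 = standard query, recursion desired; one NB/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack(">HH", NB_TYPE, IN_CLASS)


def parse_wins_response(pkt):
    """Parse a name query response (RFC 1002 4.2.13/4.2.14) into
    (name, suffix, [ip, ...]). An empty list means a negative response:
    for a <1B> query, no domain master browser is registered for that domain."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    name, suffix = decode_netbios_name(pkt[13:45])   # skip the 0x20 length byte
    if flags & 0x000F or an == 0:                    # RCODE != 0 or no answer
        return name, suffix, []
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    rdata = pkt[56:56 + rdlen]                       # 6-byte ADDR_ENTRY records
    ips = [".".join(str(b) for b in rdata[i + 2:i + 6])   # 2 NB_FLAGS + 4 IP
           for i in range(0, rdlen, 6)]
    return name, suffix, ips


# Constructed samples (not captured traffic): CORP<1B> at 10.0.0.5, and a
# NAM_ERR (RCODE 3) reply for a domain that WINS holds no 1B record for.
_RR = b"\x20" + encode_netbios_name("CORP", DOMAIN_MASTER_BROWSER) + b"\x00"
POSITIVE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0) + _RR
                     + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300000, 6)
                     + b"\x60\x00" + bytes([10, 0, 0, 5]))   # unique, H-node
NEGATIVE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8583, 0, 0, 0, 0) + _RR
                     + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 0, 0))
```

Sending `build_wins_query(...)` to a WINS server over UDP/137 and feeding the reply to `parse_wins_response` answers the question Steve raises: an empty address list means the VPN client's domain has no 1B record and remote browsing cannot work.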

-----Original Message-----
From: David Gillett [mailto:[email protected]]
Sent: Monday, June 24, 2002 7:38 PM
To: [email protected]
Subject: Re: [FW-1] VPN Pool NAT

  No matter how many people seem to think so, I do not believe that
browsing and WINS are related, at least to the extent that getting one
to work makes much difference to the other.  (For one thing, WINS is
IP specific, browsing should work over/with IP, IPX, and NetBEUI.  You
can have machines show up in the browse list, with whom you cannot
connect for lack of a common transport protocol.)

  A browse client obtains the browse list from a browse master.  The
browse master (a) is on the same subnet as the client, and (b) is a
member of the same workgroup/domain as the client.
  That (b) is important!  For NT/2K(/XP?), the domain could be either
the one that the machine is part of, or the one that the current user is
logged in to.  For 95/98(/ME?), it's the domain/workgroup specified in
the "Identification" tab of the machine's network settings.

David Gillett

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Mark
> Ward
> Sent: Monday, June 24, 2002 5:15 AM
> To: [email protected]
> Subject: [FW-1] VPN Pool NAT
>
>
> I am trying to get this working with Netbios for windows stuff. I have
> added the netbios_nat (true) to my objects.C and it does not work.
> However my VPN NAT Pool addresses are part of my encryption domain, is
> this correct? With the netbios_nat off I can browse some domains but
> not others. My WINS servers have my real IP address from my SDL
> supplier.
>
>
> Has anybody got browsing with SecureClient and VPN NAT Pool working?
>
> mapping drives, net views etc work fine
>
>
> thanks
>
> Mark

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================