Browsing over Site to Site VPN

 
 
Casey

 
      07-27-2005, 06:08 AM
Hi there.

I have a Site to Site VPN over L2TP setup as per the following...


WindowsXP1-----<TCP>-------SBS+ISA2004-1======L2TP=====WS2003+ISA2004-2------<TCP>------WindowsXP2


Everything seems set up well.
The SBS and WS2003 are domain controllers (same domain) and are
replicating excellently (including DNS) over the VPN link.

Both servers can ping each other, and I can ping any machine on one side of
the VPN with any machine on the reverse side of the VPN (e.g., ping
WindowsXP1 to WindowsXP2).
However, I have a problem browsing the network.


I can browse (Start, Run, \\servername) to both servers from any workstation
on either side of the VPN, but if I try to browse a workstation on the
opposite side of the VPN (e.g., from WindowsXP1, try to browse \\WindowsXP2) I
get the error "\\WindowsXP2 The network path cannot be found". This is NOT
name resolution, as I cannot browse by IP address either (e.g., \\10.0.0.x).


What could be up with the ISA rules to stop this happening? I have had a
test network set up and working correctly like this before, but I can't
remember what is different... I have changed just about every setting I
could find on the servers and ISA that I could think of!


 
Bill Grant

 
      07-27-2005, 06:28 AM
Browsing is an NT legacy service and is not related to AD or DNS. It
depends on NetBIOS names and the computer browser service.

Browsing segmented networks or WANs usually requires WINS to enable the
browser service to build a network-wide browse list.

 
Casey

 
      07-27-2005, 07:02 AM
Since I am using AD and DNS, why would I then need WINS? (Although both
machines have WINS installed.)

I can resolve the name easily enough (nslookup and ping both work), so why
does it not use this to connect to the remote computer's share? And why does
it work for the servers, but not when going from a workstation in one
segment to a WS in another segment?

How do I tell WINS to enable the browser service to build a network-wide
computer list? Can I tell WINS to get this info from DNS?


 
Bill Grant

 
      07-27-2005, 07:12 AM
DNS should be able to do the name resolution for you, as long as you
have set it up correctly. Can DNS resolve the name correctly? Does "nslookup
servername" give you the correct IP? If not, does it work if you use the
FQDN?

Name resolution and browsing are quite different functions. And the
computer browser service will not use DNS.


 
Michael Giorgio - MS MVP

 
      07-27-2005, 01:06 PM
Downlevel clients? They won't use DNS for name resolution
or to find an SMB (segment master browser) to broadcast its
NetBIOS name in order to appear in the browse list. Browsing
across subnets requires NetBIOS broadcasts e.g., you can't have
anything blocking NetBIOS for starters and you must have at
least 1 DMB (domain master browser) to gather the list from all
segments.

Immediately after a failed attempt or "network path not found"
error, open a DOS prompt and run nbtstat -c. What do you see?
It may not be name resolution, like you said; it may be that something
is blocking NetBIOS.

 
Casey

 
      07-27-2005, 11:04 PM
Yes. DNS can resolve the name correctly.
The 2 servers are domain controllers in the same site, and are using AD to
replicate DNS data. In the case of
WindowsXP1-----<TCP>-------SBS+ISA2004-1======L2TP=====WS2003+ISA2004-2------<TCP>------WindowsXP2

I can resolve WindowsXP2 from WindowsXP1. And ping it! I just can't connect
to a share.
However, I CAN connect to a share on either of the domain controllers. (This
side of the VPN and the other side.)


 
Casey

 
      07-28-2005, 12:06 AM
> Immediately after a failed attempt or "network path not found"
> error open a dos prompt and run nbtstat -c. What do you see?


I tried it from the machine that is in the second subnet, to a machine in
the first subnet. Gandalf is the server name in the first subnet.

I see the following.


NetBIOS Remote Cache Name Table

    Name              Type       Host Address    Life [sec]
------------------------------------------------------------
GANDALF        <20>  UNIQUE          10.0.0.4        525
GANDALF.IVVAUST<52>  UNIQUE          10.0.0.4        197


 
Casey

 
      07-28-2005, 05:36 AM
FIXED

It turns out that the local Windows XP firewall was allowing "localsubnet"
through its Group Policy (and by consequence, disallowing any other traffic
from any other subnets...)

Changed the policy to allow anything from 10.x.x.x and it works like a
dream!


 
Michael Giorgio - MS MVP

 
      07-28-2005, 07:31 PM
When name resolution is correct, it's almost always something
blocking the necessary traffic. Thanks for the update.

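The scope behaviour behind the fix in this thread, as an added example that is not part of any post: a small Python model of how a Windows Firewall exception scope ("*", "localsubnet", or a comma-separated list of addresses and subnets) decides which source addresses are admitted, and how many addresses each scope opens up. The second-site subnet 10.0.1.0/24 and every host address except 10.0.0.4 are constructed for illustration.

```python
import ipaddress

def scope_networks(scope, local_interface):
    """Expand a scope string into networks; None means "any source" ("*").

    local_interface is the firewalled host's own address and prefix,
    which is what "localsubnet" is evaluated against.
    """
    local_net = ipaddress.ip_interface(local_interface).network
    nets = []
    for entry in (e.strip() for e in scope.split(",")):
        if entry == "*":
            return None
        if entry.lower() == "localsubnet":
            nets.append(local_net)
        elif entry:
            # Accepts a single IP, a.b.c.d/len, or a.b.c.d/dotted-mask.
            nets.append(ipaddress.ip_network(entry, strict=False))
    return list(ipaddress.collapse_addresses(nets))

def scope_allows(scope, source_ip, local_interface):
    """True if the scope admits traffic from source_ip."""
    nets = scope_networks(scope, local_interface)
    if nets is None:
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in nets)

def scope_breadth(scope, local_interface):
    """Number of source addresses the scope admits (None for "*")."""
    nets = scope_networks(scope, local_interface)
    return None if nets is None else sum(n.num_addresses for n in nets)

# Constructed topology: WindowsXP2 sits in the second site's subnet.
XP2_INTERFACE = "10.0.1.20/24"
SOURCES = {
    "peer in same subnet": "10.0.1.31",
    "WindowsXP1 across VPN": "10.0.0.25",
    "GANDALF (from the thread)": "10.0.0.4",
    "unrelated 10.x host": "10.200.7.9",
}

def compare(scopes):
    """Map each scope to (breadth, {source label: admitted?})."""
    return {
        s: (scope_breadth(s, XP2_INTERFACE),
            {name: scope_allows(s, ip, XP2_INTERFACE)
             for name, ip in SOURCES.items()})
        for s in scopes
    }

if __name__ == "__main__":
    # Original policy, the fix from the thread, and a tighter alternative.
    for scope, (size, verdicts) in compare(
            ["localsubnet", "10.0.0.0/8", "localsubnet,10.0.0.0/24"]).items():
        print(f"{scope!r}: admits {size} addresses")
        for name, ok in verdicts.items():
            print(f"    {name:28s} {'allow' if ok else 'BLOCK'}")
```

With "localsubnet" the remote-site hosts are blocked even though routing and name resolution work; listing only the two site subnets restores access while admitting far fewer sources than 10.0.0.0/8.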
 
 
 