MSMVPS.COM

ISA, firewalls, ISP VPN and other red herrings.

I have an account. We suggested they use an ISP VPN, which is really a private network site-to-site connection, not really a VPN in the traditional sense. The remote office can see the server just fine once I add the route entry route add -p 192.168.9.0 mask 255.255.255.0 192.168.10.254. The main office is 192.168.10.x. The router's private IP is 192.168.10.254. I can also see my application server after I add the same statement from the command prompt.

I add the range 192.168.9.0 to .254 (or .255) in ISA 2004.

The challenge is this. They work from a share on an XP workstation. I goof around for a while with no luck. I also cannot browse the main office from Network Neighborhood. I download the XP Tools from Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyID=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en Fuzzy recollection here: I think I entered netdiag -status to see which machine was acting as the browse master. I turn off the Computer Browser service on all the remote workstations. I can now see all the machines at the main office, but I cannot see the shares on the important machine or on a test machine.

We discovered that if we make a VPN connection to the public name of the server first, we can see the shares on the XP workstation.

We call Microsoft and describe the situation. Unfortunately we used the term VPN to describe the ISP-provided private network. "We" means that I was not the only person on the call. (Not really relevant, but I did not want you to think I have a split personality.) I tried real hard on numerous occasions to get Microsoft to stop focusing on that ISP VPN. They wanted me to do stuff in ISA to terminate the VPN connection that was not really a VPN connection. They do some network tracing and the last comment is "That is odd. That connection is being dropped rather abruptly." A slight paraphrase, but that was the gist of it. I sent the traces off. My support person was ready to go home, as was I. I start the call again the next day with a different tech. Once again we are off on a tangent with the VPN in ISA.

I get some wild hair idea to look for firewall settings. I see no Trend firewall running, which is good from a troubleshooting perspective. I discover that you can turn on logging in the XP firewall. I make a connection from the remote office and I see it in the log being blocked. I make the VPN connection, or I try from a computer inside the main office, and it goes right through. So now I have a strong suspicion that the XP firewall is the problem. I see nowhere in XP to change the setting to allow traffic from the remote office network.

I Google "xp firewall group policy" and get this: http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2apa.mspx Inside it is this excerpt:

Scope

The Scope parameter specifies the addresses from which the traffic is allowed. Type * to specify traffic originating from any source IPv4 address or a comma separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:

Note This command is shown on multiple lines for better readability; enter them as a single line.

LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24
I open the group policy editor and make a new group policy called XP Firewall Remote networks. If I screw things up it is real easy to delete what I did. Once I added the remote network I ran gpupdate /force on my test machine. I could now see the shares on my test machine. Later that night I did the gpupdate /force on the machine I needed to get to, and it now works.

Sorry for the weird wide entries. When I pasted the Microsoft excerpt everything started getting way too wide.
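As an added illustration (not code from this post or from Microsoft), here is a small Python model of how a Scope list in the format quoted above is evaluated. It assumes, as in the post, that the main office workstation sits on 192.168.10.0/24 (so that is its LocalSubnet) and the remote office is 192.168.9.0/24, and it shows why a file sharing exception scoped to LocalSubnet alone drops remote-office traffic until 192.168.9.0/24 is added to the scope.

```python
import ipaddress

# Constructed values from the post: the main office LAN is the XP workstation's
# local subnet; the remote office reaches it over the ISP's private link.
LOCAL_SUBNET = ipaddress.IPv4Network("192.168.10.0/24")
REMOTE_OFFICE = ipaddress.IPv4Network("192.168.9.0/24")


def parse_scope(scope, local_subnet=LOCAL_SUBNET):
    """Turn a Windows Firewall Scope string into a list of IPv4 networks.

    Accepts '*' (any source) or a comma separated list of LocalSubnet,
    single addresses, address/dotted-mask and address/prefix-length.
    An address inside a range (10.47.81.231/24) means the same range as
    its network ID (10.47.81.0/24), exactly as the Microsoft text says.
    """
    scope = scope.strip()
    if scope == "*":
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    nets = []
    for item in scope.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower() == "localsubnet":
            nets.append(local_subnet)
        else:
            # strict=False accepts host bits, so 10.7.14.9/255.255.255.0
            # and 172.16.31.11/24 collapse to their network IDs.
            nets.append(ipaddress.IPv4Network(item, strict=False))
    return nets


def matching_range(source_ip, scope, local_subnet=LOCAL_SUBNET):
    """Return the first scope range containing source_ip, or None if blocked."""
    addr = ipaddress.IPv4Address(source_ip)
    for net in parse_scope(scope, local_subnet):
        if addr in net:
            return net
    return None


def is_allowed(source_ip, scope, local_subnet=LOCAL_SUBNET):
    """True when the firewall exception would let source_ip reach the share."""
    return matching_range(source_ip, scope, local_subnet) is not None


if __name__ == "__main__":
    # A remote-office client: blocked by LocalSubnet, allowed once the range is added.
    print(is_allowed("192.168.9.20", "LocalSubnet"))                  # False
    print(is_allowed("192.168.9.20", "LocalSubnet," + str(REMOTE_OFFICE)))  # True
```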
Posted May 15 2006, 11:16 PM by jim


