Expanding Windows NT domain logon validation and network browsing through IPsec tunnels.



The symptoms :

You have set up your Win9x workstation with PGPnet or another Win32 IPsec package to connect to your LAN, and you can't browse your network or even log on to your NT domain?

You have connected two LANs with a pair of FreeS/WAN IPsec gateways, and the workstations on each LAN can't see each other through network browsing?

And you don't understand why, because everyone can ping each other?

I will explain what doesn't work, why it doesn't, and what you can do to make it work.



The problem :

Logon validation and network browsing are basically done via broadcasts on Microsoft networks.

When you are on your LAN and type your username and password to log on, your workstation sends a broadcast asking a domain controller to respond to your request.

The same process occurs when you try to browse the network: your workstation sends a broadcast to reach a master browser on your local LAN.

The key concept to understand here is that broadcasts do NOT get through any router.

There is not a single difference between expanding NT domains across routers and expanding them across IPsec tunnels.

Both are routing devices that block all broadcasts, and with them your logon and browsing requests.



The solution :

Microsoft solved that problem with the WINS server.

When you configure your NT domain with a WINS server on your LAN, and configure your workstations to use it (via DHCP or manually), logon validation and network browsing are done via a point-to-point (unicast) process instead of broadcasts.

A WINS server is a bit like a DNS server, but it dynamically "learns" the IP addresses behind the NetBIOS names of the workstations configured to use it. It also knows the IP addresses of all domain controllers and master/backup browsers.

So you have to configure your road warriors or remote-LAN workstations to use that WINS server.
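As an added illustration, not part of the original howto, the following Python builds and parses the NetBIOS Name Service query a workstation sends for DOMAIN<1C> (the group name of the domain controllers) and checks whether a given query would make it through the tunnel: the broadcast form (B flag set, destination 255.255.255.255 or the subnet broadcast) is stopped at the router or IPsec gateway, while a unicast query to a WINS server inside the protected subnet is routed. The domain name CORP, the transaction ids and the 192.168.0.0/24 protected subnet are assumed values; the WINS address 192.168.0.30 is the one from the example below.

```python
import ipaddress
import struct

NBNS_PORT = 137            # NetBIOS Name Service runs over UDP/137
FLAG_RD = 0x0100           # recursion desired, set on every name query
FLAG_B = 0x0010            # "B" bit: the query was broadcast instead of sent to a WINS server
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001
SUFFIX_DOMAIN_CONTROLLERS = 0x1C     # DOMAIN<1C>: group name registered by every domain controller
SUFFIX_DOMAIN_MASTER_BROWSER = 0x1B  # DOMAIN<1B>: the domain master browser

def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001, section 14.1): 15 characters space-padded plus
    the suffix byte, each byte split into two nibbles written as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + half + b"\x00"      # label length 32, encoded name, root label

def decode_netbios_name(label):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    half = label[1:33]
    raw = bytes(((half[i] - 0x41) << 4) | (half[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(name, suffix, txid, broadcast):
    """NBNS NAME QUERY REQUEST: 12-byte header (QDCOUNT=1) followed by one question."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)

def parse_name_query(pkt):
    txid, flags = struct.unpack(">HH", pkt[:4])
    name, suffix = decode_netbios_name(pkt[12:46])
    return {"txid": txid, "broadcast": bool(flags & FLAG_B), "name": name, "suffix": suffix}

def reaches_remote_lan(pkt, dst_ip, protected_subnet):
    """True if the query can get through the IPsec tunnel to the protected subnet.
    Broadcasts (B bit, limited or directed broadcast address) stop at the router or
    gateway; a unicast query only rides the tunnel if its destination lies inside the
    protected subnet, which is why the WINS server has to live there."""
    net = ipaddress.ip_network(protected_subnet)
    dst = ipaddress.ip_address(dst_ip)
    broadcast_dst = dst == ipaddress.ip_address("255.255.255.255") or dst == net.broadcast_address
    return not parse_name_query(pkt)["broadcast"] and not broadcast_dst and dst in net

if __name__ == "__main__":
    # Constructed values: domain CORP, WINS server 192.168.0.30 as in the howto, /24 assumed
    bcast = build_name_query("CORP", SUFFIX_DOMAIN_CONTROLLERS, 0x1234, broadcast=True)
    wins = build_name_query("CORP", SUFFIX_DOMAIN_CONTROLLERS, 0x1235, broadcast=False)
    print("broadcast DC lookup crosses tunnel:", reaches_remote_lan(bcast, "255.255.255.255", "192.168.0.0/24"))
    print("WINS DC lookup crosses tunnel:", reaches_remote_lan(wins, "192.168.0.30", "192.168.0.0/24"))
```

On the wire, a capture on the tunnel endpoint showing name queries with flags 0x0110 (B bit set) going to a broadcast address is the signature of a workstation that is still in broadcast mode rather than using WINS.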



Example :

My laptop connects to the Internet via a modem and uses PGPnet to establish a tunnel to my corporate LAN.

My domain controller is also a WINS server, and all local workstations are configured to use it.

Now I want to logon to my NT domain and browse the network.

My primary WINS server IP address is 192.168.0.30

My secondary WINS server IP address is 192.168.0.31

My Microsoft Network configuration : (screenshot not included in this copy)

My dial-up entry configuration : (screenshot not included in this copy)

My logon sequence :

  1. I boot my laptop.

  2. I cancel at the logon screen.

  3. I connect to the internet with my DUN entry.

  4. I enter my username and password (the tunnel is established at that time).

  5. I'm logged in ;).



NOTES :

The WINS server must be on the same network as the protected subnet.

Your domain controller(s) must be configured to use the WINS server in their TCP/IP parameters.