VPN client name resolution

The most common problem reported with a VPN client is “I cannot browse the remote network”. If you think about the need to browse over a VPN connection, you quickly realize it is seldom necessary at all. You are using a VPN to access a known remote resource whose location is well documented. It can easily be accessed using the IP address or computer name.


 


Within the confines of a LAN, NetBIOS name broadcasts are the primary method for registering and resolving names for browsing purposes. Because broadcast packets are not routable, they are not forwarded over the VPN, and thus browsing is not possible. With the exception of a few routers offering services to forward NetBIOS information over the VPN tunnel, the only possibility for browsing the remote network is using two WINS servers as outlined in option 3 below.


 


There are numerous ways to access a remote machine, as listed below. All will work; however, for the simplest and most reliable solution, use the IP address. If you want to access a remote network using names, by choice or because the resource is on a device with a dynamic IP, I would recommend you jump to the last option and use DNS.


 


  1. IP address
  2. LMHOSTS files  (HOST Files)
  3. WINS (Windows Internet Name Service)
  4. DNS (Domain Name Service)

 


1) Most often the resource is located on a server with a static IP, and therefore it can easily be accessed using a combination of the machine IP and the share name, such as \\192.168.123.123\ShareName. This is very simple, reliable, and does not rely on other services or applications. Should you need to map a drive, that too can be easily done at a command line or in a script using   Net Use Z: \\192.168.123.123\ShareName


 


2) Assuming again the remote device is using a static IP, dependable name resolution to allow access such as \\ServerName\ShareName can be done with the LMHosts file. Located in the %systemroot%\system32\drivers\etc folder, the LMHosts file is a list stored on the local computer, basically mapping NetBIOS (computer) names to IP addresses. Though this works extremely well, it requires maintaining an updated name/IP list. There is also the Hosts file, which is similar, but it is intended for DNS Fully Qualified Domain Names rather than NetBIOS names. The LMHosts file is a simple text file, but it has very specific configuration rules. See the following Microsoft documents for details:
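Separately from those documents, here is a small linter for the mistakes that most often break an LMHosts entry; it is an added example, not part of the original article or any Microsoft tool. It assumes the basic entry layout (IPv4 address, then a NetBIOS name of at most 15 characters, then optional #PRE and #DOM: keywords); the function name lint_lmhosts and all sample names and addresses are constructed for illustration.

```python
import ipaddress
import re

ENTRY = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')
MAX_NAME = 15  # a NetBIOS name is 16 bytes; the last one is the service type

def lint_lmhosts(text):
    """Return (entries, findings): a name-to-IP map and [(line, message)] problems."""
    entries, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a directive such as #INCLUDE
        m = ENTRY.match(line)
        if not m or m.group(2).startswith("#"):
            findings.append((lineno, "expected '<IPv4 address> <NetBIOS name>'"))
            continue
        ip, name, rest = m.groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append((lineno, f"invalid IPv4 address: {ip}"))
            continue
        if not name.startswith('"') and len(name) > MAX_NAME:
            findings.append((lineno, f"name longer than {MAX_NAME} characters: {name}"))
            continue
        for token in rest.split():
            if token == "#PRE" or (token.startswith("#DOM:") and len(token) > 5):
                continue  # recognised keyword
            if token.startswith("#"):
                break  # everything after any other '#' is a trailing comment
            findings.append((lineno, f"unexpected text after name: {token}"))
        key = name.strip('"').upper()  # names are compared case-insensitively here
        if entries.setdefault(key, ip) != ip:
            findings.append((lineno, f"{key} already mapped to {entries[key]}"))
    return entries, findings

# Constructed sample: every address, name and domain below is a placeholder.
SAMPLE = """\
192.168.123.123   FILESRV01        #PRE
192.168.123.10    DC01             #PRE #DOM:MYDOMAIN
192.168.123.300   PRINTSRV                      # typo in the address
192.168.123.20    fileserver01.mydomain.local   # FQDN: belongs in Hosts
192.168.123.124   filesrv01                     # conflicts with line 1
"""

if __name__ == "__main__":
    for lineno, message in lint_lmhosts(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```

Run it against a copy of the client's LMHosts file before distributing it; the fourth sample line shows the Hosts-versus-LMHosts mix-up described above.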



 


3) If you have a WINS server located at the RRAS server site, it can be used for dynamic NetBIOS name resolution (i.e. it does not rely on static IPs). In order to do so, the VPN client needs two options configured.


    • The client must be assigned the WINS server IP address. This can be done manually on the client, or assigned through DHCP by the RRAS server. If using DHCP, the RRAS server will not supply the WINS address from the DHCP scope options. The WINS server IP must be assigned to the RRAS server’s network adapter, and it will then be inherited by the VPN client when it connects.
    • On the VPN client’s network adapter, under TCP/IP properties, advanced, WINS, you also need to enable NetBIOS over TCP/IP.

 WINS is also your only option for browsing the remote network. In order for this to work, you will need replicating WINS servers configured at both ends of the VPN tunnel. Browsing is still not 100% reliable using the two WINS server option.



 


4) All Windows 2000 and 2003 Active Directory environments have DNS configured. Thus, for name resolution of devices with dynamic IPs, it is generally the best bet. Again, there are two requirements for using DNS:


    • Like WINS, the client must be assigned the DNS server IP address. This can be done manually on the client, or assigned through DHCP by the RRAS server. Once again, if using DHCP, the RRAS server will not supply the DNS address from the DHCP scope options. The DNS server IP must be assigned to the RRAS server’s network adapter, and it will then be inherited by the VPN client when it connects.
    • On the VPN client’s network adapter, under TCP/IP properties, advanced, DNS, you also need to add the domain DNS suffix, such as MyDomain.local in the “DNS suffix for this connection” box.


 


Hopefully at least one of these options will assist you with name resolution using your VPN client.

5 thoughts on “VPN client name resolution”

  1. V informative notes, thanks!

    On the brute force method, using plain IP, does this assume then that there are no conflicts, ie same IP on the local and remote networks? ( for clarification, that would not be a problem if they use different subnets – 192.168.2.x and 192.168.5.x – but would be if both are on 2 say )

  2. Correct. Both client and host sites must use different subnets. If they are the same, none of the above solutions will help, as that is a routing issue, not a name resolution issue.

  3. Hi.
    A lot of thanks for this informative effort..
    I am trying to connect three laptops through internet over vpn for the purpose of multiplayer gaming and file sharing, etc, while all three systems are supposed to be logged on by administrator users present and using those systems (like as sharing files and networking in LAN)..
    but the problem occurs where in win7 client vpn configuration, it requires host computer’s IP address, which is not static or its name.. while on providing the name of host system the windows tries to connect, shows: verifying username and password, then: port open, then: connecting via WAN Miniport (PPTP)..,

    then

    error 868 “unable to resolve host name… etc”

    or if I provide an IP address, got from http://www.whatismyip.com, it shows: verifying username and password, then: port open, then: connecting via WAN Miniport (PPTP)..

    and then

    error 800 “…because the attempted vpn tunnels failed…”

    so, I couldn’t connect successfully…
    any suggestion will be highly appreciated..!!

    thanx

  4. Hello Abidi.

    This is really outside of the scope of the article, but I would do your initial setup and testing using the current IP, and once configured you will need to subscribe to a DDNS (Dynamic Domain Name service) to access the PC at anytime regardless of IP changes. http://www.no-ip.com and http://www.dyndns.com offer this service for free.

    The current 868 error issue is as it states, it cannot resolve the FQDN, but more importantly the 800 error you are receiving when accessing with the IP means absolutely no ‘handshaking’ is taking place. In other words your connection is completely blocked. This can be due to the wrong IP, no port forwarding configured, or the ISP blocking the port. The first step would be to confirm the VPN works by connecting from the same LAN. You can then deal with router forwarding, ISPs etc. The following site may be helpful in confirming the proper configuration of host and client, though it doesn’t deal with port forwarding.

    Best of luck with your project.
