Problem with DNS Lookup behind XP Firewall

Richard Tubb

Hi,

We've recently rolled out Windows XP SP2 to our remote users and have
enabled the XP Firewall on all network connections, including the VPN
connection to the main office.

We are now experiencing problems wherein users can't access PCs on the
remote domain by name, only by IP address, when connected via VPN. Turning
off the XP Firewall for the VPN immediately solves this problem - so the
issue appears to be with DNS lookup through the XP Firewall.

Is there a way to add an exception to the firewall to allow these lookups?
File and Print Sharing is enabled on all Firewall entries and incoming ICMP
exceptions are enabled.

I'm a little baffled as to why this setup doesn't work, but would be grateful
for any advice from somebody with more experience of Firewalls! Am I wrong
to try and firewall the VPN connection in the first place?

Regards,

Richard Tubb.
www.netlinktrading.co.uk
 
Sooner Al

My solution, on a small SOHO LAN, is to use a host file on my remote PC to map IP addresses to a
name. Note this is a work group environment. Hopefully one of the other MVPs or another
knowledgeable person can be of further assistance...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
Robin Walker

Richard said:
We've recently rolled out Windows XP SP2 to our remote users and have
enabled the XP Firewall on all network connections, including the VPN
connection to the main office.

We are now experiencing problems wherein users can't access PC's on
the remote domain by name, only by IP address, when connected via
VPN. Turning off the XP Firewall for the VPN immediately solves this
problem - so the issue appears to be with DNS lookup through the XP
Firewall.

My guess is that this is not a DNS problem, but a NetBIOS one. DNS lookups
are not blocked by Windows Firewall.

Maybe you should check that the "scope" of the File & Print Sharing
Exception in Windows Firewall includes explicitly:
(a) the subnets in use in your office LAN;
(b) the subnet ranges you allocate for VPN connections.

Do not rely on the default "My network (subnet) only" scope.
 
Chris Priede

Richard said:
I'm a little baffled as why this setup doesn't work...

I agree with Robin's explanation, but think you should try to fix the VPN
first.

If you investigate, you will likely find that name resolution through DNS
never worked -- because your VPN connection doesn't push the internal DNS
servers and / or the correct DNS suffix to the clients. When it worked, the
resolution was working through NetBIOS broadcasts.

Getting DNS to work over the VPN would be preferable for the long term. If
not possible, Robin's suggestions should restore the service as well.
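
The checks suggested in the two replies above (Robin Walker's and Chris Priede's), as an added example that is not part of the original thread: a batch file for an XP SP2 client that separates the DNS path from the NetBIOS path and then widens the File and Print Sharing exception scope. The subnets, host name and DNS suffix are placeholders to replace with your own values.

```batch
@echo off
rem Added example, not from the thread. Run on the XP SP2 client while the VPN is up.
rem All four values below are placeholders (assumptions), not values from the thread.
setlocal
set OFFICE_LAN=192.168.1.0/255.255.255.0
set VPN_POOL=10.8.0.0/255.255.255.0
set TESTHOST=fileserver01
set DNS_SUFFIX=corp.example

rem 1. Check what the VPN adapter was given: look at "DNS Servers" and
rem    "Connection-specific DNS Suffix" under the PPP/VPN adapter entry.
ipconfig /all

rem 2. DNS path: resolve the fully qualified name, then the short name.
rem    If only the FQDN resolves, the DNS suffix is not being pushed to the client.
rem    If neither resolves, the client is not using the internal DNS servers.
nslookup %TESTHOST%.%DNS_SUFFIX%
nslookup %TESTHOST%

rem 3. NetBIOS path: query the remote machine's NetBIOS name table by name.
rem    "Host not found" here while step 2 also fails means names were only
rem    ever being resolved by NetBIOS broadcast.
nbtstat -a %TESTHOST%

rem 4. Show the current service exceptions and their scope before changing anything.
netsh firewall show service

rem 5. Replace the default local-subnet scope of the File and Print Sharing
rem    exception with an explicit list: the office LAN and the VPN address pool.
netsh firewall set service type=fileandprint mode=enable scope=custom addresses=%OFFICE_LAN%,%VPN_POOL% profile=all

rem 6. Confirm the new scope was applied.
netsh firewall show service
endlocal
```

Keep the custom scope limited to the subnets you actually route over the VPN; `scope=all` would expose file sharing on every interface the exception applies to.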
 
Guest

Hi Richard,

XP firewall should not be activated on a VPN connection; it interferes with
sharing objects. This is what Microsoft is highly recommending.

Go on technet and search for ICF and VPN

Hope it helps

Serge
MCP
 
Rebecca Chen [MSFT]

Yes.

You should not enable Internet Connection Firewall on virtual private
networking (VPN) connections, which are typically used to securely log in
to a corporate network. You should not enable ICF on client computers that
are part of a large company or school network with a server-client
structure. ICF will interfere with file and printer sharing in these
scenarios.

This is detailed in the following article:

Use the Internet Connection Firewall
http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
