WINS required for ISA 2006?
WINS required for ISA 2006? - 30.May2007 11:42:22 AM
Swood
Posts: 47
Joined: 17.Mar.2003
From: Santa Ana, California
Status: offline
|
I was looking over the "Microsoft ISA Server 2006: Standard Edition Installation Guide" and noticed a curious mention of WINS under the Network Requirement section "Before installing ISA Server 2006, make sure that Domain Name System (DNS) and Microsoft Windows Internet Name Service (WINS) name resolution and routing are properly configured and functioning in your environment." ISA 2006 doesn't need WINS, does it?
RE: WINS required for ISA 2006? - 30.May2007 5:40:32 PM
Swood
Posts: 47
Joined: 17.Mar.2003
From: Santa Ana, California
Status: offline
|
Whew! I was worried I would have to resurrect WINS!
RE: WINS required for ISA 2006? - 30.May2007 6:34:30 PM
elmajdal
Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
But why do I see lots of posts that recommend installing a WINS server, especially when there is a problem with VPN clients that can ping by IP but not by machine name!! Thanks, Tarek
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: WINS required for ISA 2006? - 31.May2007 9:00:24 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
|
Hi Tarek, please note that we do not actually need WINS for VPN clients if we provide them a correct domain name suffix (on the PPP adapter: Connection-specific DNS Suffix) using DHCP, which will also update the Windows IP configuration (the DNS Suffix Search List). To do this we must enable the DHCP relay on ISA, create some access rules and of course configure the DHCP server to deliver these settings. Please read this: http://www.isaserver.org/tutorials/2004dhcprelay.html

Note that we can specify a static range and exclude this range from, say, the Internal network (if the DHCP server is located there) and still deliver DHCP options to VPN clients using a scope defined for this range. If we only configure the clients from ISA's panel to get IP addresses using DHCP, they will never get the DHCP options. This is why we need that DHCP relay.

If a VPN client is a member of a workgroup, he will try to use the DNS server configured by DHCP but will append another DNS suffix from his DNS Suffix Search List to his DNS query, and thus the DNS server will not know how to resolve its query. If you do not want to do so, you can simply specify the right DNS suffix on the VPN client.

What I have observed using DHCP relay is that sometimes the DHCPINFORM packets sent by the VPN client are dropped as spoofed by ISA. Disabling IP spoofing on ISA does resolve this issue and the clients will get the required info. Otherwise on the client side we would not get them and thus cannot access resources by name. If you cannot access like so, run an ipconfig /all and make sure you spot there the DNS Suffix Search List in Windows IP Configuration and the Connection-specific DNS Suffix on the PPP adapter.

I do not know why this (spoofed packets) happens. Maybe Jason knows. Best regards!
< Message edited by justmee -- 31.May2007 9:13:50 AM >
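The `ipconfig /all` check described in the post above can be scripted. The following is an added example, not code from any poster: it parses captured output, checks the two suffix fields, and lists the names a single-label lookup would turn into. The sample output, the `corp.example` and `home.example` suffixes, and the helper names are constructed for illustration, and the query list is a simplified model of suffix appending.

```python
import re

# key, dotted leader, " :" then optional value, as printed by ipconfig
KV = re.compile(r"^\s+([^.:]+?)[ .]+: ?(.*)$")

def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {section: {key: [values]}}."""
    sections, section, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line opens a section
            section, last = sections.setdefault(line.strip().rstrip(":"), {}), None
            continue
        m = KV.match(line)
        if m and section is not None:
            last = section.setdefault(m.group(1).strip(), [])
            if m.group(2).strip():
                last.append(m.group(2).strip())
        elif last is not None:             # continuation line: one more list entry
            last.append(line.strip())
    return sections

def check_vpn_suffix(text, expected_suffix, short_name="fileserver"):
    """Check the two fields named in the post and list the resulting DNS queries."""
    cfg, want = parse_ipconfig(text), expected_suffix.lower()
    glob = cfg.get("Windows IP Configuration", {})
    search = [s.lower() for s in glob.get("DNS Suffix Search List", [])]
    ppp = [s.lower() for name, kv in cfg.items() if name.startswith("PPP adapter")
           for s in kv.get("Connection-specific DNS Suffix", [])]
    return {
        "ppp_suffix_ok": want in ppp,
        "search_list_ok": want in search,
        # Assumption (simplified model): every listed suffix is appended in order.
        "queries": [f"{short_name}.{s}" for s in search],
    }

def sample(search_list, ppp_suffix):
    """Constructed ipconfig /all output; host, addresses and suffixes are made up."""
    first, *rest = search_list or [""]
    extra = "".join(f"{' ' * 39}{s}\n" for s in rest)
    return (
        "Windows IP Configuration\n\n"
        "   Host Name . . . . . . . . . . . . : LAPTOP01\n"
        f"   DNS Suffix Search List. . . . . . : {first}\n{extra}\n"
        "PPP adapter Office VPN:\n\n"
        f"   Connection-specific DNS Suffix  . : {ppp_suffix}\n"
        "   DNS Servers . . . . . . . . . . . : 10.0.0.2\n"
    )
```

A client whose search list holds only an unrelated suffix sends the internal DNS server a name it cannot resolve, which matches the "ping by IP and FQDN works, short name fails" symptom reported in this thread.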
RE: WINS required for ISA 2006? - 31.May2007 9:46:13 AM
ITEngineer
Posts: 258
Joined: 3.Feb.2006
Status: offline
|
Hi all, I faced a problem with pinging machines in my LAN from a VPN connection, and I failed all the time until I was advised by Tshin to install a WINS server, and when I installed the WINS server I was able to ping by hostname, FQDN and by IP. Before installing WINS, I was only able to ping by IP & FQDN. What are your comments on this issue??
RE: WINS required for ISA 2006? - 31.May2007 9:57:37 AM
Jason Jones
Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
|
quote:
ORIGINAL: elmajdal

Hi Jason, It's been long since we saw you here, where have you been all this time!!

quote:
I see no reason why WINS *is required* even for VPN clients. Maybe you can suggest why you think it is needed Tarek? Personally, I would say that WINS merely provides a legacy name resolution service which has pretty much been superseded by DNS now.

Well this is what I would like to know, is it really needed for VPN clients?

quote:
Again the question is about "is WINS needed for ISA 2006" not "is WINS needed on VPN clients".

Sure WINS is not needed at all for ISA Server itself, its Network Interfaces. But as WINS was mentioned in this post, and VPN is one of the features provided by ISA, that's why I asked the question. Maybe Tom can shed some light on this issue as I see some posts regarding this matter:
http://forums.isaserver.org/m_2002043431/mpage_1/key_wins/tm.htm#2002044158
http://forums.isaserver.org/m_2002006262/mpage_1/tm.htm
http://forums.isaserver.org/m_2002020694/mpage_1/key_wins/tm.htm#2002020721
Thanks, Tarek

Hi Tarek, I have been lurking, but not posting much. I tend to spend a lot of time contributing in my spare time, but what with an ill wife and a small baby, this is kinda difficult at times! Work has also been pretty full-on what with ForeFront AV, IAG and ISA 2006 I have been up to my eyeballs in consultancy! Trying to contribute when I can! Cheers JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: WINS required for ISA 2006? - 1.Jun.2007 5:07:59 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
|
Hey guys, check this fix for the spoofing problems: http://forums.isaserver.org/fb.aspx?m=2002037138 Ben actually contacted Microsoft and obtained a solution for this problem, which is to add this value to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV]
"FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc

or copy the lines below to a Notepad file, save it as ".reg" and double-click it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV]
"FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc

Doing so, only one of the two DHCPINFORM packets sent by the VPN client will be declared as spoofed by ISA. The other one will make it and the DHCP options will be obtained. Best regards!
RE: WINS required for ISA 2006? - 3.Jun.2007 7:17:27 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hey guys, I thought I'd put my two cents in here. I use WINS for my VPN clients because I get lazy and don't want to deal with DHCP relay sometimes. This is mostly for simple single segment networks and since WINS takes care of itself, it doesn't really add much overhead. Of course, Win2003 is supposed to support local subnet NetBIOS broadcasting for VPN clients, but I've never confirmed if it actually works and what might be required on the ISA Firewall to make it work, if we can make it work at all since ISA likes to block broadcasts :) Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8