WINS required for ISA 2006?

WINS required for ISA 2006? (Full Version)

All Forums >> [ISA 2006 General] >> Installation and Planning

Message

Swood -> WINS required for ISA 2006? (30.May2007 11:42:22 AM)
I was looking over the "Microsoft ISA Server 2006: Standard Edition Installation Guide" and noticed a curious mention of WINS under the Network Requirement section "Before installing ISA Server 2006, make sure that Domain Name System (DNS) and Microsoft Windows Internet Name Service (WINS) name resolution and routing are properly configured and functioning in your environment." ISA 2006 doesn't need WINS, does it?

Jason Jones -> RE: WINS required for ISA 2006? (30.May2007 5:37:25 PM)
Unless you are joining ISA to a Windows NT 4.0 domain (or maybe have Win2k/2k3 domains with trusts to NT4.0) , I see no reason why you would need WINS on the ISA server. I can't remember that last time I actually configured a WINS server on ISA, but then again I haven't use NT4.0 for a long, long time! [;)] Maybe it is a hang over from previous ISA versions or a Microsoft catch all if WINS is still present in a legacy environment??? Cheers JJ

Swood -> RE: WINS required for ISA 2006? (30.May2007 5:40:32 PM)
Whew! I was worried I would have to ressurect WINS!

Jason Jones -> RE: WINS required for ISA 2006? (30.May2007 6:05:45 PM)
Pretty sure you can just ignore it... Rest In Peace WINS! [;)]

elmajdal -> RE: WINS required for ISA 2006? (30.May2007 6:34:30 PM)
but why do i see lots of posts, that recommends installing a WINs server, specially when there is a problem with VPN Clients that can ping by IP but not by machine name !! Thanks, Tarek

Jason Jones -> RE: WINS required for ISA 2006? (30.May2007 6:44:29 PM)
I see no reason why WINS is required even for VPN clients. Maybe you can suggest why you think it is needed Tarek? Personally, I would say that WINS merely provides a leagcy name resolution service which has pretty much been superseeded by DNS now. If a ISA VPN clients are deployed correctly they should be using DNS and a default DNS domain name or domain suffix in order to resolve names. Adding WINS is just a way of getting name resolution to work if you have not done the DNS side of things properly. A lot of people just fallback to a WINS config as it is easier to get name resolution working as people don't always understand the basis of DNS and the need for a FQDN or domain name suffix. I am pretty sure Tom has done some articles on using a DHCP relay agent to provide DHCP options to ISA VPN clients - these options would normally include DNS domain name if done properly. Again the question is about "is WINS needed for ISA 2006" not "is WINS needed on VPN clients". Happy to be corrected if some *good* reasons for adding WINS to ISA interfaces can be shared... If someone wants to deploy WINS into a shiny new Win2k3 environment with DNS then fine, but I kinda think this is a step backwards, especially if you are doing it just to support ISA VPN clients which will deafult to using DNS for name resolution anyhow (assuming they have a correct DNS domain name via DHCP or correct have the correct domain name suffix). Personally I wouldn't do it, but that is just IMHO [8D] Cheers JJ

Jason Jones -> RE: WINS required for ISA 2006? (30.May2007 7:07:56 PM)
No WINS mentioned here [;)] http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

Jason Jones -> RE: WINS required for ISA 2006? (30.May2007 7:13:12 PM)
Maybe something more definitive from Jim... http://groups.google.co.uk/group/microsoft.public.isa.configuration/browse_thread/thread/ff96140adc249ec7/fd05722e53c8a09e?lnk=st&q=isa+server+wins&rnum=30&hl=en#fd05722e53c8a09e

elmajdal -> RE: WINS required for ISA 2006? (31.May2007 6:41:38 AM)
Hi Jason, Its been long since we saw you here, where have you been all this time !! quote: I see no reason why WINS is required even for VPN clients. Maybe you can suggest why you think it is needed Tarek? Personally, I would say that WINS merely provides a leagcy name resolution service which has pretty much been superseeded by DNS now. Well this is what I would like to know , is its really needed for VPN Clients ? quote: Again the question is about "is WINS needed for ISA 2006" not "is WINS needed on VPN clients". Sure WINS is not needed at all for ISA Server itself, its Network Interfaces. But as WINS was mentioned in this post, and VPN is one of the features provided by ISA, that’s why I asked the question. Maybe Tom can shed some light on this issue as I see some posts regarding this matter : http://forums.isaserver.org/m_2002043431/mpage_1/key_wins/tm.htm#2002044158 http://forums.isaserver.org/m_2002006262/mpage_1/tm.htm http://forums.isaserver.org/m_2002020694/mpage_1/key_wins/tm.htm#2002020721 Thanks, Tarek

elmajdal -> RE: WINS required for ISA 2006? (31.May2007 6:51:40 AM)
Something from Tom,[:D] quote: WINS servers : The ISA firewall can use an internal network WINS server to aid VPN clients access to internal network resources using a single label, NetBIOS name. Source : http://www.isaserver.org/tutorials/2004rightstart.html

justmee -> RE: WINS required for ISA 2006? (31.May2007 9:00:24 AM)
Hi Tarek, please note that we do not actually need Wins for VPN clients if we provide them a correct Domain Name suffix(on the PPP adapter: Connection-specific DNS Suffix) using DHCP which will update also the Windows IP configuration(the DNS Suffix Search List). To do this we must enable the DHCP relay on ISA, create some access rules and of course configure the DHCP server to deliver this settings. please read this: http://www.isaserver.org/tutorials/2004dhcprelay.html Note that we can specify a static range and exclude this range from, say, the Internal network(if there is located the DHCP server)and still deliver DHCP options to VPN clients using a scope defined for this range. If we only configure from ISA's panel the clients to get IP addresses using DHCP they will never get the DHCP options. This is why we need that DHCP relay. if a VPN client is member of a workgroup he will try to use the DNS server configured by DHCP but will append another dns suffix from his DNS Suffix Search List to his DNS query and thus the DNS server will not know how to resolve its query. If you do not want to do so you can simply specify on the VPN client the right DNS suffix. what I have observed using DHCP relay, is that sometimes the DHCPINFORM packets sent by the VPN client are dropped as spoofed by ISA. Disabling IP spoofing on ISA does resolves this issue and the clients will get the require info. Otherwise on the client side we would not get them and thus cannot access resources by names. If you cannot access like so run an ipconfig all and make sure you spot there the DNS Suffix Search List in Windows IP Configuration and the Connection-specific DNS Suffix on the PPP adapter. I do not know why this(spoof packets) happens. Maybe Jason knows. Best regards!

ITEngineer -> RE: WINS required for ISA 2006? (31.May2007 9:46:13 AM)
Hi all, i faced a problem with pinging machines in my LAN from a VPN connection, and i failed all time until i was advised by Tshin to install a WINS server, and when i installed the WINS server i was able to ping by hostname, FQDN and by IP, before installing WINS , i was only able to ping by IP & FQDN , whats your comments on this issue ??

Jason Jones -> RE: WINS required for ISA 2006? (31.May2007 9:48:50 AM)
It would have worked if you would have used the correct dns domain name or domain name suffix. WINS is an easy fix, but not really required... It looks like this is a grey area, IMHO WINS should be avoided in preference for name resolution provided by DNS. Maybe we will all have to agree to disagree! [8D] JJ

Jason Jones -> RE: WINS required for ISA 2006? (31.May2007 9:57:37 AM)
quote: ORIGINAL: elmajdal Hi Jason, Its been long since we saw you here, where have you been all this time !! quote: I see no reason why WINS is required even for VPN clients. Maybe you can suggest why you think it is needed Tarek? Personally, I would say that WINS merely provides a leagcy name resolution service which has pretty much been superseeded by DNS now. Well this is what I would like to know , is its really needed for VPN Clients ? quote: Again the question is about "is WINS needed for ISA 2006" not "is WINS needed on VPN clients". Sure WINS is not needed at all for ISA Server itself, its Network Interfaces. But as WINS was mentioned in this post, and VPN is one of the features provided by ISA, that's why I asked the question. Maybe Tom can shed some light on this issue as I see some posts regarding this matter : http://forums.isaserver.org/m_2002043431/mpage_1/key_wins/tm.htm#2002044158 http://forums.isaserver.org/m_2002006262/mpage_1/tm.htm http://forums.isaserver.org/m_2002020694/mpage_1/key_wins/tm.htm#2002020721 Thanks, Tarek Hi Tarek, I have been lurking, but not posting much. I tend to spend a lot of time contributing in my spare time, but what with an ill wife and a small baby, this is kinda difficult at times! Work has also been pretty full-on what with ForeFront AV, IAG and ISA 2006 I have been up to my eyeballs in consultancy! [&:] Trying to contribute when I can! [:)] Cheers JJ

justmee -> RE: WINS required for ISA 2006? (31.May2007 9:58:50 AM)
Hi ITEngineer, I think we ended up hijacking a little bit this thread but anyway let's discuss this further[:)]. I hope Swood does not mind. if you have time please read my previous post with attention. What you are calling by name must be resolved to a FQDN. To do so when the VPN client forwards the DNS query to the DNS Server specified by your DHCP server will append to this the DNS suffix it will find in the DNS Suffix Search List. You can have a Primary DNS suffix set on the VPN client(right click on My Computer....). Any other DNS suffix will be append to that list and also to your PPP adapter. For this to be done you msut use DHCP relay on ISA with the rules specified in Tom's article. if it's not working check ISA's logs for the DHCP(request) and see what's happening with it. I said that I have noticed that sometimes this packet might be dropped as spoofed by ISA with no other errors shows in the Alert tab or in the Event Viewer. I do not know why this happens. You can disable IP Spoofing on ISA and resolves this. Maybe other forums members know why. Best regards!

justmee -> RE: WINS required for ISA 2006? (1.Jun.2007 5:07:59 AM)
Hey guys check this fix to the spoofing problems: http://forums.isaserver.org/fb.aspx?m=2002037138 Ben actually contacted Microsoft and obtain a solution for this problem. which is to add this value to the registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV] "FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc or copy the bellow lines to a Notepad file and save it as ".reg" and double-click it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV] "FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc Doing so only one of the two DHCPINFOTM packets sent by the VPN client will be declared as spoofed by ISA. The other one will make it and the DHCP options will be obtain. Best regards!

Jason Jones -> RE: WINS required for ISA 2006? (1.Jun.2007 8:55:32 AM)
Nice update...good to see a fix. JJ

tshinder -> RE: WINS required for ISA 2006? (3.Jun.2007 7:17:27 PM)
Hey guys, I thought I'd put my two cents in here. I use WINS for my VPN clients because I get lazy and don't want to deal with DHCP relay sometimes. This is mostly for simple single segment networks and since WINS takes care of itself, it doesn't really add much overhead. Of course, Win2003 is supposed to support local subnet NetBIOS broadcasting for VPN clients, but I've never confirmed if it actually works and what might be required on the ISA Firewall to make it work, if we can make it work at all since ISA likes to block broadcasts :) Tom

elmajdal -> RE: WINS required for ISA 2006? (4.Jun.2007 12:10:36 PM)
Hi Tom, Thanks for your 2 cents [:D]

elmajdal -> RE: WINS required for ISA 2006? (4.Jun.2007 12:57:28 PM)
quote: ORIGINAL: Jason Jones Hi Tarek, I have been lurking, but not posting much. I tend to spend a lot of time contributing in my spare time, but what with an ill wife and a small baby, this is kinda difficult at times! Work has also been pretty full-on what with ForeFront AV, IAG and ISA 2006 I have been up to my eyeballs in consultancy! [&:] Trying to contribute when I can! [:)] Cheers JJ Hi JJ, please check above text in bold [:)], this is my life story [8D] Hope she will get well soon. & welcome back. Tarek.

Page: [1] 2 next > >>