File and Printer Sharing Over VPN
  •  
Mavhack

Having 1 major issue now with VPN, I can't seem to get Microsoft File And Printer Sharing working over it!

Will it work or doesn't it support it????

Cheers

Simon
  •  
feite

When I connect to a share on a 'workgroup' machine it works. When I try to connect to a share on a 'domain' machine it does not work... In the filterlog I can not find any 'deny/drop' rule.
  •  
feite

I did some additional testing. My previous post was not correct. I can now connect to shares of workstations (not part of a domain) and domain members (like a domain server) over VPN.

I created the following traffic rules:

-- to enable the vpn client to connect to KWF --
name: VPN service
source: internet
dest: firewall
service: kerio vpn
action: allow
translation: none
inspector: default

-- to allow a vpn client to use resources in the lan --
name: vpn clients to lan
source: vpn clients
dest: lan
service: microsoft-ds, netbios-ssn
action: allow
translation: none
inspector: default

For every machine in the lan that needs to allow a connection from a vpn client make sure the return route is available. If the default gateway is not the KWF firewall a connection can not be made. If it is not possible to change the default gateway add an extra route for the ip range of the vpn clients with 'route add'.

The settings for the Kerio VPN adapter on the VPN client:
- enable tcp/ip protocol. I have entered a fixed IP address (make sure it's an address that is not used in any other subnet). I use the same IP address for all Kerio VPN adapters. No DNS, no WINS, no gateway, NetBIOS disabled.
- enable the client for microsoft networks. If you forget this you will get an error 5.

The settings for the Kerio VPN adapter on the KWF firewall
- enable tcp/ip protocol. I have entered a fixed IP address (make sure it's an address that is not used in any other subnet). I use the same IP address for all Kerio VPN adapters. No DNS, no WINS, no gateway, NetBIOS disabled.
- I have not enabled any client or service for that adapter, only the protocol tcp/ip.

How to connect to a share:
use the ms-dos command:
net use <drive-letter>: \\<ip_of_computer_to_connect_to>\<sharename> <password> /user:<domain_name>\<user_name>

example:
net use x: \\10.0.0.8\share secretpassword /user:dom_abc\john

use the explorer
use the menu extra to create a new mapping
specify the correct username for that connection like dom_abc\john
specify the correct password for that connection

[Updated on: Sat, 02 April 2005 11:25]

  •  
Mavhack

Tried that, but all I get is network not found! I can ping the other machines over the VPN, by the IP address, but I can't get to them for file and printer sharing.

The PCs are just basic sharing in a workgroup, not on a domain!

Cheers

Simon
  •  
feite

When you connect to a PC, make sure you use a username / password combination that exists on that PC (the PC that's offering the share).
  •  
Mavhack

Doing that I get System Error 67

Network name can not be found
  •  
Mavhack

Just noticed that it shows up under the Warning Log as an anti-spoofing packet; turned anti-spoofing off and it still doesn't make any difference.


[02/Apr/2005 22:40:19] Anti-spoofing: Packet from VPN client home, proto:TCP, len:48, ip/port:192.168.8.5:4344 -> 10.0.0.5:139, flags: SYN , seq:3100424665 ack:0, win:25200, tcplen:0

That's the log message

[Updated on: Sat, 02 April 2005 23:34]
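
Added example, not part of the thread: a Python sketch that pulls the fields out of the anti-spoofing entry quoted above and applies the return-route check described earlier in the thread (replies from the LAN host must go back through the firewall). The regex is derived from that single log line only; the firewall address 10.0.0.1, the other gateway 10.0.0.254 and the VPN client range 192.168.8.0/24 are assumed values.

```python
import ipaddress
import re

# Log line quoted in the post above (Kerio warning log, anti-spoofing entry).
LOG_LINE = ("[02/Apr/2005 22:40:19] Anti-spoofing: Packet from VPN client home, "
            "proto:TCP, len:48, ip/port:192.168.8.5:4344 -> 10.0.0.5:139, "
            "flags: SYN , seq:3100424665 ack:0, win:25200, tcplen:0")

# Pattern derived from that one sample line; other entry types may differ.
ENTRY = re.compile(
    r"Anti-spoofing: Packet from (?P<iface>.+?), proto:(?P<proto>\w+),.*?"
    r"ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+),"
    r"\s*flags:\s*(?P<flags>[A-Z ]+?)\s*,")

SMB_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}

def parse_entry(line):
    """Return the entry's fields as a dict, or None if the line does not match."""
    m = ENTRY.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    e["service"] = SMB_PORTS.get(e["dport"])  # None for non-SMB ports
    return e

def next_hop(routes, dest):
    """Longest-prefix match over a list of (network, gateway) pairs."""
    ip = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes
            if ip in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def return_path_ok(routes, client_ip, firewall_ip):
    """True when replies to the VPN client leave via the firewall."""
    return next_hop(routes, client_ip) == firewall_ip

# Constructed route tables for LAN host 10.0.0.5 (assumed values).
FIREWALL = "10.0.0.1"
ROUTES_BEFORE = [("10.0.0.0/24", "on-link"), ("0.0.0.0/0", "10.0.0.254")]
# Equivalent of: route add 192.168.8.0 mask 255.255.255.0 10.0.0.1
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.8.0/24", FIREWALL)]

if __name__ == "__main__":
    e = parse_entry(LOG_LINE)
    print(e["src"], "->", e["dst"], e["service"], e["flags"])
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        ok = return_path_ok(table, e["src"], FIREWALL)
        print(name, "reply via", next_hop(table, e["src"]), "ok" if ok else "asymmetric")
```
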

  •  
_sbs_

Hello

My experience about it (since I have the same trouble) is Kerberos tickets when using AD security.

When you log in on the LAN, you get assigned a Kerberos ticket by the DC that is used for all authentication purposes. When you connect to the LAN through the VPN, all goes about well until the ticket expires, then all is "access denied" with no log.

If you try a netdiag /test:kerberos /v you'll get the status of your Kerberos tickets and probably an error telling that \\yourmachine.yourdomain.endof_the_domain cannot be found. Which is true, since you are not that machine any more from the LAN standpoint.

I have no solution for that but I guess that if VPN clients could register in the DHCP lease-list that would help a bunch since the machine name would resolve to the valid VPN address and not the old LAN one.

S. BARTHES
  •  
Mavhack

I'm not using active directory though!

It's just WinXP Shares on 3 machines that just act as file servers. They won't allow access.

from command prompt

net use ......

gives error as stated before

in win xp doing start >> run gives

no network provider would accept the given network path

Driving me mad now I've created the following rules....

VPN Tunnel
Local Area Connection (Internet Ethernet connection)
Firewall
Kerio VPN
Allow

and

VPN Internal Access
VPN Clients
Local Area Connection 2 (LAN)
Microsoft-DS, Port 137, Port 139, NetBIOS-DGM, NetBIOS-NS, Netbios-SSN
Allow

Can't see what's missing. Of course I've emailed Kerio, and not had a response; the email was sent nearly a week ago.

Cheers

Simon
  •  
_sbs_

Then you can try digging into netdiag results to try finding what is wrong with your setup.

You can find netdiag, part of the resource kit, in the support tools on your XP Pro install CD.
  •  
feite

I use the ip address of the computer I want to connect to, not the computername.
  •  
lifutom

Hi Simon,

just an idea:

If you want to use a fileshare over VPN you have to have something that resolves your share name.

i.e.:

\\svr\share -> for this you need something to resolve svr to an IP address.

This can be done by the lmhosts file. This should reside in the directory c:\windows\system32\drivers\etc. If you never used this file, just copy the file lmhosts.sam to lmhosts. Then add an entry with the text editor for the IP address of the server (this is just an example):

192.168.1.1 svr

Then save the file, and try to ping the machine with the name.

If this works then try to connect to the share. It should work.

thomas
  •  
Mavhack

Mmmmm, tried that to no avail a few days ago.

To add to the mix now, from XP Home and Win 98 test machines over the VPN I can now access the shares (since changing the rule to include port 137 and 139), BUT XP Pro won't go anywhere near!

Tried it off a few machines!
  •  
Mavhack

Solved it in the end, it was down to the XP Pro machine Sharing options. Alter it to simple file sharing and it was fine! Thanks for all the help guys!

Now have 6 sites linked via VPN tunnels and sharing 7 servers, (just to test the load it can take), and it seems quicker to transfer files over 512/256k ADSL than it is to transfer over the local LAN!

That's Windowz for you!

Simon
  •  
resendes.w

What if you are trying to connect to a workstation that has a share, but uses the DHCP and DNS services built into WinRoute? Why won't it let me use the machine name? Does DNS not work thru the VPN? It's all Kerio software and it's driving me a little crazy. All local systems can ping each other by name just fine.

PLEASE HELP