#1
Browsing share on AD slow over VPN
Hi,

Don't know where to post this, so thought I'd start from here. Have searched the internet over and found "many solutions"; however, not sure if they'll work!

I've got AD set up with DHCP/DNS/Network Shares/Print Servers (yes, against all Microsoft conventions - I know). Anyway, the other day I finally set up the following:

Remote Client (CISCO VPN Client) -----> PIX515E Firewall -----> AD which has network share and separate Exchange Server for emails

The problem I've got is that when I am outside of the office, I launch the CISCO VPN and connect to the firewall, get verified and then when I try to get to my network share to get my Word documents, it is extremely slow (I did UNC and mapped shared drive on both wired and wireless connection, got verified, but just too slow - takes about 5 to 10 minutes to show contents of my network share). At work we've got a 2Mbps leased line (so upload and download same), while at home I got broadband, 1Mbps.

I've read that I should check NetBIOS settings, Host files, MTU size, that I should (and shouldn't) open ports 137, 138 and 139 on my PIX....

Has anyone come up with a solution that works or seen this before? What is the host file setting all about? It says to do it only on the Client PC....

I haven't found a specific answer as yet....suspect there might also possibly be a DNS issue...don't know what else to think! Appreciate if someone could lend me a hand!

Many thanks!
#2
Re: Browsing share on AD slow over VPN
Are you using WINS? That will help across VPNs.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
#3
Re: Browsing share on AD slow over VPN
I've noticed I can only get to verify the user name when mapping the network share if I put the IP address of the server rather than its host name.

So do I just edit the lmhosts file in the c:\windows\system32\drivers\etc directory and add the line for the server at the remote client machine (so my machine at home)? Or on the server as well?

Find all this a bit confusing as I thought that I can configure the VPN pool to give out the local DNS server so that machines know how to resolve names? If I check the TCP/IP settings on the local machine and hit advanced, I get the DNS and WINS tabs. Funny thing is that in the DNS tab the server IP is listed, so anything else I need to do?

I have set up split tunneling on the CISCO firewall as I figured the users would want to still use the internet from the local connection? Is this a problem? Does internal DNS get ignored?

I've also clicked on "use local LAN access" in the Cisco VPN client program, but it says disabled - I gather I have to enable this somewhere else on the server or firewall side also for it to work? Lmhosts seems like an answer but it will, I assume, take a lot of effort to support all 50-60 users that might use it...

Does it also mean I have to install the WINS service on the server?

Seems so much to do!
#4
Re: Browsing share on AD slow over VPN
I wouldn't suggest using LMHOSTS files. There is more than just putting a name in an lmhosts file, besides its being non-centralized.

I use a Pix 501, 506 and ASA 5505 at various clients with the legacy VPN client and the newer SSL VPN Client. I use the internal DNS as well, for when the VPN is connected the default interface is the VPN interface, so it will use the internal DNS to access AD and other things internally. I also have Split Tunneling set up, so if the connected client wants to access the internet, they use their own gateway instead of the remote network gateway.

It should work with a setup such as this; however, being old school, I use WINS for NetBIOS name resolution. Yes, it involves installing WINS on a server (no changes to DNS settings or zone property settings), but I do change the DHCP settings for option 044 and 046 so all internal machines get the WINS address, as well as setting the WINS address in my VPN Pool IP range. And yes, I use a different IP range for VPN clients, just to keep them separated, and access rules set to allow the VPN subnet access to the internal subnet.

If you are having difficulty, and you own a Pix 515, I assume you've purchased a 24/7 gold support contract. If so, simply put in a TAC request, and those guys will be more than happy to set up the whole thing for you.

--
Ace
#5
Re: Browsing share on AD slow over VPN
OK. So bottom line is (and yes, of course I am using a different IP range for VPN Clients - No NAT translation from internal IP to VPN client IP address):

1. Install WINS and change DHCP setting for option 044 and 046
2. Set up WINS address in CISCO PIX515E VPN Pool IP Range
3. Access rules on PIX to allow VPN subnet access to internal subnet (this would mean what? any traffic coming from outside interface going to inside network?)

I'll try this out tomorrow.

Thanks.
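Steps 1 and 2 above hinge on two DHCP options that the thread names only by number, and the same mechanism carries the domain name (option 015) that comes up later in the thread. The Python below is an added example, not code from the thread, Microsoft or Cisco: it encodes and decodes options 15, 44 and 46 in the RFC 2132 code/length/data wire format, so you can see exactly what a DHCP scope or VPN address pool configured this way hands to a client. The domain name corp.example and the WINS addresses 10.0.0.5 and 10.0.0.6 are constructed sample values, and the function names are mine.

```python
"""Encode and decode the DHCP options discussed in the thread (RFC 2132 layout).

Added example, not from the thread, Microsoft or Cisco. Each option is
code (1 byte) | length (1 byte) | data. Sample addresses and names are constructed.

  option 15  Domain Name          -> becomes the client's connection-specific DNS suffix
  option 44  NetBIOS name servers -> WINS server list (one or more IPv4 addresses)
  option 46  NetBIOS node type    -> 1=B (broadcast only), 2=P (WINS only),
                                     4=M (broadcast, then WINS), 8=H (WINS, then broadcast)
"""
import ipaddress
import struct

OPT_DOMAIN_NAME = 15
OPT_WINS_SERVERS = 44
OPT_NETBIOS_NODE_TYPE = 46
OPT_PAD = 0
OPT_END = 255

NODE_TYPES = {1: "B-node", 2: "P-node", 4: "M-node", 8: "H-node"}


def encode_options(domain: str, wins_servers: list, node_type: int) -> bytes:
    """Build the option bytes a DHCP server would place in its OFFER/ACK."""
    if node_type not in NODE_TYPES:
        raise ValueError(f"invalid NetBIOS node type {node_type}")
    if not wins_servers:
        raise ValueError("option 44 requires at least one address")
    out = bytearray()

    name = domain.encode("ascii")
    out += struct.pack("!BB", OPT_DOMAIN_NAME, len(name)) + name

    # Option 44 data is a concatenation of 4-byte addresses, in preference order.
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in wins_servers)
    out += struct.pack("!BB", OPT_WINS_SERVERS, len(addrs)) + addrs

    out += struct.pack("!BBB", OPT_NETBIOS_NODE_TYPE, 1, node_type)
    out += bytes([OPT_END])
    return bytes(out)


def decode_options(data: bytes) -> dict:
    """Parse a TLV option blob back into a dict keyed by option code."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        body = data[i + 2 : i + 2 + length]
        if len(body) != length:
            raise ValueError(f"option {code} truncated")
        if code == OPT_DOMAIN_NAME:
            opts[code] = body.decode("ascii")
        elif code == OPT_WINS_SERVERS:
            if length % 4 != 0:
                raise ValueError("option 44 length must be a multiple of 4")
            opts[code] = [str(ipaddress.IPv4Address(body[j:j + 4]))
                          for j in range(0, length, 4)]
        elif code == OPT_NETBIOS_NODE_TYPE:
            opts[code] = NODE_TYPES.get(body[0], f"unknown({body[0]})")
        else:
            opts[code] = body  # options this example does not interpret stay raw
        i += 2 + length
    return opts


if __name__ == "__main__":
    blob = encode_options("corp.example", ["10.0.0.5", "10.0.0.6"], 8)
    print(blob.hex())
    print(decode_options(blob))
```

Option 46 is the one worth checking on a routed VPN link: a client forced to B-node (value 1) only ever broadcasts for NetBIOS names, and broadcasts do not cross the tunnel, whereas H-node (8) queries the WINS server handed out in option 44 first and broadcasts only as a fallback. Running a captured OFFER through decode_options is a quick way to confirm what the VPN pool is actually giving out before changing anything on the firewall.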
#6
Re: Browsing share on AD slow over VPN
#3: Allows access from the VPN pool to the internal subnet. How about split-tunneling?

Ace
#7
Re: Browsing share on AD slow over VPN
I've already done split tunneling...I can ping the internal server from the VPN client no problem - I thought from your reply that I would have to put in an additional ACL.
#8
Re: Browsing share on AD slow over VPN
No, but I just wanted to make sure since you didn't mention it previously.

Then it should just work!

Ace
#9
Re: Browsing share on AD slow over VPN
I know! I just find it strange. I'm trying from a computer from home which is not joined to the domain at work - it's just in the workgroup. I'm thinking maybe that's just the problem - maybe I should take the laptop from work home and try it out to see if that works! Because I can ping all computers on the work network from home, I can do remote desktop to servers - I worked on them no problem - maybe like a 0.3 second delay but that's it! So that's why I'm thinking this should work also.

As part of my VPN CISCO PIX515e configuration, I've placed a statement to first no nat (no network address translation) for the local network IP range with the VPN client IP range, as well as setting up a split tunneling statement. I specified what the local DNS is somewhere in there, so that's what I'm thinking - is WINS really something EXTRA I would be doing for nothing, or do I really need to do it?!? Very strange case. The share folder which I just added using my server IP took about 4 minutes to open with my items once I just mapped the network drive (got a 1Mbps broadband connection at home - but then again, I don't think this should even matter).

I'll try with the computer joined to the domain tomorrow from home or anywhere outside and let you know how I go....

Thanks!
#10
Re: Browsing share on AD slow over VPN
Possibly because the Primary DNS Suffix doesn't match the domain name. I bet if you set the laptop (without joining it) to your internal domain name as the Primary DNS Suffix, it may work. That's used by the resolver service. Or you can simply add it as a search suffix in the NIC properties, but you would have to add it to both the wired and wireless interfaces.

Try it ...

Ace
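To make the suffix point concrete: the Python below is an added example, not code from the thread or from Microsoft. It reproduces the candidate list the Windows DNS client builds for an unqualified name (primary DNS suffix first, then the parent suffixes produced by devolution, then any connection-specific suffix) and looks each candidate up in a constructed stand-in for the corporate zone. The host names fileserver and dc1, the domain corp.example.com and the addresses are invented, the devolution stop level of two labels is an assumption of the example, and the function names are mine.

```python
"""Resolver suffix search, simplified from the documented Windows DNS client rules.

Added example, not from the thread or Microsoft. The zone contents, host and
domain names, and the devolution stop level (assumed: two labels) are all
constructed for illustration.
"""

# Constructed stand-in for what the corporate DNS server can answer.
CORP_ZONE = {
    "fileserver.corp.example.com": "10.0.0.20",
    "dc1.corp.example.com": "10.0.0.5",
}


def candidate_names(name, primary_suffix="", connection_suffixes=(),
                    devolve=True, devolution_level=2):
    """Return the fully qualified names the resolver would try, in order.

    Rules modelled (for a single-label name such as the server in a UNC path):
      * a trailing dot means "already qualified": try it alone;
      * otherwise append the primary DNS suffix, then (if devolution is on)
        each parent of that suffix down to `devolution_level` labels;
      * then append each connection-specific suffix;
      * with no suffix available at all the bare name is tried as-is, which
        is the workgroup-laptop case from the thread.
    """
    if name.endswith("."):
        return [name.rstrip(".")]

    ordered, seen = [], set()

    def add(fqdn):
        if fqdn not in seen:
            seen.add(fqdn)
            ordered.append(fqdn)

    if primary_suffix:
        add(f"{name}.{primary_suffix}")
        if devolve:
            labels = primary_suffix.split(".")
            while len(labels) > devolution_level:
                labels = labels[1:]          # strip the leftmost label
                add(f"{name}.{'.'.join(labels)}")

    for suffix in connection_suffixes:
        add(f"{name}.{suffix}")

    if not ordered:
        add(name)
    return ordered


def resolve(name, zone=CORP_ZONE, **resolver_settings):
    """Try each candidate against the zone; return (fqdn, ip) or None."""
    for fqdn in candidate_names(name, **resolver_settings):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


if __name__ == "__main__":
    # Workgroup laptop with no suffix configured: the bare name never matches.
    print(resolve("fileserver"))
    # Same laptop with the corp domain as its primary suffix (the fix suggested above).
    print(resolve("fileserver", primary_suffix="corp.example.com"))
```

The None result in the first case is the interesting one: when every DNS candidate fails, the client drops to NetBIOS name resolution, and on a routed VPN link that means either a WINS query (if option 44 and a non-broadcast node type were handed out) or broadcasts that never leave the home LAN. Timing that fallback chain is what turns a share listing into a minutes-long wait, which is why fixing the suffix or adding WINS both change the behaviour.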
#11
Re: Browsing share on AD slow over VPN
You mean open the wireless connection (not VPN) on the home computer, go to TCP/IP, click on properties, advanced and under DNS in "DNS suffix for this connection" specify my domain name? The "append primary and connection specific DNS suffixes" button is checked as well as "append parent suffixes of the primary DNS suffix"? Yeah, it's actually working much faster now, but is this the solution? That I have to enter my domain through the primary suffix of every user's computer? Surely I don't have to do this all the time - imagine - the domain controller is now synchronizing with my machine at agonizingly slow speed!
#12
Re: Browsing share on AD slow over VPN
DHCP Option 015 should take care of the domain name for you.

Ace
#13
Re: Browsing share on AD slow over VPN
Hey Ace!

Thanks for the reply. I already specified option 015 from way before. I'm beginning to think about re-doing the VPN Connection settings on the CISCO firewall. Don't think this one has anything to do with Microsoft (Windows Server or Client XP)....I think I might have to specify two access lists whereby one is for NoNAT from local internal IP to VPN client IP and the second one basically allows only that particular IP to travel through the tunnel...I think the setup I've got now, which is a single access list (only NoNAT) and split tunneling (specifically split tunneling), is the issue. I think all traffic goes through the tunnel including the internet one and I think that's where the confusion with DNS is...I think only traffic from the server (local IP and VPN IP) should be going back and forth through the tunnel while the internet traffic should be kept separate...it doesn't show that it might be confusing these two but I was thinking about it last night...
#14
Re: Browsing share on AD slow over VPN
Using split tunneling should allow internet traffic to go across the client's gateway, but corp traffic across the VPN. But yet, all queries will be using the corp DNS servers while connected. If DNS is configured properly in the corp network, that is with forwarding, such that it can resolve internal and external names, then there really shouldn't be a problem.

Go through your access lists and see where it's falling apart.

Ace