VPN client can browse host:host cannot browse client-side

Discussion in 'Windows Small Business Server' started by phorest, May 11, 2006.

  1. phorest

    phorest Guest


    I have a main-office and branch setup. The branch connects via VPN. I have
    no problem browsing My Network Places (to the host-side) from branch, however
    I cannot see or browse the My Network Places (to the client-side) from the
    host. At one time it worked fine. It was using DFS/FRS without a problem,
    though right now the replication status is questionable.

    If I search for the branch from the host it times out. on the reverse
    everything is fine.

    In DFS Root both directories are "online" on both sides, but on the host
    side the branch directory replication info shows "offline".

    any ideas?
    phorest, May 11, 2006
    1. Advertisements

  2. Hi,

    Thanks for posting here.

    From your description, I understand the issue to be: users in host-site can
    not browse computers in branch office and replications status has problem.
    If I am off base, please let me know.

    The computer browsing is based on broadcast traffic. As we know, the
    broadcast traffic cannot go through a router. Since the networks are
    connected through VPN, it's expected that the browsing broadcast cannot go
    through the network. For the non-broadcast network, we need to leverage
    WINS server. Let us check as follows:

    1. Go to the main site client workstations. Open TCP/IP properties. Click
    'Advanced' button. In 'WINS' tab, add the SBS server's IP address into the
    list. Select 'Enable NetBIOS' over TCP/IP.

    2. For the branch office computers, configure them to use the SBS server as
    'WINS'. Also enable 'NetBIOS over TCP/IP'.

    3. Wait for several minutes. Will you be able to see the computers in
    branch office?

    More information:

    117633 How browsing over a multi-subnet TCP/IP network works in a domain
    and in a workgroup

    If the issue persists, please check the following settings:

    1. You can try to install the update to see if it helps.

    898060 Installing security update MS05-019 or Windows Server 2003 Service
    Pack 1 may cause network connectivity between clients and servers to fail

    2. Make sure that you have selected Enable NetBIOS over TCP/IP on LAN
    computer and SBS in host-side as following:

    1) Right click My Network Places and select Properties.
    2) Right click Local Area Connection (client computer)/Network Connection
    (server) and select Properties.
    3) Click Internet Protocol (TCP/IP) and high light it. Click Properties.
    4) On the General tab, click Advanced. Go to WINS tab.
    5) Make sure that you select Enable NetBIOS over TCP/IP.
    6) Click OK twice and close all the windows.

    For detailed information, please refer to the following KB article:

    318030 You cannot access shared files and folders or browse computers in

    3. Make sure the TCP/IP NetBIOS Helper service and the Server service and
    Workstation service are running on SBS and LAN computers. You may check
    them through running Services.msc.

    4. Check WINS:

    1) Open WINS console in the SBS Administrative Tools.
    2) Make sure that the service is started.

    5. Check Computer Browser on SBS and LAN computers:

    1) Open Services console in the SBS Administrative Tools.
    2) In the right pane, make sure that the "Computer Browser" service is
    started and the startup type is "Automatic".
    3) Check the same settings on all client computers and make sure that the
    "Computer Browser" service is stopped and the startup type is "Disabled".

    6. Disable SMB signing in the whole server domain:

    1) Make sure the following policies are all ''Disable'' (instead of ''Not
    defined'') in BOTH ''Default Domain Policy'' and ''Default Domain
    Controller Policy'':

    A. Microsoft network client: Digitally sign communications (always):
    B. Microsoft network client: Digitally sign communications (if server
    agrees): Disabled
    C. Microsoft network server: Digitally sign communications (always):
    D. Microsoft network server: Digitally sign communications (if client
    agrees): Disabled
    E. LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2
    session security if negotiated

    You can find the policy as following:

    A. Open Server Management, and then expand Advanced Management | Group
    Policy Management | Forest | Domains | Server name.
    B. Right click Default Domain Policy and select Edit.
    C. In Group Policy Object Editor, expand Computer Configuration | Windows
    Settings | Security Settings | Local Policies.
    D. Click Security Options.
    E. Open Server Management, and then expand Advanced Management | Group
    Policy Management | Forest | Domains | Server name | Domain Controllers.
    F. Right click Default Domain Controllers Policy and select Edit.
    G. In Group Policy Object Editor, expand Computer Configuration | Windows
    Settings | Security Settings | Local Policies.
    H. Click Security Options.

    2) Still on the DC, issue ''gpupdate /force'' in a command console.
    3) Restart the DC and client computer to take effect.

    More information:

    298804 Internet firewalls can prevent browsing and file sharing

    Hope this information helps. If you have further questions or concerns on
    this issue, please let me know. I am looking forward to hearing from you.

    Have a nice day!


    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Jenny wu [MSFT], May 12, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.