Name Resolution for Mobile VPN with SSL
The goal of a mobile VPN connection is to allow users to connect to network resources as if they were connected locally. With a local network connection, NetBIOS traffic on the network allows you to use the device name to connect to your devices. It is not necessary to know the IP address of each network device. However, Mobile VPN tunnels cannot pass broadcast traffic. Because NetBIOS relies on broadcast traffic to operate correctly, you must use an alternate method for name resolution.
Methods of Name Resolution Through a Mobile VPN with SSL Connection
You must choose one of these two methods for name resolution:
WINS/DNS (Windows Internet Name Service/Domain Name System)
A WINS server keeps a database of NetBIOS name resolution for the local network. DNS uses a similar method. If your domain uses only Active Directory, you must use DNS for name resolution.
LMHOSTS file
The LMHOSTS file is a manually created file that you install on all computers with Mobile VPN with SSL. The file contains a list of resource names and their associated IP addresses.
Select the Best Method for Your Network
Because of the limited administration requirements and current information it provides, WINS/DNS is the preferred solution for name resolution through a Mobile VPN tunnel. The WINS server constantly listens to the local network and updates its information. If the IP address of a resource changes, or a new resource is added, you do not have to change any settings on the SSL client. When the client tries to get access to a resource by name, a request is sent to the WINS/DNS servers and the most current information is given.
If you do not already have a WINS server, the LMHOSTS file is a fast way to provide name resolution to Mobile VPN with SSL clients. Unfortunately, it is a static file and you must edit it manually any time there is a change. Also, the resource name/IP address pairs in the LMHOSTS file are applied to all network connections, not only the Mobile VPN with SSL connection.
Configure WINS or DNS for Name Resolution
Each network is unique in terms of the resources available and the skills of the administrators. The best resource to help you learn how to configure a WINS server is the documentation for your server, such as the Microsoft website. When you configure your WINS or DNS server, note that:
- The WINS server must be configured to be a client of itself.
- Your Firebox must be the default gateway of the WINS and DNS servers, so that their replies to Mobile VPN client addresses are routed back through the tunnel.
- For WINS, you must make sure that network resources do not have more than one IP address assigned to a single network interface. NetBIOS only recognizes the first IP address assigned to a NIC. For more information, see http://support.microsoft.com/kb/q131641/.
Add WINS and DNS Servers to a Mobile VPN with SSL Configuration
From Fireware Web UI:
- Select VPN > Mobile VPN with SSL.
- Select the Advanced tab.
The Mobile VPN with SSL Advanced page appears.
- In the WINS and DNS Servers section, type the primary and secondary addresses for the WINS and DNS servers.
You can also type a domain suffix in the Domain Name text box for a client to use with unqualified names.
- Click Save.
From Policy Manager:
- Select VPN > Mobile VPN > SSL.
- Select the Advanced tab.
- Type the primary and secondary addresses for the WINS and DNS servers.
You can also type a domain suffix in the Domain Name text box for a client to use with unqualified names.
- Click OK.
- Save the Configuration File.
The next time an SSL client computer authenticates to the Firebox, the new settings are applied to the connection.
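To confirm from the client side that the settings above were actually applied, the following PowerShell script is an added example (it is not part of WatchGuard's documentation or client software). It reads the DNS servers, connection-specific suffix and WINS servers on the tunnel adapter, compares them with what you configured, and resolves a test name both through the system resolver and directly against each pushed server. The expected addresses, the suffix, the test name, and the assumption that the tunnel adapter is a TAP adapter are placeholders to adjust for your own configuration.

```powershell
#Requires -Modules DnsClient, NetAdapter
# Added example, not part of WatchGuard's documentation or client software.
# Run on a Windows client after the Mobile VPN with SSL tunnel is up, to confirm
# the WINS/DNS servers and domain suffix from the Advanced tab were applied to
# the tunnel adapter and that names resolve through them.
# Assumptions (placeholders, not values from the page): the expected addresses
# and suffix below, the test name, and that the tunnel adapter is a TAP adapter.
$ExpectedDns    = @('10.0.1.10', '10.0.1.11')   # assumed: DNS servers set on the Firebox
$ExpectedWins   = '10.0.1.10'                   # assumed: primary WINS server set on the Firebox
$ExpectedSuffix = 'corp.example.com'            # assumed: Domain Name from the Advanced tab
$TestHost       = 'fileserver'                  # assumed: an unqualified internal resource name

# Locate the tunnel adapter. Match on the description rather than a fixed alias,
# since the alias varies between client versions (assumed to contain "TAP").
$Vpn = Get-NetAdapter |
       Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -like '*TAP*' } |
       Select-Object -First 1
if (-not $Vpn) { throw 'No active TAP adapter found; connect the Mobile VPN with SSL tunnel first.' }

# DNS servers and connection-specific suffix actually applied to that interface.
$Dns    = (Get-DnsClientServerAddress -InterfaceIndex $Vpn.ifIndex -AddressFamily IPv4).ServerAddresses
$Suffix = (Get-DnsClient -InterfaceIndex $Vpn.ifIndex).ConnectionSpecificSuffix
"Tunnel adapter : $($Vpn.Name) (ifIndex $($Vpn.ifIndex))"
"DNS servers    : $($Dns -join ', ')"
"DNS suffix     : $Suffix"

$Missing = $ExpectedDns | Where-Object { $_ -notin $Dns }
if ($Missing) { Write-Warning "DNS server(s) not applied to the tunnel: $($Missing -join ', ')" }
if ($Suffix -ne $ExpectedSuffix) { Write-Warning "Suffix is '$Suffix', expected '$ExpectedSuffix'" }

# WINS servers are exposed by the adapter configuration class, not by the DNS cmdlets.
$Cfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
       Where-Object { $_.InterfaceIndex -eq $Vpn.ifIndex }
"WINS servers   : $($Cfg.WINSPrimaryServer), $($Cfg.WINSSecondaryServer)"
if ($Cfg.WINSPrimaryServer -ne $ExpectedWins) {
    Write-Warning "Primary WINS is '$($Cfg.WINSPrimaryServer)', expected '$ExpectedWins'"
}

# 1) Resolve the unqualified name the way a user would (the resolver appends the suffix).
try {
    $Answer = Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop
    "System resolver: $TestHost -> $(($Answer | Where-Object { $_.IPAddress }).IPAddress -join ', ')"
} catch { Write-Warning "System resolver could not resolve '$TestHost': $($_.Exception.Message)" }

# 2) Query each pushed server directly, bypassing the cache, the hosts file and the
#    other adapters, so a failure points at the tunnel or the server, not the client.
foreach ($Server in $Dns) {
    try {
        $A = Resolve-DnsName -Name "$TestHost.$Suffix" -Type A -Server $Server `
             -DnsOnly -NoHostsFile -ErrorAction Stop
        "Direct to $Server : $TestHost.$Suffix -> $(($A | Where-Object { $_.IPAddress }).IPAddress -join ', ')"
    } catch { Write-Warning "Query to $Server for '$TestHost.$Suffix' failed: $($_.Exception.Message)" }
}

# 3) NetBIOS side: the current name cache shows what WINS (or LMHOSTS) has answered.
nbtstat -c
```

A name that resolves when queried directly against a pushed server but fails through the system resolver usually means the suffix was not applied, or another adapter's DNS servers are answering first; a query that fails directly against the server points at routing (see the default gateway note above) or the server itself.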
Configure the LMHOSTS File to Provide Name Resolution
When you use the LMHOSTS file to get name resolution for your Mobile VPN clients, no changes to the Firebox or the Mobile VPN client software are necessary. Basic instructions to help you create an LMHOSTS file are included in the next section.
Edit the LMHOSTS File
To edit the LMHOSTS file on the Mobile VPN client computer:
- Find the LMHOSTS file on the Mobile VPN client computer.
The LMHOSTS file is usually located in the C:\WINDOWS\system32\drivers\etc directory.
- Open the LMHOSTS file with a text editor, such as Notepad.
If you cannot find an LMHOSTS file, create a new file in a text editor.
- To create an entry in the LMHOSTS file, type the IPv4 address of a network resource, at least one space or tab (the sample file uses several spaces), and then the NetBIOS name of the resource.
The resource name must be 15 characters or less. An entry looks like this: 192.168.42.252 server_name
- If you started with an existing LMHOSTS file, save it with its original file name.
If you created a new file, save it with the file name lmhosts, with no extension, in the C:\WINDOWS\system32\drivers\etc directory.
If you used Notepad to create the new file, you must also select All Files as the file type in the Save dialog box, or Notepad appends the .txt extension and Windows does not read the file.
- Reboot the SSL client computer for the LMHOSTS file to become active. Entries tagged #PRE can instead be loaded without a reboot with nbtstat -R from an elevated command prompt; nbtstat -c then lists the cached names and their addresses.
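The procedure above, as an added PowerShell example that is not part of WatchGuard's documentation or client software: it builds or updates the LMHOSTS file from a table of resources, enforces the rules above (IPv4 address, name of 15 characters or less, whitespace-separated fields, extensionless file name) and reloads the NetBIOS name cache so the entries take effect without a reboot. The $Resources table is constructed sample data; replace it with your own names and addresses.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of WatchGuard's documentation or client software.
# Builds or updates the LMHOSTS file on a Mobile VPN with SSL client from a list
# of resources, validating each entry, and reloads the NetBIOS name cache.
# Assumption: the $Resources table is constructed sample data, not real hosts.
$Resources = @{
    'fileserver' = '192.168.42.252'
    'printsrv01' = '192.168.42.253'
}
$LmhostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'

function Test-LmhostsEntry {
    param([string]$Name, [string]$Address)
    # NetBIOS names carry 15 characters; the 16th byte is the service type.
    if ($Name.Length -gt 15) { throw "Name '$Name' is longer than 15 characters" }
    if ($Name -match '\s|#')  { throw "Name '$Name' contains whitespace or '#'" }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Address '$Address' for '$Name' is not a valid IPv4 address (LMHOSTS is IPv4-only)"
    }
}

# Keep existing lines that do not name a resource we are about to set, so a
# re-run replaces a changed address instead of appending a duplicate entry.
$Existing = if (Test-Path $LmhostsPath) { @(Get-Content $LmhostsPath) } else { @() }
$Kept = @($Existing | Where-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return $true }   # blank lines and comments
    $fields = $line -split '\s+'
    return ($fields.Count -lt 2) -or -not $Resources.ContainsKey($fields[1])
})

$New = @(foreach ($Name in $Resources.Keys) {
    Test-LmhostsEntry -Name $Name -Address $Resources[$Name]
    # #PRE preloads the entry into the name cache at boot or on 'nbtstat -R',
    # so it answers before any WINS query or broadcast is attempted.
    '{0}     {1}     #PRE' -f $Resources[$Name], $Name
})

# Write ASCII text to the extensionless path; Notepad's default .txt suffix
# would leave the file ignored by Windows.
Set-Content -Path $LmhostsPath -Value ($Kept + $New) -Encoding Ascii

nbtstat -R   # purge the cache and reload the #PRE entries (no reboot needed)
nbtstat -c   # list the cache: the new names should appear with their addresses
```

Because LMHOSTS entries apply to every network connection on the client, not only the tunnel, keep the table limited to resources that are reachable only through the VPN, and re-run the script whenever one of those addresses changes.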