The goal of a branch office VPN connection is to allow users to connect to remote network resources as if those resources were on the local network. On the local network, NetBIOS traffic enables you to use the device name to connect to a network device. It is not necessary to know the IP address of each network device. However, NetBIOS relies on broadcast traffic to operate correctly, and local subnet broadcast traffic cannot be routed through a branch office VPN tunnel. So you must use an alternate method for name resolution through a branch office VPN tunnel.
Methods of Name Resolution Through a Branch Office VPN Tunnel
You can use one of two methods for name resolution:
- WINS/DNS (Windows Internet Name Service/Domain Name System). Configure a WINS server that contains a database of NetBIOS name resolution for the local network. Or configure a DNS server, which uses a similar method. If your domain uses only Active Directory, you must use DNS for name resolution.
- LMHOSTS file. Manually create an LMHOSTS file that you install on all client computers. The file contains a list of resource names and their associated IP addresses.
Select the Best Method for Your Network
Because of the limited administration requirements and current information it provides, WINS/DNS is the preferred solution for name resolution through a branch office VPN tunnel. The WINS server constantly listens to the local network and updates its information. If the IP address of a resource changes, or a new resource is added, you do not have to change any settings on the client computer. When the client tries to get access to a resource by name, a request is sent to the WINS/DNS servers and the WINS or DNS server returns the most current IP address.
If you do not already have a WINS server, the LMHOSTS file is a fast way to provide name resolution to client computers. Unfortunately, it is a static file and you must edit it manually any time there is a change. Also, the resource name/IP address pairs in the LMHOSTS file apply to all network connections, not only when the client computer is connected to your network.
Configure WINS or DNS for Name Resolution
Each network is unique in terms of the resources available and the skills of the administrators. The best resource to help you learn how to configure a WINS server is the documentation for your server. When you configure your WINS or DNS server, note that:
- The WINS server must be configured to be a client of itself.
- Your Firebox must be the default gateway of the WINS or DNS server.
- If you use a WINS server, you must make sure that network resources do not have more than one IP address assigned to a single network interface. NetBIOS only recognizes the first IP address assigned to an interface.
Use DNS and WINS Servers for Client Computers
If you use WINS or DNS for name resolution at one end of the branch office VPN tunnel, clients at the remote site should also use those WINS or DNS servers, or a local DNS server that can resolve the names of those remote resources.
For more information about how to configure network (global) DNS and WINS servers, see Configure Network DNS and WINS Servers.
If you have configured DNS or WINS settings in the DHCP settings for an interface, or in the mobile VPN configuration, this overrides the network (global) DNS server settings for client computers on that interface or VPN connection. For more information about DNS server precedence, see About DNS on the Firebox.
DNS Server Configuration for Managed VPNs
If you use your Management Server to configure Branch Office VPNs between your Fireboxes, you can easily configure remote sites to use the DNS servers configured on your main Firebox. The DNS server configured in the managed VPN tunnel sets the global DNS setting on the remote devices. This global setting can be overridden by a DNS server configured within the interface DHCP or Mobile VPN with SSL configuration on the remote device.
For more information about how to edit a managed VPN tunnel, see Edit a Tunnel Definition.
Configure an LMHOSTS File to Provide Name Resolution
When you use an LMHOSTS file to get name resolution for remote resources, no changes to the Firebox are necessary. Basic instructions to help you create an LMHOSTS file are included in the next section. You must follow these instructions to configure each device that needs to access resources by name across the VPN tunnel.
Edit an LMHOSTS File
- Find the LMHOSTS file on the client computer.
The LMHOSTS file is usually located in the C:\WINDOWS\system32\drivers\etc directory.
- Open the LMHOSTS file with a text editor, such as Notepad.
If you cannot find an LMHOSTS file, create a new file in a text editor.
- To create an entry in the LMHOSTS file, type the IP address of a network resource, five spaces, and then the name of the resource.
The resource name must be 15 characters or less. It should look like this:
- If you started with an older LMHOSTS file, save the file with the original file name.
If you created a new file, save it with the file name LMHOSTS (no file extension) in the C:\WINDOWS\system32\drivers\etc directory.
If you used Notepad to create the new file, you must also choose the type All Files in the Save dialog box, or Notepad adds the .txt file extension to the file name.
- Reboot the client computer for the LMHOSTS file to become active.
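As an added example (not part of the original documentation), the following Python script builds and checks LMHOSTS entries in the layout described above: IPv4 address, five spaces, then a resource name of at most 15 characters. The resource names and addresses are constructed sample values, and the duplicate-name check is an added safeguard against one NetBIOS name being mapped to two addresses.

```python
import ipaddress

# Constructed sample entries for remote-site resources (not from the original page).
SAMPLE_RESOURCES = [
    ("10.0.20.10", "FILESRV01"),
    ("10.0.20.11", "PRINTSRV"),
    ("10.0.20.12", "this-name-is-far-too-long"),  # longer than 15 characters
    ("10.0.20.300", "BADADDR"),                   # not a valid IPv4 address
    ("10.0.20.13", "FILESRV01"),                  # same name, second address
]
NETBIOS_MAX_LEN = 15
SEPARATOR = " " * 5  # the documented layout: IP address, five spaces, resource name


def validate_entry(ip, name):
    """Return None if (ip, name) is a usable LMHOSTS entry, else a reason string."""
    try:
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return f"{ip!r} is not a valid IPv4 address"
    if not name or len(name) > NETBIOS_MAX_LEN or any(c.isspace() for c in name):
        return f"{name!r} is not a NetBIOS name of 1-{NETBIOS_MAX_LEN} characters without spaces"
    return None


def build_lmhosts(resources):
    """Build LMHOSTS lines, rejecting invalid entries and a name mapped to two addresses.

    Returns (lines, problems). NetBIOS names are case-insensitive, so names are uppercased.
    """
    lines, problems, seen = [], [], {}
    for ip, name in resources:
        reason = validate_entry(ip, name)
        if reason is None and name.upper() in seen and seen[name.upper()] != ip:
            reason = f"{name!r} already maps to {seen[name.upper()]}; skipping {ip}"
        if reason:
            problems.append(reason)
            continue
        seen[name.upper()] = ip
        lines.append(f"{ip}{SEPARATOR}{name.upper()}")
    return lines, problems


def parse_lmhosts(text):
    """Parse LMHOSTS text into {NAME: ip}, ignoring blank lines and '#' comments."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            mapping[fields[1].upper()] = fields[0]
    return mapping
```

Write the returned lines to the LMHOSTS file described in the steps above, and review the problems list before rebooting the client.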