Does the pain and pressure of maintaining your company's VPN make you want to commit an act of VPN violence? Before you wage war on your virtual private network, take a look at what our VPN ambassadors have to say. In this two-part article, our site experts will bring peace to the front line of your VPN battleground.
SearchWin2000.com member: I'm worried that my company's home PC users accessing the corporate network via a VPN will spread viruses. It's virtually impossible to monitor these remote machines to make sure they have up-to-date firewalls and antivirus protection. Do you have any advice for those of us who have many users accessing our networks via a VPN from home computers?
Scott Blake: This is a big problem that is only getting bigger. There have only been a few high-profile instances of home computers being used as an attack vector into corporations, but there's every reason to believe there will be many more cases. Look for security vendors to be improving their offerings in the future.
One measure you can try now, which is very difficult to accomplish, is a strong company security policy. A written policy requiring remote users to comply with standards like using a firewall and current antivirus software can help bring the issues to users' minds. Although we'd all hate to do it, firing someone for noncompliance would be a huge help in getting the users conscious of their home machine security.
SearchWin2000.com member: Does Microsoft VPN work on Macs and PCs? If so, will Macs be able to access their shared drives?
Jerry Honeycutt: The PPTP VPN supported by Microsoft may be supported by Macs, but L2TP is not. If you can establish a PPTP connection between a Mac and Windows, then you can access anything on the Windows system/network that you could over a normal cabled network connection.
SearchWin2000.com member: I have VPN set up to my network and can ping my server's IP address and NetBIOS names, but I cannot access the shared folders. Do you have any clue what could be happening?
William Boswell: This could be caused by a couple of things. The most likely is that you are not resolving the flat names of the servers correctly. Are you running Windows 2000 or NT at the VPN client? If so, attempt to connect to a shared resource directly by IP address rather than by name as follows: net use *
If this works, then you know it is a name resolution issue. The most common cause for name resolution issues over a dial-up or VPN connection is the failure of the server to return a DHCP configuration packet containing the IP address of the WINS server. Verify this by making the VPN connection then running IPCONFIG /ALL. If there is no entry for WINS server, that's your problem. Add the WINS server manually to the IP configuration of the VPN connection and that should solve the problem.
SearchWin2000.com member: I have an RRAS server set up in our Windows 2000 environment. I have remote users logging in using a VPN connection that was created using the connection manager that comes with Win2k. A remote user can connect OK with this "connectoid," but after he has connected successfully to the server, how does he access network resources? He can't see anything extra in Network Neighborhood or any extra drives in My Computer. The RRAS server is configured to allocate IP addresses via DHCP.
Tony Northrup: To enable browsing of resources, you should add the systems to an Active Directory or, alternatively, create a WINS server. Either will allow the user to browse a directory of available network resources. If you're relying on broadcast messages to browse for resources, which is the default method in Win2k, VPN clients will not be able to browse or resolve NetBIOS names. However, they will be able to map connections using IP addresses. For example, a VPN client who does not have WINS or an Active Directory server configured could connect to the \\192.168.1.100\c$ share, but not to \\servername\c$.
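The two answers above describe the same diagnosis: if a share opens by IP address but not by flat name, the VPN client is missing WINS (or directory) name resolution. The following PowerShell script, an added example and not code from the original experts, automates that check on the Windows client once the VPN is up. The server name, IP address and share name are placeholders; it reads the WINS setting of each IP-enabled adapter through WMI and then tries the same share both ways.

```powershell
# Added example (not from the original Q&A): diagnose the "can ping but cannot
# reach shares over the VPN" symptom. Assumes a Windows client with the VPN
# connection already established. Server name, IP and share are placeholders.
param(
    [string]$ServerName = "SERVER01",        # flat (NetBIOS) name, placeholder
    [string]$ServerIP   = "192.168.1.100",   # the same host by IP, placeholder
    [string]$Share      = "c$"
)

# 1. List IP-enabled adapters with their primary WINS server. The RAS/VPN
#    adapter normally shows up as a "WAN (PPP/SLIP) Interface" / PPP adapter;
#    a WINS value of <none> on it is the condition the answers above describe.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($a in $adapters) {
    $wins = if ($a.WINSPrimaryServer) { $a.WINSPrimaryServer } else { "<none>" }
    "{0,-50} IP={1,-15} WINS={2}" -f $a.Description, ($a.IPAddress | Select-Object -First 1), $wins
}

# 2. Try the share by IP and by name. Test-Path returns $false (no exception)
#    when the path cannot be reached, so the comparison is safe to run as-is.
$byIp   = Test-Path "\\$ServerIP\$Share"
$byName = Test-Path "\\$ServerName\$Share"
"Share by IP   (\\$ServerIP\$Share):   $byIp"
"Share by name (\\$ServerName\$Share): $byName"

# 3. Interpret the result the way the answers do: IP works, name fails means
#    flat-name resolution, not the tunnel or share permissions, is the problem.
if ($byIp -and -not $byName) {
    "Name resolution problem: add the WINS server to the VPN connection's TCP/IP settings,"
    "or make the server resolvable via DNS/Active Directory."
} elseif (-not $byIp) {
    "Share unreachable even by IP: check the tunnel, any firewall on TCP 445/139, and share permissions."
} else {
    "Share reachable by name; name resolution over the VPN is working."
}
```

Run it with `.\Check-VpnShare.ps1 -ServerName yourserver -ServerIP 10.0.0.5` (file name is whatever you save it as). The adapter listing is the scripted equivalent of reading `IPCONFIG /ALL` for a missing WINS entry, and the by-IP versus by-name comparison is the scripted equivalent of the `net use` test in the earlier answer.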
SearchWin2000.com member: How can I eliminate the ability to cache passwords on a Windows 2000 Professional VPN connectoid?
Frank Alperstaedt: This depends largely on the VPN system being used. If it's the native Win2k VPN system, then you can use a registry edit to disable all dial-up password caching:
If you're using a third-party VPN system, then it would depend on that system's individual capabilities.
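For the native Win2k RAS/VPN client, the registry edit itself is not reproduced on this page. The following PowerShell snippet is an added example, not the expert's own text; it sets the RasMan `DisableSavePassword` value, a documented RAS client parameter, under `HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters`, and reads it back to confirm. It must be run from an elevated prompt and applies only to the built-in VPN connectoids, not to third-party clients.

```powershell
# Added example (not from the original answer): disable the "Save password"
# option for dial-up/VPN connectoids handled by the native Windows RAS client.
# Uses the RasMan DisableSavePassword value; run elevated.
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
$name    = "DisableSavePassword"

function Set-RasSavePasswordDisabled {
    # Create the Parameters key if it is somehow missing, then set the DWORD to 1.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    Set-ItemProperty -Path $keyPath -Name $name -Value 1 -Type DWord
}

function Test-RasSavePasswordDisabled {
    # Returns $true only when the value exists and equals 1.
    $v = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    return ($v -eq 1)
}

Set-RasSavePasswordDisabled
if (Test-RasSavePasswordDisabled) {
    "$name = 1: the 'Save password' box is disabled for RAS/VPN connectoids on this machine."
} else {
    "Could not set $name; confirm the shell is running elevated."
}
```

Setting this value is a per-machine control, so it belongs in the build image or a login script for the remote PCs rather than being left to each user; Test-RasSavePasswordDisabled can be reused on its own as a compliance check.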