Previous Index Next

ISCS version 0.1.1

Windows Remote Access User Notes

Windows remote access users may require some registry changes to enable full windows functionality remotely.

Authentication Problems:

Some Windows versions exempt Kerberos authentication traffic from being tunneled when using either IPSec or L2TP over IPSec. Some IPSec clients account for this and make the requisite registry changes while others, including several popular open source front ends to the built in Microsoft IPSec implementation, do not. This solution may also require patches on Windows 2000 and Windows 2003.

If you are experiencing authentication problems with IPSec or L2TP over IPSec remote access users, you may need the following registry setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt DWORD registry value set to 1

Network Browsing:

These recommendations apply to IPSec, L2TP over IPsec and OpenVPN remote access solutions. Network browsing should not be done via broadcast in a remote access environment. Thus, the client should be set to either a hybrid node (H-node - typically the default) or a point-to-point node (P-node). One must configure a WINS server, enable NetBIOS traffic to it and configure the clients to use the WINS. Incidentally, primary and secondary WINS values should be configured in the client set up even if the same WINS is used for both. WINS and NetBIOS are required for network browsing even in a 100% active directory environment.

The following registry changes will be required to reliably build a browse list. They may or may not have been made automatically by your VPN client:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster set to FALSE

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList set to FALSE

Previous Index Next