Internal firewall - can't do NT Login Auth

Post by kli.. » Sat, 03 Jun 2000 04:00:00

HI !

I am setting up a firewall between 2 internal networks - at this point
it is just forwarding from our 10.0.0.0 network to our 172.16.0.0
network. I can ping and telnet to unix hosts and use any other protocol
I have tried.

The problem I am having is that I need a machine on the 10.0.0.0 network
to do an NT domain logon to get at NT resources on the other side of the
firewall.

I did a tcpdump of a connection attempt and it is doing a local directed
broadcast to find the logon server:

10.10.10.76.netbios-ns > 10.255.255.255.netbios-ns: udp 68

It tries a couple of times then does a DNS query and tells the
workstation it can't find a domain server to do the authentication.

I assume that I am not passing the broadcast thru the firewall, how can
I do this ?

Or is there an easier solution ?

Thanks
Kevin

Sent via Deja.com http://www.deja.com/
Before you buy.


Internal firewall - can't do NT Login Auth

Post by Robert Marshal » Sat, 03 Jun 2000 04:00:00
Easier? Not particularly.

You will probably want to run WINS. Microsoft networks want either to be
able to broadcast to find every server on the network, or to run WINS.
This is especially important in routed networks, since a PC obviously
cannot (and should not) broadcast across a router.

If WINS is not an option, you can *try* using DNS, but do not expect it
to be easy. You will have to update a system file on every Win95/98
machine (c:\windows\system\vnbt.386), you will have lots of trouble with
network boot disks made with Network Client Administrator, and you will
have lots of trouble getting new NT servers and workstations to join the
domain. The secret to getting DNS to work at all is to create a host
record for the domain name that points to the PDC's ip address.

Finally, you can co-locate domain controllers. By placing a BDC on the
other network, you give the 95/98 devices a domain controller to talk to
via broadcast. This should work well for logins, but does not address
password changes or server/workstation additions.

I would not consider using lmhosts files for a network of more than,
say, five client PC's. And you should NEVER forward broadcasts across a
firewall.


> HI !

> I am setting up a firewall between 2 internal networks - at this point
> it is just forwarding from our 10.0.0.0 network to our 172.16.0.0
> network. I can ping and telnet to unix hosts and use any other protocol
> I have tried.

> The problem I am having is that I need a machine on the 10.0.0.0 network
> to do an NT domain logon to get at NT resources on the other side of the
> firewall.

> I did a tcpdump of a connection attempt and it is doing a local directed
> broadcast to find the logon server:

> 10.10.10.76.netbios-ns > 10.255.255.255.netbios-ns: udp 68

> It tries a couple of times then does a DNS query and tells the
> workstation it can't find a domain server to do the authentication.

> I assume that I am not passing the broadcast thru the firewall, how can
> I do this ?

> Or is there an easier solution ?

> Thanks
> Kevin

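The datagram in the trace above is a NetBIOS Name Service (UDP/137) request, and the difference between the broadcast the workstation is sending and the unicast a WINS client would send instead is a single flag bit in its header. The following is an added example written for this thread (not code posted by either participant) that builds and decodes such datagrams per RFC 1001/1002: a name query for the domain's <1C> group (the name a client resolves to find a logon server), the same query with the B flag cleared as a WINS (P-node) client would send it, and a name registration request, which carries the client's node type and address in an extra resource record. The names EXAMPLE and WKSTN76 are constructed; 10.10.10.76 is the client address from the tcpdump line. For reference, a name query request is 50 bytes of UDP payload and a registration request is 68.

```python
"""Build and decode NetBIOS Name Service (UDP/137) datagrams, RFC 1001/1002.

Added example for this thread, not code from either poster. Names such as
EXAMPLE and WKSTN76 are constructed; 10.10.10.76 is the client address from
the tcpdump line in the question.
"""
import struct
from typing import List, Tuple

NBNS_PORT = 137  # shown as "netbios-ns" by tcpdump

# Well-known 16th-byte suffixes.
SUFFIX_WORKSTATION = 0x00
SUFFIX_DOMAIN_CONTROLLERS = 0x1C   # <DOMAIN>[1C]: the group a client queries to find a logon server
SUFFIX_FILE_SERVER = 0x20

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
NODE_TYPES = "BPMH"  # ONT field: Broadcast, Point-to-point (WINS only), Mixed, Hybrid


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15 space-padded chars plus the suffix byte, each byte
    split into two nibbles offset by 'A' (32 chars), as one length-prefixed label
    followed by the zero-length root label (no NetBIOS scope)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    half_ascii = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(half_ascii)]) + half_ascii + b"\x00"


def decode_netbios_name(buf: bytes, offset: int = 0) -> Tuple[str, int, int]:
    """Inverse of encode_netbios_name. Returns (name, suffix, offset after the name)."""
    length = buf[offset]
    if length != 32:
        raise ValueError("expected a 32-character half-ASCII label, got %d" % length)
    half = buf[offset + 1:offset + 33]
    raw = bytes(((half[i] - 0x41) << 4) | (half[i + 1] - 0x41) for i in range(0, 32, 2))
    offset += 33
    while buf[offset] != 0:          # skip any scope labels
        offset += 1 + buf[offset]
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], offset + 1


def _header(trn_id: int, opcode: int, broadcast: bool, qdcount: int, arcount: int) -> bytes:
    # FLAGS: R | OPCODE(4) | AA TC RD RA 0 0 B | RCODE(4). Requests set RD (0x0100);
    # the B bit (0x0010) is what separates a B-node broadcast from a unicast to WINS.
    flags = (opcode << 11) | 0x0100 | (0x0010 if broadcast else 0)
    return struct.pack("!HHHHHH", trn_id, flags, qdcount, 0, 0, arcount)


def build_name_query(name: str, suffix: int, trn_id: int = 0x8001, broadcast: bool = True) -> bytes:
    """NAME QUERY REQUEST: 12-byte header + 34-byte name + QTYPE NB + QCLASS IN = 50 bytes."""
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)
    return _header(trn_id, 0, broadcast, 1, 0) + question


def build_name_registration(name: str, suffix: int, ip: str, trn_id: int = 0x8002,
                            broadcast: bool = True, node_type: str = "B",
                            group: bool = False, ttl: int = 300000) -> bytes:
    """NAME REGISTRATION REQUEST: the query layout plus one additional RR whose name is
    a pointer (0xC00C) back to the question name, for 68 bytes of UDP payload."""
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)
    nb_flags = (0x8000 if group else 0) | (NODE_TYPES.index(node_type) << 13)
    rr = struct.pack("!HHHIHH", 0xC00C, 0x0020, 0x0001, ttl, 6, nb_flags)
    rr += bytes(int(octet) for octet in ip.split("."))
    return _header(trn_id, 5, broadcast, 1, 1) + question + rr


def parse_nbns(packet: bytes) -> dict:
    """Decode the fields an analyst wants from a captured NBNS datagram."""
    trn_id, flags, qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    opcode = (flags >> 11) & 0xF
    info = {
        "trn_id": trn_id,
        "opcode": OPCODES.get(opcode, opcode),
        "response": bool(flags & 0x8000),
        "broadcast": bool(flags & 0x0010),
        "rcode": flags & 0xF,
        "length": len(packet),
    }
    off = 12
    questions: List[Tuple[str, int]] = []
    for _ in range(qd):
        name, suffix, off = decode_netbios_name(packet, off)
        off += 4  # QTYPE, QCLASS
        questions.append((name, suffix))
    info["questions"] = questions
    if ar and (packet[off] & 0xC0) == 0xC0:   # registration/refresh/release RR with a name pointer
        _, _, _, ttl, _, nb_flags = struct.unpack_from("!HHHIHH", packet, off)
        off += 14
        info["registers"] = {
            "address": ".".join(str(b) for b in packet[off:off + 4]),
            "group": bool(nb_flags & 0x8000),
            "node_type": NODE_TYPES[(nb_flags >> 13) & 3],
            "ttl": ttl,
        }
    return info


if __name__ == "__main__":
    # What a B-node client sends to 10.255.255.255 when it needs a logon server:
    bcast = build_name_query("EXAMPLE", SUFFIX_DOMAIN_CONTROLLERS)
    # The same lookup a WINS client sends unicast to its WINS server instead:
    unicast = build_name_query("EXAMPLE", SUFFIX_DOMAIN_CONTROLLERS, broadcast=False)
    reg = build_name_registration("WKSTN76", SUFFIX_WORKSTATION, "10.10.10.76")
    for pkt in (bcast, unicast, reg):
        print(parse_nbns(pkt))
```

Run it to see the three decoded datagrams; the only difference between the first two is `broadcast`, which is why a firewall that drops directed broadcasts stops the B-node lookup but passes the unicast WINS query on UDP/137 without any change to the rule set beyond allowing that port to the WINS server.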