Name Resolution for Mobile VPN with SSL
The goal of a mobile VPN connection is to allow users to connect to network resources as if they were connected locally. On a local network, NetBIOS name traffic lets you connect to a device by its name; it is not necessary to know the IP address of each network device. However, a mobile VPN tunnel is a routed, point-to-point link and cannot pass broadcast traffic. Because NetBIOS name queries are broadcasts, you must use an alternate method for name resolution.
Methods of Name Resolution Through a Mobile VPN with SSL Connection
You must choose one of these two methods for name resolution:
WINS/DNS (Windows Internet Name Service/Domain Name System)
A WINS server keeps a database that maps NetBIOS names to IP addresses for the local network. DNS does the same for host names. If your domain uses only Active Directory, you must use DNS for name resolution.
LMHOSTS file
The LMHOSTS file is a manually created file that you install on all computers with Mobile VPN with SSL. The file contains a list of resource names and their associated IP addresses.
Select the Best Method for Your Network
Because of the limited administration requirements and current information it provides, WINS/DNS is the preferred solution for name resolution through a Mobile VPN tunnel. The WINS server constantly listens to the local network and updates its information. If the IP address of a resource changes, or a new resource is added, you do not have to change any settings on the SSL client. When the client tries to get access to a resource by name, a request is sent to the WINS/DNS servers and the most current information is given.
If you do not already have a WINS server, the LMHOSTS file is a fast way to provide name resolution to Mobile VPN with SSL clients. Unfortunately, it is a static file and you must edit it manually any time there is a change. Also, the resource name/IP address pairs in the LMHOSTS file are applied to all network connections, not only the Mobile VPN with SSL connection, and every connection on the computer trusts its contents, so the file should remain writable only by administrators (the default for its location under the Windows system directory).
Configure DNS or WINS for Name Resolution
Each network is unique in terms of the resources available and the skills of the administrators. The best resource to help you learn how to configure a WINS server is the documentation for your server, such as the documentation found on the Microsoft website. When you configure your WINS or DNS server, note that:
- The WINS server must be configured to be a client of itself.
- Your Firebox must be the default gateway of the WINS and DNS servers, or those servers must have a route to the Mobile VPN with SSL client address pool through the Firebox; otherwise their replies to mobile clients are not routed back through the tunnel.
- For WINS, you must make sure that network resources do not have more than one IP address assigned to a single network interface. NetBIOS only recognizes the first IP address assigned to a NIC.
Add DNS and WINS Servers to a Mobile VPN with SSL Configuration
In Fireware v12.3, the steps to open the Mobile VPN with SSL configuration changed. In Fireware Web UI v12.2.1 or lower, select VPN > Mobile VPN with SSL. In Policy Manager v12.2.1 or lower, select VPN > Mobile VPN > SSL.
From Fireware Web UI:
- Select VPN > Mobile VPN.
- In the SSL section, click Configure.
The Mobile VPN with SSL General page appears.
- Select the Advanced tab.
The Mobile VPN with SSL Advanced page appears.
- In the DNS Settings section, select one of these options:
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.
By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, clients do not receive DNS or WINS settings from the Firebox. They continue to use the DNS settings of their local network adapter, so internal names resolve only if the client has another source for them, such as an LMHOSTS file.
Assign these settings to mobile clients
If you select this option, mobile clients receive the domain name suffix, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.
You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.
For more information about DNS and WINS server settings for Mobile VPN with IPSec users, go to Configure DNS and WINS Servers for Mobile VPN with IPSec.
For more information on DNS and WINS, go to Name Resolution for Mobile VPN with SSL.
- Click Save.
From Policy Manager:
- Select VPN > Mobile VPN > SSL.
- Select the Advanced tab.
- In the DNS Settings section, select one of these options:
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.
By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, clients do not receive DNS or WINS settings from the Firebox. They continue to use the DNS settings of their local network adapter, so internal names resolve only if the client has another source for them, such as an LMHOSTS file.
Assign these settings to mobile clients
If you select this option, mobile clients receive the domain name suffix, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.
You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.
For more information about DNS and WINS server settings for Mobile VPN with IPSec users, go to Configure DNS and WINS Servers for Mobile VPN with IPSec.
For more information about DNS and WINS, go to Name Resolution for Mobile VPN with SSL.
- Click OK.
- Save the Configuration File.
The next time an SSL client computer authenticates to the Firebox, the new settings are applied to the connection.
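The following PowerShell script is an added example, not code from the WatchGuard page or product. Run it on a Windows client while the Mobile VPN with SSL tunnel is up to confirm that the DNS and WINS settings pushed by the Firebox actually landed on the tunnel adapter, and that an internal name resolves through the pushed server rather than through the client's local resolver. The DNS server 10.0.2.53 and suffix example.com are the page's own example values; the probe host name fileserver and the way the tunnel adapter is identified (as the adapter that lists the expected DNS server) are assumptions.

```powershell
# Added example (not from the WatchGuard page): verify, on a Windows client
# with the Mobile VPN with SSL tunnel up, that the DNS/WINS settings the
# Firebox pushes reached the tunnel adapter and are actually used.
# Values below are the page's examples; $ProbeHost is an assumed internal host.
# Read-only; no elevation needed.

param(
    [string]$ExpectedDns    = '10.0.2.53',    # DNS server set in the Firebox config
    [string]$ExpectedSuffix = 'example.com',  # domain name suffix set in the Firebox config
    [string]$ProbeHost      = 'fileserver'    # assumed internal host, unqualified name
)

# Every IP-enabled adapter, with the DNS/WINS values the TCP/IP stack holds.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'

# Assumption: the tunnel adapter is the one that received the expected DNS server.
$tunnel = $adapters |
    Where-Object { $_.DNSServerSearchOrder -contains $ExpectedDns } |
    Select-Object -First 1

if (-not $tunnel) {
    Write-Warning "No adapter lists $ExpectedDns as a DNS server. Either the tunnel is down, or the Firebox is set to 'Do not assign DNS or WINS settings to mobile clients'."
    $adapters | Select-Object Description, IPAddress, DNSServerSearchOrder | Format-Table -AutoSize
    return
}

"Tunnel adapter : $($tunnel.Description)"
"DNS servers    : $($tunnel.DNSServerSearchOrder -join ', ')"
"DNS suffix     : $($tunnel.DNSDomain)"
"WINS servers   : $($tunnel.WINSPrimaryServer), $($tunnel.WINSSecondaryServer)"

if ($tunnel.DNSDomain -ne $ExpectedSuffix) {
    Write-Warning "Connection-specific suffix is '$($tunnel.DNSDomain)', expected '$ExpectedSuffix'; unqualified names will not be completed with it."
}

# Resolve the name directly at the pushed server, then through the system
# resolver. If the answers differ, another adapter's resolver (typically the
# ISP or home router) is answering for internal names.
$direct = Resolve-DnsName -Name "$ProbeHost.$ExpectedSuffix" -Server $ExpectedDns -Type A -ErrorAction SilentlyContinue
$system = Resolve-DnsName -Name $ProbeHost -Type A -ErrorAction SilentlyContinue

$directAddrs = (@($direct.IPAddress) | Sort-Object) -join ','
$systemAddrs = (@($system.IPAddress) | Sort-Object) -join ','

if (-not $direct) {
    Write-Warning "$ProbeHost.$ExpectedSuffix did not resolve at $ExpectedDns; check that the Firebox allows DNS from the SSL client address pool to that server."
} elseif (-not $system) {
    Write-Warning "Resolves at $ExpectedDns but not through the system resolver; the tunnel adapter is not being used for this name."
} elseif ($directAddrs -ne $systemAddrs) {
    Write-Warning "System resolver returned $systemAddrs but $ExpectedDns returned $directAddrs; a different resolver is answering."
} else {
    "OK: $ProbeHost -> $systemAddrs via $ExpectedDns"
}
```

The final comparison is the check worth keeping: a tunnel that pushes the right DNS server but whose adapter loses to the local resolver still "works" for names the local resolver happens to know, and silently sends internal host names to an outside server for the rest.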
Configure the LMHOSTS File to Provide Name Resolution
When you use the LMHOSTS file to get name resolution for your Mobile VPN clients, no changes to the Mobile VPN client software are necessary. In Fireware v12.2 or lower, no Firebox changes are necessary.
In Fireware v12.2.1 or higher, you must configure a setting in the Mobile VPN with SSL configuration so that no DNS or WINS settings are assigned to mobile clients.
From Fireware Web UI:
- Select VPN > Mobile VPN.
- In the SSL section, click Configure.
The Mobile VPN with SSL General page appears.
- Select the Advanced tab.
The Mobile VPN with SSL Advanced page appears.
- In the DNS Settings section, select Do not assign DNS or WINS settings to mobile clients.
If you select this option, clients do not receive DNS or WINS settings from the Firebox.
- Click Save.
From Policy Manager:
- Select VPN > Mobile VPN > SSL.
- Select the Advanced tab.
The Mobile VPN with SSL Advanced page appears.
- In the DNS Settings section, select Do not assign DNS or WINS settings to mobile clients.
If you select this option, clients do not receive DNS or WINS settings from the Firebox.
- Click Save.
Basic instructions to help you create an LMHOSTS file are included in the next section.
Edit the LMHOSTS File
To edit the LMHOSTS file on the Mobile VPN client computer:
- Find the LMHOSTS file on the Mobile VPN client computer.
The LMHOSTS file is usually located in the C:\WINDOWS\system32\drivers\etc directory. Windows also ships a sample file, lmhosts.sam, in the same directory; that file is not read by the system, so do not edit it in place of lmhosts.
- Open the LMHOSTS file with a text editor, such as Notepad.
If you cannot find an LMHOSTS file, create a new file in a text editor.
- To create an entry in the LMHOSTS file, type the IP address of a network resource, five spaces, and then the name of the resource.
The resource name must be 15 characters or less (the NetBIOS name limit) and must not contain spaces. It should look like this:
192.168.42.252     server_name
- If you started with an older LMHOSTS file, save the file with the original file name.
If you created a new file, save it with the file name lmhosts (no file extension) in the C:\WINDOWS\system32\drivers\etc directory. Writing to this directory requires administrator rights.
If you used Notepad to create the new file, you must also choose the type All Files in the Save dialog box, or Notepad adds the .txt file extension to the file name and Windows ignores the file.
- Reboot the SSL client computer for the LMHOSTS file to become active, or run nbtstat -R from an administrator command prompt to purge the NetBIOS name cache and reload the file without a reboot.
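The following PowerShell script is an added example, not code from the WatchGuard page or product. It does from a script what the steps above do by hand: it validates each entry against the rules the page gives (an IPv4 address, a resource name of 15 characters or less), appends the entries to lmhosts without adding a file extension, writes plain ASCII so no byte-order mark lands in front of the first address, and reloads the NetBIOS name cache with nbtstat -R instead of rebooting. The server names and addresses are constructed sample data; the #PRE keyword is an optional LMHOSTS feature that preloads an entry into the cache, not something the page requires.

```powershell
# Added example (not from the WatchGuard page): add name/IP entries to the
# client's LMHOSTS file from PowerShell, enforcing the rules the page gives
# (15-character names, file saved with no extension) and reloading the
# NetBIOS name cache without a reboot. Entries below are constructed samples.
# Must run in an elevated (Administrator) PowerShell session.

$LmhostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'

# Constructed entries: IP address and NetBIOS name of each internal resource.
# Preload = $true adds the optional '#PRE' tag so the entry is cached up front.
$entries = @(
    @{ Ip = '192.168.42.252'; Name = 'server_name'; Preload = $true  }
    @{ Ip = '192.168.42.10';  Name = 'fileserver';  Preload = $false }
)

function Test-LmhostsEntry {
    param([string]$Ip, [string]$Name)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or
        $addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "'$Ip' is not an IPv4 address"
    }
    if ($Name.Length -lt 1 -or $Name.Length -gt 15 -or $Name -match '\s') {
        throw "'$Name' must be 1-15 characters with no whitespace (NetBIOS name limit)"
    }
}

# Existing entry lines (those that start with a digit), so a name is not added twice.
$existing = @()
if (Test-Path $LmhostsPath) {
    $existing = Get-Content $LmhostsPath | Where-Object { $_ -match '^\s*\d' }
}

$newLines = foreach ($e in $entries) {
    Test-LmhostsEntry -Ip $e.Ip -Name $e.Name
    $namePattern = "^\s*\S+\s+$([regex]::Escape($e.Name))(\s|$)"
    if ($existing | Where-Object { $_ -match $namePattern }) {
        Write-Warning "$($e.Name) is already in LMHOSTS, skipping"
        continue
    }
    # Address padded to a fixed width, then the name, then the optional tag.
    if ($e.Preload) { '{0,-15} {1} #PRE' -f $e.Ip, $e.Name }
    else            { '{0,-15} {1}'      -f $e.Ip, $e.Name }
}

if ($newLines) {
    # ASCII so no byte-order mark is written ahead of the first address.
    # Add-Content creates the file if it is missing and appends no extension.
    Add-Content -Path $LmhostsPath -Value $newLines -Encoding Ascii
    "Added $(@($newLines).Count) entries to $LmhostsPath"
}

# Purge the NetBIOS name cache and reload the #PRE entries from LMHOSTS,
# then list the cache; entries without #PRE are read on the next lookup miss.
nbtstat -R | Out-Null
nbtstat -c
```

After the script runs, an entry tagged #PRE appears in the nbtstat -c output immediately; an untagged entry appears there only after the name is first looked up.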
See also: Download, Install, and Connect the Mobile VPN with SSL Client