Resolving common VPN problems

When it comes to virtual private networks (VPNs), TechRepublic's Ted Laun has seen his share of troubles. As a support technician, he not only serves users in our offices but also troubleshoots for our many remote users.

Laun has identified two common problems he sees in VPN clients:

1. Authentication issues on NT/Windows 2000 domains

2. DNS resolution difficulties, especially with those using Windows 98

If you're a consultant who is responsible for training your clients' VPN users, consider these simple tips from Laun and head off these problems with some preemptive user education.

Disadvantage: Home user operating systems

Although some companies don't allow this practice due to security issues like virus protection, TechRepublic allows independent contractors and employees who work from home to use personal equipment.

Like most companies, TechRepublic has an operating system standard, Windows 2000, for its computers. However, remote users may not have an up-to-date OS, which can present difficulties for Laun.

"You know nothing about their operating system, so right from the start when you're trying to help them configure, you're at a disadvantage," he said.

Norris' troubles: Authentication on NT/Windows 2000 domains

Here's an illustration of an authentication issue that Laun encountered recently. TechRepublic employee Norris Shelton was working from home recently when he encountered an "access denied" message as he tried to use some network resources over the VPN.

"When Norris is at home and connects via VPN and tries to hit a network resource, it comes back to his machine looking for account information," Laun explained. "It really doesn't like it because his machine isn't a member of the domain. It doesn't understand his account information, so it gives him an access denied."

TechRepublic uses domain permissions to allow employee access to corporate shares. In the office, users have no problem accessing any part of the network for which they have permission. As they navigate to a network resource, it challenges their machine for credentials, and the machine answers with the domain account information the employee entered when logging on.

In Norris' case, he was being denied access to network resources because he was using the same username and password on his home machine as if that machine were set up for the TechRepublic domain, Laun said. Such a problem, he said, is common for users with Windows NT or 2000.

"You're actually challenging the machine itself, not the domain," he explained. "You have to type in the domain name, backslash (\), username, and then the password. That's one of those things that you either know or you don't. It's not intuitive at all."

Here's how it would work.

If a user, Johnny Doe, has a username of Jdoe and the password "identity," he might assume that he would be able to use the same username and password on his home machine that he does at work. If he enters the following...

...he won't be able to access the network.

However, if he adds the domain name before the username, he should be able to get it. Here's how it would look if the domain name were "TECHREPUB."
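The following Python model, added here and not part of the original article, works through Laun's rule: a bare username is attributed to the machine it was typed on, so from a home PC that is not a domain member it never reaches the TechRepublic domain, while DOMAIN\username names the domain explicitly. The account store, machine names and passwords are constructed sample data, and the checking logic is a simplified stand-in for what the file server does, not Windows code.

```python
"""
Where a Windows logon name is sent for checking (added example: a model of the
rule described in the article, not Windows code).  A bare username is
attributed to the machine the user typed it on; DOMAIN\\username names the
domain explicitly.  Accounts, machine names and passwords are constructed.
"""
from __future__ import annotations

import hmac

# Constructed: accounts known to the corporate domain controller.
DOMAIN_ACCOUNTS = {"TECHREPUB": {"Jdoe": "identity"}}


def parse_logon(logon: str, machine_name: str, machine_domain: str | None):
    """Split a logon string into (authority, username).

    'TECHREPUB\\Jdoe' -> ('TECHREPUB', 'Jdoe')   authority named explicitly
    'Jdoe' on a domain member  -> (machine's domain, 'Jdoe')
    'Jdoe' on a stand-alone PC -> (machine's own name, 'Jdoe')
    """
    if "\\" in logon:
        authority, user = logon.split("\\", 1)
        return authority.upper(), user
    return (machine_domain or machine_name).upper(), logon


def check_access(logon, password, machine_name, machine_domain, domains=DOMAIN_ACCOUNTS):
    """Decide, as the file server would, whether the credential grants access.

    Returns (granted, reason).  The server only trusts authorities that are
    domains it knows; a home PC's own name is not one of them, which is the
    "access denied" Norris saw.
    """
    authority, user = parse_logon(logon, machine_name, machine_domain)
    accounts = domains.get(authority)
    if accounts is None:
        return False, f"access denied: '{authority}' is not a trusted domain"
    expected = accounts.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return False, f"access denied: bad credentials for {authority}\\{user}"
    return True, f"granted: {authority}\\{user}"


if __name__ == "__main__":
    # In the office: the PC is a TECHREPUB member, so a bare name is enough.
    print(check_access("Jdoe", "identity", "OFFICE-PC", "TECHREPUB"))
    # At home over the VPN: same name and password, but the PC is stand-alone.
    print(check_access("Jdoe", "identity", "JOHNNYS-PC", None))
    # At home, qualified with the domain name as Laun advises.
    print(check_access("TECHREPUB\\Jdoe", "identity", "JOHNNYS-PC", None))
```

The second call is the failing case from the article: the credentials are correct, but they are presented on behalf of JOHNNYS-PC rather than TECHREPUB, so the server has nothing to check them against.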

Laun said training users to differentiate between their use at the office and at home can quickly solve the problem and head off user and administrative headaches.

(Tip: Make sure that remote users understand that their VPN connection doesn't automatically authenticate them to their domain, and that they won't get access to their resources unless they log in to the domain.)

Katy's woes: DNS resolution errors

In another instance, Katy Yocom, a freelance editor, had difficulty accessing TechRepublic's content management system (CMS) from her home computer, which uses Windows 98. When she called Laun for support, he found that her troubles stemmed from a Domain Name System (DNS), or name resolution, issue.

Once logged on to the network on-site at TechRepublic, users can access the CMS simply by typing contentmanagement into a browser address bar. That wouldn't work on Katy's home computer.

"The first place it's going to try to resolve that name is to an IP address," Laun said. "It's going to go to the Internet DNS servers and they're going to say, 'nope, we don't know what that means.'

"One of the things about Windows 95, Windows 98, and NT 4 is that its TCP/IP stack is not strong or robust. If it goes to the first couple of DNS servers and doesn't find it, it just gives up."

To resolve the issue, users must use a fully qualified domain name, Laun said. While the solution is simple, it's far from something the average user would know, he said. A fully qualified domain name consists of the network resource, the domain name, and your Web address. For example, an address to a company's content management system might look like the following:

http://contentmanagement.domainname.businessname.com

Laun said he often arrives at the office on Monday mornings to find e-mail or voice mail from users who have tried to access network resources during the weekend. Without a fully qualified domain name, they're unable to reach those files, shares, or systems.

He suggests that one way to head off this problem is to not let users get in the habit of using abbreviated names while working from the office. For example, TechRepublic might have had users set up a shortcut to the fully qualified domain name of the CMS instead of telling users they could simply type contentmanagement into their browser address bars. That way, when they work from home and have logged on through a VPN connection, they can use the address they're accustomed to using.

(Tip: Encourage users to use a fully qualified domain name for network resources instead of accessing network resources using shortcuts.)


©2001 TechRepublic, Inc.


Talkback (1 comment)

    Anonymous -- 23/09/04

    Access to short names (i.e. not FQDNs) can be accomplished by creating an entry in the <WinSys>\hosts file. E.g. c:\windows\hosts. Windows98 includes a sample file called hosts.sam.

    I've also used this method to resolve name accesses for web servers that rewrite URLs into names that the clients no longer recognize. For instance, a MediaWiki server that rewrites URLs to use a name that successfully resolves on the internal name servers but does not successfully resolve by external name servers. Adding a line

    <address> <internal server name>

    allowed the rewritten URLs to be resolved by the hosts file to the (VPNed and NATed) address.

    Some shortcut domain names are assigned in A (alias) records. It is a trivial exercise to write a script to publish A records into a well-formed hosts file. Then users can use that hosts file on their client machines and successfully resolve aliases.
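The Python model below is an added example, not code from the article or from the Talkback commenter. It covers both the article's point (a short name such as contentmanagement only resolves when the client appends the right DNS suffix, which an office PC gets and a home PC does not, so the fully qualified name is what works off-site) and the commenter's suggestion (the hosts file is consulted before DNS, so publishing short names there restores them at home). The zone records, addresses, suffix list and hosts-file content are all constructed sample data; the resolver is a simplified stand-in for the Windows client's lookup order.

```python
"""
Name resolution as a remote VPN user experiences it (added example, not from
the article or the Talkback comment).  Models two things: a short name only
resolves when the client appends the right DNS suffix, and a hosts file is
consulted before DNS.  Every name, address and record below is constructed.
"""
from __future__ import annotations

# Constructed: records the corporate DNS zone publishes.
CORP_ZONE = {
    "contentmanagement.domainname.businessname.com": "10.0.5.20",
    "fileserver.domainname.businessname.com": "10.0.5.21",
}

# Constructed: what the resolver a home PC uses can answer.  It can reach the
# corporate zone by full name over the VPN but has no idea what the bare word
# "contentmanagement" means.
HOME_DNS = {"www.businessname.com": "203.0.113.10", **CORP_ZONE}

# Office PCs get this suffix from the corporate network; home PCs do not.
OFFICE_SUFFIXES = ["domainname.businessname.com"]


def parse_hosts(text: str) -> dict[str, str]:
    """Parse hosts-file text ('address name [alias ...]', '#' comments) into name -> address."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)  # first entry wins, as the resolver does
    return table


def build_hosts(records: dict[str, str], with_short_names: bool = True) -> str:
    """Render a well-formed hosts file from name -> address records.

    With with_short_names, each FQDN's first label is added as an alias so
    the abbreviated names users are accustomed to keep working off-site.
    """
    lines = ["# generated from corporate DNS records (constructed example)"]
    for fqdn, addr in sorted(records.items()):
        names = [fqdn] + ([fqdn.split(".", 1)[0]] if with_short_names else [])
        lines.append(f"{addr:<16}{' '.join(names)}")
    return "\n".join(lines) + "\n"


def resolve(name: str, hosts: dict[str, str], dns: dict[str, str], suffixes: list[str]):
    """Resolve like a Windows client: hosts file first, then DNS, trying the
    name as typed and then with each configured suffix appended.

    Returns (address, how) on success or (None, 'not found').
    """
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    for candidate in [key] + [f"{key}.{s.lower()}" for s in suffixes]:
        if candidate in dns:
            return dns[candidate], f"dns:{candidate}"
    return None, "not found"


if __name__ == "__main__":
    # In the office the short name works because the suffix is appended.
    print(resolve("contentmanagement", {}, CORP_ZONE, OFFICE_SUFFIXES))
    # At home the same short name fails; the fully qualified name succeeds.
    print(resolve("contentmanagement", {}, HOME_DNS, []))
    print(resolve("contentmanagement.domainname.businessname.com", {}, HOME_DNS, []))
    # The Talkback suggestion: ship a hosts file that carries the short names.
    hosts = parse_hosts(build_hosts(CORP_ZONE))
    print(resolve("contentmanagement", hosts, HOME_DNS, []))
```

The hosts-file route trades one maintenance task for another: entries are static, so whenever the address behind a name changes, every remote client's file is wrong until it is regenerated and redistributed, which is why training users on the fully qualified name (or shipping a shortcut to it, as Laun suggests) remains the simpler fix.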
