06-09-2008 01:48 PM
I have been asked by a colleague if the following is possible: Two sites connected via two SSG5 firewalls by a site-to-site VPN tunnel. Both sites use NetBIOS name resolution by means of broadcast messages (all nodes are in B mode). No WINS server is in use and cannot be installed in the near future.
Is it possible that the SSG5 firewalls forward the NetBIOS name resolution broadcast messages, i.e. acting as some kind of NetBIOS proxy, to allow computers from one side to resolve NetBIOS names from computers in the other site?
06-09-2008 09:56 PM
You can use the NetBIOS over TCP/IP option in the NIC properties.
06-09-2008 11:11 PM
I think you misunderstand me. The option "NetBIOS over TCP" in the NIC properties just enables or disables NetBIOS on some workstation. It is enabled by default and if you disable it, all programs that use the NetBIOS API won't work. In particular, the SMB protocol is used in its SMB over TCP/IP variant instead of encapsulating it in NetBIOS packets that are themselves tunneled in TCP packets.
This option has to be enabled so that the Browser service can work. If so, it uses NetBIOS broadcasts that are implemented as ordinary UDP broadcasts in the subnet. The firewall as a Layer 3 device will be the border of the broadcast domain and therefore not forward these broadcast packets through the VPN tunnel.
What I'm actually looking for is a ScreenOS option that makes the FW detect these broadcast packets and forward them anyway through the tunnel after doing some kind of rewriting of the packet to reflect that they are now in a different subnet. Very similar to the way a DHCP relay works, which also listens for some specific broadcast messages and forwards them to a server configured in the options.
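For reference, an added example that is not part of the thread or of any ScreenOS feature: the UDP payload of the B-node name query discussed above, built and decoded per RFC 1002, showing the fields (UDP port 137, the B flag, the encoded name) that any device inspecting these broadcasts would have to read. The host name `FILESRV` and the transaction ID are constructed sample values.

```python
import struct

NBNS_PORT = 137    # UDP port of the NetBIOS name service (RFC 1002)
FLAG_B = 0x0010    # B bit: query was broadcast, not sent to a name server
FLAG_RD = 0x0100   # recursion desired, set on name queries
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001

def encode_name(name, suffix=0x00):
    """First-level encoding: 15 padded chars + suffix byte, each nibble -> 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def build_query(name, txid=0x1234):
    """Build the UDP payload of a B-node name query (txid is a constructed value)."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD | FLAG_B, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name) + b"\x00"
    return header + question + struct.pack(">HH", QTYPE_NB, QCLASS_IN)

def parse_query(payload):
    """Decode a single-question name query (no scope ID); ValueError if malformed."""
    if len(payload) != 50:
        raise ValueError("unexpected length for a single-question name query")
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a query with exactly one question")
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("name is not a 32-byte first-level encoded label")
    enc = payload[13:45]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("invalid character in encoded name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    if struct.unpack(">HH", payload[46:50]) != (QTYPE_NB, QCLASS_IN):
        raise ValueError("question is not type NB, class IN")
    return {"txid": txid,
            "broadcast": bool(flags & FLAG_B),
            "name": raw[:15].decode("ascii").rstrip(),
            "suffix": raw[15]}

if __name__ == "__main__":
    pkt = build_query("FILESRV")   # constructed sample host name
    print(pkt.hex())
    print(parse_query(pkt))
```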
06-10-2008 01:21 AM