Showing posts with label Logical Networking. Show all posts

Controlling, And Watching, The Services Running On Your Computer

The Services are the various low-level system processes, that all programs and applications depend upon. Services run independently of who is logged in to a computer; most services start when the computer is started, not after login.

While there are many services provided with the Operating System, not all services are essential on any given computer, and some may not be running at any given time.

The essential services must be running, yet other services may have to be NOT running, on your computer. You must make the decision, based upon how your computer is to be used. You set each service in question appropriately.

You can start, stop, change startup status, and / or query the status of a service interactively (using the Services wizard), or from a command window (using the Services Controller CLI). You can use Process Explorer, to find out many details about any service, since (as I wrote above) services are the low level processes running on your computer.

The Services Wizard
You start the Services wizard from Control Panel - Administrative Tools - Services.

You may use the Services wizard presented in Standard, or Extended, mode. The choice is yours.



Find the service that concerns you, and double click on it (or right click, and select "Properties").





The Service name and Display name are two descriptors which are used, alternately, in various places. You should be aware of both values.

You may find Path to executable useful when you are researching an instance of "svchost.exe", using Process Explorer.

Startup type determines when, or if, it will ever be started.

Service status determines whether it is, or should be, running now.


  • If the service in question is running, and you want it stopped, hit "Stop", and wait while it stops.
  • If the service is not running, and you want it running, hit "Start" and wait.
  • If you want the service in question to start the next time the system starts, set Startup type to "Automatic".
  • If you want the service to be started the next time it is needed, set Startup type to "Manual".
  • If you want the service to never start, set the Startup type to "Disabled".

Dependencies shows other services that this service requires to be running, and other services that require this service to be running, before they themselves will start.
If the service wouldn't start, or if its Startup Type wouldn't change, it may have a dependency. Look on the Dependencies tab, under "This service depends upon the following system components". Make sure that everything there is present on the computer, and all services listed are Started. Also check the Event Viewer logs for clues.

The Services Controller CLI
You can also use the Services Controller, aka "SC", from a command window. Observe the spaces in the examples below; they are essential.
  • To find out the status of the browser service, enter
    sc query browser
  • To stop the browser service, enter
    sc stop browser
  • To start the browser service, enter
    sc start browser
  • To disable the browser service at startup, enter
    sc config browser start= disabled
  • To enable the browser service at startup, enter
    sc config browser start= auto
For more information about the Services Controller, see (KB166819): Using Sc.exe and Netsvc.exe to Control Services. If no help yet, check Event Viewer for additional clues.

For more information about the many services, the Internet expert is BlackViper, and you can (currently) refer to his websites, Windows Vista Service Configurations, and / or Windows XP Service Configurations.

Note that each service has TWO identities. Some utilities and wizards might use one identity to refer to a service, others might use the other. The Browser Service has, for instance,
  1. Service Name: Browser.
  2. Display Name: Computer Browser.
The Workstation Service has,
  1. Service Name: lanmanworkstation.
  2. Display Name: Workstation.
Don't be confused if you can't find a particular service in a list, or if the SC command doesn't seem to work. Make sure that you know both identities for the service that you're interested in.
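
As an added example (not part of the original post), here is a Python sketch that reads `sc qc` output, finds a service by either identity, and lists the `sc config` commands needed to reach a startup baseline that you choose. The sample output and the baseline are constructed for illustration; `sc qc` is the Services Controller's "query configuration" command.

```python
# Constructed sample of `sc qc` output for two services (not captured from a real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: browser
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Computer Browser
        DEPENDENCIES       : LanmanWorkstation
                           : LanmanServer
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanworkstation
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : NetworkProvider
        TAG                : 0
        DISPLAY_NAME       : Workstation
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# START_TYPE as printed by sc -> Startup type as shown in the Services wizard.
WIZARD_NAME = {"AUTO_START": "Automatic", "DEMAND_START": "Manual", "DISABLED": "Disabled"}
# Startup type -> value for "sc config <name> start= <value>" (the space after "=" is required).
SC_VALUE = {"Automatic": "auto", "Manual": "demand", "Disabled": "disabled"}


def parse_sc_qc(text):
    """Return one dict per service: Service name, Display name, Startup type, dependencies."""
    services, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(),
                       "display": "", "startup": None, "depends": []}
            services.append(current)
            last_key = None
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            key = key or last_key          # a line starting with ":" continues DEPENDENCIES
            last_key = key
            if key == "DISPLAY_NAME":
                current["display"] = value
            elif key == "START_TYPE" and value:
                token = (value.split()[1:2] or [value])[0]   # "2   AUTO_START" -> "AUTO_START"
                current["startup"] = WIZARD_NAME.get(token, token)
            elif key == "DEPENDENCIES" and value:
                current["depends"].append(value)
    return services


def find_service(services, identity):
    """Look a service up by Service name or Display name, ignoring case."""
    wanted = identity.lower()
    for svc in services:
        if wanted in (svc["name"].lower(), svc["display"].lower()):
            return svc
    return None


def plan_changes(services, baseline):
    """baseline maps either identity to the Startup type you want; returns sc commands."""
    commands = []
    for identity, wanted in baseline.items():
        svc = find_service(services, identity)
        if svc is None:
            raise KeyError(f"no Service name or Display name matches {identity!r}")
        if svc["startup"] != wanted:
            commands.append(f"sc config {svc['name']} start= {SC_VALUE[wanted]}")
    return commands


def broken_dependencies(services, baseline):
    """Services still meant to start that depend on a service the baseline disables."""
    final = {svc["name"].lower(): svc["startup"] for svc in services}
    for identity, wanted in baseline.items():
        svc = find_service(services, identity)
        if svc is not None:
            final[svc["name"].lower()] = wanted
    return [(svc["name"], dep) for svc in services
            if final[svc["name"].lower()] != "Disabled"
            for dep in svc["depends"]
            if final.get(dep.lower()) == "Disabled"]


if __name__ == "__main__":
    found = parse_sc_qc(SAMPLE_SC_QC)
    # Hypothetical baseline, written with a Display name and a Service name on purpose.
    wanted = {"Computer Browser": "Manual", "lanmanworkstation": "Disabled"}
    for command in plan_changes(found, wanted):
        print(command)
    for service, dependency in broken_dependencies(found, wanted):
        print(f"{service} will not start: it depends on {dependency}")
```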

Using The Internet As A WAN Link? Use A VPN.

Stable and secure Windows Networking depends upon properly designed, routed, subnets. IP routing was designed to make Local Area Networks connect, yet still observe geographical relationships. Using routers between LANs allows localisation of some domain services (browsing, name resolution), but wide spread availability of others.

When you route IP connectivity thru wiring that you own and control, that's behind a firewall, each connected LAN is as safe as any of the other LANs. Threats on the outside (Internet) stay on the outside. Two geographically separate LANs, connected by a dedicated, leased communication line, are as safe as each other is safe.

What if you have 2 LANs, distant from each other, and can't justify the expense (initial or ongoing) of a leased or owned communication line? If both LANs have Internet access, you can still connect them; just use the Internet as the WAN link.

But wait! I hope you know how dangerous the Internet can be. It's bad enough when accessing it as clients. Plain old web browsing is bad enough, how about running a server on the Internet? OK, how about running all of the computers on your LANs thru the Internet? Why not hold up a $100 bill, and stroll thru Times Square in New York City? See if you get anywhere alive.

But you can connect your LANs thru the Internet, if you design the connection properly. A controlled, encrypted tunnel between your LANs, using routers that support a Virtual Private Network (aka VPN) will do this fine.

A VPN will be a lot easier to setup, and more stable and secure, when properly planned.




Each LAN Is Addressed By Its WAN Address.
The VPN routers setup static tunnels between each other. Setting up a VPN router requires identifying the other router(s), by its IP address as well as by a pre installed certificate (aka pre shared authentication key). If you can't provide a fixed IP address for each router, you'll have to use a domain name, registered with a dynamic DNS service like DynDNS, TZO, or the like.


Hardware Compatibility Is A Must.
There are various conventions and standards for establishing, and conducting, authentication and encryption in a VPN. Each router manufacturer will likely have some variation, however small. The easiest, and most stable, VPNs will use router hardware of the same make, model, and firmware level at each end of a VPN tunnel.


LAN Subnets Must Be Unique.
A VPN provides a routed connection between LANs. In order for routing to work best, you have to have different subnets on each LAN. When you setup a VPN between LANs that were setup before being connected, you may have some LANs using the same subnet. You can't have stable LANs, each having the same subnet, connected by a router.
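
A check you can run before connecting the LANs, as an added example that is not part of the original post. It goes a little beyond the text: besides identical subnets it also catches a subnet that contains another, and it proposes replacements of the same size. The site names, their addressing and the 10.20.0.0/16 pool are all hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed site list (hypothetical names and addressing).
SITES = {
    "head-office": "192.168.1.0/24",
    "branch-a": "192.168.1.0/24",    # same router default as head office
    "branch-b": "192.168.0.0/23",    # contains 192.168.1.0/24, so it conflicts too
    "warehouse": "10.20.30.0/24",
}


def find_conflicts(sites):
    """Return every pair of sites whose LAN subnets overlap, in sorted order."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def renumber(sites, pool="10.20.0.0/16"):
    """Keep the first site in each conflict; give later ones a free subnet from the pool.

    A replacement has the same prefix length as the subnet it replaces, and never
    overlaps a subnet that is already assigned or still in use at another site.
    Assumes no site subnet is larger than the pool itself.
    """
    pool_net = ipaddress.ip_network(pool)
    originals = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    plan = {}
    for name, net in originals.items():
        taken = list(plan.values())
        if any(net.overlaps(other) for other in taken):
            # Also steer clear of subnets at sites that have not been processed yet.
            reserved = taken + [o for n, o in originals.items() if n not in plan]
            net = next(candidate
                       for candidate in pool_net.subnets(new_prefix=net.prefixlen)
                       if not any(candidate.overlaps(r) for r in reserved))
        plan[name] = net
    return {name: str(net) for name, net in plan.items()}


if __name__ == "__main__":
    for a, b in find_conflicts(SITES):
        print(f"conflict: {a} ({SITES[a]}) overlaps {b} ({SITES[b]})")
    for name, cidr in renumber(SITES).items():
        note = "" if cidr == SITES[name] else f"  (was {SITES[name]})"
        print(f"{name:12} {cidr}{note}")
```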


Use DNS For Reliable Name Resolution.
On most small LANs, you'll use broadcasts for name resolution. Broadcasts aren't routable; each IP subnet is, by definition, a broadcast domain. If you want computers on one subnet to access computers on another (which is, presumably, why you're setting up a VPN), you'll find computer names more convenient than IP addresses. Some VPNs will, if configured, pass SMBs for name resolution and browsing, but this will likely slow down Windows Networking. DNS based name resolution is the best way to go, for anything more complex than a single local cluster of computers.


Use Domains, Not Workgroups.
If you use Network Neighbourhood to identify and access other computers, you'll need browsing to work between the subnets connected thru the VPN. A properly designed domain structure will make browsing work much better.


Connectivity Between Any LAN And The Internet Can Affect Its Connection With The Others.
A VPN connection between any two LANs requires regular interchange of control information, and irregular application data. Balanced connectivity makes both more predictable. If one LAN has a dual WAN business class DSL service, and the other has residential class dialup, how secure and stable will that VPN be?


Security On Any LAN Can Affect The Others.
VPNs are used to connect geographically separate LANs, and imply some degree of trust between those LANs. The computers on any LAN, connected to a VPN, are only as secure as the computers on the LAN with the weakest security policies. Review, and synchronise security policies before setting up a VPN.

If you wish to setup a VPN between your home network and your work network, security at your work may be compromised. You should always get permission from LAN administration, before doing this. You may be legally at risk without such precautions.


Increased Sophistication and Excess Bandwidth Mitigate These Issues.
As availability of VPNs has increased, with VPN capable hardware sold in WalMart and similar convenience stores, and as VPN firmware becomes more sophisticated, each endpoint in a VPN relationship will be better able to adjust to differences between its own environment and the environment present at the other end. Many of the above issues won't be quite as relevant in the future. But if you start out being aware of the issues, you will be prepared to deal with them when they do become relevant.


The Network Language That Your Computer Speaks

If you have Windows XP, and you just ran the Network Setup Wizard, your computer most likely uses NetBIOS Over TCP/IP (NetBT). If all of your computers use this same language, and were all setup properly, the chances are good that you will be able to share files with them.

There are other languages that your computers might speak.


  • NetBT uses IPV4, the current Internet addressing scheme of nnn.nnn.nnn.nnn. IPV6 will expand this to xxxx.xxxx.xxxx.xxxx.xxxx.xxxx, giving IPV6 almost infinitely more address space than IPV4.
  • NetBT is more completely known as "Server Message Blocks hosted over NetBT". SMBs over NetBT is most useful in small LANs that use broadcasts for name resolution. If you have a LAN with a DNS server for local name resolution, you can Disable NetBT, and use SMBs directly hosted over IP.
  • There are odd circumstances where SMBs hosted over alternate protocols such as IPX/SPX or NetBEUI may be advisable.

Windows XP will support any of the above languages, if you already have a LAN, and want to keep your existing computers as they are right now. If you have a portable computer, and intend to use it on different networks, or if you have a small LAN and want to have the most choices in design and support available, using SMBs hosted over NetBT makes the most sense.

It's your computer, and your choice. Just know what the choices are, and how they may affect you. You may select IPV4, IPV6, IPX/SPX, and NetBEUI from the Network Connection Properties wizard. You Enable SMBs hosted over NetBT from the TCP/IP Properties - Advanced wizard.


Automatic Metrics and The Ability To Roam Wirelessly

If you have a portable computer, and you've setup a WiFi LAN in your house or office, you'll enjoy the freedom of moving around the house, at will, while still connected to the LAN. Even so, there will be times when the WiFi connection isn't enough. You'll never get rid of Ethernet, completely.

Most portable computers come with an Ethernet adapter, and a WiFi adapter, installed and activated. The Automatic Metric feature in Windows XP lets you leave both connections activated, and will use the fastest connection, that is working, at any time.

You can use automatic metrics (by default), or you can manually change the settings to prefer either connection, using the TCP/IP Properties - Advanced wizard.

NOTE: Using the Automatic Metric feature on a laptop having a role as a server on your LAN may cause problems with the browser infrastructure. Don't carry a server around without understanding the complications.


Firewall Behaviour - And Windows Networking

The classical personal firewalls, which would be installed on most personal computers in a typical Small Office / Home Office environment, block only specific network traffic. By default, they are open, and pass all traffic.

Modern firewalls, used by more cautious network experts, permit only specific network traffic. By default, they are closed, and pass no traffic. After installing this type of firewall, you must run a manager and configure the firewall to pass your desired traffic.

My suspicion is that the nVidia nForce hardware firewall falls in the latter category. If you don't run the firewall manager, it will pass only a minimum of traffic, probably just enough for you to surf to the nVidia website and get software upgrades. This intentionally blocks SMBs (whether NetBT hosted, or directly hosted), and protects against the dangers offered by Windows Networking. If you're going to use Windows Networking over TCP/IP, you must run the firewall manager, and intentionally configure it for Windows Networking.

Short of configuring the firewall for Windows Networking over TCP/IP, you have no choice but to install an alternate transport such as IPX/SPX or NetBEUI, which bypasses the firewall completely.

For ongoing discussion about this issue, see these threads in the Microsoft Public WindowsXP Network_Web forum:


  • Selling my soul to the devil is the next step...
  • NVIDIA "hidden firewall" causes networking problem, by the Original Poster in the previous thread
    If you have the NVIDIA nforce networking controller with onboard LAN, you may have a "hidden firewall" interfering with your network connection. I'll describe my own situation and how I resolved the problem. I owe great gratitude to Chuck, frequent poster in this group, who worked with me for about a week, and had suggested the possibility of the NVIDIA "hidden firewall", but I was reluctant to accept that because, well, it really was hidden and I couldn't find it (and still can't). But it was there. (For those who want to review the original thread, it was posted in this group under the title "networking only works one way" on 08/04/06.)

  • Networking only works "one way", with only my part of the thread provided, because the Other Poster's content was not archived.



Manual Network Setup Procedures

The Windows Network Setup Wizard, provided on computers running Windows XP, is a convenient way to setup your network. Sometimes though, you need to setup things manually.

In cases where you can't use the Network Setup Wizard, you'll be using the Network Connection Wizard.

  • Please start by reviewing Networking Your Computers, if you haven't already.
  • From Settings, open Network Connections. Find the network connection that you'll be using. The most common one is called Local Area Connection. Right click on the appropriate connection, and choose Properties. Make sure the following network components are installed, in the network items list.
    • Client for Microsoft Networks.
    • File and Printer Sharing for Microsoft Networks.
    • Internet Protocol (TCP/IP)
  • Make sure that the Internet Connection Firewall / Internet Connection Sharing (ICS) (pre-SP2), or Windows Firewall / Internet Connection Sharing (ICS) (SP2) service is running - Started and Automatic.
  • Configure your firewall setup, including installing any third party firewalls, after you run the wizard.



Local Area Connection Properties
Start from the connection items list (Start - Settings - Network Connections in Windows XP). Right click on Local Area Connection, and select Properties. This will give you the Local Area Connection Properties wizard. If you have additional or alternate network devices, your connection may have a different name.




If you need to make changes to the network adapter, click on Configure. This will give you the Network Adapter Settings Wizard.



Make sure that the required protocols, for Windows Networking, are loaded. And make sure that you know which protocols are loaded, and remove any that aren't necessary.



You'll likely be configuring TCP/IP as your primary network protocol. Double click on Internet Protocol (TCP/IP). This will open the TCP/IP Properties Wizard.






In most cases, you'll use automatic (dynamic) settings.
  • Select Obtain an IP address automatically.
  • Select Obtain DNS server address automatically.
If you must make manual IP settings, you'll have up to 5 values to set.
  • IP address
  • Subnet mask
  • Default gateway
  • Preferred DNS server
  • Alternate DNS server
If you're just connecting 2 (or more) computers directly, IP address and subnet mask will be the only relevant entries. If you're connecting (2 or more) computers, and providing Internet service, you'll also have Default gateway and DNS servers to set.






If you selected Obtain an IP address automatically, you'll have an opportunity to enter alternate settings too. If no DHCP server is available, you'll have static network settings, aka APIPA. This will let you connect with other computers on your immediate network (that are also using APIPA), and possibly other networks (with a gateway on the APIPA subnet).




TCP/IP Properties - Advanced

Sometimes you will need to make settings beyond the basic 5 on the TCP/IP Properties window. From TCP/IP Properties, hit the Advanced button at the bottom. This opens the Advanced TCP/IP Settings wizard.


If you selected Use the following IP address, you'll be able to have your computer use multiple IP addresses.

With either automatic or manual IP addresses, you'll have a chance to specify multiple gateways. If the default gateway isn't available, your computer will try an alternate gateway, automatically.

And here, you can adjust the metric for this connection. If you have multiple network connections, and one is faster or more reliable, you can influence IP routing. These selections are reflected in the static route table. This is important with a computer with multiple network connections.




On the DNS tab, you have the ability to define more than 2 DNS servers, and to make additional DNS settings.




On the WINS tab, you will find the most frequently checked and set selection - the NetBIOS setting, aka NetBT.
  • If your LAN has a DHCP server (not a NAT router), you can select "Default", and control the setting from a setting in the DHCP server.
  • If you have a domain, and use DNS for name resolution, you can select "Disable", and use Direct Hosted SMBs.
  • If you don't know what any of this means, or if you have a small LAN without a DNS server, select "Enable".





On the Options tab, you can set various TCP/IP filtering options.




Setup WiFi - And WPA - Carefully

Setting up a WiFi LAN is a great experience. The convenience of surfing the web from your back yard, or sharing files between your main computer and your music server, without running wires here and there, is exhilarating. But there is stress involved.

When you connect a computer to a WiFi LAN, with WPA (and WPA-PSK is absolutely the minimum security measure that you should - no must - take), you are testing a number of things, simultaneously.

  • The WiFi router.
  • Your computer.
  • Your WPA setup.


Now if you do this carefully, and with a small amount of preparation, the whole project can take an hour - or less. Plan it wrong, or make a mistake, and you could be days figuring out the problems. Use a layered strategy - similar to layered testing.
  1. Get each computer connected, by Ethernet, to each other.
  2. Setup, and copy, a key set to each computer.
  3. Get each computer connected, by WiFi, with no security.
  4. Setup WPA on the router, and on each WiFi client.


The different WiFi router vendors have different ideas what type of key their WPA security should work with. Steve Gibson's GRC "Perfect Passwords" Generator will give you a choice of 3. Here's an example of what you might be provided when you click the latter link. Try it, and see.
  • 64 random hexadecimal characters (0-9 and A-F) (not case sensitive):
    1DBE12287EC82B22233C74B356BAC5E4EDC1447168B5F5A9C985C154220E0568

  • 63 random printable ASCII characters (case sensitive):
    Hb+r#^S-T/1!JTP0_~SB 4&rQ7|s"q)7S`teMB`]x_uGATQQ-{B:=%W/_")$w6h

  • 63 random alpha-numeric characters (a-z, A-Z, 0-9):
    0btNigYpFmG5MGDBahRnw203t6jQlCYCNcuvCYgGAZVCFSLSwp7deBMj9Iy7Vfr


All I do is to go to the web page (where it generates a new key set each time - try it), copy the six lines (as in the above list) to a Notepad file, and save the file. Then, with all computers connected by Ethernet (step 1 above), copy the file to each computer. Depending upon the router, one key may work properly, while another won't. Having 3 possibilities, in an identical set on each computer, means repeatedly copying and pasting, without having to worry about getting the computer back online, by other means, to simply copy another file.

After you copy the key set to each computer, start up the WiFi radio, and the WiFi clients. Start with WiFi in open (unencrypted) mode. Make sure that the router works, and you have a working signal, by testing without setting up security.

Since you'll probably be testing the router connection by loading a web page, decide how comfortable you are with giving your neighbourhood open Internet access while you test. If you're not comfortable, then disconnect the Internet feed from the router, while you test, and load the router management web page for your test. Reconnect the Internet service after you get WPA security working.

After you can connect the computer without security, and all network functions work, add WPA-PSK security.
  • Configure the router - copy the appropriate portion of 64 random hexadecimal characters into the router management program.
  • Copy the identical portion of 64 random hexadecimal characters into the client computer WiFi client manager setup wizard.
  • Test the WiFi client. If it works, fine. If not, repeat these steps, trying the 63 random printable ASCII characters, and finally the 63 random alpha-numeric characters.
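
The key set can also be produced on your own computer. The following Python sketch is an added example, not part of the original post: it generates the same three kinds of key with the operating system's random source, writes them as the six-line file described above, and shows how WPA-PSK treats each kind. A 64 character hexadecimal key is the 256-bit key itself, while an 8 to 63 character ASCII key is a passphrase that is combined with the network name (SSID) to produce that key, so a field that takes only one of the two forms will reject or misread the other. The SSID values used are placeholders.

```python
import hashlib
import secrets
import string

HEX = "0123456789ABCDEF"
ALNUM = string.ascii_letters + string.digits
# Printable ASCII without the space: a leading or trailing space is easily lost in copy and paste.
PRINTABLE = "".join(chr(code) for code in range(33, 127))


def generate_key_set():
    """Return the three kinds of key, labelled as in the list above."""
    def pick(alphabet, length):
        return "".join(secrets.choice(alphabet) for _ in range(length))
    return {
        "64 random hexadecimal characters": pick(HEX, 64),
        "63 random printable ASCII characters": pick(PRINTABLE, 63),
        "63 random alpha-numeric characters": pick(ALNUM, 63),
    }


def key_file_text(key_set):
    """Six lines (label, key, label, key, ...) ready to save from Notepad and copy around."""
    lines = []
    for label, key in key_set.items():
        lines += [label + ":", key]
    return "\r\n".join(lines) + "\r\n"


def classify(key):
    """How a WPA-PSK setup field will read the key: 'psk', 'passphrase' or 'invalid'."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "psk"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    return "invalid"


def effective_psk(key, ssid):
    """The 256-bit key actually used on the air, as 64 lowercase hex digits."""
    kind = classify(key)
    if kind == "psk":
        return key.lower()
    if kind == "passphrase":
        # WPA-PSK passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
        derived = hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
        return derived.hex()
    raise ValueError("not a valid WPA-PSK key: need 64 hex digits or 8 to 63 ASCII characters")


if __name__ == "__main__":
    keys = generate_key_set()
    print(key_file_text(keys), end="")
    for label, key in keys.items():
        # "ExampleSSID" is a placeholder network name.
        print(f"{label}: read as {classify(key)}, key in use {effective_psk(key, 'ExampleSSID')[:16]}...")
```

Router and client must agree on the SSID as well as the passphrase, because the passphrase forms produce a different key for every network name.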


This is 3 times as complex as it needs to be, and after you've done this a few times, you'll be able to simplify these procedures. But for the first couple times you do this, the careful planning, and the lowered stress level, will make it easier to not make mistakes. By not making mistakes, you make it more likely that this will work. And making it work is the reason for my writing this in the first place.


Advanced Windows Networking Using Internet Protocol

Windows Networking is the subsystem that lets you share files and printers, between computers running the various versions of Windows. Server Message Blocks, also called SMBs, are the foundation of Windows Networking. SMBs provide several crucial functions.



(Note): If you're not familiar with the concept of network layers, take a few moments and read about the OSI Network Model.

SMBs are not transported directly over the various physical networking components, as Layer 1 or 2 traffic. SMBs may be transported over Internet Protocol (IP), as well as alternate protocols like IPX/SPX or NetBEUI.

Windows Networking has historically used NetBIOS Over TCP/IP (NetBT) as an intermediate transport for SMBs over IP. Windows 2000, XP, and Vista however, will transport SMBs over IP, without NetBT, using directly hosted SMBs.

To remain compatible with the older versions of Windows, a Windows Networking client, running Windows 2000, Windows XP, or Windows Vista, can use either directly hosted SMBs, or it can use NetBT. If any server supports directly hosted SMBs, the client computer in question will bypass NetBT, when communicating with that specific server.

This dual compatibility, which allows Windows 2000 / XP / Vista clients to communicate with computers running other editions of Windows, is not without cost. Trying for two communications channels, when establishing a connection with any server, increases program complexity and network traffic. In some cases, it may increase latency.

We need to resolve one major misconception. It may appear that when you Disable NetBT, you are disabling Windows Networking over IP. This is not correct. When you Disable NetBT, you are merely disabling hosting of SMBs over NetBT. You then end up with SMBs hosted directly over IP. But look at address resolution on your LAN, before trying this. Don't make this change blindly.

If your LAN
  • Has a domain.
  • Has computers running only Windows 2000, Windows 2002 (aka Windows XP), Windows 2003 (aka Server 2003), Windows 2006 (aka Vista), and Windows 2009 (aka Windows 7).
  • Uses DNS, properly setup, for name resolution.
then you may wish to Disable NetBT, and (KB204279): use directly hosted SMBs. If any of the above are not true, you should Enable NetBIOS Over TCP/IP. Be consistent on all computers.

In the TCP/IP Properties - Advanced wizard, WINS, select Disable NetBIOS Over TCP/IP. Alternately, if you have the Default NetBIOS setting selected (instead of "Disable" or "Enable") on your client computers, and you have a DHCP server (not a NAT router with DHCP), you can disable NetBT from a DHCP server setting.

If you use directly hosted SMBs, whether alternately or exclusively, be aware of the security implications.
  • NetBT uses TCP and UDP ports 137 - 139.
  • Direct hosted SMBs use TCP port 445.

Be sure that all personal firewalls have the proper ports opened.

Here are the relevant ports used by SMBs over NetBT, per IANA port number allocation:

netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

And the relevant ports used by directly hosted SMBs:

microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS


Similar to the effect of a personal firewall, SMBs can be setup to use secure channel communication, by using SMB Authentication and Encryption. If you ever see
The account is not authorized to log in from this station.

then check SMB Encryption and Signing settings.

And, if you have an integrated security suite (previously sold as anti-virus protection), you may have an anti-worm component protecting you. Anti-worm protection, if not correctly configured, may interfere with any or all of the above NetBT traffic. Different brands of products will cause different problems.


NetBIOS Over TCP/IP

Microsoft Windows, in its default state, uses TCP/IP, and NetBIOS Over TCP/IP, for networking. Sometimes, we forget this detail. NetBT is so easily overlooked, yet it is essential.

If we are looking at the output from "ipconfig /all", and we see


IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12


Obviously, we're going to correct that. But what if we simply see

IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12

Do we see any problem there? Probably not. Look in the TCP/IP - Advanced Properties wizard, WINS tab. There are 3 possible settings for NetBIOS Over TCP/IP
  • Default.
  • Enable.
  • Disable.

The last setting, Disable, becomes apparent when we see the first example above. But what if we see the second example above? Well, that display can result from either the "Default", or the "Enable" setting. If it's not showing Disabled, it could be either.

The Default setting, according to the wizard, is for

Use NetBIOS setting from the DHCP server.

If your LAN
  • Has a domain.
  • Has computers running only Windows 2000, Windows 2002 (aka Windows XP), and Windows 2003 (aka Server 2003).
  • Uses DNS, properly setup, for name resolution.
then you may wish to disable NetBT, and use directly hosted SMBs.

But what if your LAN has a NAT router providing DHCP services, and / or has no domain? NAT routers are Operating System independent, and NetBT is a Microsoft Windows Networking feature. NAT routers have no setting for NetBIOS Over TCP/IP. If you select "Default", and you have a NAT router, what network functionality do you get?

The challenge is that this one setting affects multiple functions between your computer, and other computers, in both directions.
  1. Browsing: Ability to see other computers.
  2. File sharing: Ability to access resources on other computers.
  3. Name resolution: Ability to find out the addresses of other computers.


Depending upon what network hardware and software you have, any or all of the above functions may or may not work, in either direction (incoming or outgoing), between any pair of computers. And each different pair of computers may yield a different set of symptoms. If you have a NAT router providing DHCP services, the only way to deal with this reliably is to Enable NetBT consistently, on all computers.

In the TCP/IP - Advanced Properties - WINS wizard for all relevant network connections,

  • Select the radio button "Enable NetBIOS over TCP/IP".
  • Hit OK 3 times.
  • Close Network Connections, after enabling NetBT on all relevant network connections.

If you still see

NetBIOS over Tcpip. . . . . . . . : Disabled
after Enabling NetBT, check the TCP/IP NetBIOS Helper service.

Be safe - don't settle for "Default".


The DNS Server Settings On Your Computer

Domain Name Services, or DNS, is a critical service on almost all Local and Wide Area Networks. DNS is used for host name to IP address resolution of all Internet hosts, many WAN hosts, and may be used for address resolution of LAN hosts too. DNS resolution is so important that Windows supports configuration of 2 DNS servers in basic IP configuration; with more work, you can define even 3 or more DNS servers. Many NAT routers will let you define up to 3 DNS servers.

Any time you try to access a server on the Internet, and get "server not found" or "unknown host", check your DNS server settings. Run "ipconfig /all", and look for the DNS servers entry, such as:


DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33


The DNS server sequence is important. When DNS resolution is needed, server #1 is queried first. If server #1 is busy or otherwise unavailable, server #2 is used in that query, and all subsequent queries. If server #2 is needed to provide a backup to server #1, server #1 may not be used again, until you reset the computer or router. This behaviour is not consistent, though; some DNS clients may always try DNS Server #1 first, then #2, and finally (if defined), #3.

If you're researching a problem where the symptoms indicate a DNS issue, and the problem isn't consistent between computers, compare the DNS server settings on each computer.
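
The comparison can be scripted. This Python sketch is an added example, not part of the original post; it covers both this comparison and the NetBT reading described in the NetBIOS Over TCP/IP post. It reads saved "ipconfig /all" output from several computers, pulls out the DNS server sequence (including the continuation line) and the NetBT state, and reports the computers that differ from the rest. The computer names and their output are constructed, and only IPv4 server addresses are assumed.

```python
import ipaddress
from collections import Counter

# Constructed "ipconfig /all" excerpts for three computers, modelled on the output quoted above.
HOSTS = {
    "PC1": """
   IP Address. . . . . . . . . . . . : 192.168.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.1.11
                                       192.168.1.33
   Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
""",
    "PC2": """
   IP Address. . . . . . . . . . . . : 192.168.1.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.1.11
                                       192.168.1.33
   NetBIOS over Tcpip. . . . . . . . : Disabled
   Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
""",
    "PC3": """
   IP Address. . . . . . . . . . . . : 192.168.1.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.1.33
                                       192.168.1.11
   Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
""",
}


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return the DNS servers in query order, and the NetBT state as far as ipconfig shows it."""
    # With no "NetBIOS over Tcpip" line, the setting is Default or Enable; ipconfig can't say which.
    info = {"dns": [], "netbt": "Default or Enabled"}
    last_key = None
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        value = value.strip() if sep else line.strip()
        if sep:
            last_key = key.strip(" .")      # "DNS Servers . . . ." -> "DNS Servers"
        elif not is_ip(value):
            last_key = None                 # blank line or adapter heading ends a value list
            continue
        if last_key == "DNS Servers" and is_ip(value):
            info["dns"].append(value)       # first server, or a continuation line
        elif last_key == "NetBIOS over Tcpip" and value == "Disabled":
            info["netbt"] = "Disabled"
    return info


def compare_hosts(hosts):
    """List (computer, setting, finding) for every computer that differs from the others."""
    parsed = {name: parse_ipconfig(text) for name, text in hosts.items()}
    usual_dns = Counter(tuple(p["dns"]) for p in parsed.values()).most_common(1)[0][0]
    netbt_mixed = len({p["netbt"] for p in parsed.values()}) > 1
    findings = []
    for name in sorted(parsed):
        dns = tuple(parsed[name]["dns"])
        if dns != usual_dns:
            same_servers = sorted(dns) == sorted(usual_dns)
            findings.append((name, "DNS",
                             "same servers, different order" if same_servers else "different servers"))
        if netbt_mixed and parsed[name]["netbt"] == "Disabled":
            findings.append((name, "NetBT", "Disabled here, Default or Enabled elsewhere"))
    return findings


if __name__ == "__main__":
    for computer, setting, finding in compare_hosts(HOSTS):
        print(f"{computer}: {setting}: {finding}")
```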

If all DNS servers in the sequence don't have balanced ability (availability, capacity, connection to higher level DNS server), you can get to a situation where the next server in the sequence is used, and won't provide consistent service. Resetting the DNS client, generally by restarting the computer or router, after DNS server #1 is returned to service, is the normal recovery from this problem.

Recognising a DNS problem may not be easy, though. Without some minimal diagnosis, a DNS problem can be confused with a physical connectivity problem, a security problem, or even a simple CKI fault.

The long term solution, for a DNS server sequence problem, is to have a properly balanced DNS server sequence. Many networks plan their primary DNS server very carefully, and throw a surplus (generally old and underpowered) computer in as the secondary. Some networks may even have 2 primary servers (with the clients split between the two), and a single, surplus, secondary.

What happens when the primary DNS server goes down? If your clients are using the secondary server suddenly, and it doesn't have the same capacity as the primary server, you're going to have performance problems. Make sure that your backup server is equal to the task of replacing, even temporarily, the primary server. Remember that the clients will be using the backup server, after the primary server comes back online. And if there's a chance that a secondary DNS server will be in use during an outage of other equipment, don't compound the stress. The stress that your clients experience will be passed on to you, generally doubled.

If you relay DNS requests to external DNS servers, and ones that you don't control, again try to specify servers of equal ability. Also, make sure that both external servers have good servers feeding them, and that they are secured against exploits that would permit pharming. If, for any reason, some of your clients are using the backup external server, and others the primary, both servers need to be able to resolve your DNS queries properly. If either server filters addresses differently, for instance, you'll have some clients able to access websites that other clients can't. Again, more stress for you.

If you're using DNS for address resolution on your LAN, make sure that both the server and all clients are set up properly.

If your Internet service goes thru a NAT router, you may be using the NAT router as a DNS relay.

If you think that you have a DNS problem, but aren't quite sure, read Identifying A DNS Problem In Your Internet Service.


A Hidden Personal Firewall - The nVidia nForce Network Adapter

The nVidia corporation, probably best known for their industry leading video cards like the GeForce, is now marketing a hardware based personal firewall. The nForce comes in two forms - an Ethernet adapter PCI card, and a motherboard with an embedded Ethernet adapter.

The nForce is an ICSA certified firewall, with full firewall functionality, that sits inside your computer.

If you're having a Windows Networking, or file sharing, problem, and you have an nForce component in your computer, you need to know this. During January and February 2006, I assisted in diagnosing several network issues that involved the nForce. In at least one case, the person with the computer had no idea what he had purchased, and innocently installed.

Run an "ipconfig /all" on your computer. If you see something like


Windows IP Configuration

Host Name . . . . . . . . . . . . : PChuck1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nforce Networking Controller

and you're having any type of problem pinging that computer, seeing it in Network Neighborhood, or otherwise accessing that computer thru the network, take a few minutes and read the manual. Or peruse the nVidia Support Forum, and in particular, POST HERE, Problems with nvidia network port. And my latest effort, Firewall Behaviour - And Windows Networking.

And be aware - the drivers for the nVidia nForce Versions 2, 3, and 4 contain shared components. And the installable component in the firewall, the nVidia Access Manager, has been reported to fail open. That is, if you don't install NAM, or don't activate it, the firewall blocks traffic, and not necessarily all traffic.

Be aware of what you're buying, please.
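The "ipconfig /all" checks this page asks for (comparing the DNS server sequence between computers, and spotting an nForce adapter or a Disabled NetBT setting) can be run over saved output with a short script. This is an added example, not code from the original article; the second computer PChuck2, its adapter description and its reversed server order are constructed sample data.

```python
import re

ADAPTER_RE = re.compile(r"^(?P<name>\S.* adapter .+):$")
# "Label . . . . : value" - ipconfig pads every label with dots before the colon.
KV_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?)(?:\s*\.)+\s*:\s*(?P<value>.*)$")

# Constructed sample reports. REPORT_1 reuses the values shown on this page;
# REPORT_2 (PChuck2, "Example Fast Ethernet Adapter") is invented for comparison.
REPORT_1 = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : PChuck1
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NVIDIA nforce Networking Controller
        NetBIOS over Tcpip. . . . . . . . : Disabled
        DNS Servers . . . . . . . . . . . : 192.168.1.11
                                            192.168.1.33
"""
REPORT_2 = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : PChuck2

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        DNS Servers . . . . . . . . . . . : 192.168.1.33
                                            192.168.1.11
"""


def parse_ipconfig(text):
    """Parse "ipconfig /all" text into {section: {label: [values]}}.
    The section "" holds the global block (Host Name, Node Type, ...)."""
    sections, current, last = {"": {}}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last = None
            continue
        m = KV_RE.match(line)
        if m:
            last = m["key"].strip()
            sections[current][last] = [m["value"]] if m["value"] else []
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last = m["name"], None
            sections[current] = {}
        elif last is not None:
            # A bare value under a label, such as the 2nd and 3rd DNS server.
            sections[current][last].append(line)
    return sections


def dns_sequences(reports):
    """reports: {computer: ipconfig text}. Returns {server_tuple: [where seen]}.
    Order is kept, because the first server listed is the one queried first."""
    groups = {}
    for computer, text in reports.items():
        for name, fields in parse_ipconfig(text).items():
            servers = tuple(fields.get("DNS Servers", []))
            if servers:
                groups.setdefault(servers, []).append(f"{computer}: {name}")
    return groups


def adapter_flags(text):
    """Return [(adapter, note)] for the two conditions this page describes."""
    notes = []
    for name, fields in parse_ipconfig(text).items():
        if "nforce" in " ".join(fields.get("Description", [])).lower():
            notes.append((name, "nForce adapter: check for the nVidia firewall components"))
        if fields.get("NetBIOS over Tcpip") == ["Disabled"]:
            notes.append((name, "NetBIOS over Tcpip is Disabled"))
    return notes


if __name__ == "__main__":
    groups = dns_sequences({"PChuck1": REPORT_1, "PChuck2": REPORT_2})
    if len(groups) > 1:
        print("DNS server sequence differs between computers:")
    for servers, where in groups.items():
        print("  " + " -> ".join(servers) + "   " + "; ".join(where))
    for adapter, note in adapter_flags(REPORT_1):
        print(f"{adapter}: {note}")
```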

Disenchanted nVidia Customers
Here are some individual discussions and / or threads from folks who have experienced this problem first hand:
  • 2006/09/16: Even WikiPedia is involved now. Markus, in Updating Firewall rules for ActiveArmor Network Access Manager provides the link to WikiPedia: NForce4: Flaws, which contains an interesting summary of the problem.
  • 2006/08/13: NVIDIA "hidden firewall" causes networking problem, which makes immediate reference to a very long thread in the forum. Usenet technical details require that I archive the end of the thread here, since all posts by the person experiencing the problem are being removed:

  • >>>>>Good Morning, Chuck. And for the twentieth time, I appreciate your
    >>>>>tenacity and effort in trying to help me solve this frustrating
    >>>>>problem.

    >>>>>Update:
    >>>>>I think I followed your suggestions properly. Here's what I did:
    >>>>>1. Established a new account on all three (ASUS-AMD is back up!)
    >>>>>computers. They are administrative accounts with identical passwords.
    >>>>>2. Simple file sharing disabled on all three.
    >>>>>3. Created a test folder on AMD64, with full permissions for everyone
    >>>>>under "sharing" tab, and with "read" permissions for each user and
    >>>>>group under the "security" tab. (Some were greyed out).
    >>>>>4. Activated this user name on each computer with "net user name
    >>>>>/active:yes"
    >>>>>5. Checked TCP/IP for correct settings and did "repair" to flush.
    >>>>>6. Put remote registry service on automatic. There are very few
    >>>>>services now disabled (alerter, messenger, clip book)
    >>>>>6. Rebooted.
    >>>>>7. Tested system...Result --->No change. Working from amd64, I can
    >>>>>easily see and copy files from the other two computers. Working from
    >>>>>either asus-amd or mbx-notebook, I can see files and folders on amd64,
    >>>>>but I cannot open them. Tried again with all firewalls disabled. No
    >>>>>change.

    >>>>>

    >>>
    >>>***********************************************************
    >>>Soooo, Chuck, I guess I am essentially out of luck, and if my
    >>>persistent search for a "hidden" firewall proves to be fruitless, I
    >>>guess I must accept defeat. Or reinstall Windows.

    >>>Nothing came of the NVIDIA forum post except the one reply I quoted,
    >>>and there is nothing there which applies to my situation, although
    >>>they've had lots of firewall and driver problems, but not this kind.

    >>>I sincerely appreciate all your time and effort.
    >>>I will post a followup.
    >>>Of course if you have any other suggestions (please!), I'll be most
    >>>eager to pursue them

    >>>Jack

    >>Hello Chuck,
    >>Well, finally some good news. Success! You were right all along in
    >>suspecting a "hidden firewall" in the NVIDIA system. Apparently when I
    >>installed the latest drivers, a network manager was installed. This
    >>was acting as a firewall despite not having the actual NVIDIA firewall
    >>installed and despite not activating the firewall software (Active
    >>Armor or Armor On or something like that.) Fortunately, I was able to
    >>uninstall this manager without uninstalling the "NVIDIA drivers" which
    >>was a separate entity in the "Add-Remove programs". When I rebooted
    >>and went into Device Manager, I could see that there was now an older
    >>date on the driver for the NVIDIA network controller, which Windows
    >>must have silently installed.
    >>Caveat Emptor!
    >>My mind is so muddled now that I can't remember the exact name of the
    >>function I deleted.
    >>But I get easy access to the "server" now from the two secondary
    >>computers. Amen!
    >>Can't thank you enough for all the work you put in on this with me. I
    >>hope others may learn from this. If I have the energy (a bit burnt out
    >>now), I may go through this process again and make some notes to post
    >>for those who may be faced with this problem in the future. No help
    >>from NVIDIA or their forum, sadly.
    >>Sincere appreciation,
    >>Jack

    >All right, Jack!! Way to go!!

    >YOU will be the help to nVidia customers. Please write up what you can, and
    >whatever you write up will go into my article, and you will be able to help
    >other folks like you.

    Hi Chuck.
    I went through the process of reinstalling and uninstalling the
    troublesome NVIDIA network access manager, just so I could plan a post
    with some specific instructions for some unfortunate individual like
    me and try to save that person some time and frustration. So I plan to
    post it as a new topic under the heading

    "NVIDIA "hidden firewall" causes networking problem"

    I thought it might be more retrievable for someone with a similar
    problem if I put NVIDIA in the title of the topic.
    Many thanks again!

    Jack



LSP / Winsock Analysis Using A Log From Autoruns

The LSP / Winsock component in the Internet Protocol network stack is complex. It's used by the Windows OS, and by malware and anti-malware alike, to allow, and to affect, your access to the network.

Problems with the LSP / Winsock layer can be a lot of fun to diagnose. Generally, the problem is termed "corruption", and you are urged to use any of several tools / procedures to simply reset it. But what if you suspect a problem, but a simple reset isn't possible? Or what if you want to make an educated decision about a problem, or to help somebody else do the same?

You might start by enumerating (inventorying) the system components registered in the stack. One tool for doing this is the SysInternals product, Autoruns.

Autoruns, like many SysInternals products, needs no complicated install process. Just download it, and run it. Make sure that "Verify Code Signatures", under Options, is enabled. It will present an incredibly detailed GUI inventory of all of the processes started by your computer automatically, in a tabbed display. One of the tabs, labeled "Winsock Providers", will list all components registered in the LSP / Winsock layer.

If you save an Autoruns log, you can extract the Protocol_Catalog9 portion of the log, which will contain a text based inventory of LSP / Winsock components. Each section of the log is headed by the complete path of the key to its root; in the case of Protocol_Catalog9, that's


HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

Protocol_Catalog9, on my computers, is the next to last section in the log.

Below, in Attachment A, you will find an example of the relevant information, extracted from a log from one of my computers. A log from one of your computers may or may not contain the same entries - and the differences might point us towards a solution to your problem. If your log includes entries that are listed as "(Not verified)", check them out with Online Analysis (free).

If none of these details interest you, you are welcome to simply reset your LSP / Winsock, using any of the 6 recommended procedures and tools. It's your computer, and your dime.


Attachment A - Autoruns Log: LSP / Winsock Enumeration

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ DiamondCS TCP/IP Layer [RAW] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [TCP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [UDP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] DATAGRAM 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] SEQPACKET 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] DATAGRAM 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] SEQPACKET 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
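
A log like Attachment A can be reviewed with a short script that pulls out only the Protocol_Catalog9 section and lists every DLL that has an entry not marked "(Verified)". This is an added example, not part of Autoruns or of the original article; it assumes the whitespace-separated layout shown above, and the Run, Print Monitors and "Example" lines in the sample log are constructed.

```python
import re
from collections import defaultdict

# Section header exactly as the page gives it.
CATALOG_KEY = r"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
SECTION_RE = re.compile(r"^(HKLM|HKCU)\\", re.IGNORECASE)
# Entry layout as printed in Attachment A:
#   + <name and description> (Verified|Not verified) <publisher> <dll path>
ENTRY_RE = re.compile(
    r"^\+\s+(?P<label>.*?)\s+\((?P<status>Verified|Not verified)\)\s+"
    r"(?P<publisher>.*?)\s+(?P<path>[A-Za-z]:\\.*)$"
)
# Assumed layout of an entry with no signature marker at all, as when
# "Verify Code Signatures" was not enabled before the log was saved.
NO_MARKER_RE = re.compile(r"^\+\s+(?P<label>.*?)\s+(?P<path>[A-Za-z]:\\.*)$")

# Constructed sample log. The DiamondCS, MSAFD and RSVP lines are copied from
# Attachment A; the neighbouring sections and "Example" lines are invented.
SAMPLE_LOG = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ExampleTray Example tray tool (Not verified) Example Corp c:\program files\example\tray.exe
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ DiamondCS TCP/IP Layer [RAW] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [TCP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [UDP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
+ Example LSP [TCP] c:\program files\example\examplelsp.dll
HKLM\System\CurrentControlSet\Control\Print\Monitors
+ Example Monitor (Not verified) Example Corp c:\windows\system32\examplemon.dll
"""


def extract_catalog(log_text):
    """Parse only the entries that sit under the Protocol_Catalog9 header."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            # Any section header ends the previous section.
            in_section = line.lower() == CATALOG_KEY.lower()
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"label": m["label"], "status": m["status"].lower(),
                            "publisher": m["publisher"], "path": m["path"].lower()})
            continue
        m = NO_MARKER_RE.match(line)
        if m:
            entries.append({"label": m["label"], "status": "no signature data",
                            "publisher": "", "path": m["path"].lower()})
        else:
            # Never drop a line silently: keep it for manual reading.
            entries.append({"label": line, "status": "unparsed",
                            "publisher": "", "path": ""})
    return entries


def dlls_to_check(entries):
    """Return {dll: {"statuses": [...], "entries": n}} for every DLL that has
    at least one catalog entry whose status is not "verified"."""
    grouped = defaultdict(lambda: {"statuses": set(), "entries": 0})
    for e in entries:
        key = e["path"] or e["label"]
        grouped[key]["statuses"].add(e["status"])
        grouped[key]["entries"] += 1
    return {
        dll: {"statuses": sorted(info["statuses"]), "entries": info["entries"]}
        for dll, info in grouped.items()
        if info["statuses"] != {"verified"}
    }


if __name__ == "__main__":
    for dll, info in sorted(dlls_to_check(extract_catalog(SAMPLE_LOG)).items()):
        print(f"{dll}: {info['entries']} entries, {', '.join(info['statuses'])}")
```

Grouping by DLL keeps the review short: one provider DLL usually registers several catalog entries, so the list to research is the handful of files rather than every line.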

Networking Your Computers

Setting up a computer network, whether to share files, or Internet service, can be a lot of fun. It's more fun, though, if you set it up properly, from the start. I'll try and make that possible, if you work with me.




With the basic issues out of the way, you can get detailed instruction from plenty of websites, that will give you illustrated instructions. Here are but five, listed in alphabetical order.

If you have properly chosen and setup your equipment, advice from any one of the above should get your network in order. The various guides are written by different organisations, and each has a different style, so check them all out if possible. Find the one which works best for you.


Solving Problems
If you're here because you have problems, please start by reading Solving Network Problems.

Now, what is your specific problem? Is it accessing the Internet? Then read Troubleshooting Internet Connectivity. Or is the problem with File Sharing? Then read Troubleshooting Network Neighborhood (Windows Networking).

One major issue that the websites listed above won't help you with, if your problem is with file sharing, is the browser. Now when I mention the browser, don't start with "My Internet access is not a problem". The browser is the program that provides the contents of Network Neighborhood on your LAN. It's frequently involved in problems when "I can't see the other computers", or "I get access denied when I try to access another computer". Please read my article Windows NT (NT/2000/XP/2003) and the Browser.

Do you have a LAN with both Windows 9x (95, 98, ME) computers and Windows NT (NT, 2000, XP) computers? Then you should read Windows 9x (95/98/ME) and the Browser.


In Conclusion
All of the above articles link to dozens of other articles, so read carefully. And be patient with me, as I add to this blog occasionally. Check back here periodically. Or write to my Guestbook.


Setting Up A Domain Or A Workgroup? Plan For The Future

If you have just one computer, you have the beginnings of a network. With two computers, you definitely have a network. With three computers, you have a workgroup. Beyond that? Consider the benefits of a domain.

Look at the members (people) in your workgroup. Remember that the purpose of networking computers is to share resources (data and / or printers). Do you have a group of people who trust each other, totally, with all shared resources? If so, then you can set up an open workgroup, with no reservations. And you can, generally, use Guest authentication.

If you can't trust everybody with all shared resources, you will have to set up non-Guest authentication (who is this person?) and authorisation (should this person access this resource?). Without a domain to provide authentication, you have to set up an account for each person on one or more clients, and on one or more servers. With a domain, it's simply a matter of adding one more domain account.

Account and password maintenance, in a workgroup environment, can be a real experience.


  • You have to create an account, with an identical password, on each client and on each server.
  • You have to change a password on each client, and each server, simultaneously. The account owner has to be logged off on each client, while you do this, or face password conflicts.
  • When somebody leaves the group, you have to delete their account on each client and server.

With a domain, again just add an account, change the password, or delete the domain account.

Will you possibly have people sharing each other's computers from time to time? Will you have people accessing shared resources on more than one computer? Will you have group turnover, where one person leaves the group, and is replaced by somebody else? Will you have staff sharing each other's account / password (you know folks shouldn't share passwords, but eventually they will)?

For that matter, how does a workgroup member change his / her password, on the servers? Surely you wouldn't want each person walking up to the server, and logging themselves in, locally, for a simple password change?

And how about the need for one person to have unrestricted access to each computer? Any LAN of any size needs an administrator. The administrator account has to be on each computer. Proper security procedures demand regular changing of the administrator password - but how do you do that on each computer?

Besides the people related issues, how about the network layout? Is your workgroup likely to span multiple subnets? If so, you will need a domain. Be aware of issues involved with Browsing Across Multiple Subnets.

There is one show stopper here. If you have computers running XP Home, you might as well stick with the workgroup. Computers running XP Home can't join a domain.

Now, setting up a domain shouldn't be done casually. The initial expense, and setup, of a domain, is significant. Minimally, you need:

  • A dedicated server (not shared as somebody's desktop computer).
  • A server Operating System.
  • Server administration techniques. Since the server is depended upon by each person, it is proportionally more important to keep it secure and stable.


Setting up Server 2003, and a domain, is a lot more work than setting up a single Windows XP host. Maintaining a server is a little more work than maintaining a single personal computer. But, as soon as you see how simple it is to add or update a new person in a domain, compared to adding or updating multiple clients and servers in a workgroup, you'll see that it's worth the initial and ongoing complications.

In short, a workgroup setup makes sense for a group that is:

  • Trusting of each person.
  • Small.
  • Doesn't share multiple resources.
  • Static.
  • Mostly computers running XP Home.


My personal experience? If you have more than 4 or 5 computers or people, you will, eventually, end up with one or more problems with the limitations listed above. You can maybe work around each of those limits procedurally; and if you have enough time and patience (by the staff, and whoever maintains the LAN), none of them will matter too much. If you need to move somebody from one computer to another, you can use the File and Settings Transfer Wizard to make the process almost scriptable.

But, if you have ever administered a workgroup of any size, with any staff turnover, secreting of data, and / or sharing of computers, you will know that a domain, with a simple procedure to setup and maintain each account, makes more sense in the long run.

Windows Networking And Alternate Transports

Windows Networking is the suite of programs that provide file and printer sharing between computers running Microsoft Windows (and compatible Operating Systems, such as Linux). Windows Networking runs at the Application level of the OSI Network Model, and, in its default configuration, uses NetBIOS Over TCP/IP (NetBT) and TCP/IP, for logical connectivity. It can be customised to use alternate transports, like IPX/SPX or NetBEUI.

Microsoft supports only NetBT and TCP/IP, though you may use IPX/SPX or NetBEUI, if you're prepared to deal with the support issues. There are advantages and disadvantages to using either alternative. (Update): Windows Vista will not support NetBEUI.

Similar in effect to IPX/SPX / NetBEUI, we have a commercial product called Network Magic. Network Magic requires no complicated configuration; you just install it and it works. Unfortunately, nobody that I know knows how it works, or if it's OSI Network compliant. And, just as with IPX/SPX / NetBEUI, if there's a problem with the network outside its scope of effect, you may not be able to diagnose such a problem as reliably as with IP.

Advantages Of Alternate Transports


  • No filtering problems. A misconfigured or overlooked personal firewall can cause problems with IP based networks. Neither IPX/SPX nor NetBEUI is affected by firewall problems.
  • Segments are isolated. Any separate networks, connected by routers, won't pass IPX/SPX or NetBEUI based traffic between them. Windows Networking simply won't leak onto any networks connected by routers, such as the Internet.
  • Easier to set up. There's no need to configure TCP/IP settings; both IPX/SPX and NetBEUI attach directly to the hardware, and both set themselves up automatically.


Disadvantages Of Alternate Transports

  • Network complexity. You'll likely have redundant system components in use by each computer, and redundant network traffic between each computer.
  • Lack of diagnostics. The ipconfig and ping utilities can identify logical and physical connectivity problems on an IP network. This is not available on non-IP networks, and may not give consistent results when you deal with problems on mixed networks.
  • Lack of filtering. Firewalls only filter IP network traffic.
  • Limited effect. Using alternate transports provides a workaround only for TCP/IP configuration problems, or filtering problems. It does nothing for physical problems, or for problems caused by authentication / authorisation.
  • Only TCP/IP can link multiple segments. Any separate networks, connected by routers, won't pass IPX/SPX or NetBEUI based traffic between them. If your network is segmented, for physical reasons, you'll have to bridge the segments (which is, by design, what NBT does).
  • Have to be set up properly. If just one computer on the network attaches Windows Networking to NBT, convenience and security gains are eliminated.



Filtering
IP traffic, by design, can be filtered by personal firewalls and routers. IPX/SPX and NetBEUI, which attach directly to the physical transport and in parallel to TCP/IP, are not affected by IP based filtering. This has its good side and its bad side.

If you're having a problem with a personal firewall on a computer, you can work around that problem. IPX/SPX and NetBEUI are not affected by personal firewalls.

However, if you depend upon a personal firewall providing protection against malicious network traffic, you won't have that. Any malicious network traffic, IPX/SPX or NetBEUI based, won't be filtered.


Segmentation
IP traffic, by design, passes thru routers; IPX/SPX and NetBEUI traffic doesn't. This has its good side and its bad side.

If you have a network in a single segment, and you use IPX/SPX or NetBEUI to provide a transport for Windows Networking, all Windows Networking traffic will stay on that segment. All shares will be totally safe from malicious access from other network segments, including the Internet.

If your network includes multiple segments, connected by routers, and you use IPX/SPX or NetBEUI as a transport for Windows Networking, all Windows Networking traffic will stay on each segment. Computers on separate segments will be unable to access each other, unless you build bridges between the segments. NBT was designed as that bridge.


Setup
A network, using IPX/SPX or NetBEUI, is easy to set up. It's not so easy to set up properly though.

A simple IPX/SPX or NetBEUI network, in a single segment, requires no configuration. Both transports essentially set themselves up. There's no subnetting or other complicated TCP/IP settings to make.

If you want to access the Internet from your computers, though, you will still have to have TCP/IP on each computer. If you do not separate Windows Networking from TCP/IP on even one single computer, your entire Windows Networking environment may be exposed. And without protection by personal firewalls, all computers may be at risk more than if they were using NBT.


Complexity and Use of Network and System Resources

IPX/SPX and NetBEUI are not significantly more chatty than NBT, and do not use significantly more network or system resources. If your computers only use IPX/SPX or NetBEUI, there is no complexity or resource problem.

But, if your computers will be accessing the Internet too, you'll need TCP/IP on each computer. IPX/SPX, NetBEUI, and TCP/IP, although each run under the same operating system, use different system components. And while they each generate traffic on the same network, the content of that traffic is different. So, with multiple combinations of IPX/SPX, NetBEUI, and TCP/IP operating on your network, your computers will have to work harder (to use multiple protocols), and your network hardware will have to work harder (to transport multiple protocols, with a higher volume of traffic).

If Windows Networking functions like browsing, or name resolution, run thru dual protocols on one computer, or if all computers on the LAN aren't identically setup and different computers run services thru different protocols, you'll really have problems. And some problems might not be immediately obvious either.

Separating Internet traffic (using TCP/IP) from Intranet (Windows Networking) traffic (using IPX/SPX or NetBEUI) has an effect similar to using a Virtual LAN. But using a common protocol (TCP/IP) with a properly designed layered security strategy is more efficient in the long run.


Network Diagnostic Tools

With any network, any time there's a problem, such as an "access denied" error, you'll want to first look for a possible physical problem (by observing the lights on the network devices, and by running Device Manager diagnostics). Having dismissed the physical possibility, on a TCP/IP network, you'll be looking at IPConfig, and pinging one computer from the other. You have to eliminate lower level problems, before you can diagnose higher level problems.

If you have TCP/IP on each computer, for Internet access, you can still use ipconfig and ping. But if Windows Networking is using a separate transport, neither ipconfig nor ping will be conclusively valid.
  • Just because you have IP connectivity (valid ping results), that doesn't mean that you have IPX connectivity.
  • Just because your computers are on separate subnets (from a bad IP configuration, indicated by ipconfig), that doesn't mean that you have a NetBEUI connectivity problem.
  • If you don't install TCP/IP on each computer (or if you completely detach it from any computer), then ipconfig, ping, and other IP based diagnostics won't provide consistently relevant results.



Limitations of Effectiveness

If you have problems with either IP configuration, or with a personal firewall, either IPX/SPX or NetBEUI will provide a good workaround. But, if the problem causing the "access denied" error is a bad cable or connection, or if you haven't set up file sharing authentication / authorisation properly, you'll have the same problem with IPX/SPX or NetBEUI. But now you won't have diagnostic tools to identify the problem.
