More Secure Network (MSN)
Windows Workgroups and Domains
Windows workgroups depend on browse lists (the list of machines you see when opening Network Neighborhood); therefore, moving to the MSN can cause problems with machine location, especially when using peer-to-peer networking.
- Browse lists are compiled by a local machine acting as the 'Browse Master' using broadcast. Since the MSN will not allow inbound traffic that originates outside the firewall, you will have two browse masters: one behind the MSN on your subnet and another one on the open network on your subnet. These two groups of machines will not be able to "see" each other, thus causing peer-to-peer resources to be unavailable.
- Browsing is unreliable at best on a single subnet, and browsing across subnets is fraught with problems. You may be able to alleviate some of the problems by using WINS. If you do not run WINS, you can use ITS's WINS servers, 220.127.116.11 and 18.104.22.168.
- Since traffic originating outside the firewall will still not be permitted inbound, the best approach is to locate all of your machines on the MSN. Then, peer-to-peer resources should work as before.
Windows domains have browsing limitations similar to those discussed for Windows Workgroups.
- If you are moving the servers behind the MSN, it is strongly recommended that you move all client workstations.
- If you do not move all the workstations:
  - Inform users remaining on the standard University network that they will have to obtain an MSN VPN to reach the resources on the server.
  - Manually map resources, since logon scripts will not run.