Is there an AFP client for Windows 7 and beyond?

Question

Level 1

0 points

Is there an AFP client for Windows 7 and beyond?

We are a mostly-Mac environment, with a few PC clients and mostly PC servers. We have Windows 2003 file servers, which run AFP and SMB. We also support users on home machines with AFP (until 10.7 came out) and FTP for PCs and newer Macs. We use Active Directory for authentication. The 10.7+ home Macs have a problem though, because the native FTP client in Mac OS 10.7+ is read-only.

So we have finally decided to retire our Windows 2003 servers, and replace them with NASes. The NASes have AFP 3.3 (via netatalk), and are thus supported by 10.7 and beyond, solving the read-only FTP issue with home Mac users. The AFP and SMB services on the NAS both support Active Directory authentication.

Unfortunately, their FTP implementation does NOT allow Active Directory authentication. The logic of that oversight is beyond me, but there it is. SMB (port 445 and/or 137-139) is blocked globally by Comcast and many other ISPs, so allowing SMB through the firewall is not a solution.

The manufacturer (Overland) has suggested we implement VPN, and PC users can then use SMB. I was hoping that maybe there was an AFP client for Windows out there.

Does anyone know of a way to get Windows 7 and newer computers to connect to a server over AFP?

Thanks in advance!

--

Jay Duff, ACMT

Network Administrator

Mannheim School District 83

Franklin Park

HP ZBook-OTHER, Windows 7, Primary work computer

Posted on Apr 10, 2015 6:29 AM

Reply

Answer 1

Best reply

Templeton Peck

Level 9

62,197 points

Apr 10, 2015 11:59 AM in response to MacDude72

Pretty sure there is no such solution for connecting windows to shares via AFP.

Are you sure Comcast does not allow SMB sharing, as I have Comcast and regularly connect to my home server (mac mini) from my work VDI using Windows 7 via SMB, and it works fine. Maybe you subscribe to Comcast Business and they restrict it there?

Having SMB wide open for any home users to connect to isn't secure. For the sake of security I would suggest use a VPN for your home users or extend your LAN by using a secure service that's "always on" like LogMeIn Hamachi. I use Hamachi to support my clients for my side business, and I can connect to them using any and all protocols any time of day.

https://secure.logmein.com/products/hamachi/

Reply

Answer 2

MacDude72 Author

Level 1

0 points

Apr 10, 2015 12:04 PM in response to Templeton Peck

Comcast's website explicitly states that they block SMB on Xfinity. http://customer.comcast.com/help-and-support/internet/list-of-blocked-ports/

I understand the risks of opening up SMB. I was going to open it up strictly to the NASes, as they are Linux-based, and less prone to the SMB worms.

Our firewall has an SSLVPN server built in, so I've been working with it, to try to get an easy, non-technical, installation procedure working, but OpenVPN is the client, and the installer needs a lot of tweaking on the client, after the install is complete. The users will line up outside my office with torches and pitchforks if I force it on them.

AFP is such a great solution. It's got excellent broadcast-based service advertising, but remains routable (unlike Bonjour). It's a shame that fewer and fewer developers are keeping it alive.

Reply

Answer 3

Apr 11, 2015 6:15 AM in response to MacDude72

Well unfortuantely user satisfaction is not always the best policy. Securing district information should take priority. People have to adapt to change, so I say stick with the VPN solution and force people to learn. You could easily use Composer to package up the VPN client software / configs that the users could install, saving them a bit of any learning curve. It'll make you look good and cover your butt as well.

Reply

Answer 4

KiltedTim

Level 10

195,939 points

Apr 11, 2015 6:20 AM in response to MacDude72

Probably the simplest VPN solution I've come across for a small organization is Logmein Hamachi. All you need is a spare, relatively old PC you can throw on your network to act as a gateway. Simple deployment, stable, and low maintenance.

Reply

Answer 5

MacDude72 Author

Level 1

0 points

Apr 13, 2015 8:06 AM in response to Templeton Peck

I hear ya. Most of our teachers are not exactly open to change.

That being said, I spent this weekend perfecting the VPN client. Our UTM system (Smoothwall) has a fairly robust SSLVPN server built in, that integrates with Active Directory. I was, once all the kinks are worked out, planning to put a link to the VPN client installer on our site. Smoothwall actually generates a zip file that includes an OpenVPN client, the certificates, and a config file. So that was pretty easy.

KiltedTim - does LogMeIn Hamachi do anything other than provide the VPN?

Now I need to figure out how to get the home PCs to connect to their home folders, once they bring up the VPN. Since the client computers aren't bound to our Active Directory, it's kind of a challenge. I was thinking of using a file:// URL, but I couldn't make it work without already having the user logged into AD. I think I can get it done with a post-connect script but...

I believe that is outside the scope of this forum.

Thanks for the helps.

Reply

Answer 6

Apr 13, 2015 8:32 AM in response to MacDude72

Hamachi is not necessarily a VPN. It's an "always on" secure extension of your LAN. I use it for my side job clients and it works great.

https://secure.logmein.com/products/hamachi/

Reply