Windows Firewall with RAS (incoming connection)
rpremuz_at_yahoo.com
Date: 12/29/04
Date: 29 Dec 2004 03:29:32 -0800
(1) I have a MS Windows XP Pro. with SP2 computer in a workgroup
(computer name: SERVER). The computer is connected to a small LAN.
The LAN card has a static IP address: 169.254.1.0,
subnet mask: 255.255.0.0.
The computer also has an ISDN card with two ISDN links and an
incoming connection (not VPN) is created on the ISDN links.
On the SERVER the Windows Firewall is turned on with the following
exceptions enabled:
- File and Printer sharing
- Remote Assistance
- Remote Desktop
Also, for the ICMP the incoming echo request is allowed.
(2) From another PC in the LAN I can ping the SERVER's static IP
address on the LAN card (169.254.1.0) and the Remote Desktop
Connection to the SERVER can be established using that address.
(3) From a remote PC (MS Windows 2000 Pro. + SP4 which is not in
that LAN) I am able to connect to the SERVER's incoming connection
(by providing a username and password). The PPP connection from the
remote PC to the SERVER gets two dynamic IP addresses:
- server IP address, e.g. 169.254.183.219, subnet mask 255.255.255.255
- client IP address, e.g. 169.254.234.81, subnet mask 255.255.255.255
(4) From the remote PC I can ping the SERVER's dynamic IP address of
the PPP connection (e.g. 169.254.183.219) and the Remote Desktop
Connection to the SERVER can be established using that address,
but I cannot ping the SERVER's static IP address on the LAN card
(169.254.1.0) and the Remote Desktop Connection to the SERVER cannot
be established using that address.
(5) On the other hand, if the Windows Firewall is turned off on the
SERVER, then the problems with connecting to the SERVER's static IP
address from the remote PC disappear.
Considering (1) to (5) I'd say that the Windows Firewall doesn't
work correctly when a dial-in connection is established to a
Windows XP Pro computer. Or should I configure the Windows Firewall
another way?
-- rpr /Robert Premuž/
For more details have a look at the output of the following
commands on the SERVER:
ipconfig /all
===================================================================
Windows IP Configuration
Host Name . . . . . . . . . . . . : server
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI
Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-40-95-07-B1-A4
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 169.254.1.0
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 169.254.0.1
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Internal RAS Server
interface for dial in clients
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 169.254.183.219
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
== end of "ipconfig /all" =========================================
Case (3) & (4):
netsh firewall show config
===================================================================
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable No Remote Desktop
Allowed programs configuration for Domain profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
3389 TCP Enable Remote Desktop
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable No Remote Desktop
Allowed programs configuration for Standard profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable javaw / C:\Program
Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
3389 TCP Enable Remote Desktop
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable
Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable
== end of "netsh firewall show config" ============================
Case (5):
netsh firewall show config
===================================================================
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable No Remote Desktop
Allowed programs configuration for Domain profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
3389 TCP Enable Remote Desktop
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable No Remote Desktop
Allowed programs configuration for Standard profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable javaw / C:\Program
Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
3389 TCP Enable Remote Desktop
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable
Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Disable
== end of "netsh firewall show config" ============================
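The configuration above already logs dropped packets and connections to C:\WINDOWS\pfirewall.log, so one way to see what the firewall does with the remote PC's traffic in cases (3) and (4) is to summarise that log per destination address. This is an added example, not part of the original post: the log lines are constructed (they only reuse the addresses quoted in the post), and the column layout is taken from whatever `#Fields:` header the log itself carries.

```python
from collections import Counter

# Constructed sample; the events are invented, only the addresses come from the post.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-12-29 12:01:10 DROP ICMP 169.254.234.81 169.254.1.0 - - 60 - - - - 8 0 -
2004-12-29 12:01:15 DROP TCP 169.254.234.81 169.254.1.0 1045 3389 48 S 1234567 0 16384 - - -
2004-12-29 12:01:18 DROP TCP 169.254.234.81 169.254.1.0 1045 3389 48 S 1234567 0 16384 - - -
2004-12-29 12:02:02 OPEN TCP 169.254.234.81 169.254.183.219 1046 3389 - - - - - - - -
2004-12-29 12:03:40 DROP UDP 169.254.7.7 169.254.255.255 137 137 78 - - - - - - -
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # ignore truncated lines
                entries.append(dict(zip(fields, values)))
    return entries


def dropped_by_destination(entries, src_ip):
    """Count DROP entries from src_ip per (dst-ip, protocol, port or ICMP type)."""
    counts = Counter()
    for e in entries:
        if e["action"] == "DROP" and e["src-ip"] == src_ip:
            detail = e["icmptype"] if e["protocol"] == "ICMP" else e["dst-port"]
            counts[(e["dst-ip"], e["protocol"], detail)] += 1
    return counts


def opened_destinations(entries, src_ip):
    """Local addresses for which a connection from src_ip was logged as OPEN."""
    return {e["dst-ip"] for e in entries
            if e["action"] == "OPEN" and e["src-ip"] == src_ip}


if __name__ == "__main__":
    log = parse_firewall_log(SAMPLE_LOG)
    client = "169.254.234.81"  # PPP client address quoted in the post
    for key, n in sorted(dropped_by_destination(log, client).items()):
        print("DROP", n, *key)
    print("OPEN to", sorted(opened_destinations(log, client)))
```

On the real SERVER, read the log file's contents into `parse_firewall_log` instead of `SAMPLE_LOG` and substitute the client address the PPP session was actually given.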