Re: RWW internal not external

From: Les Connor [SBS Community Member - SBS MVP] (les.connor_at_DEL.cfive.ca)
Date: 01/18/05


Date: Mon, 17 Jan 2005 22:02:48 -0600

A second NIC, a SOHO gateway router, and RRAS is the least expensive
way to get adequate protection.

-- 
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
"Clay Gerrard" <clay.gerrard@sbcglobal.net> wrote in message 
news:%23S2kOHQ$EHA.3124@TK2MSFTNGP11.phx.gbl...
> any suggestions on a *good* firewall for a small business network?
>
> -clay
>
> "Les Connor [SBS Community Member - SBS MVP]" <les.connor@DEL.cfive.ca> 
> wrote in message news:u8rZwWP$EHA.3260@TK2MSFTNGP14.phx.gbl...
>> In a single nic scenario, you definitely want a *good* firewall, and 
>> definitely do *not* want the DMZ setting. That would open up your SBS 
>> completely to the internet, and you'd be compromised literally within 
>> minutes. Linksys should be shot for recommending this.
>>
>> If all things work internally, but not externally, then it's either a 
>> router malfunction/misconfiguration, or the ISP is blocking ports. 
>> Probably the router.
>>
>> -- 
>> Les Connor [SBS Community Member - SBS MVP]
>> -----------------------------------------------------------
>> SBS Rocks !
>>
>>
>> "Clay Gerrard" <clayg@gvtc.com> wrote in message 
>> news:u9OFjOP$EHA.1396@tk2msftngp13.phx.gbl...
>>> SBS Standard, one NIC, no ISA.
>>>
>>> I have set the port forwarding on the router as best I can.  SSL & RWW 
>>> are TCP, correct?  I can't think of anything special I'd have to do for 
>>> those ports on the router as opposed to SMTP.  I'm going to contact 
>>> Linksys in the morning - I'll see if they have any suggestions, but I've 
>>> found their tech support to be targeted toward a home user.
>>>
>>> I've re-run the Remote Access Wizard and CEICW a number of times.  I 
>>> promise I'm electing to "change settings" and selecting:
>>> Outlook Web Access
>>> Remote Web Workplace
>>> Outlook via the Internet
>>>
>>> If the error is in RRAS the wizard isn't fixing it, but I've never 
>>> manually changed anything in the "Routing and Remote Access" console, so 
>>> I couldn't even begin to guess where to start looking for something 
>>> "odd".
>>>
>>> On a side note, before I call Linksys, does anyone have any info about 
>>> "DMZ" - Demilitarized Zone - and how it might apply to a 
>>> router/firewall?  It's an option in my router's service console, under the 
>>> port forwarding section.  You can "enable or disable" it, you can select 
>>> the source IP address to be "any IP" or a range [x].[x].[x].[y]-[z], and 
>>> you can set the "host" IP address.  Every time I call Linksys "Support" 
>>> they tell me to turn it on, leave it set to any IP, then point it to the 
>>> internal IP of the server.  Which I do, but it doesn't help, so I turn 
>>> it back off.  I'm not sure what it's supposed to be doing.
>>>
>>> ipconfig /all from server:
>>>
>>> Microsoft Windows [Version 5.2.3790]
>>> (C) Copyright 1985-2003 Microsoft Corp.
>>> C:\Documents and Settings\Administrator>ipconfig /all
>>> Windows IP Configuration
>>>   Host Name . . . . . . . . . . . . : SERVER2800
>>>   Primary Dns Suffix  . . . . . . . : cci.local
>>>   Node Type . . . . . . . . . . . . : Unknown
>>>   IP Routing Enabled. . . . . . . . : Yes
>>>   WINS Proxy Enabled. . . . . . . . : Yes
>>>   DNS Suffix Search List. . . . . . : cci.local
>>> Ethernet adapter Server Local Area Connection:
>>>   Connection-specific DNS Suffix  . :
>>>   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network 
>>> Connection
>>>   Physical Address. . . . . . . . . : 00-C0-9F-46-FD-E7
>>>   DHCP Enabled. . . . . . . . . . . : No
>>>   IP Address. . . . . . . . . . . . : 192.168.1.3
>>>   Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>   Default Gateway . . . . . . . . . : 192.168.1.1
>>>   DNS Servers . . . . . . . . . . . : 192.168.1.3
>>>   Primary WINS Server . . . . . . . : 192.168.1.3
>>> C:\Documents and Settings\Administrator>
>>>
>>> Thanks again for everyone's help.  I'm definitely leaning towards this 
>>> being a router issue, so I'll continue working with Linksys and if I 
>>> find anything out I'll post back.
>>>
>>> -clay
>>>
>>> "Les Connor [SBS Community Member - SBS MVP]" <les.connor@DEL.cfive.ca> 
>>> wrote in message news:uSqwHhO$EHA.3368@TK2MSFTNGP15.phx.gbl...
>>>> There are two places where the ports might be blocked.
>>>>
>>>> a) the router. Ensure you have the port forwarding set correctly, from 
>>>> your external IP on the router, to the external IP of the SBS.
>>>> b) RRAS or ISA - run the CEICW, make sure you elect to change the 
>>>> settings, not leave them. Ensure you have the items you want accessible 
>>>> from the internet selected.
>>>>
>>>> I haven't seen an ipconfig /all in this thread - have we checked to see 
>>>> that the NICs are correctly configured?
>>>>
>>>> -- 
>>>> Les Connor [SBS Community Member - SBS MVP]
>>>> -----------------------------------------------------------
>>>> SBS Rocks !
>>>>
>>>>
>>>> "Clay Gerrard" <clayg@gvtc.com> wrote in message 
>>>> news:%23uVouWO$EHA.2876@TK2MSFTNGP12.phx.gbl...
>>>>> EXTERNALLY
>>>>>
>>>>> I can NOT telnet in on 444, 443, or 4125
>>>>> the message response is "connection refused"
>>>>>
>>>>> I can however get through on port 25 to my SMTP server from the 
>>>>> internet
>>>>>
>>>>> INTERNALLY is a different story
>>>>>
>>>>> I CAN telnet in to 444 & 443, but not much happens when I get there. 
>>>>> I don't even know how to close the connection =\
>>>>> 4125 however gives me "could not open connection to host on port 
>>>>> 4125", but for all I know this is the expected behavior.  I didn't 
>>>>> know telnet could get me in on ANY of these ports, so I've already 
>>>>> learned something.
>>>>>
>>>>> But, what does all this tell us?  Is my router not forwarding the 
>>>>> ports to my server or could SBS somehow be refusing a connection to an 
>>>>> outside computer?  The router has some built in firewall protection, 
>>>>> SPI and all that - could this be shutting us down and would "DMZ" have 
>>>>> anything to do with it?  But then why would port 25 be working? 
>>>>> Gremlins?
>>>>>
>>>>> Thanks for all your support!
>>>>>
>>>>> -clay
>>>>>
>>>>>
>>>>>
>>>>> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in 
>>>>> message news:ugYtg6N$EHA.3592@TK2MSFTNGP09.phx.gbl...
>>>>>> Hi Clay,
>>>>>>
>>>>>> Can you check if you can telnet to your public IP on port 444 from 
>>>>>> the internet?
>>>>>>
>>>>>> -- 
>>>>>> Regards,
>>>>>>
>>>>>> Marina
>>>>>> Microsoft SBS-MVP
>>>>>> One of the Magical M&M's
>>>>>>
>>>>>> "Clay Gerrard" <clayg@gvtc.com> schreef in bericht
>>>>>> news:uzGvdkN$EHA.1452@TK2MSFTNGP11.phx.gbl...
>>>>>>> installed the RMA router, didn't make any difference.  I'm going to call
>>>>>>> Linksys in the morning.
>>>>>>>
>>>>>>> Just so everybody knows, the WRT55AGv2 latest firmware v.1.10 is
>>>>>>> apparently a black hole router.  It may have other issues as well.
>>>>>>>
>>>>>>> -clay
>>>>>>>
>>>>>>> "Clay Gerrard" <clayg@gvtc.com> wrote in message
>>>>>>> news:OYxFnQN$EHA.1296@TK2MSFTNGP10.phx.gbl...
>>>>>>> > I reran CEICW with the public IP.  It went through OK the second time,
>>>>>>> > but the first time I tried it got an error on the "configure firewall"
>>>>>>> > step.
>>>>>>> >
>>>>>>> > anyway
>>>>>>> >
>>>>>>> > https://[external_ip]/remote did not work from an external connection,
>>>>>>> > http://[internal_ip]/remote still works great from internal.
>>>>>>> >
>>>>>>> > I'm still thinking this is a router issue; actually, someone just dropped
>>>>>>> > my RMA Linksys router on my desk, so I'm going to go try and install
>>>>>>> > that.
>>>>>>> > I'd really love to have some way to verify that requests coming in on
>>>>>>> > these forwarded ports are actually hitting the server.  Is there
>>>>>>> > somewhere in some IIS log that would show me this?
>>>>>>> >
>>>>>>> > -clay
>>>>>>> >
>>>>>>> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote 
>>>>>>> > in
>>>>>>> > message news:%23d1t9TM$EHA.2540@TK2MSFTNGP09.phx.gbl...
>>>>>>> >> Hi Clay,
>>>>>>> >>
>>>>>>> >> Did your ISP create a DNS record for your FQDN? If not, rerun CEICW
>>>>>>> >> and enter your public IP for the web certificate.
>>>>>>> >>
>>>>>>> >> -- 
>>>>>>> >> Regards,
>>>>>>> >>
>>>>>>> >> Marina
>>>>>>> >> Microsoft SBS-MVP
>>>>>>> >> One of the Magical M&M's
>>>>>>> >>
>>>>>>> >> "Clay Gerrard" <clayg@gvtc.com> schreef in bericht
>>>>>>> >> news:eYHoFKM$EHA.1600@TK2MSFTNGP10.phx.gbl...
>>>>>>> >>> When I ran the CEICW it asked for the FQDN, and it was my understanding
>>>>>>> >>> that the certificate is created at that time.  Is there something more
>>>>>>> >>> that I need to do manually?  Because this is the first I heard of it.
>>>>>>> >>>
>>>>>>> >>> But if I'm understanding you correctly, only the address I specified
>>>>>>> >>> will work correctly, i.e. https://[FQDN]/remote
>>>>>>> >>>
>>>>>>> >>> also, I have already tried https vs http, same results
>>>>>>> >>>
>>>>>>> >>> -clay
>>>>>>> >>>
>>>>>>> >>> THANKS!
>>>>>>> >>>
>>>>>>> >>> "Les Connor [SBS Community Member - SBS MVP]" <les.connor@DEL.cfive.ca>
>>>>>>> >>> wrote in message news:u8B$%23qL$EHA.1188@tk2msftngp13.phx.gbl...
>>>>>>> >>> > Hi Clay,
>>>>>>> >>> >
>>>>>>> >>> > Your server certificate will have been created with the name [fqdn]
>>>>>>> >>> > *or* [external_IP], so you must use whichever when you type the URL
>>>>>>> >>> > from a remote location.
>>>>>>> >>> >
>>>>>>> >>> > Additionally, sometimes the HTTPS re-direct is the culprit - so try
>>>>>>> >>> > https:// instead of http://, and see if that makes any difference.
>>>>>>> >>> >
>>>>>>> >>> > -- 
>>>>>>> >>> > Les Connor [SBS Community Member - SBS MVP]
>>>>>>> >>> > -----------------------------------------------------------
>>>>>>> >>> > SBS Rocks !
>>>>>>> >>> >
>>>>>>> >>> >
>>>>>>> >>> > "Clay Gerrard" <clayg@gvtc.com> wrote in message
>>>>>>> >>> > news:uYUaahL$EHA.2156@TK2MSFTNGP10.phx.gbl...
>>>>>>> >>> >> I'm forwarding:
>>>>>>> >>> >> 443, 444, 4125, 1723, 3389, 80
>>>>>>> >>> >>
>>>>>>> >>> >> Internally, http://[internal_ip]/remote or
>>>>>>> >>> >> http://[servername]/remote work great.
>>>>>>> >>> >>
>>>>>>> >>> >> Externally, I can't reach http://FQDN/remote or
>>>>>>> >>> >> http://[external_ip]/remote
>>>>>>> >>> >>
>>>>>>> >>> >> Is there a good way to verify that ports are being forwarded to the
>>>>>>> >>> >> server and eliminate the router as an issue?  Port 25 is being
>>>>>>> >>> >> forwarded through the router just fine for SMTP; I can verify that
>>>>>>> >>> >> with telnet from an external shell account.
>>>>>>> >>> >>
>>>>>>> >>> >> I've seen several posts on this issue, but it seems folks rarely
>>>>>>> >>> >> post back the results.  If we figure this out I promise I'll let
>>>>>>> >>> >> you know what the resolution was.
>>>>>>> >>> >>
>>>>>>> >>> >> Ok so, where do we start?
>>>>>>> >>> >>
>>>>>>> >>> >> -clay
>>>>>>> >>> >>
>>>>>>> >>> >>
>>>>>>> >>> >>
>>>>>>> >>> >
>>>>>>> >>> >
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>
>>>>>>> >>
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 
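Two checks come up repeatedly in the thread above and are never quite closed: whether a connection attempt from the Internet is being forwarded at all (the telnet tests, with "connection refused" on 443/444/4125 but port 25 working), and Clay's question of whether there is an IIS log that would show forwarded requests actually reaching the server. The script below is an added example, not part of the thread and not Microsoft or Linksys code. It assumes an IIS 6 site writing W3C extended logs with the standard field names (the default on SBS 2003) and that Remote Web Workplace lives under /remote as the posts describe. The sample log is constructed: the 192.168.1.x addresses follow the ipconfig posted above, and 203.0.113.9 is a documentation address standing in for an Internet client.

```python
"""Two checks for the "works internally, not externally" symptom.

Added example; not from the thread or from Microsoft/Linksys. Assumes IIS 6
writing W3C extended logs (standard #Fields names) and RWW under /remote.
"""
import ipaddress
import socket
from collections import Counter

# RFC 1918 ranges: any client here is on the LAN side of the router.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in W3C extended format (directive lines start with '#').
# 192.168.1.x follows the thread's ipconfig; 203.0.113.9 (a documentation
# address) stands in for an Internet client. IIS writes spaces in values as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-01-17 22:02:48
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-01-17 22:03:01 192.168.1.3 GET /remote/ - 443 CCI\\clay 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-01-17 22:03:02 192.168.1.3 GET /Remote/logon.aspx - 443 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-01-17 22:04:10 192.168.1.3 GET /exchange/ - 443 - 192.168.1.51 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2005-01-17 22:05:30 192.168.1.3 GET /remote/ - 80 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the field list can change mid-file
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("request line before any #Fields directive")
        else:
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines, never misalign
                yield dict(zip(fields, values))


def is_lan(ip_text):
    """True for RFC 1918 or loopback clients; raises ValueError on a non-address."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or any(ip in net for net in LAN_NETS)


def rww_hits(text, prefix="/remote"):
    """Count requests under `prefix`, split into LAN and Internet clients.

    Returns {'lan': Counter, 'internet': Counter} keyed by (c-ip, s-port), so
    you see not just whether an outside client got through but on which port.
    """
    hits = {"lan": Counter(), "internet": Counter()}
    for rec in parse_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        try:
            bucket = "lan" if is_lan(rec["c-ip"]) else "internet"
        except (KeyError, ValueError):
            continue                         # c-ip missing ('-') or unparsable
        hits[bucket][(rec["c-ip"], rec.get("s-port", "-"))] += 1
    return hits


def diagnose(text, prefix="/remote"):
    """One-line verdict in the thread's own terms."""
    hits = rww_hits(text, prefix)
    lan, inet = sum(hits["lan"].values()), sum(hits["internet"].values())
    if inet:
        ports = sorted({port for _, port in hits["internet"]})
        return "Internet clients are reaching IIS on port(s) " + ", ".join(ports)
    if lan:
        return "only LAN clients reach /remote: requests die in the router/firewall before IIS"
    return "no /remote requests logged at all: check site logging and bindings"


def probe(host, port, timeout=5.0):
    """Classify a TCP connect the way the thread's telnet tests do.

    'open'     SYN/ACK came back: something accepted the connection
    'refused'  RST came back: a host answered but nothing listens/forwards there
    'filtered' no answer before the timeout: silently dropped (SPI, black hole)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:                   # unreachable network, DNS failure, ...
        return "error: %s" % exc
    finally:
        s.close()


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    for bucket, counter in rww_hits(SAMPLE_LOG).items():
        for (ip, port), n in sorted(counter.items()):
            print("%-8s %-15s port %-5s %d request(s)" % (bucket, ip, port, n))
```

Run it against a real log by passing the file contents to diagnose(); a LAN-only result while Clay's external telnet gets "connection refused" means the router is answering the SYN itself and nothing is being forwarded to 192.168.1.3, which is exactly the router-side problem suggested above. probe() is for the telnet part: run it from an outside shell account against the public IP on 443, 444 and 4125 and compare with port 25, which the thread says does get through.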