Re: Connecting to XP sp2 machines by VPN



I think I have seen this before. You probably need to add other
networks to allow foreign IPs in. Here is my long story from a few
years ago. I hope it is relevant.
http://msmvps.com/blogs/bgb/archive/2006/05/16/95140.aspx

On Fri, 9 May 2008 02:25:01 -0700, Leigh
<Leigh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hello Bill

I have allowed the print and file sharing to be accessed by any computer
(including those on the internet) previously and still no luck!!
I also created a log file "pfirewall" previously which I have copied into
here. Unfortunately it doesn't fit very well and looks a mess in this post.
Perhaps you can cast your eye over it and make some observations that may
help as I do not really understand all the information contained.

81.140.65.54 is the SBS external static.
192.168.16.41 is the XP internal fixed IP.
192.168.0.1 is the internal SBS IP.
I can see a lot of DROPS in the log which seem to involve TCP and UDP ports.

In all the research I have done I understood I only need to make sure to
open port 1723, so what are all the others? Are they to do with the VPN
connection I am trying to make, and do I need to open them?
I don't want to open them if that will cause me other problems. Can you advise?

Thanks for your help

2008-04-25 14:15:42 OPEN-INBOUND TCP 81.140.65.54 192.168.16.41 13477 1723 - - - - - - - - -
2008-04-25 14:15:46 DROP UDP 192.168.0.174 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-04-25 14:15:50 DROP UDP 192.168.0.174 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-04-25 14:16:03 DROP TCP 192.168.16.41 192.168.0.174 445 13502 48 SA 3084194260 1133350834 9520 - - - SEND
2008-04-25 14:16:03 DROP TCP 192.168.0.1 192.168.16.41 13503 139 48 S 804954720 0 65535 - - - RECEIVE
2008-04-25 14:16:03 DROP TCP 192.168.16.41 192.168.0.174 139 13504 48 SA 369768440 2327057425 9520 - - - SEND
2008-04-25 14:16:06 DROP TCP 192.168.16.41 192.168.0.174 445 13502 48 SA 3084194260 1133350834 9520 - - - SEND
2008-04-25 14:16:06 DROP TCP 192.168.16.41 192.168.0.174 139 13504 48 SA 369768440 2327057425 9520 - - - SEND
2008-04-25 14:16:06 DROP TCP 192.168.0.1 192.168.16.41 13503 139 48 S 804954720 0 65535 - - - RECEIVE
2008-04-25 14:16:06 DROP TCP 192.168.16.41 192.168.0.174 445 13502 40 A 3084194261 1133350834 9520 - - - SEND
2008-04-25 14:16:06 DROP TCP 192.168.16.41 192.168.0.174 139 13504 40 A 369768441 2327057425 9520 - - - SEND
2008-04-25 14:16:12 DROP TCP 192.168.16.41 192.168.0.174 139 13504 48 SA 369768440 2327057425 9520 - - - SEND
2008-04-25 14:16:12 DROP TCP 192.168.16.41 192.168.0.174 445 13502 48 SA 3084194260 1133350834 9520 - - - SEND
2008-04-25 14:16:12 DROP TCP 192.168.0.1 192.168.16.41 13503 139 48 S 804954720 0 65535 - - - RECEIVE
2008-04-25 14:16:12 DROP TCP 192.168.16.41 192.168.0.174 445 13502 40 A 3084194261 1133350834 9520 - - - SEND
2008-04-25 14:16:12 DROP TCP 192.168.16.41 192.168.0.174 139 13504 40 A 369768441 2327057425 9520 - - - SEND
2008-04-25 14:16:22 DROP UDP 192.168.0.170 255.255.255.255 138 138 239 - - - - - - - SEND
2008-04-25 14:16:24 DROP TCP 192.168.0.174 192.168.16.41 13518 80 48 S 1701259848 0 65535 - - - RECEIVE
2008-04-25 14:16:27 DROP TCP 192.168.0.174 192.168.16.41 13518 80 48 S 1701259848 0 65535 - - - RECEIVE
2008-04-25 14:16:33 DROP TCP 192.168.0.174 192.168.16.41 13518 80 48 S 1701259848 0 65535 - - - RECEIVE


"Bill Sanderson" wrote:

I'm surprised at this result. I'd have thought that the VPN tunnel between
the SBS server and the XP workstation would have bypassed the firewall.

Here's what I think I would do to try to troubleshoot this:

Arrange to be able to connect to one of the XP workstations via Remote
Desktop. Open Remote Desktop through the Windows firewall on that XP
machine.

You may find that when the VPN tunnel connects, you lose the RDP connection,
unfortunately--if that's the case, I'm not sure how to work around it.

http://support.microsoft.com/kb/875357

is the article I would use to guide your troubleshooting. However, I think
you could save some time if you can find as much information about this
"inherited software" as possible--particularly--what executables, if any,
are involved on the XP end, and what ports and protocols.

One thought is to open file and printer sharing through the firewall, which
is a simple checkbox--if that is not already enabled. Another would be to
modify the scope of that sharing to include not just the local (in-store)
network, but also the IP address of the SBS 2003 server end of the VPN
tunnel.

The firewall on the XP end can be configured to log dropped packets. I'd
suggest enabling this logging, and attempting a connection, and then
inspecting the log to see what's happening. That should give you clues
about what needs to be allowed through.



"Leigh" <Leigh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B3009467-6D21-4EC4-99C8-BAC6AD48A285@xxxxxxxxxxxxxxxx
I have Win 2003SBS and several Win XP sp2 standalone remote machines.
I need to collect simple files from the XP machines using the 2003SBS and
the internet on a daily basis.
I have set XP machines as VPN servers.
I can connect to these machines from the 2003SBS by VPN no problem.

My problem is this.

When I try to map a drive in 2003SBS to the shared folder on the XP
machine I am unable to do so except when the Windows firewall is switched
off on the XP machine.
When the XP firewall is off everything works fine.
What do I have to do to the firewall to allow access to the shared folder,
because I would rather not leave the firewall turned off permanently.

Thanks for any help


See what SBS support is working on
http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer
http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx