Re: SBS 2003 Misconfigured?
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Aug 2008 09:00:21 -0400
Cliff Galiher <cgaliher@xxxxxxxxx> wrote:
Sorry Lanwench, I'm probably gonna start a religious war...and
unintentionally at that, but I gotta voice my opinion. ;) So...be
easy on me.
I've had quite a bit of experience with the netopia devices
recently...ever since Motorola took them over, our local Telco pushes
them like candy. I've thrown quite a bit at them, and just have to
disagree that they are inherently less secure than the netgear. I'd
like to know (genuinely, no sarcasm intended) what your experiences
have been that make you think they are?
I'll admit that I haven't had to work with one in a long while (in that I
always have them configured as routers only, and have my own equipment) so
I'm not sure how relevant that'll be.
I *will* grant you that the firewall management on the netopia is not
as user-friendly as it is on the netgear....but web based GUI's are
not an indication of quality. Watchguard didn't get the GUI right on
their edge devices for 7 versions (8 was the first I liked) but I
think most people would stand by their security.
True, although I am not a Watchguard fan namely because I found their
interface gawd-awful in the past.
The netopia,
properly configured, is a reasonably secure device.
Yeah, maybe it's not that different from the Netgear, for all that. However,
the Netgear has a much more intuitive interface, better logging (although
it's still minimal) and supports VPN. I've got bitty Netgears installed in
several bitty client offices where they really couldn't spring for more, and
they've been providing good service & security for years.
With that said though, I agree that a business-class firewall
appliance (Watchguard, sonicwall, etc) would be a worthwhile purchase
for anybody looking for more robust security.
Ayuh.
-Cliff
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OGP9zoX$IHA.3756@xxxxxxxxxxxxxxxxxxxxxxx
Mark Grantom <mgrantom@xxxxxxxxxx[no spam]> wrote:
Thanks once again. I checked all of the DHCP settings before I
posted and rechecked them after your response. I used the wizard to
setup DHCP and I have also gone in and manually created a new scope
and authorized it as well. Everything looks correct. I remember
that when I first used the Netgear router with SBS 2003, and ran
the ICEW wizard, it detected the fact that the router was UPNP and
I told it to set it up for me and it worked beautifully. Later,
when I flashed the firmware to the router, (can't remember what the
issue was) the UPNP never was detected if I re-ran the ICEW wizard.
(I do have it enabled on the router and windows XP does detect it
because it shows up in the network neighborhood).
*Never* use UPnP. Disable it. :-)
Also, the firmware update was a
major one going from 1.x to a 2.x and totally changed the graphical
interface on the router, however, it also caused the router to
display an error message "unable to obtain profile". A tech at
netgear suggested that I reflash the firmware so when I went back to
re-download it, the 2.x version for my router is no longer listed as
being compatible with my older unit, so I downgraded the firmware to
the latest 1.x version. Bottom line, the router may have issues.
It's easy to bypass this - just get an ethernet switch & be
disconnected from the Internet modem when you do this.
It
is very frustrating to try to find a person willing to administer
SBS 2003 on a tiny system like mine in the real world. I had one
tech spend 4+ hours on my system, and then tell me to enable DHCP
on the router. This tech is in charge of a major oil company's IT
department with several SBS 2003 servers.
Hmmm. I'd be surprised if a major oil company had SBS - and having
more than one SBS server in a company makes no sense. So...
I had another guy tell me
not to use DHCP on the server as well.
Where are you finding techs? Where are you located?
So far, all of the real world
people that have shown up have not been of much help. Thus my
attempt with this group.
I went out and purchased a netgear 8 port switch which I am going to
try and setup per the previous posts. I assume I will link it via
one of the ethernet ports on the Netopia, and enable the firewall
settings on the Netopia as well.
No - I do not recommend that - it is not sufficiently secure.
I will experiment with the Netgear
router by itself and see if I can reflash it back into use. If so,
I will swap it out later since it appears to be a superior
firewalling product.
Yes, I think so. However, if you really want to take care of that,
get a SonicWALL or similar.
Mark Grantom <mgrantom@xxxxxxxxxx[no spam]> wrote:
DHCP shows up on the server as running. I am attempting to do
this using remote desktop so, I'm not sure of the results.
Ah. It's best to do this stuff in person, really.
When I pulled
up one of the workstations via remote web connection, and changed
the tcp/ip settings to "obtain ip automatically" and "obtain DNS
automatically", the NIC on the workstation apparently reset itself
and I lost my remote session of course.
Biensure!
When I remote back into the
server and look at DHCP, I did see the ip address of
192.168.5.101 which is what I had also previously used as the
static ip address.
OK, but why are you looking at the server rather than the
workstation? Can't you still connect?
I
assume DHCP assigned it, but how can I verify that. Is there a
way to force a client to obtain a new ip address by issuing a
command from the server?
Not really. Do this in person on the client.
ipconfig /release
ipconfig /renew
ipconfig /all
(this will show you the DHCP lease info).
Also, I may have misstated the original issue about
DHCP not working. What I mean to say is that when tcp/ip is set
to "auto obtain" on the workstations, I was having connection
problems with the workstations.
Such as?
It could be that DHCP is working but is
misconfigured.
If the server was set up using the wizards, this wouldn't happen.
However, it's very easy to reconfigure your DHCP server / scope
options after the fact. Make sure DHCP is disabled on your router.
What you want is something like this:
Scope: 192.168.5.1 - 192.168.5.254
Subnet mask: 255.255.255.0
Exclusions: 192.168.5.1 - 192.168.5.100 (if you're using my scheme,
in which case assign the server something like .30) and also
192.168.5.200 - 192.168.5.250. If you want to stick with your
existing server IP, exclude it singly.
Router: 192.168.5.1
DNS domain/suffix: whatever.local
DNS servers: 192.168.5.xxx (your server's LAN IP)
WINS server: 192.168.5.xxx (your server's LAN IP)
WINS node type: 0x8 (hybrid node)
I don't think you can re-configure your DHCP server using the
CEICW, which is a shame as you wouldn't have to do all this work
manually, but someone else may contradict or confirm that.
For example, I noticed that under "Server Options"
there is a setting for Router. Is this the netgear router or is
it the SBS server?
The Netgear, or whatever you use as your gateway to get out to the
Internet.
As for the tech issue, the last guy's solution was
to enable DHCP on the router, which is not what I wanted.
Nor should it be. Try and find a good/qualified tech who's worked
with SBS before, but also has experience with & understanding of AD
& basic networking.
Thanks for
your help.
You're welcome.
Mark Grantom <mgrantom@xxxxxxxxxx[no spam]> wrote:
I went back and looked at the Netgear. I don't see anything
that allows you to turn NAT on or off. I based my post on the
notes that a tech I hired left me.
I'm guessing that you may want to get another tech in there to
help you out at this point, honestly.
I DO know that NAT is off on the Netopia.
The netgear has a setting for the Internet IP which is set to
the static IP given to me by AT&T. It also has a setting for
the LAN ip which is set to 192.168.5.2 if this helps.
Then you do have NAT on there.
The additional information
on how my workstations are manually configured:
WINS is set to the SBS server's ip 192.168.5.109
DNS server address is set to SBS server's ip 192.168.5.109
Append primary and connection specific DNS suffixes is selected
DNS suffix for this connection is set to "grantomlaw.local"
Register this connections addresses in DNS is checked
Use this connection's DNS suffix in DNS registration is checked
IP Settings
192.168.5.101 Subnet mask of 255.255.255.0
Gateway is set to 192.168.5.2 (address of the netgear router)
Automatic metric is checked
That's all good, but something else is clearly awry if you can't
get DHCP working - and as Cliff says, that should be a simple
thing. The fact that it isn't working indicates you've got larger
problems. Ignore the Netopia & Internet access right now - in
fact, disconnect the WAN port of the Netgear from the Netopia
entirely. So, everything is plugged into the switch ports on your
Netgear now, yes?
If DHCP is *disabled* on the NetGear (which, btw, I much prefer
as a simple firewall to the Netopia), then you should have DHCP
running on the SBS box. If the DHCP server service is started &
you can see it working/running in the DHCP server console on the
server, and you connect a workstation configured to get an IP
address automatically, what happens?
If this isn't your area of expertise or cup of tea there's no
shame in
that - but you ought to get someone experienced in to help you
out if you're having problems at this level.
Oh, and don't install Quickbooks on your server. Seriously.
Inline:
-Cliff
"Mark Grantom" <mgrantom@xxxxxxxxxx[no spam]> wrote in message
news:63AFF1B0-E929-40DB-B7FF-ED1377D9BC69@xxxxxxxxxxxxxxxx
Thanks for all the quick responses! I apologize for not
getting back sooner
but I had to be out of the office today unexpectedly. The
Netopia IS a router/modem, it is just not set up for
routing. I wanted to use the Netgear router because it has 8
ports, utilizes UPNP (at least it did it ONCE
then quit) and is brand new (well almost).
UPnP is useful for a very limited subset of applications, none
of which apply in an office setting.
NAT is turned off on both devices.
Which, based on the configuration you gave, is part of the
problem. You mentioned that you assigned the ISP IP to netopia
AND the netgear. That itself will cause a problem. You *can*
configure the netopia to operate in bridged mode, but in this
configuration, it is literally acting as modem, converting
DSL/ATM traffic to ethernet and would not hold a public IP of
its own. Again, it would have to be configured properly to
pass ALL traffic to the netgear...tricky if you aren't sure
EXACTLY what you are doing.
Secondly, the netgear SHOULD be configured to NAT unless you
are running SBS in a 2-nic configuration in which case SBS
would be handling NAT. But, if SBS were in a 2-nic
configuration, you'd still need a switch on the
internal-facing NIC. You could use the netgear for this, but
at that point you'd configure the netgear without an external
IP...and basically not be using the routing functions at all. So
basically, from where I stand, you still have configuration
issues.
I am NOT a techie I just figured out a lot by myself in the
last 30 years that I have been building / using computers ( I
started in 1978). Initially when I installed SBS 2003 I was
using the netgear router with a DSL
modem. When I changed over to a static IP, AT&T sent me the
netopia router/modem so I was forced to use it, but since it
only has 4 ports, I had
a tech help me to set it up so it only obtains the ip (so it
does operate as
only a modem).
If it is properly configured as "only" a modem, then it won't
obtain the IP. It will let the netgear handle that task. See
above.
I then linked it to the netgear router. DHCP is configured
on the server, but if I set a workstation to "obtain ip
automatically" that
WS cannot get onto the internet. If I manually set the ip's
there are no problems.
A perfect example of why I think you have fundamental network
issues. Until you get DHCP working, you can't expect other
things to work. DHCP isn't an overly complex protocol. If it
is broke...well....you need to concentrate on fixing it. Don't even
*worry* about trying to fix the printing issue yet.
When you fix DHCP, I suspect you'll find other things
magically start working.
The specific problem I have at the moment is that I have to
run Quickbooks on my server (I know, I shouldn't but I HAVE to
because another application I use Time Matters "Quickbooks
Server, requires it.)
You know you shouldn't. We know you shouldn't. Suffice it to
say, you should look at addressing this. I'm familiar with
Time Matters and have my own opinions on how to resolve this
issue, but as tempted as I am to do so, I think it'd only
fracture the thread and frankly does not directly relate to
the problem you have right now.
When I try
to print from the server using the laser printer on one of the
workstations,
the printer does not show up. Everything else seems to work.
Everything except DHCP. You can't ignore problems and expect
everything else to work. Sorry if that comes across harshly,
but it is true. To say "everything else seems to work"
blatantly ignores the other problems you've posted here.
I can browse
files on the workstations etc. The printer is properly shared
on the workstation and the box checked that says to "list in
directory".
The "list in directory" is nice if you are using AD to find
printers. It is not necessary though. If you've shared the
printer, then you can always fall back to 'classic' file and
printer sharing. And since that does not appear to be working,
you have other problems.
I'm not
sure, but I believe it MAY be related to my having "moved" the
workstations
in the Active Directory to the "my company" computers folder,
if I'm making
sense.
Possible, if a GPO is configured to stop file and printer
sharing or setting firewall rules to block such
communications. Why did you move the computer to a different
OU? For SBS, the default setup with /connectcomputer is good
99% of the time. There *are* legitimate reasons to move
machines, but I find many people do so when it is unnecessary
as well. There is usually a better way...
Thanks for all of the help.
--
Mark G
"Lanwench [MVP - Exchange]" wrote:
Cliff Galiher <cgaliher@xxxxxxxxx> wrote:
Lanwench brings up good points, but I'm going to go a step
further and say I'm concerned about your current device
configuration.
If I read this properly, you have the WAN port of your
netgear device plugged into one of the LAN ports of your
netopia.
Yes, that was my understanding as well.
The netopia 3300
series (I'm guessing the model based on the specs given)
default to a NAT routing configuration,
But not necessarily. I have several clients running
Netopias. I merely tell
the ISP that I have my own firewall appliance & don't want
NAT or any filtering. The NetGear FVS318 is not the greatest
firewall on the planet, but it's a decent little device - and
it has an integrated Ethernet switch,
which I presume he's using.
Even if the Netopia were configured to do NAT, the worst
thing that would happen is that his LAN would be 'double
NATted' - which might cause problems
with *inbound* traffic but wouldn't cause any problems with
LAN traffic or
outbound Internet connectivity.
Guess we'll have to wait til the OP posts back to find out.
so essentially you've segmented your
network if you have equipment plugged into both devices. This
could cause all sorts of problems if you haven't
carefully configured the equipment. I'd personally pull
the netgear out of the equation. No need for two pieces of
equipment that do the same job.
I would instead pick up a switch (not a router), such as a
3com OfficeConnect (they come in managed and unmanaged
varieties) or a Linksys and plug it into the netopia. No
worrying about WAN ports, no configuration, just plug and
play. I think you'll find administration and
troubleshooting much easier if you don't have to worry
about network communications traversing multiple routable
devices. -Cliff
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:OpNPcrA$IHA.3964@xxxxxxxxxxxxxxxxxxxxxxx
Mark Grantom <mgrantom@xxxxxxxxxx[no spam]> wrote:
I apologize in advance for the length of this post,
however I wanted to furnish as much information as
possible to help me solve this problem. I have spent a
great deal of time trying to solve this myself but I am
at a complete roadblock at this
.
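A consistency check for the DHCP scope plan discussed in this thread, added here as an example and not part of any poster's message: it applies the thread's own rules (exclude statically addressed hosts, point the Router option at the real gateway, point DNS and WINS at the server). The addresses come from the posts; the host labels, `audit_scope` and both plan dictionaries are hypothetical names constructed for the example.

```python
from ipaddress import IPv4Address as IP, IPv4Network


def excluded(addr, exclusions):
    """True if addr falls inside any (low, high) exclusion range."""
    return any(lo <= addr <= hi for lo, hi in exclusions)


def audit_scope(subnet, scope, exclusions, options, static_hosts,
                gateway_host, server_host):
    """Return findings for a DHCP scope plan; an empty list means consistent."""
    net = IPv4Network(subnet)
    lo, hi = scope
    findings = []
    if lo not in net or hi not in net or lo > hi:
        findings.append(f"scope {lo}-{hi} does not fit inside {net}")
    # A static host inside the leasable pool can collide with a lease.
    for name, addr in static_hosts.items():
        if addr not in net:
            findings.append(f"{name} {addr} is outside {net}")
        elif lo <= addr <= hi and not excluded(addr, exclusions):
            findings.append(f"{name} {addr} is static but leasable: exclude it")
    # The Router option must be the LAN address of the device that routes.
    gw = static_hosts[gateway_host]
    if options["router"] != gw:
        findings.append(f"router option {options['router']} is not {gateway_host} {gw}")
    # DNS and WINS options must point at the server's LAN address.
    for opt in ("dns", "wins"):
        if options[opt] != static_hosts[server_host]:
            findings.append(f"{opt} option {options[opt]} is not {server_host}")
    return findings


# Constructed from values posted in the thread: suggested scope and
# exclusions, combined with the addresses the site actually uses.
THREAD_PLAN = dict(
    subnet="192.168.5.0/24",
    scope=(IP("192.168.5.1"), IP("192.168.5.254")),
    exclusions=[(IP("192.168.5.1"), IP("192.168.5.100")),
                (IP("192.168.5.200"), IP("192.168.5.250"))],
    options={"router": IP("192.168.5.1"), "dns": IP("192.168.5.109"),
             "wins": IP("192.168.5.109")},
    static_hosts={"netgear-lan": IP("192.168.5.2"),
                  "sbs-server": IP("192.168.5.109"),
                  "workstation": IP("192.168.5.101")},  # while still static
    gateway_host="netgear-lan", server_host="sbs-server")

# Same plan with the static hosts excluded singly and the router corrected.
FIXED_PLAN = {**THREAD_PLAN,
              "exclusions": THREAD_PLAN["exclusions"] + [
                  (IP("192.168.5.109"), IP("192.168.5.109")),
                  (IP("192.168.5.101"), IP("192.168.5.101"))],
              "options": {**THREAD_PLAN["options"], "router": IP("192.168.5.2")}}

if __name__ == "__main__":
    for finding in audit_scope(**THREAD_PLAN):
        print(finding)
```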