Re: May need to move from SBS because of connection issues

Jim,

Just to make sure you are clear regarding port 4125, if you only need to
access remote systems and you are behind a firewall on a non-SBS network,
port 4125 does NOT need to be opened inbound. For example, if you are at a
friend's house and he has a Linksys or similar router, you do not need to
modify anything in order to be able to access remote systems via RWW-RDP. As
long as OUTbound 4125 is open, you should be good.

Gregg Hill



"Jim Graue" <JimGraue@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:89BB7433-EBE9-497B-900A-10EBE830C4BE@xxxxxxxxxxxxxxxx
Hello, Larry:

My replies/comments are in-line, below:


"Larry Struckmeyer [SBS-MVP]" wrote:

While I am happy that your happy, I am also confused. I was sure we had
established that RWW worked TO your SBS network from outside. That
should
have been proof that the required ports were forwarded to the SBS server.

It was established that I could acquire a desktop from outside my network
using RWW/RDP in the typical fashion: https://mydomain.com/remote. I
could
remote access a Terminal Server or a workstation. Going back to my office
and using my workstation to connect to other SBS networks wouldn't work,
causing the aforementioned errors.

When I used "IN," I meant OUT. I was still revelling in my ability to get
desktops all over town without having to go to extraordinary measures.

Can you please be more explicit on what you changed?

Yes. Like most SBS networks, I have an edge-of-network firewall that
connects to the "outside" NIC of my SBS. Its WAN port, of course,
connects
to my ISP's router, which acts as a bridge. The "inside" NIC of my SBS
connects to my internal switch. Although I was able to acquire a desktop
from outside my network, port 4125 (and ONLY port 4125) was not allowed to
traverse my edge-of-network firewall (the Front firewall, in ISA parlance)
going back out.

Under "Packet Filter Rules," then, on the Front firewall, I added:
From LAN [the Front firewall and SBS are, of course, on the same subnet]
using RWW [my name for port 4125] to ANY ACCEPT.

So, the packet that was coming IN from an outside SBS could be sent back
OUT. ISA monitoring, before I removed it, would show me a 995 error,
aborted
process or thread dropped. There were no errors on any system, except,
perhaps, the physical firewall I use for edge-of-network, though I hadn't
looked at the logs of said device to find that out.

I hope that I've clarified the solution. Firewalls are funny beasts.
They're all different, of course, and have their advantages/shortcomings.
The brand I use more often than not is Multitech. They don't suck.
They're
pretty configurable. In this case, it was my failure to recognize that I
needed to pass RWW from inside going OUT. There are a group of protocols
that are, by default, allowed to pass out from the LAN to the outside
world.
RWW was not one of them. Neither was PPTP.
Still, though I'm able to make a tunnel with PPTP, the packets are not
moving through correctly. I can't use RDP to connect to a server in a
workgroup. But, I'll take Greg Hill's suggestion of using Wireshark and
trace the packet(s). I'm on the right path, I think, as I'm able now to
connect to other SBS networks from my own.

Enough. Thanks, again, one and all. If I can further clarify, please
don't
hesitate to post.
--
Best regards,
Jim Graue


-Larry



"Jim Graue" <JimGraue@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:09B245BB-9E6B-45E4-BD4F-0C05FFD9283F@xxxxxxxxxxxxxxxx
Hello, Mr. Hill:

"Gregg Hill" wrote:

Definitely check your firewall.

I have the same problem as you do, but only through a very
outbound-port-restricted firewall. If I go out my less-restricted
SonicWALL,
it works fine.

I'll post details after a couple good TV shows!

Thanks for your helpful hint. After looking at the settings of my
firewall,
I realized that there was no path IN for RWW (or PPTP, for that matter,
a
different problem). After creating aforementioned paths, I'm
connectiing
to
the desktops of the various networks without error!

I will re-install ISA 2004 and its SP3, shortly, where I may encounter
some
similar issue. Of course, I will be able to apply the same tenet to
ISA
and
get passthrough.

I feel so much better, now!

Thank you, one and all, for your patience and assistance. This
community
has helped me many, many times. If I'm unable to return the favor to
you,
I
hope that I can pass it forward.
--
Best regards,
Jim Graue



"Jim Graue" <JimGraue@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:216081A0-9ECB-4D94-AE4C-E57495AA0485@xxxxxxxxxxxxxxxx
Hello, all:

I may need some "talking down" on the following issue: I'm unable,
for
reasons unknown, to connect to other SBS networks from my own, new
SBS
2K3
network. I get either a "vbscript error" message, or a more generic
one,
indicating that I should contact the system admin (uh, me) if I
continue
to
have problems. I had ISA 2004 installed with SP3, but have since
removed
it.
Still, I cannot connect to another SBS network. I get as far as
RWW,
but
when I want to remote control a system or get a terminal session
from a
terminal server, the above-mentioned errors occur.

I'm considering backing out of SBS on my own network, as I'm finding
that
I
need to get to other networks. I'm thinking of installing W2K3
Server
and
Exchange, but I think it would mean that, by Best Practice, I
shouldn't
have
Exchange on a DC, right? I mean, it's only SBS, with its special
construction, that allows the mix of Exchange and DC, ISA, etc.

I've tried just about everything I can think of and a few things
suggested
in posts that I've made, here, and I appreciate the help I've
gotten.
It's
just that I'm reaching a critical stage where not having easy access
to
other
SBS networks is really causing a problem. It's disappointing,
because
I
really liked the idea of running a network in my own business that
was
akin
to the type I like to install for small businesses: SBS and a
Terminal
Server, along with workstations or thin clients, depending on the
vertical
market package that is called for.

Probably, if I'm leaving SBS-land, I ought to be posting this in the
Exchange ng, or the general Windows 2K3 ng. But, you will politely
let
me
know if I've posted improperly. I beg your indulgence, in advance.
--
Best regards,

Jim Graue







.

Relevant Pages

  • Re: Turning on Media Sharing in WMP11
    ... I believe it forms quite a reasonable network media device. ... Turning on SSDP (it was disabled as was uPnP) to Manual and then UPnP ... If there is a firewall, or NAT, built into your ... You need to open port s: ...
    (microsoft.public.windowsmedia.player)
  • Re: Identifying Internet Attacks
    ... contain the hacker to a particular machine, leave the machine on the network ... Some firewall software such as ... open ports; however, this will not identify which program is using the port. ... firewall logs, the IIS web and ftp server logs and Windows security event ...
    (microsoft.public.inetserver.iis.security)
  • RE: Citrix and SBS 2003
    ... I'd like to confirm the steps you configure the port forwarding in SBS. ... Highlight NAT/Basic Firewall and you will see SBS server external ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Switching IP address ranges
    ... ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to ... - The sonicwall is within my main network because it provides managed ... I have changed LAN IP subnets more than once on some relatively small SBS ...
    (microsoft.public.windows.server.sbs)
  • RE: How do I forward ports?
    ... I assume that RRAS is utilized as the basic firewall since you are using ... TCP, fill in port 5900, inbound. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)