Jump to content

nat/basic firewall

Guest Leonard

By Guest Leonard
in Windows 2003 Server

 Share

Recommended Posts

Guest Leonard

Guest Leonard

Posted
Posted

we have a windows 2003 std server

 

i want to turn off its firewall, which is under Routing and Remote access -

IP Routing - NAT/Basic Firewall

 

I want to turn this off and only use my hardware firewall as we have new

software which uses IIS and something is blocking remote access to this from

out the office although it works ok in the office

 

Look forward to your reply

  • Replies 13
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Herb Martin

Guest Herb Martin

Posted
Posted

Re: nat/basic firewall

 

 

"Leonard" <Leonard@discussions.microsoft.com> wrote in message

news:5C2D3FC9-2997-4BDA-9D45-0F101134BB4F@microsoft.com...

> we have a windows 2003 std server

>

> i want to turn off its firewall, which is under Routing and Remote

> access -

> IP Routing - NAT/Basic Firewall

>

> I want to turn this off and only use my hardware firewall as we have new

> software which uses IIS and something is blocking remote access to this

> from

> out the office although it works ok in the office

 

Ok, go ahead -- if that is what you want.

> Look forward to your reply

 

What do you want us to tell you? (There is really no question above).

 

Obviously you can make the Basic firewall work, and use it to

increase your protection from local (or remote) attacks BUT it

may not be worth the trouble for you to do so -- in your

particular business/security situation.

 

Some people will turn it off (or never knew it existed to turn it on)

and others will replace it with something (3rd party) that is even

stronger.

 

All such are choices.

Guest Bill Grant

Guest Bill Grant

Posted
Posted

Re: nat/basic firewall

 

 

"Herb Martin" <news@learnquick.com> wrote in message

news:Ov9cFMMqIHA.2520@TK2MSFTNGP02.phx.gbl...

>

> "Leonard" <Leonard@discussions.microsoft.com> wrote in message

> news:5C2D3FC9-2997-4BDA-9D45-0F101134BB4F@microsoft.com...

>> we have a windows 2003 std server

>>

>> i want to turn off its firewall, which is under Routing and Remote

>> access -

>> IP Routing - NAT/Basic Firewall

>>

>> I want to turn this off and only use my hardware firewall as we have new

>> software which uses IIS and something is blocking remote access to this

>> from

>> out the office although it works ok in the office

>

> Ok, go ahead -- if that is what you want.

>

>> Look forward to your reply

>

> What do you want us to tell you? (There is really no question above).

>

> Obviously you can make the Basic firewall work, and use it to

> increase your protection from local (or remote) attacks BUT it

> may not be worth the trouble for you to do so -- in your

> particular business/security situation.

>

> Some people will turn it off (or never knew it existed to turn it on)

> and others will replace it with something (3rd party) that is even

> stronger.

>

> All such are choices.

>

>

I would think it more likely that your hardware firewall is blocking the

connection. What form of remote access are you using? https, RDP, dialup,

vpn?

Guest Ace Fekay [MVP]

Guest Ace Fekay [MVP]

Posted
Posted

Re: nat/basic firewall

 

In news:uvVMYdMqIHA.4912@TK2MSFTNGP03.phx.gbl,

Bill Grant <not.available@online> typed:

> I would think it more likely that your hardware firewall is

> blocking the connection. What form of remote access are you using?

> https, RDP, dialup, vpn?

 

I agree, Bill. If directly trying to connect using RDP, he must open 3389

TCP and map it to the internal machine. But then again, I agree he may be

using a VPN to first connect in, then trying to access the machine using

RDP. He didn't provide enough info.

 

Ace

Guest Leonard

Guest Leonard

Posted
Posted

Re: nat/basic firewall

 

the address iam connecting to is http://mydomain or IP/crmlive/eware.dll

 

I have enven put the hardware router in DMZ and this still did not work.

 

My software people say it my firewall hence why I wanted to disable the one

in windows.

 

Just how do I disable the one on the server

 

"Ace Fekay [MVP]" wrote:

> In news:uvVMYdMqIHA.4912@TK2MSFTNGP03.phx.gbl,

> Bill Grant <not.available@online> typed:

>

> > I would think it more likely that your hardware firewall is

> > blocking the connection. What form of remote access are you using?

> > https, RDP, dialup, vpn?

>

> I agree, Bill. If directly trying to connect using RDP, he must open 3389

> TCP and map it to the internal machine. But then again, I agree he may be

> using a VPN to first connect in, then trying to access the machine using

> RDP. He didn't provide enough info.

>

> Ace

>

>

>

>

>

Guest Ace Fekay [MVP]

Guest Ace Fekay [MVP]

Posted
Posted

Re: nat/basic firewall

 

In news:3FBBA8B6-BA37-45F0-AFA8-65CBDB8A57FC@microsoft.com,

Leonard <Leonard@discussions.microsoft.com> typed:

> the address iam connecting to is http://mydomain or

> IP/crmlive/eware.dll

>

> I have enven put the hardware router in DMZ and this still did not

> work.

>

> My software people say it my firewall hence why I wanted to disable

> the one in windows.

>

> Just how do I disable the one on the server

 

You are trying to connect to http://mydomain, not http://mydomain.com? If

you want to connect to a resource from the outside world, it must be a valid

domain name, such as http://www.domain.com, http://domain.com, etc. Using a single

name, will not work. Besides, whatever name you want to use must be

registered in the public registrar, such as your domain name. Then you would

create a resource (hostname) such as www, or crmlive under your domain name,

and give it the public IP address of your WAN connection. Then you would

use, for example, http://crmlive.yourdomain.com.

 

THen in your NAT/firewall device, you would port-remap any inbound port 80

requests to the webserver hosting the crmlive app.

 

Do you have a public domain name registered?

 

You can also do it by IP, as you suggested.

 

Disable the WIndows firewall unless you know how to configure it. Honestly

for a server, we NEVER use the Windows firewall. We rely on our edge

firewall/NAT device for protection. Besides, it eliminates issues you may be

seeing, that is if the portremap and external public names are configured

properly.

 

Ace

Guest Leonard

Guest Leonard

Posted
Posted

Re: nat/basic firewall

 

well the domain is resgistered and OWA works fine

 

we do get a logon screen for CRM but none of the graphics load, and when you

do get logged in its very slow and again no graphics load.

 

If we connect to the server via VPN all works ok then, but dont want to have

to use VPN

 

any other suggestions

 

 

 

 

"Ace Fekay [MVP]" wrote:

> In news:3FBBA8B6-BA37-45F0-AFA8-65CBDB8A57FC@microsoft.com,

> Leonard <Leonard@discussions.microsoft.com> typed:

> > the address iam connecting to is http://mydomain or

> > IP/crmlive/eware.dll

> >

> > I have enven put the hardware router in DMZ and this still did not

> > work.

> >

> > My software people say it my firewall hence why I wanted to disable

> > the one in windows.

> >

> > Just how do I disable the one on the server

>

> You are trying to connect to http://mydomain, not http://mydomain.com? If

> you want to connect to a resource from the outside world, it must be a valid

> domain name, such as http://www.domain.com, http://domain.com, etc. Using a single

> name, will not work. Besides, whatever name you want to use must be

> registered in the public registrar, such as your domain name. Then you would

> create a resource (hostname) such as www, or crmlive under your domain name,

> and give it the public IP address of your WAN connection. Then you would

> use, for example, http://crmlive.yourdomain.com.

>

> THen in your NAT/firewall device, you would port-remap any inbound port 80

> requests to the webserver hosting the crmlive app.

>

> Do you have a public domain name registered?

>

> You can also do it by IP, as you suggested.

>

> Disable the WIndows firewall unless you know how to configure it. Honestly

> for a server, we NEVER use the Windows firewall. We rely on our edge

> firewall/NAT device for protection. Besides, it eliminates issues you may be

> seeing, that is if the portremap and external public names are configured

> properly.

>

> Ace

>

>

>

Guest Ace Fekay [MVP]

Guest Ace Fekay [MVP]

Posted
Posted

Re: nat/basic firewall

 

In news:C57F81AC-20A3-4AFF-9B55-CD26338FE6F6@microsoft.com,

Leonard <Leonard@discussions.microsoft.com> typed:

> well the domain is resgistered and OWA works fine

>

> we do get a logon screen for CRM but none of the graphics load, and

> when you do get logged in its very slow and again no graphics load.

>

> If we connect to the server via VPN all works ok then, but dont want

> to have to use VPN

>

> any other suggestions

 

Is CRM on the Exchange server?

 

If OWA is working fine, and you are getting the logon screen, I'm assuming

they are on the same server, because you can only port-remap one port per

internal IP.

 

So if it is loading slow or no graphics, a port is being blocked that CRM

uses. Does the CRM have a web-based ONLY method, meaning that it will only

use port 80 or 443. I am not familiar with your CRM. Who's the vendor? What

do their docs say? Have you contacted their support.

 

I am asking this because obviously it is initially connecting, but it

appears to be "looking" for something else during the connection process.

Possibly your Windows firewall (Windows firewall, you haven't disabled yet

to test it?) or your edge firewall.

 

I'm also assuming you have port 80 remapped to the Exchange server for OWA,

unless of course you are using SSL, which would be port 443? See, this is

why we always ask questions. We need to have a wholistic view of the

environment, equipment, port settings, mappings, what servers are internal,

what ports are mapped to which servers, etc. Know what I mean.

 

So PLEASE, elaborate on your setup, etc, for all of us trying to help. It

eliminates assumptions and guesswork.

 

Thanks,

 

Ace

Guest Leonard

Guest Leonard

Posted
Posted

Re: nat/basic firewall

 

we are running 2 x std windows 2003 server

1 the domain controller (192.168.16.2) and the 2nd is the exchange server

2003 (192.168.16.3)

 

we have open ports on NAT

 

80 is open and with ip address 192.168.16.2

443 is opena dn forwarded to the exchange server 192.168.16.3

remote desktop is pointing to 192.168.16.2

VPN is pointing to 192.168.16.2

 

we changed OWA fron port 80 to 443 as we know we cant forward to 2 different

places

 

on our hard ware firewall, we have all the above ports open and they are all

forwarding to 192.168.16.2

 

we have only 1 external IP address

 

hope all that makes sence, if you need more info just ask

 

and

 

how do i turn of the NAT on my server is it just a simply of unticking the box

 

thanks

 

 

"Ace Fekay [MVP]" wrote:

> In news:C57F81AC-20A3-4AFF-9B55-CD26338FE6F6@microsoft.com,

> Leonard <Leonard@discussions.microsoft.com> typed:

> > well the domain is resgistered and OWA works fine

> >

> > we do get a logon screen for CRM but none of the graphics load, and

> > when you do get logged in its very slow and again no graphics load.

> >

> > If we connect to the server via VPN all works ok then, but dont want

> > to have to use VPN

> >

> > any other suggestions

>

> Is CRM on the Exchange server?

>

> If OWA is working fine, and you are getting the logon screen, I'm assuming

> they are on the same server, because you can only port-remap one port per

> internal IP.

>

> So if it is loading slow or no graphics, a port is being blocked that CRM

> uses. Does the CRM have a web-based ONLY method, meaning that it will only

> use port 80 or 443. I am not familiar with your CRM. Who's the vendor? What

> do their docs say? Have you contacted their support.

>

> I am asking this because obviously it is initially connecting, but it

> appears to be "looking" for something else during the connection process.

> Possibly your Windows firewall (Windows firewall, you haven't disabled yet

> to test it?) or your edge firewall.

>

> I'm also assuming you have port 80 remapped to the Exchange server for OWA,

> unless of course you are using SSL, which would be port 443? See, this is

> why we always ask questions. We need to have a wholistic view of the

> environment, equipment, port settings, mappings, what servers are internal,

> what ports are mapped to which servers, etc. Know what I mean.

>

> So PLEASE, elaborate on your setup, etc, for all of us trying to help. It

> eliminates assumptions and guesswork.

>

> Thanks,

>

> Ace

>

>

>

Guest Ace Fekay [MVP]

Guest Ace Fekay [MVP]

Posted
Posted

Re: nat/basic firewall

 

In news:6A074D8B-A235-4BB9-A92B-AF15F2A2CFFF@microsoft.com,

Leonard <Leonard@discussions.microsoft.com> typed:

> we are running 2 x std windows 2003 server

> 1 the domain controller (192.168.16.2) and the 2nd is the exchange

> server 2003 (192.168.16.3)

>

> we have open ports on NAT

>

> 80 is open and with ip address 192.168.16.2

> 443 is opena dn forwarded to the exchange server 192.168.16.3

> remote desktop is pointing to 192.168.16.2

> VPN is pointing to 192.168.16.2

>

> we changed OWA fron port 80 to 443 as we know we cant forward to 2

> different places

>

> on our hard ware firewall, we have all the above ports open and they

> are all forwarding to 192.168.16.2

>

> we have only 1 external IP address

>

> hope all that makes sence, if you need more info just ask

>

> and

>

> how do i turn of the NAT on my server is it just a simply of

> unticking the box

>

> thanks

 

Thanks for the extra info. I don't know why you have NAT on the server

enabled because your hardware firewall is handling that. You can remove it

in RRAS, assuming that is how it was configured, unless you used ICS? But if

you used ICS, you wouldn't have been able to setup RRAS for VPN. Just remove

the NAT instance in RRAS because you want to keep RRAS for the VPN

services. Assuming the DC only has one IP, good.

 

Remote Desktop (RDP) requires TCP 3389 opened to 192.168.16.2. I assume you

mapped port 3389 TCP on the hardware firewall?

 

As for the CRM, it sounds like something in the app is causing the issue.

 

Ace

Guest Leonard

Guest Leonard

Posted
Posted

Re: nat/basic firewall

 

ok thanks

 

I will turn of NAT and try CRM again

 

I have been telling the apps provider its not a firewall and they insist its

that.

 

thing is the apps working on on systems in the office

 

I know its IIS and SQL based and then thats all above my head

 

will let you know if turning off the nat works but iam not hopefull

 

thanks for the advice so far

 

 

"Ace Fekay [MVP]" wrote:

> In news:6A074D8B-A235-4BB9-A92B-AF15F2A2CFFF@microsoft.com,

> Leonard <Leonard@discussions.microsoft.com> typed:

> > we are running 2 x std windows 2003 server

> > 1 the domain controller (192.168.16.2) and the 2nd is the exchange

> > server 2003 (192.168.16.3)

> >

> > we have open ports on NAT

> >

> > 80 is open and with ip address 192.168.16.2

> > 443 is opena dn forwarded to the exchange server 192.168.16.3

> > remote desktop is pointing to 192.168.16.2

> > VPN is pointing to 192.168.16.2

> >

> > we changed OWA fron port 80 to 443 as we know we cant forward to 2

> > different places

> >

> > on our hard ware firewall, we have all the above ports open and they

> > are all forwarding to 192.168.16.2

> >

> > we have only 1 external IP address

> >

> > hope all that makes sence, if you need more info just ask

> >

> > and

> >

> > how do i turn of the NAT on my server is it just a simply of

> > unticking the box

> >

> > thanks

>

> Thanks for the extra info. I don't know why you have NAT on the server

> enabled because your hardware firewall is handling that. You can remove it

> in RRAS, assuming that is how it was configured, unless you used ICS? But if

> you used ICS, you wouldn't have been able to setup RRAS for VPN. Just remove

> the NAT instance in RRAS because you want to keep RRAS for the VPN

> services. Assuming the DC only has one IP, good.

>

> Remote Desktop (RDP) requires TCP 3389 opened to 192.168.16.2. I assume you

> mapped port 3389 TCP on the hardware firewall?

>

> As for the CRM, it sounds like something in the app is causing the issue.

>

> Ace

>

>

>

Guest Bill Grant

Guest Bill Grant

Posted
Posted

Re: nat/basic firewall

 

From the info you posted it appears that you are running your DC as a VPN

server. This is not a good idea. As soon as a remote user connects and the

internal interface in RRAS becomes active and acquires an IP, your DC is

multihomed. This is not nice.

 

If you really must run your DC as a remote access server have a look at

KB 292822 for an indication of the problems you could face.

 

"Leonard" <Leonard@discussions.microsoft.com> wrote in message

news:614296A6-DC35-4E7B-ADE1-AD3AEE93CCB6@microsoft.com...

> ok thanks

>

> I will turn of NAT and try CRM again

>

> I have been telling the apps provider its not a firewall and they insist

> its

> that.

>

> thing is the apps working on on systems in the office

>

> I know its IIS and SQL based and then thats all above my head

>

> will let you know if turning off the nat works but iam not hopefull

>

> thanks for the advice so far

>

>

> "Ace Fekay [MVP]" wrote:

>

>> In news:6A074D8B-A235-4BB9-A92B-AF15F2A2CFFF@microsoft.com,

>> Leonard <Leonard@discussions.microsoft.com> typed:

>> > we are running 2 x std windows 2003 server

>> > 1 the domain controller (192.168.16.2) and the 2nd is the exchange

>> > server 2003 (192.168.16.3)

>> >

>> > we have open ports on NAT

>> >

>> > 80 is open and with ip address 192.168.16.2

>> > 443 is opena dn forwarded to the exchange server 192.168.16.3

>> > remote desktop is pointing to 192.168.16.2

>> > VPN is pointing to 192.168.16.2

>> >

>> > we changed OWA fron port 80 to 443 as we know we cant forward to 2

>> > different places

>> >

>> > on our hard ware firewall, we have all the above ports open and they

>> > are all forwarding to 192.168.16.2

>> >

>> > we have only 1 external IP address

>> >

>> > hope all that makes sence, if you need more info just ask

>> >

>> > and

>> >

>> > how do i turn of the NAT on my server is it just a simply of

>> > unticking the box

>> >

>> > thanks

>>

>> Thanks for the extra info. I don't know why you have NAT on the server

>> enabled because your hardware firewall is handling that. You can remove

>> it

>> in RRAS, assuming that is how it was configured, unless you used ICS? But

>> if

>> you used ICS, you wouldn't have been able to setup RRAS for VPN. Just

>> remove

>> the NAT instance in RRAS because you want to keep RRAS for the VPN

>> services. Assuming the DC only has one IP, good.

>>

>> Remote Desktop (RDP) requires TCP 3389 opened to 192.168.16.2. I assume

>> you

>> mapped port 3389 TCP on the hardware firewall?

>>

>> As for the CRM, it sounds like something in the app is causing the issue.

>>

>> Ace

>>

>>

>>

Guest Ace Fekay [MVP]

Guest Ace Fekay [MVP]

Posted
Posted

Re: nat/basic firewall

 

In news:exd5EMyqIHA.3616@TK2MSFTNGP06.phx.gbl,

Bill Grant <not.available@online> typed:

> From the info you posted it appears that you are running your DC as

> a VPN server. This is not a good idea. As soon as a remote user

> connects and the internal interface in RRAS becomes active and

> acquires an IP, your DC is multihomed. This is not nice.

>

> If you really must run your DC as a remote access server have a

> look at KB 292822 for an indication of the problems you could face.

 

Good point about VPN on the DC. If the edge firewall supports VPN, suggest

to use that.

 

Ace

Guest Ace Fekay [MVP]

Guest Ace Fekay [MVP]

Posted
Posted

Re: nat/basic firewall

 

In news:614296A6-DC35-4E7B-ADE1-AD3AEE93CCB6@microsoft.com,

Leonard <Leonard@discussions.microsoft.com> typed:

> ok thanks

>

> I will turn of NAT and try CRM again

>

> I have been telling the apps provider its not a firewall and they

> insist its that.

>

> thing is the apps working on on systems in the office

>

> I know its IIS and SQL based and then thats all above my head

>

> will let you know if turning off the nat works but iam not hopefull

>

> thanks for the advice so far

 

YOu are welcome. Also, I want to point out that besides turning off NAT,

make sure the Windows firewall is disabled.

 

Can you also post an ipconfig /all of the DC please? I would like to take a

closer 'look' at your configuration.

 

Thanks,

Ace

 Share
Go to topic listing
×
×
  • Create New...