nat/basic firewall

Guest Leonard
Posted

We have a Windows 2003 Std server.

I want to turn off its firewall, which is under Routing and Remote Access - IP Routing - NAT/Basic Firewall.

I want to turn this off and only use my hardware firewall, as we have new software which uses IIS and something is blocking remote access to this from outside the office, although it works OK in the office.

Look forward to your reply.

Guest Herb Martin
Posted

Re: nat/basic firewall

"Leonard" <Leonard@discussions.microsoft.com> wrote in message news:5C2D3FC9-2997-4BDA-9D45-0F101134BB4F@microsoft.com...

> We have a Windows 2003 Std server.
>
> I want to turn off its firewall, which is under Routing and Remote Access - IP Routing - NAT/Basic Firewall.
>
> I want to turn this off and only use my hardware firewall, as we have new software which uses IIS and something is blocking remote access to this from outside the office, although it works OK in the office.

OK, go ahead -- if that is what you want.

> Look forward to your reply.

What do you want us to tell you? (There is really no question above.)

Obviously you can make the Basic Firewall work, and use it to increase your protection from local (or remote) attacks, BUT it may not be worth the trouble for you to do so -- in your particular business/security situation.

Some people will turn it off (or never knew it existed to turn it on) and others will replace it with something (3rd party) that is even stronger.

All such are choices.

Guest Bill Grant
Posted

Re: nat/basic firewall

"Herb Martin" <news@learnquick.com> wrote in message news:Ov9cFMMqIHA.2520@TK2MSFTNGP02.phx.gbl...

> "Leonard" <Leonard@discussions.microsoft.com> wrote in message news:5C2D3FC9-2997-4BDA-9D45-0F101134BB4F@microsoft.com...
>
>> We have a Windows 2003 Std server.
>>
>> I want to turn off its firewall, which is under Routing and Remote Access - IP Routing - NAT/Basic Firewall.
>>
>> I want to turn this off and only use my hardware firewall, as we have new software which uses IIS and something is blocking remote access to this from outside the office, although it works OK in the office.
>
> OK, go ahead -- if that is what you want.
>
>> Look forward to your reply.
>
> What do you want us to tell you? (There is really no question above.)
>
> Obviously you can make the Basic Firewall work, and use it to increase your protection from local (or remote) attacks, BUT it may not be worth the trouble for you to do so -- in your particular business/security situation.
>
> Some people will turn it off (or never knew it existed to turn it on) and others will replace it with something (3rd party) that is even stronger.
>
> All such are choices.

I would think it more likely that your hardware firewall is blocking the connection. What form of remote access are you using? HTTPS, RDP, dialup, VPN?

Guest Ace Fekay [MVP]
Posted

Re: nat/basic firewall

 

In news:uvVMYdMqIHA.4912@TK2MSFTNGP03.phx.gbl, Bill Grant <not.available@online> typed:

> I would think it more likely that your hardware firewall is blocking the connection. What form of remote access are you using? HTTPS, RDP, dialup, VPN?

I agree, Bill. If directly trying to connect using RDP, he must open 3389 TCP and map it to the internal machine. But then again, I agree he may be using a VPN to first connect in, then trying to access the machine using RDP. He didn't provide enough info.

Ace

Guest Leonard
Posted

Re: nat/basic firewall

 

The address I am connecting to is http://mydomain or IP/crmlive/eware.dll

I have even put the hardware router in DMZ and this still did not work.

My software people say it's my firewall, hence why I wanted to disable the one in Windows.

Just how do I disable the one on the server?

"Ace Fekay [MVP]" wrote:

> In news:uvVMYdMqIHA.4912@TK2MSFTNGP03.phx.gbl, Bill Grant <not.available@online> typed:
>
> > I would think it more likely that your hardware firewall is blocking the connection. What form of remote access are you using? HTTPS, RDP, dialup, VPN?
>
> I agree, Bill. If directly trying to connect using RDP, he must open 3389 TCP and map it to the internal machine. But then again, I agree he may be using a VPN to first connect in, then trying to access the machine using RDP. He didn't provide enough info.
>
> Ace

Guest Ace Fekay [MVP]
Posted

Re: nat/basic firewall

 

In news:3FBBA8B6-BA37-45F0-AFA8-65CBDB8A57FC@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:

> The address I am connecting to is http://mydomain or IP/crmlive/eware.dll
>
> I have even put the hardware router in DMZ and this still did not work.
>
> My software people say it's my firewall, hence why I wanted to disable the one in Windows.
>
> Just how do I disable the one on the server?

You are trying to connect to http://mydomain, not http://mydomain.com? If you want to connect to a resource from the outside world, it must be a valid domain name, such as http://www.domain.com, http://domain.com, etc. Using a single name will not work. Besides, whatever name you want to use must be registered in the public registrar, such as your domain name. Then you would create a resource (hostname) such as www, or crmlive, under your domain name, and give it the public IP address of your WAN connection. Then you would use, for example, http://crmlive.yourdomain.com.

Then in your NAT/firewall device, you would port-remap any inbound port 80 requests to the webserver hosting the crmlive app.

Do you have a public domain name registered?

You can also do it by IP, as you suggested.

Disable the Windows firewall unless you know how to configure it. Honestly, for a server, we NEVER use the Windows firewall. We rely on our edge firewall/NAT device for protection. Besides, it eliminates issues you may be seeing, that is if the port remap and external public names are configured properly.

Ace

Guest Leonard
Posted

Re: nat/basic firewall

 

Well, the domain is registered and OWA works fine.

We do get a logon screen for CRM but none of the graphics load, and when you do get logged in it's very slow and again no graphics load.

If we connect to the server via VPN all works OK then, but we don't want to have to use VPN.

Any other suggestions?

"Ace Fekay [MVP]" wrote:

> In news:3FBBA8B6-BA37-45F0-AFA8-65CBDB8A57FC@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:
>
> > The address I am connecting to is http://mydomain or IP/crmlive/eware.dll
> >
> > I have even put the hardware router in DMZ and this still did not work.
> >
> > My software people say it's my firewall, hence why I wanted to disable the one in Windows.
> >
> > Just how do I disable the one on the server?
>
> You are trying to connect to http://mydomain, not http://mydomain.com? If you want to connect to a resource from the outside world, it must be a valid domain name, such as http://www.domain.com, http://domain.com, etc. Using a single name will not work. Besides, whatever name you want to use must be registered in the public registrar, such as your domain name. Then you would create a resource (hostname) such as www, or crmlive, under your domain name, and give it the public IP address of your WAN connection. Then you would use, for example, http://crmlive.yourdomain.com.
>
> Then in your NAT/firewall device, you would port-remap any inbound port 80 requests to the webserver hosting the crmlive app.
>
> Do you have a public domain name registered?
>
> You can also do it by IP, as you suggested.
>
> Disable the Windows firewall unless you know how to configure it. Honestly, for a server, we NEVER use the Windows firewall. We rely on our edge firewall/NAT device for protection. Besides, it eliminates issues you may be seeing, that is if the port remap and external public names are configured properly.
>
> Ace

Guest Ace Fekay [MVP]
Posted

Re: nat/basic firewall

 

In news:C57F81AC-20A3-4AFF-9B55-CD26338FE6F6@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:

> Well, the domain is registered and OWA works fine.
>
> We do get a logon screen for CRM but none of the graphics load, and when you do get logged in it's very slow and again no graphics load.
>
> If we connect to the server via VPN all works OK then, but we don't want to have to use VPN.
>
> Any other suggestions?

Is CRM on the Exchange server?

If OWA is working fine, and you are getting the logon screen, I'm assuming they are on the same server, because you can only port-remap one port per internal IP.

So if it is loading slow or no graphics, a port is being blocked that CRM uses. Does the CRM have a web-based ONLY method, meaning that it will only use port 80 or 443? I am not familiar with your CRM. Who's the vendor? What do their docs say? Have you contacted their support?

I am asking this because obviously it is initially connecting, but it appears to be "looking" for something else during the connection process. Possibly your Windows firewall (Windows firewall, you haven't disabled yet to test it?) or your edge firewall.

I'm also assuming you have port 80 remapped to the Exchange server for OWA, unless of course you are using SSL, which would be port 443? See, this is why we always ask questions. We need to have a holistic view of the environment, equipment, port settings, mappings, what servers are internal, what ports are mapped to which servers, etc. Know what I mean?

So PLEASE, elaborate on your setup, etc., for all of us trying to help. It eliminates assumptions and guesswork.

Thanks,

Ace

Guest Leonard
Posted

Re: nat/basic firewall

 

We are running 2 x Std Windows 2003 servers: 1 is the domain controller (192.168.16.2) and the 2nd is the Exchange Server 2003 (192.168.16.3).

We have open ports on NAT:

80 is open and with IP address 192.168.16.2
443 is open and forwarded to the Exchange server 192.168.16.3
Remote Desktop is pointing to 192.168.16.2
VPN is pointing to 192.168.16.2

We changed OWA from port 80 to 443 as we know we can't forward to 2 different places.

On our hardware firewall, we have all the above ports open and they are all forwarding to 192.168.16.2.

We have only 1 external IP address.

Hope all that makes sense; if you need more info just ask.

And:

How do I turn off the NAT on my server? Is it just simply a matter of unticking the box?

Thanks

"Ace Fekay [MVP]" wrote:

> In news:C57F81AC-20A3-4AFF-9B55-CD26338FE6F6@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:
>
> > Well, the domain is registered and OWA works fine.
> >
> > We do get a logon screen for CRM but none of the graphics load, and when you do get logged in it's very slow and again no graphics load.
> >
> > If we connect to the server via VPN all works OK then, but we don't want to have to use VPN.
> >
> > Any other suggestions?
>
> Is CRM on the Exchange server?
>
> If OWA is working fine, and you are getting the logon screen, I'm assuming they are on the same server, because you can only port-remap one port per internal IP.
>
> So if it is loading slow or no graphics, a port is being blocked that CRM uses. Does the CRM have a web-based ONLY method, meaning that it will only use port 80 or 443? I am not familiar with your CRM. Who's the vendor? What do their docs say? Have you contacted their support?
>
> I am asking this because obviously it is initially connecting, but it appears to be "looking" for something else during the connection process. Possibly your Windows firewall (Windows firewall, you haven't disabled yet to test it?) or your edge firewall.
>
> I'm also assuming you have port 80 remapped to the Exchange server for OWA, unless of course you are using SSL, which would be port 443? See, this is why we always ask questions. We need to have a holistic view of the environment, equipment, port settings, mappings, what servers are internal, what ports are mapped to which servers, etc. Know what I mean?
>
> So PLEASE, elaborate on your setup, etc., for all of us trying to help. It eliminates assumptions and guesswork.
>
> Thanks,
>
> Ace

Guest Ace Fekay [MVP]
Posted

Re: nat/basic firewall

 

In news:6A074D8B-A235-4BB9-A92B-AF15F2A2CFFF@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:

> We are running 2 x Std Windows 2003 servers: 1 is the domain controller (192.168.16.2) and the 2nd is the Exchange Server 2003 (192.168.16.3).
>
> We have open ports on NAT:
>
> 80 is open and with IP address 192.168.16.2
> 443 is open and forwarded to the Exchange server 192.168.16.3
> Remote Desktop is pointing to 192.168.16.2
> VPN is pointing to 192.168.16.2
>
> We changed OWA from port 80 to 443 as we know we can't forward to 2 different places.
>
> On our hardware firewall, we have all the above ports open and they are all forwarding to 192.168.16.2.
>
> We have only 1 external IP address.
>
> Hope all that makes sense; if you need more info just ask.
>
> And:
>
> How do I turn off the NAT on my server? Is it just simply a matter of unticking the box?
>
> Thanks

Thanks for the extra info. I don't know why you have NAT on the server enabled, because your hardware firewall is handling that. You can remove it in RRAS, assuming that is how it was configured, unless you used ICS? But if you used ICS, you wouldn't have been able to set up RRAS for VPN. Just remove the NAT instance in RRAS, because you want to keep RRAS for the VPN services. Assuming the DC only has one IP, good.

Remote Desktop (RDP) requires TCP 3389 opened to 192.168.16.2. I assume you mapped port 3389 TCP on the hardware firewall?

As for the CRM, it sounds like something in the app is causing the issue.

Ace
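
Ace's advice to drop the RRAS NAT instance and let the edge device do all the forwarding interacts with the two mapping lists Leonard posted above. The Python below is an added illustration and not code from anyone in this thread: it reads Leonard's two lists as a double-NAT chain (an assumption; his post leaves the path of port 443 ambiguous), uses TCP 1723 (PPTP) to stand in for the unspecified "VPN" entry, and checks where each service lands before and after the RRAS NAT instance is removed. The 192.168.16.x addresses are the ones Leonard posted; the rule tables and the expected-service map are constructed from his description.

```python
from collections import namedtuple

# One forwarding rule on a NAT device: inbound proto/port -> internal host.
Rule = namedtuple("Rule", "proto port target")

# Edge hardware firewall, per Leonard: "all the above ports open and they are
# all forwarding to 192.168.16.2". TCP 1723 (PPTP) is an assumption for the
# unspecified "VPN" entry.
EDGE_RULES = [
    Rule("tcp", 80, "192.168.16.2"),
    Rule("tcp", 443, "192.168.16.2"),
    Rule("tcp", 3389, "192.168.16.2"),
    Rule("tcp", 1723, "192.168.16.2"),
]

# RRAS NAT/Basic Firewall instance on the DC, per Leonard's "open ports on NAT".
RRAS_NAT_RULES = [
    Rule("tcp", 80, "192.168.16.2"),
    Rule("tcp", 443, "192.168.16.3"),
    Rule("tcp", 3389, "192.168.16.2"),
    Rule("tcp", 1723, "192.168.16.2"),
]

# Where each service actually listens after OWA was moved to 443
# (constructed from the thread's description).
EXPECTED = {
    ("tcp", 80): "192.168.16.2",    # CRM web app in IIS on the DC
    ("tcp", 443): "192.168.16.3",   # OWA on the Exchange server
    ("tcp", 3389): "192.168.16.2",  # Remote Desktop on the DC
    ("tcp", 1723): "192.168.16.2",  # PPTP VPN terminated by RRAS on the DC
}


def build_table(rules):
    """A NAT device can send one inbound port to only one internal host
    ("we can't forward to 2 different places"), so refuse conflicting rules."""
    table = {}
    for r in rules:
        key = (r.proto, r.port)
        if key in table and table[key] != r.target:
            raise ValueError("%s/%d already forwarded to %s" % (r.proto, r.port, table[key]))
        table[key] = r.target
    return table


def trace(proto, port, hops):
    """Follow one inbound connection through the NAT hops in order.

    hops is a list of (name, nat_host, table). nat_host is the address the
    NAT runs on (None for the edge device, which sees every packet); a later
    NAT only rewrites the packet if the previous hop delivered it to that
    NAT's own host. Returns (path, final_host); final_host is None when a
    hop had no rule for the port."""
    path, dest = [], None
    for name, nat_host, table in hops:
        if nat_host is not None and dest != nat_host:
            continue                      # packet never reached this NAT
        target = table.get((proto, port))
        path.append((name, target))
        if target is None:
            return path, None
        dest = target
    return path, dest


def audit(hops, expected):
    """List services the NAT chain delivers somewhere other than the host
    that actually runs them."""
    findings = []
    for (proto, port), wanted in expected.items():
        path, landed = trace(proto, port, hops)
        if landed != wanted:
            findings.append("%s/%d: expected %s, chain delivers to %s via %s"
                            % (proto, port, wanted, landed, path))
    return findings


# The double-NAT chain as Leonard's two lists describe it (an assumption).
HOPS = [
    ("edge firewall", None, build_table(EDGE_RULES)),
    ("RRAS NAT on DC", "192.168.16.2", build_table(RRAS_NAT_RULES)),
]


def audit_after_removing_rras_nat():
    """Ace's advice applied: only the edge device forwards. Unless its 443
    rule is repointed at 192.168.16.3, OWA traffic now stops on the DC."""
    return audit(HOPS[:1], EXPECTED)


if __name__ == "__main__":
    print("with RRAS NAT:", audit(HOPS, EXPECTED) or "no mismatches")
    print("edge only:", audit_after_removing_rras_nat() or "no mismatches")
```

The point it makes: with both NATs in place every service lands on the right host, but once the NAT instance on 192.168.16.2 is gone the edge rule for 443 must be changed to point at 192.168.16.3 directly, otherwise OWA breaks while CRM, RDP and the VPN keep working. build_table also refuses two rules for the same external port, which is the "can't forward to 2 different places" constraint Leonard ran into.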

Guest Leonard
Posted

Re: nat/basic firewall

 

OK, thanks.

I will turn off NAT and try CRM again.

I have been telling the apps provider it's not a firewall and they insist it's that.

Thing is, the app is working on systems in the office.

I know it's IIS and SQL based and then that's all above my head.

Will let you know if turning off the NAT works, but I am not hopeful.

Thanks for the advice so far.

"Ace Fekay [MVP]" wrote:

> In news:6A074D8B-A235-4BB9-A92B-AF15F2A2CFFF@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:
>
> > We are running 2 x Std Windows 2003 servers: 1 is the domain controller (192.168.16.2) and the 2nd is the Exchange Server 2003 (192.168.16.3).
> >
> > We have open ports on NAT:
> >
> > 80 is open and with IP address 192.168.16.2
> > 443 is open and forwarded to the Exchange server 192.168.16.3
> > Remote Desktop is pointing to 192.168.16.2
> > VPN is pointing to 192.168.16.2
> >
> > We changed OWA from port 80 to 443 as we know we can't forward to 2 different places.
> >
> > On our hardware firewall, we have all the above ports open and they are all forwarding to 192.168.16.2.
> >
> > We have only 1 external IP address.
> >
> > Hope all that makes sense; if you need more info just ask.
> >
> > And:
> >
> > How do I turn off the NAT on my server? Is it just simply a matter of unticking the box?
> >
> > Thanks
>
> Thanks for the extra info. I don't know why you have NAT on the server enabled, because your hardware firewall is handling that. You can remove it in RRAS, assuming that is how it was configured, unless you used ICS? But if you used ICS, you wouldn't have been able to set up RRAS for VPN. Just remove the NAT instance in RRAS, because you want to keep RRAS for the VPN services. Assuming the DC only has one IP, good.
>
> Remote Desktop (RDP) requires TCP 3389 opened to 192.168.16.2. I assume you mapped port 3389 TCP on the hardware firewall?
>
> As for the CRM, it sounds like something in the app is causing the issue.
>
> Ace

Guest Bill Grant
Posted

Re: nat/basic firewall

 

From the info you posted it appears that you are running your DC as a VPN server. This is not a good idea. As soon as a remote user connects and the internal interface in RRAS becomes active and acquires an IP, your DC is multihomed. This is not nice.

If you really must run your DC as a remote access server, have a look at KB 292822 for an indication of the problems you could face.

"Leonard" <Leonard@discussions.microsoft.com> wrote in message news:614296A6-DC35-4E7B-ADE1-AD3AEE93CCB6@microsoft.com...

> OK, thanks.
>
> I will turn off NAT and try CRM again.
>
> I have been telling the apps provider it's not a firewall and they insist it's that.
>
> Thing is, the app is working on systems in the office.
>
> I know it's IIS and SQL based and then that's all above my head.
>
> Will let you know if turning off the NAT works, but I am not hopeful.
>
> Thanks for the advice so far.
>
> "Ace Fekay [MVP]" wrote:
>
>> In news:6A074D8B-A235-4BB9-A92B-AF15F2A2CFFF@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:
>>
>> > We are running 2 x Std Windows 2003 servers: 1 is the domain controller (192.168.16.2) and the 2nd is the Exchange Server 2003 (192.168.16.3).
>> >
>> > We have open ports on NAT:
>> >
>> > 80 is open and with IP address 192.168.16.2
>> > 443 is open and forwarded to the Exchange server 192.168.16.3
>> > Remote Desktop is pointing to 192.168.16.2
>> > VPN is pointing to 192.168.16.2
>> >
>> > We changed OWA from port 80 to 443 as we know we can't forward to 2 different places.
>> >
>> > On our hardware firewall, we have all the above ports open and they are all forwarding to 192.168.16.2.
>> >
>> > We have only 1 external IP address.
>> >
>> > Hope all that makes sense; if you need more info just ask.
>> >
>> > And:
>> >
>> > How do I turn off the NAT on my server? Is it just simply a matter of unticking the box?
>> >
>> > Thanks
>>
>> Thanks for the extra info. I don't know why you have NAT on the server enabled, because your hardware firewall is handling that. You can remove it in RRAS, assuming that is how it was configured, unless you used ICS? But if you used ICS, you wouldn't have been able to set up RRAS for VPN. Just remove the NAT instance in RRAS, because you want to keep RRAS for the VPN services. Assuming the DC only has one IP, good.
>>
>> Remote Desktop (RDP) requires TCP 3389 opened to 192.168.16.2. I assume you mapped port 3389 TCP on the hardware firewall?
>>
>> As for the CRM, it sounds like something in the app is causing the issue.
>>
>> Ace

Guest Ace Fekay [MVP]
Posted

Re: nat/basic firewall

 

In news:exd5EMyqIHA.3616@TK2MSFTNGP06.phx.gbl, Bill Grant <not.available@online> typed:

> From the info you posted it appears that you are running your DC as a VPN server. This is not a good idea. As soon as a remote user connects and the internal interface in RRAS becomes active and acquires an IP, your DC is multihomed. This is not nice.
>
> If you really must run your DC as a remote access server, have a look at KB 292822 for an indication of the problems you could face.

Good point about VPN on the DC. If the edge firewall supports VPN, suggest to use that.

Ace

Guest Ace Fekay [MVP]
Posted

Re: nat/basic firewall

 

In news:614296A6-DC35-4E7B-ADE1-AD3AEE93CCB6@microsoft.com, Leonard <Leonard@discussions.microsoft.com> typed:

> OK, thanks.
>
> I will turn off NAT and try CRM again.
>
> I have been telling the apps provider it's not a firewall and they insist it's that.
>
> Thing is, the app is working on systems in the office.
>
> I know it's IIS and SQL based and then that's all above my head.
>
> Will let you know if turning off the NAT works, but I am not hopeful.
>
> Thanks for the advice so far.

You are welcome. Also, I want to point out that besides turning off NAT, make sure the Windows firewall is disabled.

Can you also post an ipconfig /all of the DC please? I would like to take a closer 'look' at your configuration.

Thanks,

Ace
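
Bill's warning that the DC becomes multihomed once the RRAS dial-in interface acquires an address, and Ace's request for an ipconfig /all, come down to the same check. The Python below is an added example, not code from anyone in this thread: it parses a constructed ipconfig /all listing in the Windows 2003 layout (the host name DC1, the MAC addresses, the example.local suffix and the 192.168.16.200 pool address are made up; 192.168.16.2 and 192.168.16.3 follow Leonard's post) and reports the conditions the thread discusses: more than one adapter holding an address, an active "RAS Server (Dial In)" interface, and IP routing enabled on the host.

```python
import re
from collections import defaultdict

# Constructed ipconfig /all output for the DC described in the thread. Host
# name, MACs, DNS suffix and the 192.168.16.200 RAS pool address are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC1
   Primary Dns Suffix  . . . . . . . : example.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
                                       192.168.16.3

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
"""

# "   Field . . . . : value" (value may be empty, as for an unset gateway)
FIELD_RE = re.compile(r"^\s+(.*?)[\s.]*:\s?(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: [values]}}. Lines before the first adapter
    header go under 'global'; an indented line without a colon continues the
    previous field (ipconfig lists extra DNS servers that way)."""
    sections = {"global": defaultdict(list)}
    current, last_field = "global", None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            if raw.rstrip().endswith(":"):        # adapter header
                current = raw.rstrip()[:-1]
                sections[current] = defaultdict(list)
                last_field = None
            continue                              # e.g. "Windows IP Configuration"
        m = FIELD_RE.match(raw)
        if m and m.group(1):
            field, value = m.group(1), m.group(2).strip()
            last_field = field
            if value:
                sections[current][field].append(value)
        elif last_field:
            sections[current][last_field].append(raw.strip())
    return sections


def addressed_adapters(sections):
    """Adapters that currently hold an IP address."""
    return {name: fields["IP Address"] for name, fields in sections.items()
            if name != "global" and fields.get("IP Address")}


def multihoming_findings(sections):
    """The checks the thread turns on: a DC is multihomed once a second
    adapter (here the RRAS dial-in interface) holds an address, and IP
    routing enabled on the host shows RRAS routing/NAT is active."""
    findings = []
    adapters = addressed_adapters(sections)
    if len(adapters) > 1:
        findings.append("multihomed: %d adapters hold addresses: %s"
                        % (len(adapters), ", ".join(sorted(adapters))))
    for name, ips in adapters.items():
        if "RAS Server (Dial In)" in name:
            findings.append("RRAS dial-in interface holds %s, a second address on this DC" % ips[0])
    if sections["global"].get("IP Routing Enabled") == ["Yes"]:
        findings.append("IP routing is enabled on this host (RRAS routing/NAT active)")
    return findings


if __name__ == "__main__":
    for line in multihoming_findings(parse_ipconfig(SAMPLE_IPCONFIG)) or ["no findings"]:
        print(line)
```

Feed it the real listing instead of SAMPLE_IPCONFIG and an empty result means the DC is single-homed with routing off, which is the state Bill and Ace are steering Leonard towards once NAT is removed from RRAS and VPN termination moves to the edge device.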
