Discussion:
nat/basic firewall
Leonard
2008-04-27 23:49:00 UTC
We have a Windows 2003 Std server.

I want to turn off its firewall, which is under Routing and Remote Access -
IP Routing - NAT/Basic Firewall.

I want to turn this off and only use my hardware firewall, as we have new
software which uses IIS and something is blocking remote access to this from
outside the office, although it works OK in the office.

Look forward to your reply.
Herb Martin
2008-04-28 00:01:32 UTC
Post by Leonard
We have a Windows 2003 Std server.
I want to turn off its firewall, which is under Routing and Remote Access -
IP Routing - NAT/Basic Firewall.
I want to turn this off and only use my hardware firewall, as we have new
software which uses IIS and something is blocking remote access to this from
outside the office, although it works OK in the office.
Ok, go ahead -- if that is what you want.
Post by Leonard
Look forward to your reply
What do you want us to tell you? (There is really no question above).

Obviously you can make the Basic firewall work, and use it to
increase your protection from local (or remote) attacks BUT it
may not be worth the trouble for you to do so -- in your
particular business/security situation.

Some people will turn it off (or never knew it existed to turn it on)
and others will replace it with something (3rd party) that is even
stronger.

All such are choices.
Bill Grant
2008-04-28 00:32:30 UTC
I would think it more likely that your hardware firewall is blocking the
connection. What form of remote access are you using? https, RDP, dialup,
vpn?
Ace Fekay [MVP]
2008-04-28 04:21:14 UTC
Post by Bill Grant
I would think it more likely that your hardware firewall is
blocking the connection. What form of remote access are you using?
https, RDP, dialup, vpn?
I agree, Bill. If directly trying to connect using RDP, he must open 3389
TCP and map it to the internal machine. But then again, I agree he may be
using a VPN to first connect in, then trying to access the machine using
RDP. He didn't provide enough info.

Ace
Leonard
2008-04-28 22:18:00 UTC
The address I am connecting to is http://mydomain or IP/crmlive/eware.dll

I have even put the hardware router in DMZ and this still did not work.

My software people say it's my firewall, hence why I wanted to disable the one
in Windows.

Just how do I disable the one on the server?
Ace Fekay [MVP]
2008-04-29 04:32:50 UTC
Post by Leonard
The address I am connecting to is http://mydomain or
IP/crmlive/eware.dll
I have even put the hardware router in DMZ and this still did not work.
My software people say it's my firewall, hence why I wanted to disable
the one in Windows.
Just how do I disable the one on the server?
You are trying to connect to http://mydomain, not http://mydomain.com? If
you want to connect to a resource from the outside world, it must be a valid
domain name, such as www.domain.com, http://domain.com, etc. Using a single
name, will not work. Besides, whatever name you want to use must be
registered in the public registrar, such as your domain name. Then you would
create a resource (hostname) such as www, or crmlive under your domain name,
and give it the public IP address of your WAN connection. Then you would
use, for example, http://crmlive.yourdomain.com.

Then in your NAT/firewall device, you would port-remap any inbound port 80
requests to the webserver hosting the crmlive app.

Do you have a public domain name registered?

You can also do it by IP, as you suggested.

Disable the Windows firewall unless you know how to configure it. Honestly
for a server, we NEVER use the Windows firewall. We rely on our edge
firewall/NAT device for protection. Besides, it eliminates issues you may be
seeing, that is if the portremap and external public names are configured
properly.

Ace
Leonard
2008-04-29 18:47:00 UTC
Well, the domain is registered and OWA works fine.

We do get a logon screen for CRM but none of the graphics load, and when you
do get logged in it's very slow and again no graphics load.

If we connect to the server via VPN all works OK then, but we don't want to have
to use VPN.

Any other suggestions?
Ace Fekay [MVP]
2008-04-30 00:35:51 UTC
Post by Leonard
Well, the domain is registered and OWA works fine.
We do get a logon screen for CRM but none of the graphics load, and
when you do get logged in it's very slow and again no graphics load.
If we connect to the server via VPN all works OK then, but we don't want
to have to use VPN.
Any other suggestions?
Is CRM on the Exchange server?

If OWA is working fine, and you are getting the logon screen, I'm assuming
they are on the same server, because you can only port-remap one port per
internal IP.

So if it is loading slowly or with no graphics, a port is being blocked that CRM
uses. Does the CRM have a web-based ONLY method, meaning that it will only
use port 80 or 443? I am not familiar with your CRM. Who's the vendor? What
do their docs say? Have you contacted their support?

I am asking this because obviously it is initially connecting, but it
appears to be "looking" for something else during the connection process.
Possibly your Windows firewall (Windows firewall, you haven't disabled yet
to test it?) or your edge firewall.

I'm also assuming you have port 80 remapped to the Exchange server for OWA,
unless of course you are using SSL, which would be port 443? See, this is
why we always ask questions. We need to have a holistic view of the
environment, equipment, port settings, mappings, what servers are internal,
what ports are mapped to which servers, etc. Know what I mean?

So PLEASE, elaborate on your setup, etc, for all of us trying to help. It
eliminates assumptions and guesswork.

Thanks,

Ace
Leonard
2008-04-30 17:34:01 UTC
We are running 2 x Std Windows 2003 Servers:
1 is the domain controller (192.168.16.2) and the 2nd is the Exchange Server
2003 (192.168.16.3).

We have open ports on NAT:

80 is open and with IP address 192.168.16.2
443 is open and forwarded to the Exchange server 192.168.16.3
remote desktop is pointing to 192.168.16.2
VPN is pointing to 192.168.16.2

We changed OWA from port 80 to 443 as we know we can't forward to 2 different
places.

On our hardware firewall, we have all the above ports open and they are all
forwarding to 192.168.16.2.

We have only 1 external IP address.

Hope all that makes sense; if you need more info just ask.

And:

How do I turn off the NAT on my server? Is it simply a matter of unticking the box?

Thanks
Ace Fekay [MVP]
2008-04-30 21:29:50 UTC
Post by Leonard
We are running 2 x Std Windows 2003 Servers:
1 is the domain controller (192.168.16.2) and the 2nd is the Exchange
Server 2003 (192.168.16.3).
We have open ports on NAT:
80 is open and with IP address 192.168.16.2
443 is open and forwarded to the Exchange server 192.168.16.3
remote desktop is pointing to 192.168.16.2
VPN is pointing to 192.168.16.2
We changed OWA from port 80 to 443 as we know we can't forward to 2
different places.
On our hardware firewall, we have all the above ports open and they
are all forwarding to 192.168.16.2.
We have only 1 external IP address.
Hope all that makes sense; if you need more info just ask.
And:
How do I turn off the NAT on my server? Is it simply a matter of
unticking the box?
Thanks
Thanks for the extra info. I don't know why you have NAT on the server
enabled because your hardware firewall is handling that. You can remove it
in RRAS, assuming that is how it was configured, unless you used ICS? But if
you used ICS, you wouldn't have been able to setup RRAS for VPN. Just remove
the NAT instance in RRAS because you want to keep RRAS for the VPN
services. Assuming the DC only has one IP, good.

Remote Desktop (RDP) requires TCP 3389 opened to 192.168.16.2. I assume you
mapped port 3389 TCP on the hardware firewall?

As for the CRM, it sounds like something in the app is causing the issue.

Ace
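Added example (mine, not code from Ace, Leonard or the CRM vendor): a small Python model of the two inbound port-forwarding tables Leonard listed, the hardware firewall's and the server's RRAS NAT, so the two can be checked against each other before anything is removed. One inference from the posted tables, not something the thread confirms: the edge sends 443 to 192.168.16.2, yet OWA on 192.168.16.3 works, so something on the DC must be relaying 443, and the RRAS table that lists 443 -> 192.168.16.3 is the obvious candidate. The model therefore shows what deleting the server-side NAT instance would do to each service. Assumptions of mine: the VPN is PPTP on TCP 1723, the CRM site is the IIS instance on 192.168.16.2 (Leonard maps 80 there), and the RRAS table only sees traffic the edge has already handed to 192.168.16.2.

```python
# Added example, not code from any poster in this thread.
# Model of chained inbound NAT: the edge firewall decides first; if it hands
# traffic to a host that itself runs a NAT table, that table decides next.

DC = "192.168.16.2"        # domain controller, also runs RRAS NAT (from the post)
EXCHANGE = "192.168.16.3"  # Exchange 2003, OWA moved to 443 (from the post)

# Constructed from Leonard's post. Port 1723 for "VPN" is an assumption (PPTP).
NAT_TABLES = {
    "edge": {80: DC, 443: DC, 3389: DC, 1723: DC},        # hardware firewall
    DC:     {80: DC, 443: EXCHANGE, 3389: DC, 1723: DC},  # RRAS NAT/Basic Firewall
}


def inbound_path(port, tables=NAT_TABLES, first="edge"):
    """Follow one public-side TCP port through chained NAT tables.

    Returns the internal hosts the traffic is handed to, in order. An empty
    list means the edge has no mapping and the packet is dropped there.
    """
    path, seen, hop = [], set(), first
    while hop in tables and port in tables[hop] and hop not in seen:
        seen.add(hop)                    # guard against A -> B -> A loops
        nxt = tables[hop][port]
        if nxt == hop:                   # the NAT host delivers to a local service
            break
        path.append(nxt)
        hop = nxt
    return path


def final_destination(port, tables=NAT_TABLES):
    """Host that finally receives traffic for `port`, or None if dropped."""
    path = inbound_path(port, tables)
    return path[-1] if path else None


def conflicting_ports(tables=NAT_TABLES, outer="edge", inner=DC):
    """Ports on which the edge and the server-side table name different hosts."""
    a, b = tables[outer], tables[inner]
    return sorted(p for p in a if p in b and a[p] != b[p])


def without_nat_on(host, tables=NAT_TABLES):
    """The tables as they would look after removing the NAT instance on `host`."""
    return {k: dict(v) for k, v in tables.items() if k != host}


def services_reachable(services, tables=NAT_TABLES):
    """services: {name: (port, host that really runs it)} -> {name: reachable?}"""
    return {name: final_destination(port, tables) == host
            for name, (port, host) in services.items()}


if __name__ == "__main__":
    # Which host runs CRM is assumed (Leonard maps port 80 to the DC).
    services = {"CRM (IIS)": (80, DC), "OWA": (443, EXCHANGE), "RDP": (3389, DC)}
    print("edge and RRAS disagree on ports:", conflicting_ports())
    print("with the RRAS NAT in place:     ", services_reachable(services))
    print("after removing the RRAS NAT:    ",
          services_reachable(services, without_nat_on(DC)))
```

Run it and compare the two dictionaries it prints: if OWA flips from True to False once the DC's NAT table is removed, the edge firewall needs its own 443 -> 192.168.16.3 rule before the RRAS NAT instance is deleted. The model knows nothing about the Windows Firewall service on either box, nor about which ports the CRM client actually uses, which is Ace's open question.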
Leonard
2008-04-30 22:06:00 UTC
OK, thanks.

I will turn off NAT and try CRM again.

I have been telling the apps provider it's not a firewall and they insist it's
that.

Thing is, the app is working on systems in the office.

I know it's IIS and SQL based and then that's all above my head.

Will let you know if turning off the NAT works, but I am not hopeful.

Thanks for the advice so far.
Bill Grant
2008-05-01 00:33:47 UTC
From the info you posted it appears that you are running your DC as a VPN
server. This is not a good idea. As soon as a remote user connects and the
internal interface in RRAS becomes active and acquires an IP, your DC is
multihomed. This is not nice.

If you really must run your DC as a remote access server have a look at
KB 292822 for an indication of the problems you could face.
Ace Fekay [MVP]
2008-05-01 01:45:54 UTC
Post by Bill Grant
From the info you posted it appears that you are running your DC as
a VPN server. This is not a good idea. As soon as a remote user
connects and the internal interface in RRAS becomes active and
acquires an IP, your DC is multihomed. This is not nice.
If you really must run your DC as a remote access server have a
look at KB 292822 for an indication of the problems you could face.
Good point about VPN on the DC. If the edge firewall supports VPN, suggest
to use that.

Ace
Ace Fekay [MVP]
2008-05-01 01:47:16 UTC
Post by Leonard
OK, thanks.
I will turn off NAT and try CRM again.
I have been telling the apps provider it's not a firewall and they
insist it's that.
Thing is, the app is working on systems in the office.
I know it's IIS and SQL based and then that's all above my head.
Will let you know if turning off the NAT works, but I am not hopeful.
Thanks for the advice so far.
You are welcome. Also, I want to point out that besides turning off NAT,
make sure the Windows firewall is disabled.

Can you also post an ipconfig /all of the DC please? I would like to take a
closer 'look' at your configuration.

Thanks,
Ace
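Added example, not from Ace or Bill: since Ace asks for an ipconfig /all and Bill's concern is that the RRAS dial-in interface leaves the DC multihomed, here is a Python parser for ipconfig /all output that pulls each adapter's addresses and reports whether the box has more than one, plus whether IP routing is on (the tell-tale of RRAS). The sample output is constructed to look like a Windows Server 2003 DC with RRAS enabled; host name, adapter names, MACs and addresses are invented, and the helper names are mine.

```python
# Added example, not code from any poster in this thread.
# Parse "ipconfig /all" output and flag a multihomed domain controller.
import sys

GLOBAL = "Windows IP Configuration"   # the first, adapter-less section

# Constructed sample: a 2003 DC with one NIC and the RRAS dial-in interface up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC1
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
                                       192.168.16.3

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {section name: {field: [values]}}.

    A line at column 0 starts a section (the global block, or an adapter
    whose header ends in ':'); indented 'Key . . . : value' lines are fields;
    indented lines without ':' continue the previous multi-valued field.
    """
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = sections.setdefault(line.rstrip(":"), {})
            last_key = None
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if sep:
            key = key.strip(" .")            # drop the dotted leader
            current.setdefault(key, [])
            if value.strip():
                current[key].append(value.strip())
            last_key = key
        elif last_key is not None:
            current[last_key].append(line.strip())
    return sections


def adapter_addresses(sections):
    """{adapter: [IPv4 addresses]} for every section that carries one."""
    out = {}
    for name, fields in sections.items():
        addrs = fields.get("IP Address", []) + fields.get("IPv4 Address", [])
        if addrs:   # newer Windows appends "(Preferred)"; strip it
            out[name] = [a.split("(")[0].strip() for a in addrs]
    return out


def multihomed_report(sections):
    """Addresses on the box, whether there is more than one, PPP (RAS) adapters,
    and whether IP routing is enabled in the global block."""
    addrs = adapter_addresses(sections)
    all_ips = sorted({ip for lst in addrs.values() for ip in lst})
    routing = sections.get(GLOBAL, {}).get("IP Routing Enabled", [])
    return {
        "addresses": all_ips,
        "multihomed": len(all_ips) > 1,
        "ras_adapters": [n for n in addrs if n.startswith("PPP adapter")],
        "ip_routing": bool(routing) and routing[0].lower() == "yes",
    }


if __name__ == "__main__":
    # Pipe real output in (python this.py < ipconfig.txt) or use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    print(multihomed_report(parse_ipconfig(text)))
```

A DC that comes back multihomed is in exactly the state Bill warns about, the one KB 292822 covers. Note that the PPP adapter and its address only appear while a remote user is connected, so run this with a VPN session up; with nobody dialled in the same box reports a single address and looks fine.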
Vivek V
2011-04-15 10:09:41 UTC
Hi,

In my setup I have separate networks as shown below.

172.25.16.0/24
|
|(172.25.16.1)
Windows 2003 Server (Server 1) NAT enabled
|(20.209.168.235)
|
SOME LAN
|
|(20.217.46.48)
Windows 2003 Server (Server 2) NAT enabled
|(192.168.100.1)
|
192.168.100.0


In above network setup:
1. 20.209.168.x can reach 20.217.46.x and vice-versa.
2. 172.25.16.x can reach 20.217.46.48.
3. 192.168.100.x can reach 20.209.168.235.
4. There are 5-6 hops between 20.209.168.235 and 20.217.46.48 (As seen with tracert)

* My goal is to create routes/ setup/ configurations such that 172.25.16.x can reach 192.168.100.x.

Any suggestions?
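Added example for Vivek's question, not from any poster: a Python simulation of hop-by-hop forwarding over the routers in his diagram, using longest-prefix match on each table, so you can see where a packet from 172.25.16.x to 192.168.100.x currently dies and which tables need a route for the far private prefix. The single "lan" router standing in for the 5-6 hops, the /24 masks on the 20.x links and the gateway addresses are my assumptions; the NAT instances on both servers are outside this model (a source address rewritten by Server 1's NAT changes what Server 2 has to route back to).

```python
# Added example, not code from any poster in this thread.
# Hop-by-hop forwarding over the routers in Vivek's diagram.
from ipaddress import ip_address, ip_network

# Route entries are (destination, next hop); next hop None = directly connected.
# "lan" stands in for the 5-6 hops between the servers; its links, the /24
# masks and the gateway addresses are assumptions, not from the post.
TABLES = {
    "server1": [("172.25.16.0/24", None), ("20.209.168.0/24", None),
                ("0.0.0.0/0", "20.209.168.1")],
    "lan":     [("20.209.168.0/24", None), ("20.217.46.0/24", None)],
    "server2": [("192.168.100.0/24", None), ("20.217.46.0/24", None),
                ("0.0.0.0/0", "20.217.46.1")],
}

# Which router answers for which next-hop address (assumed).
OWNERS = {
    "20.209.168.235": "server1", "20.209.168.1": "lan",
    "20.217.46.1": "lan",        "20.217.46.48": "server2",
}


def lookup(table, dst):
    """Longest-prefix match: returns (network, next_hop) or None if no route."""
    d = ip_address(dst)
    best = None
    for net, nh in table:
        n = ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nh)
    return best


def trace(src, dst, tables=TABLES, owners=OWNERS, max_hops=16):
    """Forward a packet router by router. Returns (delivered, routers visited)."""
    path, router = [src], src
    for _ in range(max_hops):
        match = lookup(tables[router], dst)
        if match is None:
            return False, path            # no route here: the packet is dropped
        _, nh = match
        if nh is None:
            return True, path             # destination is on a connected network
        if nh not in owners:
            return False, path            # next hop lies outside the model
        router = owners[nh]
        path.append(router)
    return False, path                    # routing loop or too many hops


def missing_on(dst, tables=TABLES):
    """Routers in `tables` that have no route at all (not even default) for `dst`."""
    return [r for r, t in tables.items() if lookup(t, dst) is None]


def with_routes(tables, extra):
    """Copy `tables` and add the (router, destination, next_hop) entries in `extra`."""
    new = {r: list(t) for r, t in tables.items()}
    for router, dest, nh in extra:
        new[router].append((dest, nh))
    return new


if __name__ == "__main__":
    print("before:", trace("server1", "192.168.100.5"),
          "no route on:", missing_on("192.168.100.5"))
    fixed = with_routes(TABLES, [
        ("lan", "192.168.100.0/24", "20.217.46.48"),    # forward path
        ("lan", "172.25.16.0/24",   "20.209.168.235"),  # return path
        # The servers' own default routes already point at "lan"; explicit
        # entries there are only needed if a server has no default route.
    ])
    print("after: ", trace("server1", "192.168.100.5", fixed),
          trace("server2", "172.25.16.9", fixed))
```

With the stock tables the trace stops at the intermediate network, because nothing between the two servers knows 192.168.100.0/24 (or 172.25.16.0/24 for the return path); each server's default route only gets the packet as far as its gateway. In practice those routes have to exist on every real hop between 20.209.168.235 and 20.217.46.48, or the two servers need a tunnel between them so that the intermediate hops only ever see the 20.x endpoints.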