dsteinschneider
asked on
2003 SBS - GPO - Windows Firewall - PIX 501 - Something is preventing browsing remote workstation file shares
Question 1 - I updated 2003 SBS SP1 per some instructions from a software vendor in order to get an Exchange add-on to work correctly. Part of the update was the XP SP2 client updates. This introduced GPO controlled client windows firewall - how do I adjust it?
Question 2 - What is the best way to turn it off completely for troubleshooting.
Question 3 - How can I then turn it on but enable File and Printer Sharing Exception - right now that control is greyed out on the remote workstation. I don't see how to control it in Domain Group Policy branch for networks/firewall
Question 4 - Would it be a mistake to run gpedit on the workstation and edit the exceptions there and then enter 139:192.168.100.2/254:enab
Specifically I can't browse the remote workstation shares from the server to the remote workstation accross the PIX TO PIX VPN. I looked in the Windows Firewall exceptions on the remote workstation and noticed that the File Sharing and Printing execption is not checked.
Question 5 - I got very odd results while testing changes in Group Policy accross the VPN. Everything happens exactly as I expect if the workstation is one of the ones on the same network.
Question 6 - Do I need to turn on SBS 2003 Firewall (on the server itself) to control workstation settings via GPO?
One of issues is this network is 2 hours away. The server doesn't have Windows Firewall service started. Is that where changes are made so Group Policy can sync them out to the remote workstation? I haven't tried that because gas is getting very expensive :) I'm worried if I turn the service on I may not be able to remotedly administer it after that. If that's whats needed I need some way of guaranteeing myself that neither GPO nor the Firewall itself will cause the RDP exception to be disabled.
Question 7 - Why does the Cisco software VPN client running on the remote workstation allow the server to see the remote workstation's file shares?
The server and remote workstation are connected by a pair of PIX 501's. A year ago you could browse the network in both directions. Then about 6 months ago the IP addresses for each location changed. Once I modified the PIX script to reflect the new IP addresses for some reason the server couldn't see the remote workstation over the PIX to PIX VPN. If I connected from the workstation to the server using the Cisco software VPN client I could browse network resources in both directions. Now I can ping the client from the server and use RDP (by machine name) from the server to the remote without the software VPN client but can't reach the shares.
I would give this more than 500 points or break up the questions but I've asked some of them separately and haven't been able to solve this problem.
Maybe someone could tell me what order to troubleshoot this in such as make sure you can do these things with the PIX first - then troubleshoot the windows components etc.
Thanks in advance
Question 2 - What is the best way to turn it off completely for troubleshooting.
Question 3 - How can I then turn it on but enable File and Printer Sharing Exception - right now that control is greyed out on the remote workstation. I don't see how to control it in Domain Group Policy branch for networks/firewall
Question 4 - Would it be a mistake to run gpedit on the workstation and edit the exceptions there and then enter 139:192.168.100.2/254:enab
Specifically I can't browse the remote workstation shares from the server to the remote workstation accross the PIX TO PIX VPN. I looked in the Windows Firewall exceptions on the remote workstation and noticed that the File Sharing and Printing execption is not checked.
Question 5 - I got very odd results while testing changes in Group Policy accross the VPN. Everything happens exactly as I expect if the workstation is one of the ones on the same network.
Question 6 - Do I need to turn on SBS 2003 Firewall (on the server itself) to control workstation settings via GPO?
One of issues is this network is 2 hours away. The server doesn't have Windows Firewall service started. Is that where changes are made so Group Policy can sync them out to the remote workstation? I haven't tried that because gas is getting very expensive :) I'm worried if I turn the service on I may not be able to remotedly administer it after that. If that's whats needed I need some way of guaranteeing myself that neither GPO nor the Firewall itself will cause the RDP exception to be disabled.
Question 7 - Why does the Cisco software VPN client running on the remote workstation allow the server to see the remote workstation's file shares?
The server and remote workstation are connected by a pair of PIX 501's. A year ago you could browse the network in both directions. Then about 6 months ago the IP addresses for each location changed. Once I modified the PIX script to reflect the new IP addresses for some reason the server couldn't see the remote workstation over the PIX to PIX VPN. If I connected from the workstation to the server using the Cisco software VPN client I could browse network resources in both directions. Now I can ping the client from the server and use RDP (by machine name) from the server to the remote without the software VPN client but can't reach the shares.
I would give this more than 500 points or break up the questions but I've asked some of them separately and haven't been able to solve this problem.
Maybe someone could tell me what order to troubleshoot this in such as make sure you can do these things with the PIX first - then troubleshoot the windows components etc.
Thanks in advance
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Generally you don't need to do anything to enable file sharing, unless you've already done something to inhibit it. An overview of this is here: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngdepgp.mspx
I'd highly suggest that you take a look at the SBS Best Practices and SBS Advanced books by Harry Brelsford, it will have a host of good info for you. You can find them here: http://snipurl.com/bestpractices and http://snipurl.com/advanced
Jeff
TechSoEasy
I'd highly suggest that you take a look at the SBS Best Practices and SBS Advanced books by Harry Brelsford, it will have a host of good info for you. You can find them here: http://snipurl.com/bestpractices and http://snipurl.com/advanced
Jeff
TechSoEasy
ASKER
I ordered the Brelsford books. I didn't buy his first SBS book - just the Advanced and his book on SMB consulting. Thanks for the tip on those.
Even after 30 SBS installs, I still have the Best Practices book at my side when I'm configuring a new server/network. There's some good basic stuff in it. If you're interested, send me an email directly (in my profile) and I see about getting you an electronic copy.
Jeff
TechSoEasy
Jeff
TechSoEasy
ASKER
Thanks for the great answers. You can't know how grateful I am to have so many of them answered so quickly. Before I read this response I had already disabled the GPO for the firewall. That fixed the problem of not being able to reach the shares on the remote workstations from the server. I still don't see the remote workstations (on the other side of the VPN) in network neighborhood on the server's network side but that problem can be solved by creating some shortcuts to shares the users need access to. I have seen the machines show up in Network Neighborhood on the server during the past two days of troubleshooting but when clicked on got the message that the resource wasn't available. The remote workstations are able to browse the entire network.
The only IP address that changed was the external IP address assigned by the provider. The internal subnets are 192.168.100.nnn and 192.168.200.nnn (latter is for the remote network). I think the Cisco PIX to PIX VPN issues are resolved - it just happened that just as I was finishing the VPN solution when I moved on to do the very update order you spelled out in your post. I didn't know it would turn on GPO for the firewall so yesterday was a long day teaching myself as much as I could about it in order to start getting a handle on the problem. I'm watching the ms webcasts today on managing Group Policies.
Thanks for the link on www.smallbizserver.net - great resource - suprised it never turned up in my Google searches yet again confirming my suspicions that Google isn't working quite like it used to.
Finally - on the potential DNS issue - I installed WINS hoping that would take care of the name resolution. On the DNS side the domain name with and without its extension is entered in the "append these suffixes" under the DNS tab for each workstation. Late breaking update - the remote shares are now showing up in Network Neighborhood on the server so the entire issue was the GPO controlled firewall settings introduced during the updates!
Well that wraps this one up - thanks for the help. One last question:
Is this definition string correct for making sure that filesharing is on once I enable the firewall GPO? - 139:192.168.100.2/254:enab