Cannot open additional ports on Windows 2003 Enterprise Server

Hi Aeraps,

Thanks for your response. I used the GUI version of Nmap (ZenMap) to verify which ports were open and listening on the server in question. I'll give PortQryUI a try and see how it compares. I'm not in the office currently, but when I am, I'll check out canyouseeme.org to verify that I correctly opened the ports on the firewall appliance. It seems that it can only check to see if the ports are open from your current IP address, not an IP which you can specify. If I am mistaken about this, please inform me. I'm also wondering if those ports will show open anyway as I specified that they be available only from 4 specific external IP addresses.

The Domain controller pretty much is using the default Group Policy configuration. The server in question is a plain vanilla installation of 2003 Enterprise Server. Thanks again.

Aeraps...
I tried PortQryUI. It's a nice easy GUI. I show 3 of the ports for PowerSchool listening with PortQry: 80, 407, and 7880. I also tried canyouseeme.org from my office to verify that the ports I need open on my firewall are open, and all inquiries came back Error: I could not see your service on 192.xxx.xxx.xxx on port (xxx)
Reason: Connection timed out. As I said, I only opened these ports on the firewall to 4 specific incoming IP's, so I'm not sure if canyouseeme.org can show these as open even if they were.

oks1977...
Thanks for chiming in on this. I tried using the netstat command as you suggested, and I get the same results as indicated above. However, I show only Port 80 listening on my IP (192.xxx.xxx.xxx). I show the other 2 ports listening on IP 0.0.0.0. I can also get a Telnet connection to the 3 ports both locally from the server and from another machine on the network (not sure what you meant by desktop/laptop that it is locating to).
As for the firewall rules, they are entered via a GUI and the configuration settings are pretty straight forward (which doesn't mean I couldn't have made a mistake). The settings I configured are as follows:
Service Name: SSH:TCP
Filter: Allow Always
WAN Users: 168.xxx.xxx.xxx (the remote IP looking to access our network)
Destination: WAN 1 (which represents our external IP)
Bandwidth Profile: NONE

The following is a lnk on NetGears site that will take you to a sample management console for the appliance:
http://tools.netgear.com/landing/gui/security/fvs336g/simulators/v_2.2.0_59.9/router_status.htm
Thanks for your help so far.

Hi, I'm looking @ your question again...

You are trying to open up ports for SIS application (PowerSchool) on your Windows 2003 Ent Server. Why do you need to do so?
Are you able to connect to SIS application (PowerSchool) from another machine inside your network?

Hi oks1977,

The company (Pearson) requires access to the server for remote support, configuration and update purposes. Also, I'm having a problem accessing the PowerSchool application from other machines within my network, which is one of the reasons they currently need access.

Thanks.

Hi jquartic1,

Thanks for the information.  So they require access to PowerSchool application, but through which application? Is it terminal service, citrix, etc? When you enabled or install such applications, the port will be opened.

From within your network, is it everybody having issue or a cluster of them? You may want to look @ their subnets and whether they have any FW protected, etc.

Hi oks1977,

You seem to be asking exactly the right questions. They gain access through Timbuktu Pro. Timbuktu Pro is installed and configured on the server. One of the ports for Timbuktu does show open and listening, but it is one of the 3 ports I mentioned previously that shows as associated with IP 0.0.0.0 when I do netstat and not my actual server IP 192.xxx.xxx.xxx. Here is a breakdown of the ports that have to be open and the associated services:

HTTP - incoming and outgoing access
 PowerSchool: TCP 80
 PowerGrade: TCP 5071
 PowerTeacher: TCP 7880

Timbuktu - incoming and outgoing access
 TCP: 407, 1417 - 1420 (total of 5 ports)
 UDP: 407, 1417 - 1420 (total of 5 ports)

Thanks again.

Hi jquartic1,

When netstat result shows 0.0.0.0., it means that it is listening on all ports. Looking at your last post according to you, port 80, 407, and 7880 are open. So does it mean U are still having issue?

3 of the 13 total ports I need are open. Only 1 of the 10 Timbuktu ports is open (see my previous eMail for ports I need open). Referring to one of your previous answers, I believe you said the application will open the port on the server. If the application is installed, and the ports did not open, could that be because of Group Policy settings or some other security settings on the server? Could antivirus software prevent the ports from opening? I did have av software installed on the server when I installed Timbuktu. I subsequently remove the av software.

I do not think that Group Policy will block that. I believe that it was due to the certain service of the application did not start. As thus the application did not start and ports did not open.

It is like windows 2003. IIS is there but you will need to install and start it so that you are able to use it. For the ports 1417 -1420 (TCP & UDP), this should be resolve when the services are started.

You may want to check on KB or check with their support for Timbuktu Pro or PowerSchool application.

Put the server in DMZ mode on your netgear and ask your remote support people to try to access and it should be ok ;

as oks1977 have mentioned that 0.0.0.0 means listening on all ip address

you may want to check your iis bindings and port numbers you have configured for them.

OK... here's where I am now. I configured a rule on my firewall to allow ANY inbound IP (as opposed to the specific inbound IP's) to access Port 407 on my server. I used the canyouseeme.org and another external port scanner site, and the port still cannot be seen. That tells me that something else is stopping those ports from being seen... correct?

I have a Cisco 1600 series router on the network here also. It is not currently serving any purpose that I can see on our network, and I was going to retire it when I brought on the new firewall appliance. As I understand it, I should be able to just run with the Netgear ProSafe firewall. My broadband connections come directly into the firewall. The router is connected to the switch and sits on the network. When I originally disconnected the router, I lost outside connectivity (and I'm not sure why). In any case, is it possible that something in the router config is not allowing the ports to be seen from the outside, even though the firewall is configured to open the ports? My guess is that I should post the configuration of the router here as additional information.

Also, from what I understand about Timbuktu, there should be 5 services running... one on port 407, and the other 4 on ports 1417-1420. When I check Services on the server, I only see 1 Timbuktu service (Tb2 Launch) running. Based on this, I think I'm going to reinstall Timbuktu on the server and see if that resolves the issue of ports 1417-1420 not being open on the server.

Please let me know what you think about this. Thanks.

Yes, if you have correctly enabled ANY inbound IP address, have tested from internal network (no FW involved) and is able to connect to the port. Then it could be something else still blocking (could be the FW or others).

before you do any Reinstall of Timbuktu, maybe you should check with their support. After you have install the software on your hand. All services and ports ( 407, and the other 4 on ports 1417-1420) should be open. Maybe they need some logs.

For troubleshooting, it should be from the server -> Network -> FW -> Internet.

This is what I think.

Hi all,

As a new member, I think that I need to close out this question and reframe it another way that is more focused. I would like to award some points to one of the contributors who helped point me in the right direction, but I do not want to accept a solution and have this go into the knowlegebase as the issue really hasn't been resolved.

I searched around for a way to do this, but it wasn't really clear to me how I should proceed. If anyone can give some advice on this, I'd appreciate it.

Thanks.