Solved

PCanywhere... NAT or port forwarding or both?... I'm confused :(

Posted on 2003-12-04
17
9,863 Views
Last Modified: 2013-11-16
We use PCanywhere to remotely look after one of our servers, which works fine.  I forward the ports from my Netgear router to the server and open the ports on our ISA server (installed on our only server, W2K, 2 network cards, one LAN side, one WAN side)... works a treat.

However, we now need to install PCanywhere on a PC on the LAN side and I can't work out how to get to it (remotely)! If I open a different set of ports on the router I can't forward them to the PC because it's on the LAN side of the server.  How can I get to it? It has to pass through the server (W2K with ISA) and then forward on to the PC.  Now this is where I'm confused... I know the RRAS has some kind of NAT bit in it... so do I need to forward the ports again to the PC? I've got a headache now.
0
Question by:NeilDavis
17 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 9876216
Open the ports from the router to the server.  Then open the ports from the server to the workstation.  It's a bit messy, but should get you there.
0
 

Expert Comment

by:cannon1000
ID: 9876416
You may want to look at "Conferencing" on PCAnywhere....

I would suggest that you really reconsider using PCA to remotely manage your servers... not the most secure way to do it.  We decided to use GoToMyPC on our servers because it does not require any port forwarding... the traffic is encrypted... the response time is much better and I can manage as many or as few PCs and servers as I want from anywhere I need.

The other advantage is you can access these servers from anywhere... if you were at your friend's house and needed to check on them... you could, without any software.  It is also 100% secure, with no risk to your servers or your LAN.

http://www.gotomypc.com

Chris
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9876432
this MSKB article may help:

How to Configure Packet Filtering for pcAnywhere Hosted on ISA Server 2000
http://support.microsoft.com/?id=kb;en-us;304350
0
 
LVL 9

Expert Comment

by:drev001
ID: 9877311
Can you give some more detail on the setup? Is it like this:

Internet
|
|
Router (WAN IP:200.200.200.201 LAN IP: 10.0.0.1) NAT
|
|
Windows 2000 Server NIC 2: IP: 10.0.0.2
Windows 2000 Server NIC 1: 192.168.0.2

Note: all ip addresses made up

If it's set up like this, I can see the problem, but please clarify before we go any further.

0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9881166
Yep, it's like that.

Internet----Router (WAN IP xxx.xxx.xxx.xxx--LAN 192.168.0.1)----Server NIC2 192.168.0.2---ISA SERVER---Server NIC1 10.0.0.1----PC to get to 10.0.0.15

I can open the ports as Robing66066 suggests but that won't get me to the PC.  The ports need to be forwarded to the PC.


0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9882748
Sorry, I should have been more clear.

On your router, you should have the ability to set up a reverse proxy, sometimes called a conduit or virtual server.  That means that an address on the outside of the device maps to an address on the inside of the device.  You can usually choose between configuring it to allow all ports in, or just some.  You want just some, if possible.

Although your router may not have this ability (though I would be shocked), the ISA server certainly does.  You can set it up as outlined in the link provided by bbao.  (http://support.microsoft.com/?id=kb;en-us;304350 )

So, what you want to do is this.  On your router, set up a conduit between the WAN IP and Server NIC2 (192.168.0.2).  For that conduit, allow the PCAnywhere ports to pass.  (5631 and 5632).  That will get you to the ISA Server.

From the ISA server, set up the filter (conduit) for the workstation (10.0.0.15) as outlined in the above link.  

That should get you there.  The person on the outside will set PCAnywhere to connect to the WAN IP address.  The router will forward that to the ISA server and the ISA server will forward that to the PC.  Should work fine.

Good luck!
0
 

Expert Comment

by:cannon1000
ID: 9883144
The author should be aware that this allows anyone with PCAnywhere to connect to that PC as well.  

Opening up and redirecting these well known ports is like locking the door on your house but leaving the back windows unlocked.  The only defense would be PCAnywhere's authentication.
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9883160
Agreed.   (Although PCAnywhere will now accept Windows username/passwords too...)
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9883411
agreed too. IMO, NeilDavis may try one or all of the following methods:

1. change the default listening port of pcanywhere. although it is not a way to prevent risk at all, at least it is a trick to keep newbies out. ;-)
2. use VPN. of course, it needs a lot on both the remote side and the internal side, but the outcome should be much safer.

as for MSKB Q304350, it is for pcAnywhere Hosted on ISA Server 2000, not for those PCs behind the ISA. for the 2nd scenario, the following KB articles are helpful although they are not for pcanywhere directly (just replace the port number of TS with those of pcanywhere):

http://support.microsoft.com/?id=kb;en-us;275210
http://support.microsoft.com/?id=kb;en-us;294720

hope it helps,
bbao
0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9883514
bbao \ Robing66066 \ and everyone.  All the MS docs I've read, including those above, assume you are trying to get to your server and no further... 294720 starts...

"This article describes how to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server"

Where the ISA is also running Terminal Server... e.g. on the same box.

As it stands we have one W2K server that runs ISA server on it as well.  I can already get to this and don't use the standard TCP \ UDP port config for pcAnywhere.  I just can't get past it... maybe it can't be done.
0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9883535
I've just read a bit more of 294720 and it talks about internal servers... I will have a look at this... although I thought the whole process would be a bit easier!
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9883544
quoted from Q294720:

"In the IP address of internal server field, enter the IP address of the internal server. If you want this rule to enable Terminal Server Access to the ISA server, type its Internal IP address. If this is for another computer *behind* the ISA server on the LAN, type that computer's IP address."

hope it helps,
bbao
0
 
LVL 7

Accepted Solution

by:
Robing66066 earned 250 total points
ID: 9883699
Sorry.  That was just stupidity on my part.  I didn't even read that all the way through, I just thought it would show you how to publish the application.

For the ISA side, you'll have to do this:

First, configure a protocol definition for PCAnywhere.  You can find how to do that here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_ProtocolSchem.asp

Once you have that in place, you should be able to publish the "server" (your workstation).  See this link for info on how to do that:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_ProtocolSchem.asp

and

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/cmt_h_reverseaction.asp

I think that should get you through it.  To test, start by publishing the PCAnywhere machine on the ISA server.  Place a PCAnywhere client in front of the ISA server and see if you can get through.  Then configure your outside router.  Place a PCAnywhere client in front of that and see if you can get through.

Sorry for the confusion.  That should work now...  (Sure hope so anyway!  Whew!)
0
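The two-hop chain from Robing66066's comments (router conduit to 192.168.0.2, then ISA publishing to 10.0.0.15), modelled as an added example that is not part of any poster's reply. It traces where an inbound pcAnywhere connection stops when either hop is missing or misdirected. The `Gateway` and `trace` names, the WAN address and the server's non-standard port 15631 are constructed placeholders.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"   # constructed placeholder; the thread masks the real WAN IP
ISA_OUTSIDE = "192.168.0.2"
PC = "10.0.0.15"
SERVER_PCA_PORT = 15631   # constructed: the server's non-standard pcAnywhere port

@dataclass
class Gateway:
    name: str
    outside_ip: str
    forwards: dict = field(default_factory=dict)    # port -> inside host IP
    local_ports: set = field(default_factory=set)   # services on the gateway itself

def trace(chain, dst_ip, port):
    """Follow one inbound connection; return (log, final host IP or None)."""
    log = []
    for gw in chain:
        if dst_ip != gw.outside_ip:
            # The previous hop rewrote the destination to an address that
            # does not exist on the segment in front of this gateway.
            log.append(f"{dst_ip} not reachable on the segment in front of {gw.name}")
            return log, None
        if port in gw.local_ports:
            log.append(f"{gw.name}: port {port} answered locally")
            return log, gw.outside_ip
        if port not in gw.forwards:
            log.append(f"{gw.name}: no rule for port {port}, dropped")
            return log, None
        dst_ip = gw.forwards[port]
        log.append(f"{gw.name}: port {port} forwarded to {dst_ip}")
    return log, dst_ip

def build(router_fwd, isa_fwd):
    """Router in front, ISA server behind it, as in the thread's diagram."""
    return [Gateway("router", WAN_IP, router_fwd),
            Gateway("ISA", ISA_OUTSIDE, isa_fwd, local_ports={SERVER_PCA_PORT})]

if __name__ == "__main__":
    cases = {
        "router forwards straight to the PC": build({5631: PC}, {}),
        "router only, nothing published on ISA": build({5631: ISA_OUTSIDE}, {}),
        "router conduit + ISA publishing": build({5631: ISA_OUTSIDE}, {5631: PC}),
    }
    for label, chain in cases.items():
        log, host = trace(chain, WAN_IP, 5631)
        print(f"{label}: {host}")
        for line in log:
            print("   ", line)
```

Only the third case reaches 10.0.0.15, and the same rule pair is needed again for port 5632.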
 
LVL 1

Author Comment

by:NeilDavis
ID: 9895507
Guys, having a usual flat-out Mon morning, I hope to test this as soon as I can!... thanks for all your help!...
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9895539
good luck!
0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9940828
bbao \ Robing66066, thanks for your help here... in the end publishing the PC on the ISA server worked a treat!

I wanted to split the points here but again I can't work out how to do it!...
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9942358
there is a "split" button above your answer field. or you may ask EE moderator to help you.
0
