PCanywhere...NAT or port forwarding or both?...I'm confused :(

We use PCanywhere to remotely look after one of our servers which works fine.  I forward the ports from my netgear router to the server and open the ports on our ISA server (installed on our only server W2K 2 network cards one LAN side one WAN side)...works a treat.

However we now need to install pcanywhere on a PC on the LAN side and I can't work out how to get to it! (remotely)....If I open a different set of ports on the router I can't forward them to the PC because it's on the LAN side of the server.  How can I get to it???? It has to pass through the server (W2K with ISA) and then forward on to the PC.  Now this is where I'm confused..I know the RRAS has some kind of NAT bit in it...so do I need to forward the ports again to the PC???....I've got a headache now.
NeilDavis Asked:

Robing66066 Commented:
Open the ports from the router to the server.  Then open the ports from the server to the workstation.  It's a bit messy, but should get you there.
0
cannon1000 Commented:
You may want to look at "Conferencing" on PCAnywhere....

I would suggest that you really reconsider using PCA to remotely manage your Servers....not the most secure way to do it.  We decided to use GoToMyPC on our servers because it does not require any port forwarding...the traffic is encrypted....the response time is much better and I can manage as many or as few PC's and servers as I want from anywhere I need.

The other advantage is you can access these servers from anywhere...if you were at your friend's house and needed to check on them....you could, without any software.  It is also 100% secure, with no risk to your servers or your LAN.

http://www.gotomypc.com

Chris
0
bbao (IT Consultant) Commented:
this MSKB article may help:

How to Configure Packet Filtering for pcAnywhere Hosted on ISA Server 2000
http://support.microsoft.com/?id=kb;en-us;304350
0
drev001 Commented:
Can you give some more detail on the setup. Is it like this:

Internet
|
|
Router (WAN IP:200.200.200.201 LAN IP: 10.0.0.1) NAT
|
|
Windows 2000 Server NIC 2: IP: 10.0.0.2
Windows 2000 Server NIC 1: 192.168.0.2

Note: all ip addresses made up

If it's set up like this, I can see the problem, but please clarify before we go any further.

0
NeilDavis (Author) Commented:
Yep, it's like that.

Internet----Router (WAN IP xxx.xxx.xxx.xxx--LAN 192.168.0.1)----Server NIC2 192.168.0.2---ISA SERVER---Server NIC1 10.0.0.1----PC to get to 10.0.0.15

I can open the ports as Robing66066 suggests but that won't get me to the PC.  The ports need to be forwarded to the PC.


0
Robing66066 Commented:
Sorry, I should have been more clear.

On your router, you should have the ability to set up a reverse proxy, sometimes called a conduit or virtual server.  That means that an address on the outside of the device maps to an address on the inside of the device.  You can usually choose between configuring it to allow all ports in, or just some.  You want just some, if possible.

Although your router may not have this ability (though I would be shocked), the ISA server certainly does.  You can set it up as outlined in the link provided by bbao.  (http://support.microsoft.com/?id=kb;en-us;304350 )

So, what you want to do is this.  On your router, set up a conduit between the WAN IP and Server NIC2 (192.168.0.2).  For that conduit, allow the PCAnywhere ports to pass.  (5631 and 5632).  That will get you to the ISA Server.

From the ISA server, set up the filter (conduit) for the workstation (10.0.0.15) as outlined in the above link.  

That should get you there.  The person on the outside will set PCAnywhere to connect to the WAN IP address.  The router will forward that to the ISA server and the ISA server will forward that to the PC.  Should work fine.

Good luck!
0
cannon1000 Commented:
The author should be aware that this allows anyone with PCAnywhere to connect to that PC as well.  

Opening up and redirecting these well known ports is like locking the door on your house but leaving the back windows unlocked.  The only defense would be PCAnywhere's authentication.
0
Robing66066 Commented:
Agreed.   (Although PCAnywhere will now accept Windows username/passwords too...)
0
bbao (IT Consultant) Commented:
agreed too. IMO, i think NeilDavis may try one or all of the following methods:

1. change default listening port of pcanywhere, although it is not a way to prevent risk at all, at least it is a trick to prevent newbies. ;-)
2. use VPN. of course, it needs a lot for both remote side and internal side, but the outcome should be much safer.

as for MSKB Q304350, it is for pcAnywhere Hosted on ISA Server 2000, not for those PCs behind the ISA, to do for the 2nd scenario, the following KB articles are helpful although they are not for pcanywhere directly (just replace the port number of TS to those of pcanywhere):

http://support.microsoft.com/?id=kb;en-us;275210
http://support.microsoft.com/?id=kb;en-us;294720

hope it helps,
bbao
0
NeilDavis (Author) Commented:
bbao \ Robing66066 \ and everyone.  All the MS docs I've read including those above assume you are trying to get to your server and no further...294720 starts....

"This article describes how to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server"

Where the ISA is also running terminal server...eg on the same box.

As it stands we have one W2K server that runs ISA server on it as well.  I can already get to this and don't use the standard TCP \ UDP port config for pcany.  I just can't get past it....maybe it can't be done.
0
NeilDavis (Author) Commented:
I've just read a bit more of 294720 and it talks about internal servers...I will have a look at this...although I thought the whole process would be a bit easier!
0
bbao (IT Consultant) Commented:
quoted from Q294720:

"In the IP address of internal server field, enter the IP address of the internal server. If you want this rule to enable Terminal Server Access to the ISA server, type its Internal IP address. If this is for another computer *behind* the ISA server on the LAN, type that computer's IP address."

hope it helps,
bbao
0
Robing66066 Commented:
Sorry.  That was just stupidity on my part.  I didn't even read that all the way through, I just thought it would show you how to publish the application.

For the ISA side, you'll have to do this:

First, configure a protocol definition for PCAnywhere.  You can find how to do that here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_ProtocolSchem.asp

Once you have that in place, you should be able to publish the "server" (your workstation).  See this link for info on how to do that:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_ProtocolSchem.asp

and

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/cmt_h_reverseaction.asp

I think that should get you through it.  To test, start by publishing the PCAnywhere machine on the ISA server.  Place a PCAnywhere client in front of the ISA server and see if you can get through.  Then configure your outside router.  Place a PCAnywhere client in front of that and see if you can get through.

Sorry for the confusion.  That should work now...  (Sure hope so anyway!  Whew!)
0
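The two-hop forwarding worked out in this thread, as an added example that is not part of any participant's post: a small Python model that traces where a connection to the WAN address ends up with only the router rule versus with both hops published, and lists the rules that accept any source address. The `Forward` class, its `allowed_src` field and the `WAN_IP` placeholder are constructed for illustration (this is not Netgear or ISA Server syntax), and the TCP 5631 / UDP 5632 split is the commonly documented pcAnywhere default, which the thread itself does not spell out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    listen_ip: str             # address the device accepts the connection on
    proto: str                 # "tcp" or "udp"
    port: int
    to_ip: str                 # address the connection is handed on to
    allowed_src: str = "any"   # hypothetical field: "any" = every Internet host

def trace(rules, dst_ip, proto, port):
    """Follow forwarding rules hop by hop and return the addresses visited."""
    path = [dst_ip]
    while True:
        nxt = next((r.to_ip for r in rules
                    if (r.listen_ip, r.proto, r.port) == (path[-1], proto, port)),
                   None)
        if nxt is None or nxt in path:   # no rule on this hop, or a loop
            return path
        path.append(nxt)

def exposed(rules):
    """Rules that accept the port from any source address."""
    return [r for r in rules if r.allowed_src == "any"]

WAN = "WAN_IP"                           # placeholder for the router's public address
PORTS = [("tcp", 5631), ("udp", 5632)]   # assumed protocol split, see lead-in

# Hop 1 only: router forwards to the ISA server's external NIC (192.168.0.2).
router_only = [Forward(WAN, p, n, "192.168.0.2") for p, n in PORTS]
# Hop 1 + hop 2: ISA additionally publishes the workstation (10.0.0.15).
both_hops = router_only + [Forward("192.168.0.2", p, n, "10.0.0.15")
                           for p, n in PORTS]

def final_host(rules, proto="tcp", port=5631):
    """Last address a connection to the WAN IP reaches under these rules."""
    return trace(rules, WAN, proto, port)[-1]

if __name__ == "__main__":
    print("router rule only :", " -> ".join(trace(router_only, WAN, "tcp", 5631)))
    print("router + ISA rule:", " -> ".join(trace(both_hops, WAN, "tcp", 5631)))
    for r in exposed(both_hops):
        print("open to any source:", r.listen_ip, r.proto, r.port, "->", r.to_ip)
```

With the router rule alone the trace stops at 192.168.0.2, which is the situation the asker described; every rule listed by `exposed()` is one where pcAnywhere's own authentication is the only control in front of the workstation.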

NeilDavis (Author) Commented:
Guys having a usual flat out Mon morning I hope to test this as soon as I can!.....thanks for all your help!...
0
bbao (IT Consultant) Commented:
good luck!
0
NeilDavis (Author) Commented:
bbao \ Robing66066 thanks for your help here...in the end publishing the PC on the ISA server worked a treat!

I wanted to split the points here but again I can't work out how to do it!...
0
bbao (IT Consultant) Commented:
there is a "split" button above your answer field. or you may ask EE moderator to help you.
0