
PCanywhere...NAT or port forwarding or both?...I'm confused :(

Posted on 2003-12-04
Last Modified: 2013-11-16
We use PCanywhere to remotely look after one of our servers, which works fine.  I forward the ports from my Netgear router to the server and open the ports on our ISA server (installed on our only server, W2K, 2 network cards, one LAN side, one WAN side)...works a treat.

However we now need to install PCanywhere on a PC on the LAN side and I can't work out how to get to it! (remotely)....If I open a different set of ports on the router I can't forward them to the PC because it's on the LAN side of the server.  How can I get to it???? It has to pass through the server (W2K with ISA) and then forward on to the PC.  Now this is where I'm confused..I know the RRAS has some kind of NAT bit in it...so do I need to forward the ports again to the PC???....I've got a headache now.
Question by:NeilDavis
17 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 9876216
Open the ports from the router to the server.  Then open the ports from the server to the workstation.  It's a bit messy, but should get you there.
0
 

Expert Comment

by:cannon1000
ID: 9876416
You may want to look at "Conferencing" on PCAnywhere....

I would suggest that you really reconsider using PCA to remotely manage your servers....not the most secure way to do it.  We decided to use GoToMyPC on our servers because it does not require any port forwarding...the traffic is encrypted....the response time is much better and I can manage as many or as few PCs and servers as I want from anywhere I need.

The other advantage is you can access these servers from anywhere...if you were at your friend's house and needed to check on them....you could, without any software.  It is also 100% secure, with no risk to your servers or your LAN.

http://www.gotomypc.com

Chris
0
 
LVL 37

Expert Comment

by:bbao
ID: 9876432
this MSKB article may help:

How to Configure Packet Filtering for pcAnywhere Hosted on ISA Server 2000
http://support.microsoft.com/?id=kb;en-us;304350
0
 
LVL 9

Expert Comment

by:drev001
ID: 9877311
Can you give some more detail on the setup. Is it like this:

Internet
|
|
Router (WAN IP:200.200.200.201 LAN IP: 10.0.0.1) NAT
|
|
Windows 2000 Server NIC 2: IP: 10.0.0.2
Windows 2000 Server NIC 1: 192.168.0.2

Note: all ip addresses made up

If it's set up like this, I can see the problem, but please clarify before we go any further.

0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9881166
Yep, it's like that.

Internet----Router (WAN IP xxx.xxx.xxx.xxx--LAN 192.168.0.1)----Server NIC2 192.168.0.2---ISA SERVER---Server NIC1 10.0.0.1----PC to get to 10.0.0.15

I can open the ports as Robing66066 suggests but that won't get me to the PC.  The ports need to be forwarded to the PC.


0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9882748
Sorry, I should have been more clear.

On your router, you should have the ability to set up a reverse proxy, sometimes called a conduit or virtual server.  That means that an address on the outside of the device maps to an address on the inside of the device.  You can usually choose between configuring it to allow all ports in, or just some.  You want just some, if possible.

Although your router may not have this ability (though I would be shocked), the ISA server certainly does.  You can set it up as outlined in the link provided by bbao.  (http://support.microsoft.com/?id=kb;en-us;304350 )

So, what you want to do is this.  On your router, set up a conduit between the WAN IP and Server NIC2 (192.168.0.2).  For that conduit, allow the PCAnywhere ports to pass.  (5631 and 5632).  That will get you to the ISA Server.

From the ISA server, set up the filter (conduit) for the workstation (10.0.0.15) as outlined in the above link.  

That should get you there.  The person on the outside will set PCAnywhere to connect to the WAN IP address.  The router will forward that to the ISA server and the ISA server will forward that to the PC.  Should work fine.

Good luck!
0
 

Expert Comment

by:cannon1000
ID: 9883144
The author should be aware that this allows anyone with PCAnywhere to connect to that PC as well.  

Opening up and redirecting these well known ports is like locking the door on your house but leaving the back windows unlocked.  The only defense would be PCAnywhere's authentication.
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9883160
Agreed.   (Although PCAnywhere will now accept Windows username/passwords too...)
0
 
LVL 37

Expert Comment

by:bbao
ID: 9883411
agreed too. IMO, i think NeilDavis may try one or all of the following methods:

1. change default listening port of pcanywhere, although it is not a way to prevent risk at all, at least it is a trick to prevent newbies. ;-)
2. use VPN. of course, it needs a lot for both remote side and internal side, but the outcome should be much safer.

as for MSKB Q304350, it is for pcAnywhere Hosted on ISA Server 2000, not for those PCs behind the ISA. for the 2nd scenario, the following KB articles are helpful although they are not for pcanywhere directly (just replace the port number of TS with those of pcanywhere):

http://support.microsoft.com/?id=kb;en-us;275210
http://support.microsoft.com/?id=kb;en-us;294720

hope it helps,
bbao
0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9883514
bbao \ Robing66066 \ and everyone.  All the MS docs I've read including those above assume you are trying to get to your server and no further...294720 starts....

"This article describes how to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server"

Where the ISA is also running terminal server...eg on the same box.

As it stands we have one W2K server that runs ISA server on it as well.  I can already get to this and don't use the standard TCP \ UDP port config for pcany.  I just can't get past it....maybe it can't be done.
0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9883535
I've just read a bit more of 294720 and it talks about internal servers...I will have a look at this...although I thought the whole process would be a bit easier!
0
 
LVL 37

Expert Comment

by:bbao
ID: 9883544
quoted from Q294720:

"In the IP address of internal server field, enter the IP address of the internal server. If you want this rule to enable Terminal Server Access to the ISA server, type its Internal IP address. If this is for another computer *behind* the ISA server on the LAN, type that computer's IP address."

hope it helps,
bbao
0
 
LVL 7

Accepted Solution

by:
Robing66066 earned 1000 total points
ID: 9883699
Sorry.  That was just stupidity on my part.  I didn't even read that all the way through, I just thought it would show you how to publish the application.

For the ISA side, you'll have to do this:

First, configure a protocol definition for PCAnywhere.  You can find how to do that here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_ProtocolSchem.asp

Once you have that in place, you should be able to publish the "server" (your workstation).  See this link for info on how to do that:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_ProtocolSchem.asp

and

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/cmt_h_reverseaction.asp

I think that should get you through it.  To test, start by publishing the PCAnywhere machine on the ISA server.  Place a PCAnywhere client in front of the ISA server and see if you can get through.  Then configure your outside router.  Place a PCAnywhere client in front of that and see if you can get through.

Sorry for the confusion.  That should work now...  (Sure hope so anyway!  Whew!)
0
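
The two-stage test described in the accepted answer (first from in front of the ISA server, then from in front of the router), as an added example that is not part of the original thread: a small TCP probe that separates "refused" from "no reply", which shows whether a hop forwarded the connection at all. The addresses in the usage comment are the ones quoted in the thread; the function names and the hint wording are this example's own.

```python
import socket
import sys

PCA_DATA_PORT = 5631  # pcAnywhere data port from the thread (TCP)
# 5632, the other port named in the thread, is pcAnywhere's UDP status
# port; a TCP connect cannot test it, so it is not probed here.

# What each outcome suggests about the hop under test (this example's reading).
HINTS = {
    "open": "forwarding works up to a listening host",
    "refused": "a host answered with a reset: nothing listens on that port there",
    "filtered": "no reply: a missing forward/publishing rule, or a drop",
    "unreachable": "no route to that address from this vantage point",
}

def probe(host, port=PCA_DATA_PORT, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"

def report(stage, host, port=PCA_DATA_PORT, timeout=3.0):
    """Return one line describing a test stage and its outcome."""
    result = probe(host, port, timeout)
    return f"{stage}: {host}:{port} {result} ({HINTS[result]})"

if __name__ == "__main__":
    # Usage: python pca_stage.py <stage-name> <address> [port]
    # Run once per vantage point, in the order the answer gives:
    #   in front of the ISA server:  isa     192.168.0.2
    #   in front of the router:      router  <WAN IP>
    stage, host = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else PCA_DATA_PORT
    print(report(stage, host, port))
```

If the ISA stage reports "open" and the router stage reports "filtered", the router forward is the piece to check; "filtered" at the ISA stage points at the publishing rule instead.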
 
LVL 1

Author Comment

by:NeilDavis
ID: 9895507
Guys having a usual flat out Mon morning I hope to test this as soon as I can!.....thanks for all your help!...
0
 
LVL 37

Expert Comment

by:bbao
ID: 9895539
good luck!
0
 
LVL 1

Author Comment

by:NeilDavis
ID: 9940828
bbao \ Robing66066 thanks for your help here...in the end publishing the PC on the ISA server worked a treat!

I wanted to split the points here but again I can't work out how to do it!...
0
 
LVL 37

Expert Comment

by:bbao
ID: 9942358
there is a "split" button above your answer field. or you may ask EE moderator to help you.
0
