NeilDavis

PCanywhere...NAT or port forwarding or both?...I'm confused :(

We use PCanywhere to remotely look after one of our servers which works fine.  I forward the ports from my Netgear router to the server and open the ports on our ISA server (installed on our only server W2K 2 network cards one LAN side one WAN side)...works a treat.

However we now need to install pcanywhere on a PC on the LAN side and I can't work out how to get to it! (remotely)....If I open a different set of ports on the router I can't forward them to the PC because it's on the LAN side of the server.  How can I get to it???? It has to pass through the server (W2K with ISA) and then forward on to the PC.  Now this is where I'm confused..I know the RRAS has some kind of NAT bit in it...so do I need to forward the ports again to the PC???....I've got a headache now.
Robing66066

Open the ports from the router to the server.  Then open the ports from the server to the workstation.  It's a bit messy, but should get you there.
You may want to look at "Conferencing" on PCAnywhere....

I would suggest that you really reconsider using PCA to remotely manage your Servers....not the most secure way to do it.  We decided to use GoToMyPC on our servers because it does not require any port forwarding...the traffic is encrypted....the response time is much better and I can manage as many or as few PCs and servers as I want from anywhere I need.

The other advantage is you can access these servers from anywhere...if you were at your friend's house and needed to check on them....you could, without any software.  It is also 100% secure, with no risk to your servers or your LAN.

http://www.gotomypc.com

Chris
bbao

this MSKB article may help:

How to Configure Packet Filtering for pcAnywhere Hosted on ISA Server 2000
http://support.microsoft.com/?id=kb;en-us;304350
Can you give some more detail on the setup. Is it like this:

Internet
|
|
Router (WAN IP:200.200.200.201 LAN IP: 10.0.0.1) NAT
|
|
Windows 2000 Server NIC 2: IP: 10.0.0.2
Windows 2000 Server NIC 1: 192.168.0.2

Note: all IP addresses made up

If it's set up like this, I can see the problem, but please clarify before we go any further.

NeilDavis (ASKER)

Yep it's like that.

Internet----Router (WAN IP xxx.xxx.xxx.xxx--LAN 192.168.0.1)----Server NIC2 192.168.0.2---ISA SERVER---Server NIC1 10.0.0.1----PC to get to 10.0.0.15

I can open the ports as Robing66066 suggests but that won't get me to the PC.  The ports need to be forwarded to the PC.


Sorry, I should have been more clear.

On your router, you should have the ability to set up a reverse proxy, sometimes called a conduit or virtual server.  That means that an address on the outside of the device maps to an address on the inside of the device.  You can usually choose between configuring it to allow all ports in, or just some.  You want just some, if possible.

Although your router may not have this ability (though I would be shocked), the ISA server certainly does.  You can set it up as outlined in the link provided by bbao.  (http://support.microsoft.com/?id=kb;en-us;304350 )

So, what you want to do is this.  On your router, set up a conduit between the WAN IP and Server NIC2 (192.168.0.2).  For that conduit, allow the PCAnywhere ports to pass.  (5631 and 5632).  That will get you to the ISA Server.

From the ISA server, set up the filter (conduit) for the workstation (10.0.0.15) as outlined in the above link.  

That should get you there.  The person on the outside will set PCAnywhere to connect to the WAN IP address.  The router will forward that to the ISA server and the ISA server will forward that to the PC.  Should work fine.

Good luck!
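
The two-hop forwarding described in the post above, modelled as an added example that is not part of the original thread. It traces where an inbound pcAnywhere connection ends with and without the second rule on the ISA server, and lists which LAN hosts the WAN-side rules expose. The WAN address is a placeholder, the /24 LAN mask and the TCP 5631 / UDP 5632 split are assumptions, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class Forward(NamedTuple):
    proto: str      # "tcp" or "udp"
    port: int       # port the forwarding device listens on
    to_ip: str      # next hop the traffic is handed to
    to_port: int

def trace(devices, ip, proto, port, max_hops=8):
    """Follow one inbound connection hop by hop; return the host and port where it ends."""
    for _ in range(max_hops):
        rule = next((r for r in devices.get(ip, [])
                     if (r.proto, r.port) == (proto, port)), None)
        if rule is None:            # no matching rule: traffic stops on this host
            return ip, port
        ip, port = rule.to_ip, rule.to_port
    raise RuntimeError("forwarding loop")

def exposed(devices, wan_ip, lan):
    """List every WAN-side listener whose traffic ends on a host inside `lan`."""
    net = ipaddress.ip_network(lan)
    hits = []
    for r in devices.get(wan_ip, []):
        end_ip, end_port = trace(devices, wan_ip, r.proto, r.port)
        if ipaddress.ip_address(end_ip) in net:
            hits.append((r.proto, r.port, end_ip, end_port))
    return hits

WAN = "203.0.113.10"                  # placeholder; the thread masks the real WAN IP
ISA_EXT = "192.168.0.2"               # Server NIC2, as posted in the thread
PC = "10.0.0.15"                      # workstation behind ISA, as posted in the thread
PCA = [("tcp", 5631), ("udp", 5632)]  # pcAnywhere ports named in the thread (protocol split assumed)

def build(publish_on_isa):
    """Constructed rule set: router forward only, or router forward plus ISA publishing."""
    devices = {WAN: [Forward(p, n, ISA_EXT, n) for p, n in PCA]}
    if publish_on_isa:
        devices[ISA_EXT] = [Forward(p, n, PC, n) for p, n in PCA]
    return devices

if __name__ == "__main__":
    for publish in (False, True):
        d = build(publish)
        print(publish, trace(d, WAN, "tcp", 5631), exposed(d, WAN, "10.0.0.0/24"))
```

With only the router rule the connection stops on the ISA server's external NIC; with both rules it ends on the workstation, and `exposed` reports that host as reachable from the WAN side.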
The author should be aware that this allows anyone with PCAnywhere to connect to that PC as well.  

Opening up and redirecting these well-known ports is like locking the door on your house but leaving the back windows unlocked.  The only defense would be PCAnywhere's authentication.
Agreed.   (Although PCAnywhere will now accept Windows username/passwords too...)
agreed too. IMO, I think NeilDavis may try one or all of the following methods:

1. change default listening port of pcanywhere, although it is not a way to prevent risk at all, at least it is a trick to prevent newbies. ;-)
2. use VPN. of course, it needs a lot for both remote side and internal side, but the outcome should be much safer.

as for MSKB Q304350, it is for pcAnywhere Hosted on ISA Server 2000, not for those PCs behind the ISA. to do the 2nd scenario, the following KB articles are helpful although they are not for pcanywhere directly (just replace the port number of TS with those of pcanywhere):

http://support.microsoft.com/?id=kb;en-us;275210
http://support.microsoft.com/?id=kb;en-us;294720

hope it helps,
bbao
bbao \ Robing66066 \ and everyone.  All the MS docs I've read including those above assume you are trying to get to your server and no further...294720 starts....

"This article describes how to Server Publish a Windows 2000 Terminal Server on a private Intranet to the Internet via Internet Security and Acceleration Server (ISA) where the ISA server is also running Terminal Server"

Where the ISA is also running terminal server...e.g. on the same box.

As it stands we have one W2K server that runs ISA server on it as well.  I can already get to this and don't use the standard tcp \ udp port config for pcany.  I just can't get past it....maybe it can't be done.
I've just read a bit more of 294720 and it talks about internal servers...I will have a look at this...although I thought the whole process would be a bit easier!
quoted from Q294720:

"In the IP address of internal server field, enter the IP address of the internal server. If you want this rule to enable Terminal Server Access to the ISA server, type its Internal IP address. If this is for another computer *behind* the ISA server on the LAN, type that computer's IP address."

hope it helps,
bbao
ASKER CERTIFIED SOLUTION
Robing66066

This solution is only available to members.
Guys having a usual flat out Mon morning I hope to test this as soon as I can!.....thanks for all your help!...
good luck!
bbao \ Robing66066 thanks for your help here...in the end publishing the PC on the ISA server worked a treat!

I wanted to split the points here but again I can't work out how to do it!...
there is a "split" button above your answer field. or you may ask EE moderator to help you.