Solved

Windows 2003 Server unable to see in or out behind a firewall (even with open access rules).

Posted on 2004-08-26
12
350 Views
Last Modified: 2010-04-11
Our Windows 2003 Server has 2 gigabit ethernet cards. We use one and have 2 IP addresses assigned to it. We don't use NAT and we've tried turning off/on the integrated firewall with the 2003 server. The server, when connected directly to the network, will function properly and see in and out. When we turn on the integrated firewall, it still works fine (we keep http/https open). We then put up a Sonicwall firewall and the computer was unable to see in or out. The Sonicwall has one wan and one lan port (Soho3). The lan port connects to a separate switch where the the servers all connect to. We have 2 other Windows 2000 servers that operate correctly behind this Sonicwall (i.e. they can see in and out) through this switch which traverses through the firewall.

At first we thought the firewall went bad and replaced it with another functioning unit that had 3 built in ports (Soho 10) and we got the same problem. The Windows 2003 server solely can not see in or out. The IP address (each computer has it's own non-conflicting ip address), subnet mask, and gateway are all the same in all locations (the two Windows 2000 servers, the Windows 2003 server, and the firewall's own settings). To make sure that there were no rules that conflicted, we deleted all the rules and set 2 simple rules to allow all traffic inbound and outbound with no port restrictions. The Windows 2000 servers operate perfectly. These network connections are through a colo-center directly into their switch (no dsl/cable, etc).  We also tried using the other ethernet card on the 2003 server (and the ip addresses of both ethernet cards are different - the other settings are the same in terms of subnet mask and gateway). This didn't work either.

We also tried an experiment of putting the Windows 2000 servers behind the firewall (no rules) and the Windows 2003 on a separate direct network connection to the colo's switch. The firewalled machines were able to see out to any website EXCEPT our own website which was on the same network. To make sure that the 2003 machine was not down, we went to an outside machine on a different subnet and connected directly to our website. We then tried from the Windows 2003 server and it too could see any machine except the Windows 2000 machines (behind the firewall). We also tried to ping the machines behind the 'open' firewall and it could not reach them. We tried from an outside machine to ping the Windows 2000 machines and it could.  We tried to ping the Windows 2000 machines and it could (from the outside machine). We're confused as to why the Windows 2003 will work ONLY when connected directly to the network but not behind the firewall and less importantly, why these machines can't see each other. We didn't want to put the Windows 2000 machines directly on the network without a firewall due to having previous issues with hackers. The Windows 2003 machine at least has the built in firewall, so we felt more comfortable in leaving it on a direct connection. We're sure if they are all on the same network with no firewall, they'd probably see each other. So, it would seem that the firewall is the issue, but given that the two firewalls work fine with other servers and computers (both of the firewalls was actively pulled from different networks that had a mix of workstations and servers), it seems the firewalls aren't the problem, but rather it's a configuration issue with Windows 2003 server. Since the network configuration pages are very similar to Windows 2000, we set them up alike (obviously with different IP's). We aren't sure if we're missing something. We are looking for possible reasons/solutions to make the Windows 2003 server work behind a firewall appliance (not using it's own built-in firewall). Thank you.


0
Comment
Question by:matrixracing
12 Comments
 
LVL 7

Expert Comment

by:wparrott
ID: 11909483
To me, it sounds like your NICs are the problem, not the switch or the firewall. Try forcing the speed of the NIC on the Win2k3 server to 100Mbit in the Advanced tab (while viewing the properties of the connection, click configure next to the NIC). One of the options should be to set the connection speed, duplex settings, etc.
0
 
LVL 2

Expert Comment

by:brian_appliedcpu
ID: 11918975
There is a classic issue with your network design.
You have two cards that are independent devices and you have configured them as two doors into one adjacent room.
Basically you cannot do that.
If you want to use them in load balancing or fail-over mode, then use the utils to set that up.
If you have two networks then it is allowed, else you will need to turn one off.

Nic 1

ip 192.168.1.2
sm 255.255.255.0
gw ip address of the soho
dns ip of the dns server or itself if it has dns running on it or the ip of the soho if it has dns capabilities,however this can be a problem for internal resolutions....so it is best to use an internal dns server.

Nic 2 (if seperate network)
ip 192.168.2.2
sm 255.255.255.0
gw empty if that network does not have a router else nic one needs to be empty and you put the routers ip here
dns as above

0
 

Author Comment

by:matrixracing
ID: 11919032
Thanks for both of your answers. I have yet to try this, but I will in the next couple days.

wparrot: The setting is currently on "auto detect." The choices are 10mb/s half or full duplex and 100mb/s half or full duplex. I assume you mean to forced it at 100mb/s. Assuming the second answer works below, it might be best to leave it at auto detect.

brian_appliedcpu: I assume your IP's are for example (not nat related as we use straight external IP's). Yes, you're right. Both NICs have the network settings of being on the same subnet and gateway, just differnet IP's (one NIC has .182, .183 in the last octet, and the other has .188), The second one is not used (it has a red X on it since it has no connection). This still would conflict? There is only one network, hence no need to run the other NIC. Should we blank out the settings or disable it in the bios (they are both onboard nics).  The other two W2k servers have only single NICs and work fine.



0
 
LVL 2

Expert Comment

by:brian_appliedcpu
ID: 11921087
Yes you are correct, set the card to disabled even in windows is fine.
Be sure to clear out the settings first, as windows will try to hang on to this information.
Turning it off in the bios is a good idea also, but not necessary.

Multihomed master browser may cause Event ID 8021 and 8032
http://support.microsoft.com/default.aspx?scid=kb;en-us;135404&Product=win2000

Why are you not using NAT, you should be at least using Static NAT.  To put a server out on it's own is crazy.  You cannot turn off all the ports a 2000 server uses as you will criple the server.
At a cmd prompt type netstat -a displays all connections and listening ports.

Can you post your   (xxx out the first two octets of the ip, gw and dns)
IP xxx.xxx.    .
SM
GW
DNS
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 5

Accepted Solution

by:
web4net earned 250 total points
ID: 11938275
MatrixRacing:

It is YudaVision speaking.

I suggest you give brian's idea a try.

I have checked your Motherboard's specs. Your NIC supports Gigabit Ethernet.

• Dual Port Intel® 82546EB Gigabit Ethernet
• Supports 10BASE-T, 100BASE-TX, and 1000BASE-T, RJ45 output

I left you a V.M. Call me when you get a chance.

(I have a meeting with Ivette tomorrow)
0
 

Author Comment

by:matrixracing
ID: 11948189
We're using external addresses due to the fact that commerce website has hard-coded IP address entries in the asp scripts. Not the most elegant programming, but we have to live with it for now until we get a new site made. We previously were using a firewall on the 2000 servers closing off all ports and selectively opening some with IP address restrictions. But the 2003 server has been a problem working behind a firewall (except using it's own built in one).

IP xxx.xxx.173.182
SM 255.255.255.0
GW xxx.xxx.173.1
DNS 206.116.241.10

I tried your solution of disabling changing the IP information of the second NIC to an internal IP (completely different than the other NIC) and then disabling the NIC altogether. I also rebooted the machine and went into the BIOS to see if I could disable the NIC, but there wasn't any area there to do that. I also tried wparrot's solution of forcing the card into 100 mb/s or 10 mb/s mode in both full or half duplex. It didn't seem to make a difference in the machines ability to see in our out.  After trying the solution of disabling the NIC through the control panel, I then tried to put it behind the firewall. The computer was able to see the other two W2k servers and vice versa. It was also able to go out to the internet and see any website. The problem was that the outside world couldn't see the Windows 2003 server behind the firewall.  We couldn't ping it from outside the firewall. Inside the firewall, it was reachable from the other two servers that were behind it. The rules on the firewall are set to allow all traffic in and out on all ports. So, it's still a mystery. We're using one connection to the colo's switch (which is at 100 mb/s) and using a switch to divide the traffic. The 2003 server is in front of the firewall, the firewall connects to the same switch and the other two machines are behind the firewall. This the only way we can have all 3 running at the same time. The problem is they can't see each other and ultimately, we'd like to put the Windows 2003 server behind the firewall as the firewall device is much better than the one installed with the OS.

Any other ideas? Thank you.
0
 
LVL 2

Assisted Solution

by:brian_appliedcpu
brian_appliedcpu earned 250 total points
ID: 11948350
The firewall is set to allow the traffic in and out but does it know where to send it once it gets there?
By this I mean is there a route statement?
How can the firewall route the traffic from the outside interface to the inside interface using the same IP address?
Normally one would need to translate from public to private or if it was just a router, then you could route the entire block thru but the network on the outside of the router cannot be the same network as on the inside of the network.  It violates the rules of routing.

Public IP Network --------Firewall or Router-------- Private Network Hub/Switch ---Servers
or
Public IP Router Provided by ISP -----------Hub/Switch ------Servers
0
 
LVL 2

Expert Comment

by:brian_appliedcpu
ID: 12578223
I believe he was given sufficient information to at least test out the proposed solutions.
I tried to give him a basic understanding of routing.
0
 

Author Comment

by:matrixracing
ID: 12708798
Apologies for the lack of replies. The answer lie in the firewall. The Windows 2003 machine needed explicit rules to its IP vs. the blanket "*" rule when used for blocks of IPs. This was found out within extensive tech support with a level 2 tech support person. They initially they thought the firewall had a problem and it's firmware was cleared and reinstalled, but they didn't fix the problem. They didn't have a good explanation why as the Windows 2000 machines would work with blanket ranges and the 2003 machine would not. When we applied a single IP and referenced the rules to the IP, it worked after that. We had tried the other alternatives described above and none fixed it. I thank you for your help and this thread can be closed and points split accordingly.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now