Windows 2003 Server unable to see in or out behind a firewall (even with open access rules).
Posted on 2004-08-26
Our Windows 2003 Server has 2 gigabit ethernet cards. We use one and have 2 IP addresses assigned to it. We don't use NAT and we've tried turning off/on the integrated firewall with the 2003 server. The server, when connected directly to the network, will function properly and see in and out. When we turn on the integrated firewall, it still works fine (we keep http/https open). We then put up a Sonicwall firewall and the computer was unable to see in or out. The Sonicwall has one WAN and one LAN port (Soho3). The LAN port connects to a separate switch where the servers all connect to. We have 2 other Windows 2000 servers that operate correctly behind this Sonicwall (i.e. they can see in and out) through this switch, which traverses through the firewall.
At first we thought the firewall went bad and replaced it with another functioning unit that had 3 built-in ports (Soho 10), and we got the same problem. The Windows 2003 server solely cannot see in or out. The IP address (each computer has its own non-conflicting IP address), subnet mask, and gateway are all the same in all locations (the two Windows 2000 servers, the Windows 2003 server, and the firewall's own settings). To make sure that there were no rules that conflicted, we deleted all the rules and set 2 simple rules to allow all traffic inbound and outbound with no port restrictions. The Windows 2000 servers operate perfectly. These network connections are through a colo-center directly into their switch (no dsl/cable, etc). We also tried using the other ethernet card on the 2003 server (and the IP addresses of both ethernet cards are different; the other settings are the same in terms of subnet mask and gateway). This didn't work either.
We also tried an experiment of putting the Windows 2000 servers behind the firewall (no rules) and the Windows 2003 on a separate direct network connection to the colo's switch. The firewalled machines were able to see out to any website EXCEPT our own website, which was on the same network. To make sure that the 2003 machine was not down, we went to an outside machine on a different subnet and connected directly to our website. We then tried from the Windows 2003 server, and it too could see any machine except the Windows 2000 machines (behind the firewall). We also tried to ping the machines behind the 'open' firewall and it could not reach them. We tried from an outside machine to ping the Windows 2000 machines and it could. We tried to ping the Windows 2000 machines and it could (from the outside machine). We're confused as to why the Windows 2003 will work ONLY when connected directly to the network but not behind the firewall and, less importantly, why these machines can't see each other. We didn't want to put the Windows 2000 machines directly on the network without a firewall due to having previous issues with hackers. The Windows 2003 machine at least has the built-in firewall, so we felt more comfortable in leaving it on a direct connection. We're sure if they are all on the same network with no firewall, they'd probably see each other. So, it would seem that the firewall is the issue, but given that the two firewalls work fine with other servers and computers (both of the firewalls were actively pulled from different networks that had a mix of workstations and servers), it seems the firewalls aren't the problem, but rather it's a configuration issue with Windows 2003 server. Since the network configuration pages are very similar to Windows 2000, we set them up alike (obviously with different IPs). We aren't sure if we're missing something.
We are looking for possible reasons/solutions to make the Windows 2003 server work behind a firewall appliance (not using its own built-in firewall). Thank you.