instyle


Open port on Server 2003 & SBS 2003

Hi,

I have a Windows Server 2003 & a Windows Small Business Server 2003, that both appear to be blocking a port that I need to open.

I didn't know that the servers had a built in firewall, until I dug deep and found the GPO that mentioned a firewall.  I have been doing some reading and I think I am running an IPSec policy that is the main culprit of my port blocking.

The situation is as follows:
The Server 2003 connects to the net through the SBS 2003 server, as it is the dns server and domain controller.  I have cisco vpn software installed on the Server 2003 machine, and I can connect to the required site using the VPN software, but I can't access port 7685 (required for the site I am connecting to).  So, if I can connect, obviously it is not the VPN software that is being blocked, but rather port 7685.

How do I open port 7685 (or any port for that matter) on both Server 2003 and SBS 2003?

If you need more info to answer this question, please be specific and I'll get the answers for you.

Thanks for your help.
rjropes

Hi

If you're talking about the Windows firewall, then on a server this isn't normally turned on if it is doing things like Active Directory and DNS and things like that.

If you want to add specific exclusions and leave it on however, you go to network connection >> properties of the connection that you want to edit >> advanced >> settings >> exceptions and add a program definition that will open the ports needed

Richard
instyle (ASKER)

Nope, I'm not talking about the windows firewall.  SBS 2003 doesn't even have the firewall option on each network connection.

I believe the ports are being blocked by some default group policy or security policy. I tried looking it up in the help file but I didn't know exactly what I was looking for and none of the stuff in there worked for me.
OK then. If you go into the network connection, and then into TCP/IP properties, Advanced, highlight TCP/IP filtering and Options, then can you see what ports are open and closed in here? If not then it will probably be filtering down through group policy.

If you grab a copy of the group management console from microsoft then you can run a group policy modelling which will let you show exactly what policies are pushed down to the machine. I'm not sure exactly where the options for closing and opening ports are but as far as I know the ipsec stuff doesn't do this

Richard
If you look in the IPSec settings in group policy, however, you can see which ports require authentication and things like that, but I am unsure whether these are the settings that you need to change.

Which group policy setting mentions the firewall, as I know the one under admin tools >> network >> windows firewall will force the settings that I mentioned above. If you drill down in the gpresult then you will be able to see which setting is forcing the firewall on, and be able to add an exception for the port in there. It's in the 'define program exceptions' section

Richard
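The post above names three separate places on a Server 2003 host where a port can be filtered (TCP/IP filtering, an assigned IPsec policy, Windows Firewall) and suggests gpresult to find the GPO behind the firewall settings. The script below is an added example by the editor, not code from the thread or from Microsoft; it walks those checks in one pass. It assumes Windows PowerShell 2.0 (available for Server 2003 SP2) in an administrative session, and `$Port` is taken from the question. One caveat worth keeping in mind while reading the thread: Windows Firewall on 2003 SP1 filters inbound connections only, so an outbound telnet from this server to a remote port over the VPN is not affected by its exception list; exceptions only matter if this server must accept connections on that port.

```powershell
# Added example (not from the original thread): triage the three mechanisms on a
# Windows Server 2003 host that can filter a port, then find the GPO behind the
# Windows Firewall settings. Assumes PowerShell 2.0 and an admin session.
$Port = 7685   # from the question

# 1. TCP/IP filtering. The dialog the asker checked reads these registry values:
#    a global switch plus a per-interface allow-list, where "0" means Permit All.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$filtering = Get-ItemProperty -Path $tcpip -Name EnableSecurityFilters -ErrorAction SilentlyContinue
if ($filtering -and $filtering.EnableSecurityFilters -eq 1) {
    'TCP/IP filtering is ENABLED; per-interface TCP allow-lists:'
    Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
        $iface = Get-ItemProperty $_.PSPath
        if ($iface.TCPAllowedPorts -and -not ($iface.TCPAllowedPorts -contains '0')) {
            "  $($_.PSChildName): only inbound TCP $($iface.TCPAllowedPorts -join ', ') allowed"
        }
    }
} else {
    'TCP/IP filtering is off (matches the unticked box in the thread).'
}

# 2. IPsec. A policy assigned through the domain can block or force negotiation
#    on specific ports, and nothing in the network connection UI shows it.
'--- IPsec policies (an "Assigned : YES" line means one is active) ---'
netsh ipsec static show policy all | Select-String -Pattern 'Policy Name|Assigned'

# 3. Windows Firewall (2003 SP1). It filters INBOUND traffic only; an outbound
#    telnet to a remote port is never blocked here, so exceptions matter only
#    if this server has to ACCEPT connections on $Port.
'--- Windows Firewall state and port exceptions ---'
netsh firewall show state
netsh firewall show portopening

# 4. Which GPO delivers the firewall settings. gpresult /v prints each applied
#    computer setting with the registry KeyName it writes and, on the line
#    before it, the GPO it came from; firewall keys contain "WindowsFirewall".
'--- Firewall settings applied by Group Policy ---'
gpresult /scope computer /v | Select-String -Pattern 'GPO: |WindowsFirewall'

# 5. Only if an inbound listener on $Port is genuinely required, open it locally.
#    If the domain GPO sets "Windows Firewall: Define port exceptions" and
#    "Windows Firewall: Allow local port exceptions" is Disabled, this local
#    change is ignored and the port has to go into the GPO's list instead.
netsh firewall add portopening protocol=TCP port=$Port name="App port $Port" mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall show portopening | Select-String -Pattern "^\s*$Port\s"
```

Run it on the Server 2003 box first; if step 2 shows an assigned policy, `netsh ipsec static show all` prints its filter lists and actions, which is the quickest way to confirm or rule out the asker's IPsec theory before touching Group Policy.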
instyle (ASKER)

I have gone into network connections as you suggested and under tcp/ip filtering I have the following settings:

 - (Unticked) Enable TCP/IP Filtering (All Adapters)
 - TCP Ports - Permit All
 - UDP Ports - Permit All
 - IP Protocols - Permit All
So that doesn't really show me which things are blocked or unblocked.  I'm assuming that TCP/IP filtering isn't turned on because the Enable TCP/IP Filtering box was unticked.

I suppose this leaves me back at group policy (which I am finding very confusing).

I've downloaded the group policy management console and opened it.  I've found the group policy that relates to the windows firewall :)  and it does say that the firewall is active for all network connections.  I've added in exceptions to the group policy but unfortunately it hasn't changed my situation.  I still can't get through the firewall.

The firewall settings I changed were in:
Group Policy Editor
  ->Small Business Server Windows Firewall
     -> Computer Configuration
        -> Administrative Templates
          -> Network
            -> Network Connections
              -> Windows Firewall
                 -> Domain Profile

I must be getting close to cracking this problem.  Has anyone got any other pointers?
Well to start with, I know that it's not the answer, but to ensure that you're looking at the right part, force the firewall off in group policy.

If you're worried about this affecting other machines on your network, just create a new group policy object and link it to the OU where the server resides, make it enforced, remove Authenticated Users from the permissions group, and just add in the server with the Read and Apply Group Policy security rights, then disable the firewall in that.

Did you just drill down in the console to get the settings, or did you run the group policy results or the group policy modelling for the server?

If you run the modelling then you can type in the computername and grab which settings will run

If you run the modelling then you can do the same but it will also show you any local settings as well as group policy settings. You can then see which policies are getting applied, and it shows you which group policy object puts them in

Paste the results into the reply that you send (just the firewall parts)

Richard
instyle (ASKER)

I've tried disabling them like you said.  It doesn't seem to make any difference for the outcome of the program.

When I run the modelling it shows the firewall GPOs under the "Denied GPOs" section.  To disable them, I right clicked on the GPO and clicked "Unlink"; neither of the policies were "enforced" in the first place.  Am I disabling it correctly?

Here is a screen shot of the relevant part. http://205.234.161.156/gpo.jpg

To prove the windows firewall is off, I have also taken a screen shot of that: http://205.234.161.156/firewall.jpg

I'm not sure where else to go from here.  Any pointers?
ASKER CERTIFIED SOLUTION
rjropes
instyle (ASKER)

Oh, I've also just found the setting to completely disable the GPO, not just unlink it.

But again this hasn't really helped me.  I am going to do some further testing tomorrow to make sure though.
instyle (ASKER)

I'm not sure if the SBS server is running ISA, I don't have direct access to it at the moment because I am connecting to the Server 2003 through RDC.

Now I said the Server 2003 connects to the net through the SBS Server, well yes the default gateway setting on the Server 2003 server is set to the IP address of the SBS Server.

The VPN is trying to connect to an external site.  The vpn can connect most of the time but then I need to telnet into port 7568 and that fails.

I have been given a list of the ports I need to open for the whole thing to work properly and I have set these ports to enabled in
Group Policy Editor
  ->Small Business Server Windows Firewall
     -> Computer Configuration
        -> Administrative Templates
          -> Network
            -> Network Connections
              -> Windows Firewall
                 -> Domain Profile
However what I found very interesting was, when I did the netstat -a NONE of the ports were listed!  Do I have to run the programs then do netstat -a for the ports to show as open or listening or should they always be in the list?

Should I be listing the ports as exceptions somewhere else?
Right then, I think that we may have been looking in the wrong place then.

Try to find out for me whether the SBS server has ISA on it; we need to add some rules in there.

Richard
Right then. Thinking about it, you probably have ISA on your box if you are pointing your 2003 server at it to get to the internet.

What you need to do is:

Create a protocol definition in ISA for the VPN port.

Create an access rule for the computers that want to use this VPN.

This should let you get it through.

Sorry looks like we've been looking in the wrong place, was going to start quizzing you on firewall rules next

Richard
instyle (ASKER)

I'll try and get into the office some time in the next day or so to check out the "ISA".

Just to clarify the VPN stuff though.  The VPN is only connected on demand to submit reports to a remote office.  It doesn't stay connected all the time.  When the VPN connection has been made, we then telnet into port 7568.

I'll let you know about the ISA as soon as I can.

Thanks for your help thus far.  You're a legend!
instyle (ASKER)

rjropes, I'm going to be offline for the next week, so I'll repost here when I get back.  Sorry about that.
OK then, have a nice holiday.

A couple of things to check when you get back.

Establish the VPN (I presume that this is from the 2003 server).

With this, can you ping the IP address of the server that you need to?

Is the IP address the internal IP address of the server or the external one? The one that you should telnet to is the internal IP.

If the IP address is internal and you can't ping it, run a traceroute to it and see where it stops

This will prove that the VPN is set up correctly and you can get over the link to the other side. The ISA parts that I was asking about were mainly if the VPN was established on the SBS 2003 server rather than the 2003 server

Richard
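The check list above (establish the VPN, ping the far end's internal address, traceroute if ping fails, then telnet to the port) and the earlier question about why none of the ports appeared in `netstat -a` are both answered by the script below. It is an added example by the editor, not code from the thread, and it assumes Windows PowerShell 2.0 on the Server 2003 machine that dials the VPN. `$Target` is a placeholder for the remote office's internal address, and `$Port` is 7685 as stated in the question (a later post in the thread says 7568, so confirm which one the vendor's list actually gives before testing).

```powershell
# Added example (not from the original thread): verify a VPN path to a remote
# service step by step, then show what netstat does and does not list.
# Assumes PowerShell 2.0 on the server that dials the VPN. $Target is a
# placeholder for the far office's INTERNAL address; $Port is from the question.
$Target    = '10.0.0.5'
$Port      = 7685
$TimeoutMs = 3000

# 1. ICMP over the tunnel. A reply proves routing through the VPN works;
#    no reply is not conclusive if the far side filters ping.
$pinger = New-Object System.Net.NetworkInformation.Ping
$reply  = $pinger.Send($Target, $TimeoutMs)
"ping ${Target}: $($reply.Status), $($reply.RoundtripTime) ms"

# 2. If ping fails, see where packets stop. If the first hop is the SBS
#    gateway rather than the VPN adapter, the route never enters the tunnel,
#    which is a routing/ISA problem on the SBS side, not a port problem.
if ($reply.Status -ne 'Success') {
    'ping failed; tracing the route:'
    tracert -d -w $TimeoutMs $Target
}

# 3. TCP connect with a timeout (what "telnet host port" tests, minus the hang).
#    ConnectionRefused means the host was reached but nothing listens on $Port;
#    a timeout points at a silent drop somewhere on the path, including the
#    far end's firewall.
$client = New-Object System.Net.Sockets.TcpClient
$handle = $client.BeginConnect($Target, $Port, $null, $null)
if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
    try {
        $client.EndConnect($handle)
        "tcp ${Target}:${Port} is OPEN"
    } catch {
        "tcp ${Target}:${Port} failed: $($_.Exception.InnerException.SocketErrorCode)"
    }
} else {
    "tcp ${Target}:${Port} timed out after $TimeoutMs ms (filtered or unroutable)"
}

# 4. While the socket from step 3 is still open, it is visible locally. This is
#    the netstat point from the thread: an OUTBOUND destination port appears in
#    netstat only as an ESTABLISHED (or SYN_SENT) line while a connection is
#    in flight. It is never LISTENING on this server, because nothing here
#    listens on $Port; only the remote service does, so an empty netstat
#    before the program runs is normal and proves nothing about blocking.
'netstat entries for the port (empty if the connect failed):'
netstat -an | Select-String -Pattern ":${Port}\s"
$client.Close()
```

Read the three results together: ping fails and tracert stops at the SBS gateway means the VPN route is not in place; ping works but the TCP connect times out means the packets reach the far side and are dropped there or in between; a refusal means the path is fine and the remote service is simply not listening on that port.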
instyle (ASKER)

I've decided to get a computer company in to fix this problem up for me.  Troubleshooting is taking me hours and they'll probably be able to fix it in 15 minutes.

Thanks heaps for your help Richard.  You have been great.  I'm sure we would have got it eventually.