Solved

Unable to connect to FTP - RDC - TightVNC through VPN (Checkpoint firewall)

Posted on 2006-06-26
20
593 Views
Last Modified: 2012-05-05
I have a server at a COLO.  I have a Checkpoint firewall in place with VPN access.  I'm able to establish a VPN tunnel to the firewall and ping the server behind the firewall.  However, I'm unable to FTP to the server, connect to the server using RDC (the server is configured to allow remote connections), or connect to the server in order to administer it using TightVNC (the server services are running and configured correctly).

This is a new Dell server, fresh install Server 2003 R2 no internal firewall running (ICS services not running and disabled), and no third party firewall configured on the machine.

I can receive ping replies back from the server... just unable to access the server for remote administration.

Ideas?  This is an emergency project; I've assigned 500 points to this question.

Best,
Bryan
0
Question by:breynolds01
20 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 16988702
Depending on where your VPN tunnel terminates you might have to put some rules in place within Checkpoint to allow these things.  This is true if the tunnel terminates on the outside interface of the firewall.



0
 
LVL 2

Author Comment

by:breynolds01
ID: 16988924
I don't have access to the Checkpoint firewall; the ISP configured the firewall and VPN for us.  They're telling us that once we connect using the VPN, all ports are open and traffic will flow with no problems.  Is that true?  I'm not familiar with the Checkpoint firewalls and VPN solution.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16988967
It could be, yes.  If they terminated the tunnel inside the firewall, then yes, all ports should be open.

You can download PortQry and check it after you connect with the VPN client.

http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-c74b-4638-a2d5-ac828bdc6983&DisplayLang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en

0
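The check Netman66 suggests, as an added example that is not part of this thread: a Python TCP probe that reports in PortQry's vocabulary (LISTENING / NOT LISTENING / FILTERED), so the same three outcomes can be reproduced from the VPN client once the tunnel is up. It uses only the standard library; the target address is passed on the command line, and ports 21 and 3389 are the ones discussed in this thread.

```python
import errno
import socket
import sys

# Added example (not from the thread): a TCP probe that labels its result the way
# PortQry does, so "FILTERED" here means the same thing it means in the posts below.
LISTENING = "LISTENING"          # TCP handshake completed: something is bound and reachable
NOT_LISTENING = "NOT LISTENING"  # host replied with RST: reachable, but nothing bound on that port
FILTERED = "FILTERED"            # no reply before the timeout: dropped by a firewall or VPN policy


def classify_error(err: OSError) -> str:
    """Map a failed connect() to the PortQry-style label for that failure."""
    if isinstance(err, socket.timeout):
        return FILTERED
    if err.errno == errno.ECONNREFUSED:
        return NOT_LISTENING
    # Other failures (no route, host unreachable) are reported by errno name
    # rather than being guessed as FILTERED.
    return "UNREACHABLE (%s)" % errno.errorcode.get(err.errno, err.errno)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a full TCP connect to host:port and return LISTENING/NOT LISTENING/FILTERED."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError as err:
            return classify_error(err)
        return LISTENING


# The ports the thread is trying to reach through the VPN: FTP control and RDP.
SERVICES = {21: "ftp", 3389: "rdp (terminal services)"}


def probe_services(host: str, services=SERVICES, timeout: float = 3.0) -> dict:
    """Probe each service port and return {port: label}.  FILTERED on every port while
    ICMP echo still answers is the classic sign of a firewall/VPN rule gap, not a dead host."""
    return {port: probe_tcp(host, port, timeout) for port in services}


if __name__ == "__main__":
    # Assumed usage: python probe.py <address of the server behind the firewall>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, label in probe_services(target).items():
        print("TCP port %d (%s): %s" % (port, SERVICES[port], label))
```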
 
LVL 2

Author Comment

by:breynolds01
ID: 16989040
I've tried scanning the server behind the firewall and almost all of the returns say "FILTERED" with almost all of the procedures failing with this message: "exits with return code 0x00000002".

Here is a query for port 21:

Starting portqry.exe -n   x . x . x . x   -e 21 -p TCP ...

Querying target system called:

x . x . x . x

Attempting to resolve IP address to a name...

IP address resolved to xxxxxx.com

querying...

TCP port 21 (ftp service): FILTERED
portqry.exe -n   x . x . x . x   -e 21 -p TCP exits with return code 0x00000002.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16989060
Then they don't have many ports open.

Do you have FTP running inside your LAN?  You may want to test domain ports using the GUI.

0
 
LVL 2

Author Comment

by:breynolds01
ID: 16996777
Yes, I have FTP open on the LAN.  We have a public IP of 69.x.x.x which points to the firewall.  Behind the firewall they have given us another public IP of 69.x.x.x; could this be part of the issue?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16996787
I would think so, yes.  You can't have the same subnet on both sides of the firewall.  Packets will be dropped.

0
 
LVL 2

Author Comment

by:breynolds01
ID: 17007141
Looks like they had the firewall misconfigured.  Now I can load the under-construction page, but I'm still unable to pass RDC traffic and FTP traffic.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17008673
RDP uses TCP port 3389.
FTP uses TCP ports 20 and 21.

These ports must be allowed through the firewall.  You would want to allow them using a rule so that the whole world doesn't have access.

0
 
LVL 2

Author Comment

by:breynolds01
ID: 17020213
I've been told that the rules are in place and that the only thing allowed through our VPN is port 3389 for RDC.  After establishing the VPN tunnel and initiating an RDC connection to our IP address, I receive the error "the connection to the server cannot be established".  We do not have an internal firewall on the server at this point.

In the past all I've had to do is open port 3389 and point it to the internal server which I would like to connect to remotely from the outside world.

This is enabled under > system properties > remote > Enable Remote Desktop on this computer.

Is this correct, or do I have to configure Terminal Services on Server 2003 in order to use RDC through the VPN?  
0
 
LVL 2

Author Comment

by:breynolds01
ID: 17020628
Update: it seems that the server isn't listening on port 3389, after doing a netstat -n.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17020805
No, you don't need to configure Terminal Services.  Simply right-click on My Computer, select Properties, select the Remote tab and check the box at the bottom for "Enable Remote desktop on this computer".

0
 
LVL 2

Author Comment

by:breynolds01
ID: 17020841
Which is what I have done.  What would cause the server not to respond to RDC requests?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17020931
How many NICs are in this server?

If you try to RDP into the server from the inside of the firewall, can you?

0
 
LVL 2

Author Comment

by:breynolds01
ID: 17021110
No, I can't, and there are two NICs, one of which is disabled.  I have since removed the IP address of the NIC I was using and have enabled the other NIC and entered the IP address I was previously using.  Still nothing.

When I do a netstat -a I can see port 3389, but it's not bound to an IP address:

Proto  Local Address      Foreign Address    State
TCP    0.0.0.0:3389       0.0.0.0:0          Listening

Here's what's listed on the IP address I'm using.

TCP    69.30.x.x:135      69.30.x.x:3444     Established
TCP    69.30.x.x:139      0.0.0.0:0          Listening
TCP    69.30.x.x:389      69.30.x.x:3442     Established
TCP    69.30.x.x:3442     69.30.x.x:389      Established
TCP    69.30.x.x:3444     69.30.x.x:135      Established
TCP    69.30.x.x:3457     66.30.x.x:80       Established
TCP    69.30.x.x:3458     69.30.x.x:139      Time_Wait
TCP    69.30.x.x:3459     69.30.x.x:139      Time_Wait

0
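Two points worth knowing when reading a listing like the one above: a local address of 0.0.0.0 is the wildcard, meaning the socket accepts connections on every local IPv4 address, and a plain netstat -n shows only active connections, so listening ports appear only with -a. The parser below is example code added here, not from the post; its sample is the listing from the post with the redacted octets kept as-is, and it reports on which addresses a given port is actually listening.

```python
# Added example (not from the thread): parse a Windows netstat -a listing and answer
# "is anything listening on TCP port N, and on which local addresses?".
# Sample constructed from the listing in the post; redacted "x.x" octets kept verbatim.
NETSTAT_SAMPLE = """\
Proto  Local Address      Foreign Address    State
TCP    0.0.0.0:3389       0.0.0.0:0          Listening
TCP    69.30.x.x:135      69.30.x.x:3444     Established
TCP    69.30.x.x:139      0.0.0.0:0          Listening
TCP    69.30.x.x:389      69.30.x.x:3442     Established
TCP    69.30.x.x:3457     66.30.x.x:80       Established
TCP    69.30.x.x:3458     69.30.x.x:139      Time_Wait
"""

WILDCARD = "0.0.0.0"  # "listen on every local IPv4 address", not "bound to no address"


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, foreign, state) for each connection row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        local_addr, _, local_port = parts[1].rpartition(":")
        if not local_port.isdigit():
            continue
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no State column
        yield parts[0].upper(), local_addr, int(local_port), parts[2], state.upper()


def listening_addresses(text, port):
    """Return the local addresses on which TCP `port` is in LISTENING state."""
    return [row[1] for row in parse_netstat(text)
            if row[0] == "TCP" and row[2] == port and row[4] == "LISTENING"]


def explain_listener(text, port):
    """Human-readable verdict for a port, resolving the 0.0.0.0 wildcard."""
    addrs = listening_addresses(text, port)
    if not addrs:
        return "nothing is listening on TCP %d on this host" % port
    if WILDCARD in addrs:
        return "TCP %d is listening on all local IPv4 addresses (wildcard 0.0.0.0)" % port
    return "TCP %d is listening only on %s" % (port, ", ".join(addrs))


if __name__ == "__main__":
    for p in (3389, 21, 139):
        print(explain_listener(NETSTAT_SAMPLE, p))
```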
 
LVL 51

Expert Comment

by:Netman66
ID: 17021595
Do you have RRAS installed?  If so, you may need to rerun the setup and remove the filters.

0
 
LVL 2

Author Comment

by:breynolds01
ID: 17025805
No RRAS installed.  The only things installed on the server are IIS, .NET Framework 1.1 / 2.0, DHCP, and DNS.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17026412
Have you rebooted this server lately?  There is an issue with Remote Desktop after any patches are installed.  Most of the time it takes 2 reboots after patching to get RDP back online.

I have this issue with my server and you'll find a number of people on here do also.

0
 
LVL 2

Author Comment

by:breynolds01
ID: 17031677
I've rebooted the server about four times; I'll head back into the colo and boot the server a couple of times to see if that fixes the issue.  I'll post after doing so.  Thanks for the heads up.
0
 
LVL 2

Author Comment

by:breynolds01
ID: 17094907
The problem seems to be the firewall and passing the 3389 traffic to the IP/machine behind the firewall.  I've created a segmented LAN and I'm able to RDP with no issues.  I've also been able to use the LAN side of the firewall and RDP behind the firewall.  Seems the issue is still with the VPN connection and the traffic passing through the VPN / firewall.

At this point I've pushed the issue back to the COLO who's managing our firewall.  Thank you for your help, and as we both stated at the beginning of this thread... RDP isn't that complicated.
0
