• Status: Solved

Firewall & RRAS in SBS2003 SP1

Hi guys

I'm tearing my hair out with this one, can you help, please?
We are running a single server under SBS2003 SP1 with XP Pro SP2 clients.

I have updated our AVG antivirus network edition to the latest version and remotely installed updates to all clients, but cannot do so to the server on which the AVG RemoteAdmin software resides, whereas it would do so with the last major update of 7.1.

Grisoft TechSupport are pointing to the firewall as a problem.

Windows firewall exceptions are set in group policies and include provision for the remote agent, however the firewall is disabled in SBS2003 so the policy has no effect.  
Trying to open the firewall on the server produces the error, "Windows Firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys)"

The reason for it being disabled appears to be an incompatibility between the firewall and RRAS but I cannot find out how (or if I can) create exceptions in RRAS to allow the software to work.

Is it possible?  If so, how, please?

Thanks, in advance
morse57
 
funky2yc340 Commented:
Have you tried stopping the RRAS server before you run the update?  This would at least tell you if RRAS was actually blocking the update and/or whether to look somewhere else for the problem.

To stop the RRAS server:
1.  Enter RRAS manager, right-click on server, choose Stop.
 
morse57 (Author) Commented:
Hmmmm

Seems that RRAS wasn't the problem - AVG still won't install with it turned off.  I've uninstalled the old version and installed the new one manually, instead of via the Admin console & hooked it up to the Admin centre.  Everything appears to be working OK.

The query remains, though: can I make exceptions for ports/programs as one can in Windows Firewall?

Cheers
 
funky2yc340 Commented:
You can make exceptions in RRAS.  If you right-click on any of your connections, in RRAS Manager, select Properties.  Go to the Advanced tab and select Add to configure additional attributes.  Select MS-Quarantined-IP Filter.  Here you can add inbound and outbound ports to allow.

You may also need to add the MS-Quarantined-Timeout attribute, if it's not already enabled.

Hope this helps.
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
If the software is running on the SBS, then there is no reason at all that either RRAS or ANY firewall would interfere with its operation locally.  The only issue would be if it needs to go out to the Internet for an update.

Can you please be more specific as to the problem you are encountering?  You state that you "cannot install the update" on the server.  What specific error are you getting?

Jeff
TechSoEasy
 
morse57 (Author) Commented:
Hi Jeff

I was getting 3 errors in total.

Event Type:      Error
Event Source:      AVG7
Event Category:      Error
Event ID:      100
Date:            20/10/2006
Time:            18:09:18
User:            *******
Computer:      OUR SERVER
Description:
2006-10-20 17:09:18,875 OUR SERVER [008108:005484] ERROR 000 AVG7.STool.Com Exit: GetNewerInstallPackageFileName - failed - no instal file

Event Type:      Error
Event Source:      AVG7
Event Category:      Error
Event ID:      100
Date:            20/10/2006
Time:            18:09:19
User:            *******
Computer:      OUR SERVER
Description:
2006-10-20 17:09:19,093 OUR SERVER [008108:005484] ERROR 000 AVG7.STool.Scan GetInstallUser: InstallUser can't be obtained

Event Type:      Error
Event Source:      AVG7
Event Category:      Error
Event ID:      100
Date:            20/10/2006
Time:            18:29:38
User:            ********
Computer:      OUR SERVER
Description:
2006-10-20 17:29:38,859 OUR SERVER [007652:008004] ERROR 000 AVG7.CC.plugins.avgcckrn.CRemoteCommunicationPluginController getting state failed with error: Error 0x80004003

The errors appear, prima facie, to indicate that the setup is misconfigured but this is not the case; the admin centre had been used to successfully distribute the package to the network PCs but stubbornly refused to put it on the server itself.

AVG blamed the firewall, I told them it wasn't running because of RRAS and that seemed to stump their TS people.  

Thanks for moving the question, I thought I'd put it in SBS topic area, clearly not. Sorry.

Cheers
Steve
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I just want to double check that you modified all of these replacing the real name of your server with "our server".  The reason I need to check is that if your server name really did have a space in its name that could be the reason that AVG won't install.

Jeff
TechSoEasy
 
morse57 (Author) Commented:
Sorry, I didn't get an email about your response.

That's right - should have read our-server, no spaces as in the real name.

Cheers
Steve
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I think I may have found something to help you out here:  http://snipurl.com/10yb2

Jeff
TechSoEasy
 
morse57 (Author) Commented:
Thanks, Jeff, however I have had this same communication from Grisoft.  I had set the relevant ports via group policy previously for the earlier version of AVG, I've checked and they are as they should be and there hasn't been any problem rolling out the software to clients or subsequent communications.

The difference on the server is that it is using RRAS, not running the Windows Firewall, so isn't affected by the GP settings (AFAIK), hence the origin of my question about RRAS.  Turning off RRAS has not defeated the problem.

Cheers
Steve
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Okay, sorry, I was on some other tangent for some reason... you can configure an open port in RRAS the same way you would in the Windows Firewall or on a Router's interface.  

Open the Server Management Console > Advanced Management > Computer Management (Local) > Services and Applications > Routing and Remote Access > IP Routing > NAT/Basic Firewall.  

Then right click on the Network Connection > Properties > Services and Ports.  Here you can add any service you like.  You should always use 127.0.0.1 for the IP address unless this service is being hosted on another computer in the LAN.

Jeff
TechSoEasy
 
morse57 (Author) Commented:
Thanks, once again, Jeff.