Solved

SBS -  Cannot connect to RWW or OWA remotely

Posted on 2006-10-29
Last Modified: 2013-11-30
I recently completed an installation of a SBS2003 SP1 Standard box without ISA, using the two recommended NIC configuration. The broadband connection is an Efficient 5861 DSL router with a 4-Port switch set up with a static public IP from our (AT&T) ISP. The NIC #1 (external WAN) has a fixed IP address 192.168.254.10, and connects to the DSL router 4-port switch.

DHCP is handled by the SBS, and the #2 NIC (internal LAN) uses fixed IP 192.168.16.2. This NIC connects to the LAN 24-port switch along with all workstations.

This installation worked as expected once it was set up – All workstations have Internet access, Exchange server handles the email, and all users are able to connect printers, files, and other resources. And internally, we could also access features like RWW, SharePoint and OWA. But I could not access these features remotely from outside the network.

I began to wonder if the router was blocking the connection, so I followed the advice I received from SBS newsgroup and opened ports 443, 444, 4125, 1723 and 3389 in our Efficient 5861 DSL router, by using their internal configuration program. But I still couldn't connect remotely using https://publicIP/remote. I called Efficient tech support to have them verify that the ports I specified were actually opened. Their tech told me he couldn't telnet into our router through our public IP to check, but confirmed that I had done the setup steps correctly.

After that I reran CEICW to verify all Web services were checked. First, I expanded everything under IIS, checked all settings, and nothing was being blocked. Just to be sure, I stopped all the services and restarted them. Everything still looked the same with nothing being blocked. I completely reran CEICW, first disabling settings, then selecting broadband with local router, e-mail (no VPN), firewall, then selecting OWA, RWW, and SharePoint services. I rebuilt the certificate using the public IP provided by DSL ISP. At the end I went back and checked the IIS settings and printed out the Summary of Settings for CEICW, reviewed the summary and didn't see anything that looked wrong.

But I still couldn’t connect remotely. I received two recommendations from the newsgroup folks. One was to bypass the DSL router using my laptop plugged into the Efficient 4-port switch, but set up on a different subnet. Still, no connection.

The other recommendation was to verify the proper bindings on each of the two NICs by clicking the Advanced tabs. That is where it got a little strange. The Advanced tab would not open at all, and instead pops up this message: "Windows Firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys)". This turns out to be a bogus message. Windows Firewall is disabled.

To pursue this further, I disabled the SBS firewall through CEICW, disconnected the lan cable, and uninstalled the external NIC built into the Intel motherboard through the BIOS setup. I restarted SBS, but still could not access the Advanced tab on the internal NIC. I removed the internal NIC, reinstalled the external NIC, but again was unable to open the Advanced tab. After each change, I reran CEICW and verified the desired settings. After each change I would also try to open the Advanced tab on each NIC. In all cases, the tab would not open, and a separate window pops up with the "Windows Firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys)" message.

I'm at my wits end with this problem. I set this thing up 'by the book' to avoid problems, and everything looks normal except for remote access. I’m about ready to turn this problem over to Microsoft's tech support - and pay that $245 incident fee. Then again, I’d really like to solve this problem without their help. Mostly, to understand what the problem really is, and what the solution turns out to be. So if anyone can help I’ll greatly appreciate it. Thanks.

Leon


0
Comment
Question by:OleBear
  • 12
  • 11
24 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17830598
Hi Leon, a couple of points I may be able to help with. When clicking on the Advanced tab you will get the Firewall message, which is not quite accurate, if any services are configured that use RRAS such as routing (2 NICs), VPN, and some others. You can pretty much ignore that. As for the binding order, which I am doubtful is the problem, though important, it is actually located elsewhere. Go to Control Panel | Network Connections | on the menu bar at the top of the screen choose Advanced | and then Advanced Settings.

Sounds to me like a port forwarding issue. A good test is to log on to the SBS itself, and go to http://www.canyouseeme.org and test for the appropriate ports. If you get failed or timed out, the problem is most likely with the modem and/or router. If it does fail let us know the make and model of the modem and router, and perhaps we can be specific.
0
 

Author Comment

by:OleBear
ID: 17830945
Hello RobWill, -- Thanks for this information, because it looks very helpful. I'll be in that office this coming Tuesday and will take a look at the system. I've kinda suspected a port forwarding issue, but didn't know how to check it. I'll post what I find out just as soon as I'm done. Thanks again!

Leon
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17831234
Great, let us know how it goes.
If you do have a forwarding problem, it may be that your modem is a combined router and modem. You can tell, if the router's WAN/Internet interface has a private IP 192.168.x.x, 10.x.x.x or 172.16-31.x.x. If so the modem needs to be put in bridge mode, and the router's WAN connection configured with your ISP's connection information.
0
 

Author Comment

by:OleBear
ID: 17836141

The DSL modem? - router is an Efficient 5861, which is pretty old and very difficult to work on. It indeed uses 192.168.x.x interface to access the settings, if that's what you mean. Nevertheless, if I do have a forwarding problem, that Efficient 5861 is gonna get replaced. Even the AT&T techs were surprised that we still had it. It came from SBC before AT&T took them over. I'll let you know . . .

Leon
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17838365
>>"It indeed uses 192.168.x.x interface to access the settings"
That would be on the inside/LAN interface which is fine. The concern is the outside/WAN/Public interface. It should have a true public IP rather than a private.
0
 

Author Comment

by:OleBear
ID: 17843986

"It should have a true public IP rather than a private." It does . . . I'm on my way out to the system this morning. I'll let you know the results in a few hours.

Leon
0
 

Author Comment

by:OleBear
ID: 17852317
The results of running http://www.canyouseeme.org
 Ports
21 connection refused  (connection refused)
25 connection refused  (connection refused)
80 OK (OK)
110 connection refused (connection refused)
443 OK (OK)
444 connection refused (connection refused)
1723 timed out  (connection refused)
3389 timed out (OK)
4125 connection refused (OK)
Note: Values in Parenthesis are with SBS firewall turned off

As for the NIC bindings, by using this method: Go to Control Panel | Network Connections | on the menu bar at the top of the screen choose Advanced | and then Advanced Settings.
I still get that dreaded "Windows Firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys)" message. BUMMER!

Leon
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17852526
Based on the above, the only thing that might work is Outlook Web Access. Have you tried that ?
https://publicIP/exchange

If you have anything configured that uses RRAS (routing and Remote Access Service), such as the VPN - "Remote Connection Service", you will get the firewall message. However I am surprised you get that when accessing features from the menu bar.
Ipnat.sys = RRAS

Not sure what would be blocking the other ports. I am assuming the router is configured for all ports in the same way ? Is the Efficient 5861  a basic modem or modem/router? Do you have 2 devices which may require port forwarding? The ports do not need to be "open" but rather "forwarded".
0
 

Author Comment

by:OleBear
ID: 17860871

Yes, I tried OWA right away, but it doesn't work. Also, I have specifically not enabled VPN.

The Efficient 5861 is a modem/router. I used the command line interface to open the ports, but did not see a way within that interface of doing port forwarding. Yesterday I did some Internet searching on the 5861 and found additional instructions on port forwarding. I'll try that later on. My limitation is that this SBS is the heart of a civil engineering firm, and I'm unable to do any restarts or reboots during work hours. Reconfiguring that DSL device nearly always requires a restart. They hate it when they lose Internet or file server access. (actually, everybody is pretty good about it, but they do have deadlines to meet).

I too am concerned about not being able to access the advanced settings on those two NICs. Although I was very careful about setting them up originally and believe the settings are correct, I wonder if no access is indicating a problem somewhere else. However, everything about that SBS and its extra features work just fine in-house for all users. And the lack of remote access would seem to indicate that it's being blocked somewhere. Although I hate that 5861 because it's old and difficult to configure, I don't want to do so only to find out it wasn't the problem. So I guess I better try port forwarding first.

Leon
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17864091
Opening the ports will not work, you definitely have to be able to forward them. You could try as a test setting up a PC on the WAN side of your SBS, but on the inside of the Efficient 5861, as a test to see if the problem is the modem/router/ISP.

Just checked a virtual SBS of mine that has RRAS configured. I get the same "Windows Firewall cannot run because......(Ipnat.sys)" message when trying to check the firewall (advanced/settings) option on the network adapter, as expected, however no problem to access the Advanced settings and binding orders from the menu bar. Interesting, I wonder why yours is blocked. I have never seen that.
0
 

Author Comment

by:OleBear
ID: 17864309

I finally gained access to the Efficient 5861 GUI, which made it much easier to see existing settings and also how to change them.  
I found: Outbound NAT and Inbound NAT enabled.
For Outbound NAT there were no settings specified.
For Inbound NAT, the following ports were specified.
Ports 80 443 1723 3389 forwarded to 192.168.254.10 (WAN side NIC IP)
I then added Ports 444 and 4125 forwarded to 192.168.254.10 (WAN side NIC IP)

I rebooted the router, went back in to make sure the settings were in place, and had several users confirm they had access to email, the Internet and the file server.
I then went to my computer outside the network and tried both https://PublicIP/remote and exchange. Still, Nothing worked.
(Previously, I had tried setting up my laptop on the WAN side of the SBS, but I could never gain access that way either)

A newsgroup SBS-MVP suggested I remove the NICs one at a time, then try to get into the advanced tab on each. Since I'm using the NIC built into the Intel motherboard, I wasn't able to actually remove it, but I did disable it. Then I went to the other NIC, and I was still unable to access the Advanced tab. I continued to get that (Ipnat.sys) message. -- This is a very perplexing problem.

Leon
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17865666
The reason you are probably getting the "Windows Firewall cannot run because......(Ipnat.sys)" message is due to the fact that you are using 2 network adapters. In order for this to work the server needs to configure NAT, and thus RRAS. Though using 2 adapters is fine, and very common practice, it is not necessary.

As to why you get the message when trying to view the binding order, I don't know. Not to be a pain but again......you are trying to access from:
Control Panel | Network Connections | on the menu bar at the top of the screen choose Advanced | and then Advanced Settings
and not from:
Control Panel | Network Connections | network adapter - Properties | Advanced

If "playing" with removing adapters, when the device manager is open, on the menu bar choose "view", then "show hidden devices". Do not randomly delete devices, but see if there are any old configurations for other network adapters or previous installs of the same adapters, that may be causing issues.
0

 

Author Comment

by:OleBear
ID: 17873984

"Not to be a pain but again......you are trying to access from . . . " You know, now I'm not quite sure. I thought I had followed your instructions exactly, but I'm gonna go back and do it again. Sometimes it's overlooking those small things that come back to haunt us.

I did do a 'show hidden devices' previously, and didn't see anything strange there. But you can bet I'm gonna check again.

Leon
0
 

Author Comment

by:OleBear
ID: 17927490

OK, an update on this very perplexing problem:

I was finally able to view the settings of both NICs. The internal LAN is first, and has checkmarks for File and Printer settings, and for Client for MS networks. -- The external WAN NIC is second in the list, has no checkmarks checked, and all required settings inside are empty. Clicking 'show hidden devices' shows only the current settings, nothing strange.

After checking all these, I reran CEICW and rebuilt the firewall and the other suggested settings. At the end, I printed out the Summary of Settings, reviewed it and didn't see anything I would recognize as incorrect. In fact, it looked pretty good.

Then I went to a computer remote to the SBS network and, bummer -- I still couldn't connect remotely.

Two things came to mind. First, none of the workstations are joined to the domain. Does that matter? The network is still operated P-to-P because I wanted to wait until everything was working properly before joining the workstations. (and on another SBS network I work with, not joining the workstations didn't affect remote connection - I could still get to the log-on page and the intranet webpage) -- The second thing that came to mind is reading about people having problems with port TCP 1723, and GRE protocol #47. However, when I was inside the Efficient modem/router, port TCP 1723 was shown to be forwarded to the public IP of the router. -- As has been the case all along, the internal LAN works just fine, with each workstation able to access the custom intranet website and most services like email on it.

Oh lordy, lordy, what else is there to try?? -- Is it finally time - can I even be saying this? - to pay that $245 and make this Microsoft's problem?

Leon

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17928015
>>"none of the workstations are joined to the domain. Does that matter?"
It does if you are trying to use RWW to connect to a workstation. Server should be fine.

>>" The second thing that came to mind is reading about people having problems with port TCP 1723, and GRE protocol #47."
You only need to worry about this if you are enabling a VPN. Doesn't sound above as if you are, however if so, not only do you need to forward port 1723, but also enable "PPTP pass-through". Not all routers support VPN pass-through.

Now that you have made changes to the router and re-run the CEICW, do you have success with http://www.canyouseeme.org ?
0
 

Author Comment

by:OleBear
ID: 18022204

A post Thanksgiving update:
Not much to be thankful for regarding this SBS problem, it turns out.

"Now that you have made changes to the router and re-run the CEICW, do you have success with http://www.canyouseeme.org?" -- No, I get exactly the same results as before.

So I went back in, made sure the NICs were properly configured, re-ran CEICW without VPN, and tried again. No luck connecting remotely. More troubling is that I still cannot connect with my laptop by bypassing the router. I'm doing this by configuring my laptop with a fixed IP 192.168.x.x address on a different subnet, and plugging it into one of the switch ports on the router. I get "Internet Explorer cannot display the webpage" when I try. I have never been able to get to the RWW sign-on page either remotely or by by-passing the router. I also cannot ping the public IP address either way, although I'm not sure that's allowed.

A question: When forwarding ports in the router, I have them forwarded to the WAN side NIC IP (192.168.254.10), is that correct?

Leon
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18025108
>>"More troubling is that I still cannot connect with my laptop by bypassing the router. I'm doing this by configuring my laptop with a fixed IP 192.168.x.x address on a different subnet,"
If the laptop is connected to the SBS external NIC through a switch, i.e. not routed, it actually needs to be on the same subnet, 192.168.254.x
This would be a good test actually to see that the SBS is not the problem.

>>"When forwarding ports in the router, I have them forwarded to the WAN side NIC IP (192.168.254.10), is that correct?"
Correct!
0
 

Author Comment

by:OleBear
ID: 18088808

"If the laptop is connected to the SBS external NIC through a switch, i.e. not routed, it actually needs to be on the same subnet, 192.168.254.x
This would be a good test actually to see that the SBS is not the problem."

Well, unfortunately, after setting up my laptop to do this, then going back and rerunning CEICW and carefully choosing the settings that follow all the previous suggestions, I still could not connect to the SBS. Not this way, or remotely from outside the network. -- So it looks like the SBS is somehow still the problem. Dang!!

Leon


0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18094973
Earlier with the "canyouseeme" test it showed port 1723 was blocked.
Try connecting to the SBS directly by means of the switch as you last did and test for port 1723. However, this time from the connecting computer go to a command line (DOS window) and enter:
telnet  192.168.254.10  1723
(assuming that is the server's WAN/External IP)
If it is open (i.e. connects) you should get a blank screen with a flashing cursor. If blocked you will get an error message or simply time out. This will tell us if the server itself is blocking traffic.
0
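The telnet test described above, scripted so each port is classified in one pass and the result is compared with the outside view to say which side is blocking. This is an added example, not part of the original thread: the function names and verdict labels are assumptions, while the address, ports and sample results are transcribed from the posts.

```python
import socket
import sys

# Ports the thread tests for SBS 2003 remote access.
SBS_PORTS = (443, 444, 1723, 3389, 4125)

# Verdict labels (assumed names, used only in this example).
OK, SERVER, ROUTER = "ok", "server", "router/ISP"


def check_port(host, port, timeout=3.0):
    """One TCP connect attempt, classified the way the telnet test reads."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # telnet: blank screen, flashing cursor
    except socket.timeout:
        return "timed out"     # packets dropped: filtered or not forwarded
    except ConnectionRefusedError:
        return "refused"       # host answered, nothing accepts on this port
    except OSError:
        return "error"         # no route, bad address, interface down
    finally:
        sock.close()


def locate_block(direct, external):
    """Combine the two vantage points used in the thread for one port.

    direct:   result from a PC on the server's WAN-side subnet
    external: result from outside, against the public IP
    """
    if direct != "open":
        return SERVER          # server itself is not accepting the traffic
    if external == "open":
        return OK
    return ROUTER              # server answers locally, so look upstream


def diagnose(direct_results, external_results):
    """Per-port verdict for every port present in both result sets."""
    shared = sorted(set(direct_results) & set(external_results))
    return {p: locate_block(direct_results[p], external_results[p])
            for p in shared}


# Results transcribed from the thread: the direct telnet test against
# 192.168.254.10 and the canyouseeme run with the SBS firewall on.
# "failed" stands for the post's "Fail or Time Out" column.
THREAD_DIRECT = {443: "open", 444: "open", 1723: "failed",
                 3389: "failed", 4125: "failed"}
THREAD_EXTERNAL = {443: "open", 444: "refused", 1723: "timed out",
                   3389: "timed out", 4125: "refused"}

if __name__ == "__main__":
    for port, verdict in diagnose(THREAD_DIRECT, THREAD_EXTERNAL).items():
        print(f"{port:>5}  {verdict}")
    # Optional live run: pass the server's WAN-side address as an argument,
    # e.g. 192.168.254.10 from a PC on the same subnet.
    if len(sys.argv) > 1:
        for port in SBS_PORTS:
            print(f"{port:>5}  {check_port(sys.argv[1], port)}")
```

A "refused" result means the packet reached a host that has no listener on that port, while "timed out" means something dropped it silently, which is why the two are reported separately.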
 

Author Comment

by:OleBear
ID: 18149590

When connecting to the SBS directly through the switch, here are the results of the Telnet testing of ports using the WAN External IP 192.168.254.10:

Ports Open OK
21
25
80
443
444

Ports Fail or Time Out
1723
3389
110
143
22
23
220
4125
1701

This certainly seems to indicate that the SBS itself is blocking 1723.
So it seems the question is, can this port be opened from within SBS?

Leon

Ps. I only have access to this SBS using the two NIC configuration. However, I do have access to a single-NIC SBS that uses a Cisco PIX 506e, and running "canyouseeme" gives me these results:

Open
1723
143
110
80
25

Times Out or Connection Refused
21
23
1531
3389

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18150663
The only thing on the SBS that could be blocking those ports is the Windows firewall. However this should be looked after by the CEICW. Personally I would "kill" RRAS by opening the RRAS management console and Right clicking on the server and choose disable. Then open the Windows firewall, which you may have to turn on to do, and manually turn it off. Now re-run the CEICW.
Make sure there are no other software firewalls, or Symantec anti-virus, as well.
0
 
LVL 2

Expert Comment

by:marklar1
ID: 18186069
Hi

I have just had a similar problem. I have not read the whole thread above so apologies if this has already been mentioned.

I resolved this problem after calling Netgear who supplied the firewall I was using. To remotely administer their router via the web you connect via https to port 8080, however, this means it severely interferes with https on port 443. The problem was resolved by simply disabling remote web admin on the router.

Netgear are upgrading their firmware sometime in the future!!!!

Good luck.

Mark
0
 

Author Comment

by:OleBear
ID: 18298037
RobWill, I performed your last suggestion and reran CEICW. No improvement at all. I then connected my laptop into the DSL router port and ran telnet 192.168.254.10 with each of the commonly used SBS ports. If anything, I lost ground and found even fewer that would open. I began to think something else was wrong in some other place. I had never gone too deeply into the settings inside the Efficient DSL router, mostly because SBC installed it before I came on the scene, and because Internet access and email worked OK. All I had ever done was go in and forward all the ports required by SBS using the command line interface - the same ports that never showed up as open. -- This time I used the GUI interface to look at the setup, and indeed, the ports were forwarded as expected. Then I discovered something rather strange. On the SBC WAN side I found the IP address was set to the gateway address and the gateway field was blank. I was actually surprised that the system even worked! I also discovered that I could not change those values through the GUI interface. Today (from home) I called SBC and verified that the IP address entered is in fact the gateway address. I wondered what would happen if I used the gateway IP address to try a remote connection, and son-of-a-gun it actually works!! Next, I'll be contacting SBC to straighten out the WAN and Gateway addresses.

Thanks very much for your help on this problem. Your suggestions kept me going on trying things, and were an inspiration to keep digging for a solution.

Thanks again. -- Leon
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18298082
Wow, odd!  You are very welcome Leon.
Thanks for the update. As you say I am surprised you haven't had other problems. Good luck with SBC and thanks for the points.
Cheers.
--Rob
0
