cmdown
asked on
Dual NIC SBS2003 with BT2700HGV Router - UltraVNC and Remote Desktop - Urgent 500 points -
I have an SBS2003 std edition server that is sitting behind a BT BT2700HGV router.
The server has dual NIC.
I have (I think) configured the router for UltraVNC in the hosted applications firewall section - although for some reason the BT router shows the servername twice - presumably once for each card.
Question - how do I correctly set up (a) the router and (b) the firewall to allow UltraVNC / Remote desktop to see the server?
I normally use logmein but I've got to set up access for a third party to access the server for legitimate technical reasons
cm,
First, you have to make sure to FORWARD port 5900 to ONE of the two NICs' IP addresses. I'm assuming even though you have the dual NIC card, only ONE network cable is connected to the router, correct?
So before you forward the port, you need to make sure you have a STATIC LAN IP address set on one of the two dual network ports (the second is not needed). Let's say your router is 192.168.1.1 ... then you could set your static IP to something like 192.168.1.10 (subnet 255.255.255.0 - and default gateway of 192.168.1.1 which is the router) on the one port on the dual port NIC. Then under port forwarding on the ROUTER, forward port 5900 to the IP of 192.168.1.10. Remember, you should then have a network cable going from this port to a regular switched port on the router (not the Internet or WAN port obviously - that's for your DSL/CABLE modem etc.).
What kind of modem is it by the way? Cable or DSL? Just curious - because some DSL modems are actually routers - and can block some incoming packets (VNC in this case). If DSL, let me know and I'll go into further detail on that.
Then ... you'll have to go under the firewall on SBS .. which should be the same place as it is on Enterprise 2003 which we run. START > CONTROL PANEL > WINDOWS FIREWALL. CLICK 'ADD PORT' ... name it 'VNC' or something ... port number should be 5900 ... protocol is TCP. Click OK and then OK again.
Assuming Ultra-VNC is then set up to RECEIVE connections (check under UltraVNC properties as you should have the server loaded and the icon in the lower-right), you should then be able to connect from the Internet to the server.
Let me know how this works for you.
ASKER
Hi kmruss
Thanks for your reply - I am aware of everything you have said :o) and indeed that is how the system is set up - the problem is that it just doesn't work.
I normally specify Vigor / Watchguard firewall routers but this client has a BT Voyager BT2700HGV and won't change it. I can't figure out what is going on! I'm certain the problem is with the BT2700 router.
ASKER
BT2700HGV is a dsl router
when he tries to connect to your server, can you see his traffic coming through to you?
via your firewall client, or netmon, or other utility?
can you access your server from another external source? if so, then you know it is the client side and not yours
ASKER
Hi
No - if the client tries to connect it just times out - indicates that the connection is blocked. Traffic is not getting through at all. The client pc is not blocking the connection as it can connect to other pcs / servers using the same port numbers.
what happens when the client tries to telnet
e.g.
telnet <your ip> 5900
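A scripted form of the telnet check suggested above, added here as an example and not part of the original thread. It separates a timeout (dropped somewhere on the path) from a refusal (host reached, no listener) and recognises the `RFB` version banner a VNC server sends first; the function name `probe_vnc` and its return labels are assumptions of this example.

```python
import socket
import sys


def probe_vnc(host, port=5900, timeout=5.0):
    """Classify one TCP connection attempt to a VNC port.

    Returns (state, detail) where state is one of:
      'vnc'        - connected and an RFB version banner arrived
      'open-other' - something answered, but not with an RFB banner
      'refused'    - a reset came back: host reachable, no listener
      'filtered'   - no answer before the timeout: dropped on the path
      'error'      - any other socket error (detail holds the message)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(12)  # RFB ProtocolVersion message is 12 bytes
            except socket.timeout:
                return ("open-other", "connected, no banner before timeout")
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("filtered", "")
    except OSError as exc:
        return ("error", str(exc))
    if banner.startswith(b"RFB "):
        return ("vnc", banner.decode("ascii", "replace").strip())
    return ("open-other", repr(banner))


if __name__ == "__main__":
    # Usage: python probe_vnc.py <server address> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: probe_vnc.py <server address> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    print(probe_vnc(sys.argv[1], port))
```

Run from outside the LAN, `filtered` matches the "just times out" symptom in this thread and points at a router or firewall layer rather than at UltraVNC itself.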
also this might be something you want to try
http://www.vitoplantamura.com/index.aspx?page=axvncviewer
ASKER
I've done some more work on this today - still getting stuck but here's what I've done.
Rechecked firewall in BT router - all 4 VNC ports (TCP 5900 & 5800 & UDP 5900 & 5800) are forwarded to the external NIC (192.168.5.2)
Windows firewall isn't running as server has IIS installed and RRAS has been configured
Gone into group policy > small business server firewall > computer configuration > administrative templates > network > network connections > windows firewall > domain profile
- added port exceptions for 5900:TCP:*:Enabled:VNC1
- added port exceptions for 5800:TCP:*:Enabled:VNC2
- added port exceptions for 5900:UDP:*:Enabled:VNC3
- added port exceptions for 5800:UDP:*:Enabled:VNC4
- added program exception c:\program files\vnc\winvnc.exe:*:ena
I am now sure that connection is getting through the router but is still being blocked by IIS
** HELP ** :o(
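An audit of the port-exception strings listed in the post above, added here as an example and not part of the original thread. It parses the `port:protocol:scope:status:name` policy format and flags entries a reviewer would tighten: the UDP openings (VNC's 5900 and 5800 services run over TCP) and the `*` scope, which admits any source address. The `203.0.113.7` entry is constructed, and the function names and finding labels are assumptions of this example.

```python
from collections import namedtuple

# Entries quoted from the post above (Windows Firewall port exceptions policy).
PAGE_ENTRIES = [
    "5900:TCP:*:Enabled:VNC1",
    "5800:TCP:*:Enabled:VNC2",
    "5900:UDP:*:Enabled:VNC3",
    "5800:UDP:*:Enabled:VNC4",
]
# Constructed entry: scope narrowed to one documentation-range address
# standing in for the third party's public IP.
SCOPED_ENTRY = "5900:TCP:203.0.113.7:Enabled:VNC-vendor"

VNC_PORTS = {5900, 5800}  # RFB session and the Java viewer's HTTP port, both TCP

PortException = namedtuple("PortException", "port protocol scope enabled name")


def parse_exception(entry):
    """Split 'port:protocol:scope:status:name' (IPv4 scopes only)."""
    parts = entry.strip().split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields: {entry!r}")
    port, proto, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {entry!r}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad protocol in {entry!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status in {entry!r}")
    return PortException(int(port), proto.upper(), scope,
                         status.lower() == "enabled", name)


def audit(entries):
    """Return (name, finding) pairs for enabled exceptions worth tightening."""
    findings = []
    for exc in map(parse_exception, entries):
        if not exc.enabled:
            continue
        if exc.protocol == "UDP" and exc.port in VNC_PORTS:
            findings.append((exc.name, "udp-not-used-by-vnc"))
        if exc.scope == "*":
            findings.append((exc.name, "any-source"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(PAGE_ENTRIES + [SCOPED_ENTRY]):
        print(f"{name}: {finding}")
```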
ASKER
** Hurrah **
Fixed It
Having done all of the above I went in and checked the RRAS settings
myservername > ip routing > nat / basic firewall > network connection > services & ports
added the ports in there as well and hey presto - connection at last.
I can't say I know why it has to be added in all these places - if anyone can explain what was actually required and what was clouding the issue so that I'll know what I'm doing next time I'll happily award the points!!
congrats
cmdown,
My guess is, because you were using Remote Routing and Access. I never activated this service on our server - and I just had to specify the setting in the normal Firewall settings. I would bet that when you're turning on RRAS, it either ignores the settings in the normal Firewall - OR - takes into account both settings. Nevertheless, good to know for future reference. We never had a need for enabling the RRAS - so I never have. And we even have two default gateways to two different ISP's. Did you actually need this service for some reason?
ASKER
kmruss
the server was originally set up by another company but they do need RRAS as they are using the VPN functionality of SBS2003
Good to know then cmdown - in case we decide to use RRAS. I guess that makes sense too - since by using RRAS, you almost turn your server into a 'router' itself - so allowing through that as well makes sense. Just wouldn't spring to my mind either when setting it all up. Glad you found that.
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
http://www.redline-software.com/eng/support/articles/isaserver/publishing/publishing-remote-desktop-web-connection-sites-isa-firewall-part1.php