Lawot


Problems getting Remote Desktop to work with a trusted and optional network, Watchguard Firebox X Edge

I have a Small Business Server 2003 Standard R2 with 2 NICs. The Internet goes through the Watchguard Firebox X Edge with the IP of 10.10.2.2 to the network card with the IP of 10.10.2.1. The server's local area network is 10.10.1.1.

I have opened up several ports on the firewall. Standard stuff like RDP, SMTP, etc. I am unable to terminal service into the server (or use any other ports). When I type the IP address into Internet Explorer, it opens up the Watchguard remote website, which leads me to believe that the Firebox is forwarding traffic to my trusted network and not the optional network.

When I set up the incoming firewall settings, I opened up port 3389 and forwarded it to 10.10.1.1. I believe because 10.10.1.1 is on the optional network, it is not working and there is some setting I need help on.

Anyone have any ideas?
suppsaws

Hello Lawot,

If you are working with RWW: https://FQDN/remote you need to forward port 4125 to your SBS server, no need to open port 3389


Regards,

suppsaws
Lawot

ASKER

I understand that, and I have forwarded all ports to my SBS. https://FQDN/remote will forward me to the Watchguard box. Again I believe this is an issue with everything being forwarded to my optional network and not my trusted one.
I always install Edges onto my clients' networks, but I'm using only one NIC.
If you have two nics, please use the following guide:
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/76/Two-Nics-a-static-IP-address-ISA-router.aspx
(skip the isa part)
Just make sure you configure a firewall rule which forwards port 4125 to the SBS internal NIC: 192.168.16.2 by default.
An ipconfig /all of the server and maybe one workstation would be interesting.
Lawot

ASKER

My local NIC is 10.10.1.1. I am forwarding everything to this NIC.
ipconfig /all of server would be interesting to see your setup, and maybe Watchguard setup too.
Can't tell anything out of one IP.
Lawot

ASKER

Here are the results of the ipconfig /all
ip.JPG
Did you also forward port 443 to the SBS?
dpk_wal
Sorry to sound like this but I am confused on your network setup, if I understand correctly the setup you have is (A):
                                       10.10.2.x - Trusted network
    Internet ----- X Edge---------------------Server-----------------LAN
                                                                               10.10.1.1
The server is acting as a router. If this is the case then the things should work; you would need to configure options on server to forward packet to LAN and back.

OR is it (B):

                                       10.10.2.x - Trusted network
    Internet ----- X Edge---------------------Server-----------------LAN
                             |----------------------------|
                                        10.10.1.1 - Optional network

If it is B; then it would not work; there are many instances about multi-homed machine behind WG not being able to work properly. Can I ask you if you are having B as setup what is the need of having two NICs on the server; what if you use just one NIC.

Please advise.

Thank you.
Lawot

ASKER

Everything is forwarded to the SBS server. Everything.


dpk_wal,

I am pretty sure I am using option A

                                       10.10.2.x - Trusted network
    Internet ----- X Edge---------------------Server-----------------LAN
                                                                               10.10.1.1
Internet NIC is 10.10.2.1, Watchguard 10.10.2.2 and server is 10.10.1.1

This is standard setup in a small business environment. I need the 2 NICs to enable Windows Firewall, going to one NIC is not an option.


How would I configure options on server to forward packet to LAN and back?


As your Server is acting as a router, add a route in WG as below:
In Configuration Page, go to Network > Routes; Add:
Network; 10.10.1.0/24; gateway 10.10.2.1

Now from WG you should be able to ping the machines on 10.10.1.x network and from the machines on 10.10.1.x you should be able to ping 10.10.2.2.

If above is true, then the rule you created to forward traffic to 10.10.1.1 would work; also you can create rule to allow incoming traffic to any of the machines on the 10.10.1.x network.

Thank you.
Lawot

ASKER

I added the route as you described. But it is still forwarding to the firewall. Any ideas?
After you added the route were you able to ping the internal IP address of the firewall from the machines on the 10.10.1.x network; if no, then the firewall would not be able to route traffic to the hosts.

Please note first have the connectivity between the machines on the 10.10.1.x network and the firewall; the machines should also be able to connect to the internet through the firewall and should have the default gateway as the internal IP address of the firewall.

Further, please note you should be able to ping 10.10.1.1 and 10.10.2.1 from all the machines on the 10.10.1.x network; if no; then you need to check your settings on the Windows machines that it is acting as a router.

Thank you.
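
Added example (not part of the original thread): a small longest-prefix-match model of the static route and the server-as-router checks suggested in the two replies above, showing where a forwarded packet for 10.10.1.x goes before and after the route is added. The /24 masks on 10.10.2.x, the 203.0.113.1 upstream gateway and the LAN host 10.10.1.50 are constructed assumptions; the other addresses are the ones given in the thread.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.
    Returns 'on-link', a gateway IP string, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes
            if addr in ipaddress.ip_network(net)]
    if not hits:
        return None
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return gw or "on-link"

# Firebox routing table before the change (masks and upstream are assumed).
FIREBOX_BEFORE = [
    ("10.10.2.0/24", None),           # trusted interface, 10.10.2.2
    ("0.0.0.0/0", "203.0.113.1"),     # constructed ISP gateway
]
# Same table with the route from the answer: 10.10.1.0/24 via 10.10.2.1.
FIREBOX_AFTER = FIREBOX_BEFORE + [("10.10.1.0/24", "10.10.2.1")]

# The SBS server's own table, with both NICs directly connected.
SERVER = [
    ("10.10.2.0/24", None),           # Internet-facing NIC, 10.10.2.1
    ("10.10.1.0/24", None),           # LAN NIC, 10.10.1.1
    ("0.0.0.0/0", "10.10.2.2"),       # default gateway is the Firebox
]

def firebox_to_lan(firebox_routes, dst, server_forwards=True):
    """Describe what happens to a packet the Firebox forwards to dst."""
    hop = next_hop(firebox_routes, dst)
    if hop != "10.10.2.1":
        return f"firebox sends to {hop}: never reaches the server's LAN side"
    if dst in ("10.10.1.1", "10.10.2.1"):
        # Both addresses belong to the server, so no forwarding is needed.
        return "delivered: address is on the server itself"
    if not server_forwards:
        return "dropped at server: routing between NICs is not enabled"
    return f"delivered via server, {next_hop(SERVER, dst)} on 10.10.1.0/24"

if __name__ == "__main__":
    for name, table in (("before", FIREBOX_BEFORE), ("after", FIREBOX_AFTER)):
        for dst in ("10.10.1.1", "10.10.1.50"):
            print(name, dst, "->", firebox_to_lan(table, dst))
    print("no routing:", firebox_to_lan(FIREBOX_AFTER, "10.10.1.50", False))
```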
ASKER CERTIFIED SOLUTION
Lawot
Good to know that the problem is resolved.