bctf1
asked on
Need help to disable SBS 2003 R2 Standard ICS service
The Windows Firewall/ICS service is running on my SBS 2003 R2 Standard server (configured as DC, DHCP server, DNS server, Exchange server, file server) with 1 NIC. An Actiontec M1000 DSL gateway/router (DHCP disabled) is the default gateway for the server and workstations, which are connected via network switches to the M1000. All workstations are configured for DHCP.
If I disable the ICS service on my server it effectively breaks my lan. The server cannot be pinged from any workstation and server shares are not available to any workstation. Also, workstations cannot access the internet but the server can.
I understand that this configuration is basically sharing my server's internet connection for my lan and that the ICS service should not be running on SBS 2003. However, I can't figure out how to disable it without breaking my lan and internet access for my workstations.
I have a feeling that I created this problem myself during the initial SBS configuration. At one point my lan stopped working and I may have changed some group policy settings for ICF and the Windows Firewall. I have attached a couple of screen shots of my current ICF settings and denied GPO's hoping that it might provide a clue how I can disable ICS without breaking my lan. I am unsure what settings to change so I can disable ICS without breaking my lan.
Here are the results of an ipconfig /all from one of the workstations:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\username>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : computername
Primary Dns Suffix . . . . . . . : domainname.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domainname.local
domainname.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : domainname.local
Description . . . . . . . . . . . : Intel(R) 82562V-2 10/100 Network Connection
Physical Address. . . . . . . . . : 00-1D-09-86-D6-0E
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.5.24
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.1
DHCP Server . . . . . . . . . . . : 192.168.5.3
DNS Servers . . . . . . . . . . . : 192.168.5.3
Primary WINS Server . . . . . . . : 192.168.5.3
Lease Obtained. . . . . . . . . . : Saturday, August 02, 2008 9:40:52 AM
Lease Expires . . . . . . . . . . : Sunday, August 10, 2008 9:40:52 AM
Any and all comments are appreciated.
icfsettings.jpg
deniedgpo.jpg
Are you sure it is ICS running and not Routing and Remote Access? ICS should not and probably is not running on the server. It also requires 2 network connections in order to run, such as a WAN and a LAN adapter, or a wired and a wireless. Even your policy says Prohibit - enabled. Is the "Windows Firewall and Internet Connection Sharing" service enabled and running in the services management console?
ASKER
Hi Rob,
Thanks for your reply. Yes, the ICS service is running, see the attachment below. To make a long story short, the way I discovered that ICS was running was that I enabled Remote Access via CIECW and configured VPN. After my server was rebooted the first time, my lan was broken and the server started generating 32009 system events: "The Windows Firewall/Internet Connection Sharing (ICS) service could not start because another program or service is running that might use the network address translation component (Ipnat.sys). This can occur when Routing and Remote Access is enabled. If this is the case, you must disable Routing and Remote Access before the Windows Firewall/Internet Connection Sharing (ICS) service can start."
I then disabled remote access via CIECW and rebooted. The ICS service started successfully and my lan was restored.
icsproperties.jpg
ASKER
BTW, for whatever it's worth, RWW is also enabled on this server.
Interesting, I don't know how it is running with a single NIC.
That is true, enabling RRAS will disable ICS as you stated.
I am assuming you do not have something like a PPPoE internet service that requires a piece of client software to run, to access the internet:
On the SBS check each network connection under control panel/network connections by right clicking on it and choosing properties, then select the advanced tab. On the connection that has ICS enabled there should be an ICS section with "Allow other network users to connect through this computer" checked. Un-check that.
Then you will have to re-run the CEICW.
The CEICW you referred to earlier is actually the "Configure remote access" wizard. You want the "connect to the Internet" wizard on the same page.
The following document is the Microsoft outline for configuring networking with your SBS:
How to configure Internet access in Windows Small Business Server 2003
http://support.microsoft.com/kb/825763
RWW will have no ill effects.
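The checks Rob describes above (is the ICS service really running, which connection has sharing enabled, and does RRAS hold Ipnat.sys) can be done from a PowerShell prompt instead of clicking through the services console and each connection's Advanced tab. The script below is an added example, not part of the thread or of any Microsoft documentation; it assumes PowerShell with WMI access and the HNetCfg.HNetShare COM object, which is present on Windows editions that ship ICS (assumed here to include SBS 2003).

```powershell
# Added example: audit the ICS vs. RRAS state on a Windows server.
# Assumptions: PowerShell 2.0 or later, WMI available, and the
# HNetCfg.HNetShare COM object registered (ships with ICS-capable editions).

function Get-ServiceState {
    param([string]$Name)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) { return "${Name}: not installed" }
    # State = Running/Stopped, StartMode = Auto/Manual/Disabled
    return "${Name} ($($svc.DisplayName)): State=$($svc.State) StartMode=$($svc.StartMode)"
}

# SharedAccess = Windows Firewall/Internet Connection Sharing (ICS)
# RemoteAccess = Routing and Remote Access (RRAS)
# Both want the NAT driver (Ipnat.sys), so only one of them can own it at a time,
# which is what event 32009 in the thread is complaining about.
Get-ServiceState -Name 'SharedAccess'
Get-ServiceState -Name 'RemoteAccess'

# Per-connection ICS flag: the same checkbox as the connection's Advanced tab,
# "Allow other network users to connect through this computer's Internet connection".
$share = New-Object -ComObject HNetCfg.HNetShare
foreach ($conn in $share.EnumEveryConnection) {
    $props = $share.NetConnectionProps($conn)
    $cfg   = $share.INetSharingConfigurationForINetConnection($conn)
    if ($cfg.SharingEnabled) {
        # SharingConnectionType: 0 = public (the shared/Internet side), 1 = private (LAN side)
        $type = if ($cfg.SharingConnectionType -eq 0) { 'public/shared side' } else { 'private/LAN side' }
        "{0} [{1}]: ICS ENABLED ({2})" -f $props.Name, $props.DeviceName, $type
    } else {
        "{0} [{1}]: ICS off" -f $props.Name, $props.DeviceName
    }
}

# Recent 32009 events: ICS could not start because RRAS was already using Ipnat.sys.
Get-EventLog -LogName System -Newest 200 |
    Where-Object { $_.EventID -eq 32009 } |
    Select-Object TimeGenerated, Source, Message
```

Run it before and after changing the ICS service or RRAS so you have a record of which component owned NAT at each point; a server with a single NIC that reports ICS ENABLED on that one connection is the configuration the thread is trying to get rid of.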
ASKER
Thank you very much for your efforts, I really appreciate your help.
"I am assuming you do not have something like a PPPoE internet service that requires a piece of client software to run, to access the internet:"
No, I do not. It is an Actiontec M1000 DSL modem/router with NAT firewall. DHCP is disabled on the M1000. Its LAN IP is 192.168.5.1.
"On the SBS check each network connection under control panel/network connections by right clicking on it and choosing properties, then select the advanced tab. On the connection that has ICS enable there should be an ICS section with "Allow other network user to connect through this computer" checked."
There is no such option on the advanced tab of my server's (only) LAN connection properties screen. BTW, my only LAN adapter is a Broadcom NetXtreme Gigabit Ethernet - driver version 10.26.0.0. See the screen shot below.
Here are the current settings that I have in the connect to the internet wizard. I have not allowed the wizard to automatically configure the M1000.
Connection Type - Broadband
Broadband Connection - a local router device with an IP address
Router Connection:
Preferred DNS server - 205.171.3.65 (Qwest dns server)
Alternate DNS server - 205.171.2.65 (Qwest dns server)
Local IP address of router - 192.168.5.1
My server uses a single network connection for both internet and lan box is checked.
I have already seen the document for configuring SBS 2003 internet access and networking that you reference. It seems to me that I have everything configured according to the document.
lan-advanced-settings.jpg
ASKER CERTIFIED SOLUTION
ASKER
Hi Rob,
"Does disabling it (ICS service) actually break your network connections?"
Once the server rebooted for the first time with remote access/RRAS enabled and the ICS service did not start, I lost the ability to connect via VPN or remote desktop to the server from my home office (remote location) and had to race to the office to troubleshoot the problem.
Once I arrived at the office I saw the following behaviors to the best of my recollection:
1. the server continued to have internet access but could not ping any of the workstations
2. the workstations lost connection to the internet and to shared folders on the server and could not ping the server or web sites.
3. the workstations could not renew their IP address after ipconfig/release and renew commands.
I then disabled remote access using the wizard and rebooted the server. I don't recall if I ran CEICW at that time. After the reboot my LAN functioned fine due to the ICS service having started.
Unless you have additional suggestions or thoughts, I will go to the office, stop the ICS service, wait a few minutes and see if lan connectivity and internet access is working on the workstations. If not, I will run CEICW again, reboot the server and see what happens. I will let you know.
Thank You,
Brad
So far those are the only suggestions I have. A word of caution, don't make network configuration changes remotely :-) Been there done that :-)
Reviewing steps 1, 2, & 3 above again, it sounds like you configured RRAS/VPN and might have enabled NAT; this in turn would stop the firewall/ICS service. Then you rebooted the server; because ICS was set to automatic it tried to start but couldn't because RRAS was enabled, and LAN access was lost, probably due to NAT within RRAS. Disabling RRAS more likely fixed the problem than re-enabling ICS.
Curious to hear how you make out.
--Rob
ASKER
Hi Rob,
Just an update, I will be on site tonight and will try the suggestions above regarding ICS. I should have some feedback for you tomorrow morning. BTW, I will not be configuring remote access at this time.
Based on the reading that I have done comparing RWW to SBS VPN, my current thinking is that RWW may be the better solution for remote access as it does not expose the server to possible infections from the connecting computer as VPN does. Additionally, RWW appears to be just as secure as VPN as long as the RWW group membership is controlled. If you have a different opinion about this, I welcome it.
Thanks,
Brad
I definitely agree with your thoughts on RWW. As you may have noticed by my profile, I am fairly familiar with, and a big fan of, VPNs. VPNs are very secure in that they protect the traffic between the remote site and office, but there is no protection from the computer that is being used to make the connection, or in some cases, if split-tunneling is enabled, no protection from the whole remote network, such as Johnny in the next room playing video games. Server/SBS 2008 will better address this with NAP (Network Access Protection); however, currently RWW offers more security in that it gives you security with SSL, and there is actually no connection between the two sites, just graphics being forwarded.
As for controlling group membership, it is the same concern with a VPN. I can scan your site, see that port 1723 is open and then just start guessing user names and passwords. The important thing is to enable secure password policies that include complex passwords, and locking the account after x wrong guesses.
Unfortunately RWW is only available with SBS. (and EBS 2008)
Let us know how you make out.
ASKER
Hi Rob,
I can't explain why or how, but after stopping the ICS service, disabling it and rebooting the server, all LAN functions were working fine without having to re-run CEICW. This was definitely not the case on my last visit as previously discussed. Makes no sense to me...
I intend on awarding you the points for your efforts and extreme helpfulness. Is there a way I can ask for your help specifically on any future issues?
Thanks,
Brad
Hi Brad, don't you love the Windows X factor :-)
Bizarre, but good to hear. Thanks for updating, and points.
Sure, if you ever want to contact me just use the e-mail address on my profile (click on RobWill).
Cheers !
--Rob