How to troubleshoot Internet Issue on Windows 2003 SBS?

Hello All, I have recently configured a Windows 2003 SBS as an Exchange Server running DNS services as well on my LAN. Everything seems to be working correctly. Email is flowing through, ns-lookups on LAN are resolving, ns-lookup on google.com and other Internet addresses are resolving as non-authoritative. DNS Event Viewer is clear. However, I cannot get the server to browse internet pages. I believe my problem lies in the DNS Server settings but I would like some assistance with this.

Thank You in advance to all that decide to assist.
manny_lenis Asked:

Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
On the DNS server settings, are you forwarding to your ISP's preferred DNS servers? The SBS server is pointing to itself for DNS?
0
manny_lenis (Author) Commented:
Don't think so. How can I check?
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Call your ISP, ask for the preferred DNS server IPs. I would get at least two.

Then open DNS Server and right click on the server, select Properties --> Forwarders tab, populate this with the ISP preferred DNS servers you get from the ISP.

Then open the NIC properties and make sure you have the DNS server settings pointing to itself.
0
Alan Hardisty (Co-Owner) Commented:
If the clients are able to get onto the web, then the DNS sounds like it is set up properly and forwarding to the ISP's DNS server.
What are the IP settings on the Server's Network Card?  They should be set as static and may be wrong.
Start, Run, ncpa.cpl (enter)
Double-click on internet protocol (TCP/IP) and report on all the settings please.
Alternatively, open up IE, Click on Tools, Internet Options, Connections Tab, Lan Settings Button and make sure that all settings are unchecked.
Close IE down and try again.
0
manny_lenis (Author) Commented:
OK, I received my preferred DNS servers from my ISP. Forwarders seem to be correct. And the NIC card has itself as the preferred server, then I have the 12.127.16.69 as the 2nd.
dns.doc
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Can you ping these two DNS servers?

Also for Active Directory to work properly they need to only query AD DNS servers.   So I would have the SBS box and all the workstations point to the SBS server
0
manny_lenis (Author) Commented:
Cannot ping those addresses.
0
Alan Hardisty (Co-Owner) Commented:
Have you read my comment yet?
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
This might be the issue. Can you ping 4.2.2.4?

If so for a test set this IP as the forwarder and remove the others.   See if you get internet.

If you can't there is some type of connectivity issue going on...firewall or other.
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
That is, if you can't ping, you have a connectivity issue...
0
manny_lenis (Author) Commented:
Cannot ping that address. I am receiving mail through that server and I am able to connect from outside to that server using https://domain.com/exchange
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
You have some odd connectivity going on more than likely at the firewall.    I would check the outbound logs to see what the story is or the rules.    See if port 80 is blocked or something else.

4.2.2.4, 12.127.16.68, and 12.127.16.69 are all pingable for me.
0
Alan Hardisty (Co-Owner) Commented:
Manny_lenis.
I offered some suggestions to you over half-an-hour ago. Have you looked at my suggestions or should I stop monitoring this question and leave EndureKona to assist you?
The idea of Experts Exchange is that you may get several suggestions from more than one Expert and one or more of those suggestions may work.  It would be nice to know that I am not wasting my time trying to help you ;-)
0
manny_lenis (Author) Commented:
I'm trying all that you have suggested. Still nothing. I'll be looking at the firewall logs in a minute.
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Also hopefully you checked Alan's suggestion for the proxy settings in IE
0
Alan Hardisty (Co-Owner) Commented:
Thank you - can you please post the IP configuration info from your Network Card
Start, run, cmd (enter)
ipconfig /all >c:\ipconfig.txt
Then upload c:\ipconfig.txt to this question please.
0
manny_lenis (Author) Commented:
As per your request.
ipconfig.txt
0
manny_lenis (Author) Commented:
No proxy server address in IE
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Ok try to see if IE is having issues...install Firefox...pull the installer from one of your workstations.    

From the workstations that get internet you have the same default gateway?
0
manny_lenis (Author) Commented:
I've tried Firefox before starting thread. Same issue. Same gateway on server as all workstations.
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
All your workstations are fine only the SBS server?   What type of firewall do you have?   Does it have limited (licenses) nodes?
0
manny_lenis (Author) Commented:
Only the SBS.  Watchguard firewall.
0
Alan Hardisty (Co-Owner) Commented:
Okay - that looks okay.
Can you test DNS on the server by clicking on Start, Programs, Administrative Tools, DNS.
Expand the DNS tree until you can see your server.  Right click on your server and choose properties.  Click on the monitoring tab and select both the simple and recursive queries.  Then click on the Test Now button.
If the results in the window below both say pass, uncheck both check boxes and close DNS down.
If all is well, then the problem is probably tcp/ip related, or may be IE related.
From a DOS prompt - please type nslookup www.microsoft.com >c:\nslookup.txt and copy the c:\nslookup.txt file to this question.
0
manny_lenis (Author) Commented:
PASSED
0
Alan Hardisty (Co-Owner) Commented:
I expected it would!
What about nslookup on the server?
0
manny_lenis (Author) Commented:
Here is the nslookup output
nslookup.txt
0
Alan Hardisty (Co-Owner) Commented:
Okay - so nslookup works, so have you checked the IE settings I mentioned?
If you have, please run from a DOS prompt
netsh winsock reset
then test again.
0
manny_lenis (Author) Commented:
Is restart a requirement?  I'd hate to take it down while users are logged on. Re-Checking IE
0
Alan Hardisty (Co-Owner) Commented:
No restart required.
0
Alan Hardisty (Co-Owner) Commented:
At least not immediately! You will have to, to complete the reset.
0
manny_lenis (Author) Commented:
IE looks good.  Still no Internet.
0
manny_lenis (Author) Commented:
Checking firewall....
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Watchguard -->  Under System Status --> Option -->  User Licenses how many are you licensed for?
0
Alan Hardisty (Co-Owner) Commented:
As this is SBS, if you have tried everything, re-run the Configure Email & Internet Connection Wizard.
Start, Server Management, To Do List, Connect To The Internet.
Run through to completion and that should sort it.
0
manny_lenis (Author) Commented:
alanhardisty, I will try.
0
manny_lenis (Author) Commented:
EndureKona, don't see those options on my watchguard Firebox X500
0
djclause Commented:
Are you using 2 network cards in your SBS or 1??

If only 1, then the "connect to the Internet" will not run, it is designed to use a public and private nic, and if you have an external firewall I am guessing 1 network card.
0
manny_lenis (Author) Commented:
1 NIC.  Still no luck after running  Configure Email & Internet Connection Wizard.
0
Alan Hardisty (Co-Owner) Commented:
djclause - the Wizard will run happily - not sure why you think it won't.
0
Alan Hardisty (Co-Owner) Commented:
Reboot the server when you can, then try again.
0
manny_lenis (Author) Commented:
Rebooting......
0
manny_lenis (Author) Commented:
Not sure if this plays a role but I have a 1-to-1 NAT setup on my firewall where all traffic from mail.eaglebrands.com goes to my mail server's local IP.
0
manny_lenis (Author) Commented:
I'm pinging google.com and I don't even see the pings on the firewall traffic log
0
Alan Hardisty (Co-Owner) Commented:
Have you reset IE settings?
Tools, Internet Options, Advanced Tab. Restore and Reset settings.
Close and then re-open IE and test.
0
manny_lenis (Author) Commented:
Still no luck.
0
manny_lenis (Author) Commented:
I'm going to upload 2 tracert files. One from a workstation, the other from the SBS. Please take a look. 192.168.100.1 is my firewall.
from-workstation.txt
from-sbs.txt
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Can you power cycle the watchguard?
0
manny_lenis (Author) Commented:
Rebooting...
0
Alan Hardisty (Co-Owner) Commented:
Certainly seems to be firewall related!
0
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
Sorry guys, I have played around too much today and need to do some work. I agree with Alan on the firewall issue with the tracert you posted. My one question about the user licenses: I know there are firewalls out there like Watchguard, Cisco Pix, and Sonicwalls (and others) that have limited outbound licenses. You might want to look at this on the Watchguard. This will come and go... let's say you have 10 licenses and 10 workstations, your SBS server is 11th... then the next two you have two users out... and the SBS box will work.

Or there is really something wrong with the watchguard...
0
Alan Hardisty (Co-Owner) Commented:
No problems EndureKona - I'm at home getting dinner ready, so will be near my computer for the rest of the evening.  You go do some real work ;-)
Alan
0
manny_lenis (Author) Commented:
Thanks EndureKona for your help
0
Alan Hardisty (Co-Owner) Commented:
Manny_lenis - did you reboot the firewall?
Any joy yet?
0
manny_lenis (Author) Commented:
Rebooted.  No Joy.
0
Alan Hardisty (Co-Owner) Commented:
Can you put the server in the DMZ for a moment or two - would not normally suggest this, but need to rule out the firewall.  Test then take out of the DMZ.
0
manny_lenis (Author) Commented:
OK, just to do a test I changed the server's IP to something else and it let me get on the internet no problem.
0
Alan Hardisty (Co-Owner) Commented:
Okay - then your firewall config is blocking the IP of your server by the looks of things.
Are you a Watchguard guru?
0
manny_lenis (Author) Commented:
Not really, more of a Cisco guy. I'm doing this as a favor for one of my buddies. The only thing that I can see is that the one-to-one NAT has something to do with it.
0
Alan Hardisty (Co-Owner) Commented:
Would you permit me to jump on remotely to look at the Firewall?
0
Alan Hardisty (Co-Owner) Commented:
Alternatively, get the people who manage / configure the firewall to check it out and correct the issue.
0
manny_lenis (Author) Commented:
can you vnc?
0
Alan Hardisty (Co-Owner) Commented:
No.  But we can use www.teamviewer.com
Please refer to my profile for contact details.
0
manny_lenis (Author) Commented:
340 162 837
0
manny_lenis (Author) Commented:
4822
0
Alan Hardisty (Co-Owner) Commented:
You have a NAT Exception for your Server's internal IP Address.  If you remove it, you will gain internet access.
Open up Watchguard Firewall
Click on Setup, NAT.
Click on the Advanced Button
Click on Dynamic NAT Exceptions Tab
Remove the Exception for your mail server
Save the configuration to the Watchguard.
Surf away!
0
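
The accepted fix above, as an added example that is not part of the original thread and is not WatchGuard's implementation: a simplified model of outbound source NAT that shows why a host listed as a dynamic NAT exception loses Internet access unless it also has its own outbound mapping. The server address 192.168.100.10, the 203.0.113.x public addresses and all function names are assumptions made for the illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def egress_source(src, dynamic_nat, exceptions, one_to_one, external_ip):
    """Source address a LAN packet carries after leaving the firewall."""
    ip = ipaddress.ip_address(src)
    if src in one_to_one:
        return one_to_one[src]      # host has its own outbound public mapping
    if any(ip in ipaddress.ip_network(n) for n in exceptions):
        return src                  # excepted from dynamic NAT: left untranslated
    if any(ip in ipaddress.ip_network(n) for n in dynamic_nat):
        return external_ip          # normal case: shares the external address
    return src

def gets_replies(src, **policy):
    """A packet that leaves with a private source cannot be answered."""
    out = ipaddress.ip_address(egress_source(src, **policy))
    return not any(out in net for net in RFC1918)

def audit(hosts, **policy):
    """Hosts whose outbound traffic would leave with a private source."""
    return [h for h in hosts if not gets_replies(h, **policy)]

# Constructed sample policy: the whole LAN is dynamically NATed, the mail
# server is excepted, and (assumption) no outbound 1-to-1 mapping applies.
POLICY = dict(
    dynamic_nat=["192.168.100.0/24"],
    exceptions=["192.168.100.10"],      # hypothetical server address
    one_to_one={},
    external_ip="203.0.113.5",          # documentation-range placeholder
)
HOSTS = ["192.168.100.10", "192.168.100.50"]

if __name__ == "__main__":
    print("broken with exception:", audit(HOSTS, **POLICY))
    fixed = dict(POLICY, exceptions=[])
    print("broken after removing it:", audit(HOSTS, **fixed))
```

Running the same audit against an exported NAT configuration before adding an exception catches the case from this thread, where only the excepted server lost access while every workstation kept working.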
manny_lenis (Author) Commented:
alanhardisty, very professional and patient and knowledgeable.  

Thanks

Manny Lenis
0