SBS2003 with a Draytek 2820n - What ports to open?

We have just connected our server to a new BT broadband line (new static IP) through a Draytek Vigor 2820n modem/router.
The first thing after getting a live Internet connection was to open port 25 for our SMTP feed.

Our TAG name is changed to BT name server, MX/A records set and reverse DNS set up for the new IP address.

Under the NAT settings of the Vigor I have the option of [Port Redirection] or [Open Ports].
I chose [Open Ports] and enabled Open Ports for SMTP using TCP protocol Start = 25, End = 25 and the LocalComputer was the IP address of the server.
Our e-mail works on the LAN network and through the 5 Blackberries we have. Send and Receive = OK.
We can also connect to the Internet and browse from within the network (however this now seems to be bypassing the server and going directly through the router. I tried to browse from a computer that was not on the domain, just set up as on a workgroup, and it connected to the Internet!)

I now want to enable the other services we use, specifically Outlook Web Access and Remote Web Workplace, but also VPN and Terminal Services.

So I have opened RDP port 443
SharePoint opened port 444
RWW port 4125
VPN port 1723
Terminal Services port 3389
HTTP port 8080 (not sure of this one, but I read that I needed the HTTP port open which for the server is 8080)

All the above pointing at our server IP

When I type the external IP into a browser as I used to i.e.


I get a 404 Not Found!!! error

Could anyone tell me what I am doing wrong?
And point me in the right direction.

I can type the external IP address into a browser and get into the Vigor management page, and so make alterations from home and test as if I was one of the remote workers.

Thank you for your time in reading this.
Rob Williams Commented:
Another link provided by Draytek outlining port forwarding. You need to use both Port redirection and open ports:

Draytek instructions for PPTP VPN pass-through/forwarding:
Rob Williams Commented:
I would think you want port redirection rather than open ports. The latter sounds more like a firewall option, which you may need as well, but the port has to be forwarded (redirected) to the IP of the SBS.

Do you have 1 or 2 NICs in the SBS? Regardless, you need to run the CEICW (Configure E-mail and Connection Wizard located under server management | internet and e-mail | connect to the Internet). DHCP should be disabled on the Draytek if you are using 1 NIC. If you have 1 NIC the clients will connect directly to the router but get their DNS from the SBS. The clients need to point ONLY to the SBS for DNS. If the SBS is the DHCP server, which it should be, this will be the case. If the server has 2 NICs the switch should be between the SBS and the client machines with its WAN NIC connected to the Draytek. In this case the clients still use the SBS for DNS and DHCP, but also use the SBS as a gateway.

You do not need port 8080, nor 80.
Port 3389 is not necessary as you can manage the server using Remote Web Workplace using ports 443 and 4125 which is more secure.
Look at the command netstat -an and see what ports are open on the server ("LISTENING" state) - that might give you a clue about what ports you have to forward.
Rob Williams Commented:
The following link may be helpful as to how to configure the port forwarding. It is for a Draytek 2800n, but I suspect the configuration screens are similar. The link is for port 25, but the others would be done in a similar way. (Note: click "skip ad" in the top right corner.)

Also, if you plan to use the VPN (port 1723) you need to enable GRE pass-through. I don't know how you do this on the Draytek, but it may be called "PPTP-Pass-through" under the firewall section. GRE is not a port but rather a protocol and is not forwarded in the same manner.
Rob Williams Commented:
PS - do not open all ports that are in the "listening state"; you could wind up with some security holes as many are intended only for LAN use.
You only need to use one or the other, open ports or port redirection.  It is up to you.

You are getting 404 errors when you try to access your server via http because port 80 is not open on your router.  If you wanted to access your SBS this way you would need to open port 80 through to your server but this is not ideal, you should only enable https access which is port 443 which you have already opened.  To test this access you should be trying https://yourdomainip  Once it is working through IP address you should also be able to access through

You might need to go into the system management/management setup section of the Vigor configuration and turn off https management access (or change the default port for https access to something other than 443).  This will allow the Vigor to pass port 443 to your SBS.  Once you have everything else working you may want to disable management from the internet completely or change the default http access port to something other than 80, or your staff will continue to see the Draytek login page if they accidentally use http rather than https in the future.  Bear in mind that this will only allow you to manage the router from within the LAN so if you do this before you solve the remote access issues you may prevent yourself from accessing the router remotely to try different settings.

On the router configuration, you also need to go into the VPN and remote access section, Remote Access Control Setup, and turn off PPTP VPN.  This will allow the Vigor to pass port 1723 to your SBS.

You can close port 8080 as it is not needed.
NELMO Author Commented:

Got it working by turning off remote management in the router.
Not a perfect solution but gets us connected to OWA.
Will try access to router through different ports as suggested later.

Thanks again

Note: As a consequence of the changes (this can't be coincidence) we cannot access the 'CompanyWeb' from the LAN now! But I am posting this as a separate question.
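
The netstat -an check suggested in the thread, combined with the warning not to forward every port in the LISTENING state, can be scripted. The following is an added example, not code from any poster: the netstat output is a constructed sample, the function names are hypothetical, and the two port sets are the ones named in the thread.

```python
import re

# Ports the thread ends up forwarding to the SBS, and the ones the answers
# say are not needed from the Internet.
FORWARD = {25, 443, 444, 1723, 4125}   # SMTP, HTTPS, SharePoint, PPTP, RWW
NOT_NEEDED = {80, 8080, 3389}

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.16.2:139       0.0.0.0:0              LISTENING
  TCP    192.168.16.2:443       203.0.113.9:51515      ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def listening_tcp(netstat_text):
    """Return {port: set of local addresses} for TCP sockets in LISTENING state."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports

def classify(netstat_text):
    """Sort listening ports into the thread's buckets."""
    ports = listening_tcp(netstat_text)
    # A loopback-only listener cannot be reached through a router forward.
    reachable = {p for p, addrs in ports.items() if addrs != {"127.0.0.1"}}
    return {
        "forward": sorted(reachable & FORWARD),
        "not_needed": sorted(reachable & NOT_NEEDED),
        "lan_only": sorted(reachable - FORWARD - NOT_NEEDED),
        "no_listener": sorted(FORWARD - reachable),
    }

if __name__ == "__main__":
    for bucket, found in classify(SAMPLE).items():
        print(f"{bucket:12} {found}")
```

Ports reported under lan_only are the ones the PS in the thread is about: they are listening on the server but should stay off the router's forwarding list.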