SBS2003 with a Draytek 2820n - What ports to open?

Posted on 2010-01-03
Last Modified: 2013-11-21
We have just connected our server to a new BT broadband line (new static IP) through a Draytek Vigor 2820n modem/router.
The first thing after getting a live Internet connection was to open port 25 for our SMTP feed.

Our TAG name is changed to BT name server, MX/A records set and reverse DNS set up for the new IP address.

Under the NAT settings of the Vigor I have the option of [Port Redirection] or [Open Ports].
I chose [Open Ports] and enabled Open Ports for SMTP using TCP protocol Start = 25, End = 25 and the LocalComputer was the IP address of the server.
Our e-mail works on the LAN network and through the 5 Blackberries we have. Send and Receive = OK.
We can also connect to the Internet and browse from within the network (however, this now seems to be bypassing the server and going directly through the router. I tried to browse from a computer that was not on the domain, just set up in a workgroup, and it connected to the Internet!)

I now want to enable the other services we use, specifically Outlook Web Access and Remote Web Workplace, but also VPN and Terminal Services.

So I have opened RDP port 443
SharePoint opened port 444
RWW port 4125
VPN port 1723
Terminal Services port 3389
HTTP port 8080 (not sure of this one, but I read that I needed the HTTP port open which for the server is 8080)

All the above pointing at our server IP

When I type the external IP into a browser as I used to, i.e.


I get a 404 Not Found!!! error

Could anyone tell me what I am doing wrong?
And point me in the right direction.

I can type the external IP address into a browser and get into the Vigor management page, and so make alterations from home and test as if I was one of the remote workers.

Thank you for your time in reading this.
Question by: NELMO
    LVL 77

    Expert Comment

    by: Rob Williams
    I would think you want port redirection rather than open ports. The latter sounds more like a firewall option, which you may need as well, but the port has to be forwarded (redirected) to the IP of the SBS.

    Do you have 1 or 2 NICs in the SBS? Regardless, you need to run the CEICW (Configure E-mail and Internet Connection Wizard, located under Server Management | Internet and E-mail | Connect to the Internet). DHCP should be disabled on the Draytek if you are using 1 NIC. If you have 1 NIC the clients will connect directly to the router but get their DNS from the SBS. The clients need to point ONLY to the SBS for DNS. If the SBS is the DHCP server, which it should be, this will be the case. If the server has 2 NICs the switch should be between the SBS and the client machines, with its WAN NIC connected to the Draytek. In this case the clients still use the SBS for DNS and DHCP, but also use the SBS as a gateway.

    You do not need port 8080, nor 80.
    Port 3389 is not necessary as you can manage the server using Remote Web Workplace using ports 443 and 4125 which is more secure.
    LVL 6

    Expert Comment

    Look at the output of the command netstat -an and see what ports are open on the server ("LISTENING" state); that might give you a clue about what ports you have to forward.
    LVL 77

    Expert Comment

    by: Rob Williams
    The following link may be helpful as to how to configure the port forwarding. It is for a Draytek 2800n, but I suspect the configuration screens are similar. The link is for port 25, but the others would be done in a similar way. (Note: click Skip Ad in the top right corner.)

    Also, if you plan to use the VPN (port 1723) you need to enable GRE pass-through. I don't know how you do this on the Draytek, but it may be called "PPTP Pass-through" under the firewall section. GRE is not a port but rather a protocol, and is not forwarded in the same manner.
    LVL 77

    Expert Comment

    by: Rob Williams
    PS: do not open all ports that are in the "listening" state; you could wind up with some security holes, as many are intended only for LAN use.
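The two comments above (check what the server is listening on with netstat -an, but do not forward everything you find) can be turned into a quick review of the asker's forwarding rules. This is an added example, not code from the thread: the netstat output is a constructed sample, and the "not needed" list simply encodes the experts' recommendations for ports 80, 8080 and 3389.

```python
import re

# Constructed sample of `netstat -an` from an SBS 2003 host (not the asker's real output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4125           0.0.0.0:0              LISTENING
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.2:443        203.0.113.7:51000      ESTABLISHED
"""
# Rules the asker configured on the Vigor, as listed in the question.
ASKER_FORWARDED = {25, 443, 444, 4125, 1723, 3389, 8080}

# Ports the experts say need not be forwarded, with the reason they give.
NOT_NEEDED = {
    80: "use HTTPS on 443 instead of HTTP",
    8080: "not needed for SBS remote access",
    3389: "RWW over 443 + 4125 already provides RDP, more securely",
}

def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from netstat -an output."""
    pattern = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)
    return {int(p) for p in pattern.findall(netstat_text)}

def review_forwarding(netstat_text, forwarded):
    """Compare the router's forwarding rules with what the server really listens on."""
    listening = listening_tcp_ports(netstat_text)
    report = {"keep": [], "remove": [], "dead_rule": [], "lan_only": []}
    for port in sorted(forwarded):
        if port in NOT_NEEDED:            # forwarded, but the thread says it is unnecessary
            report["remove"].append((port, NOT_NEEDED[port]))
        elif port not in listening:       # forwarded, but nothing listens: stale rule
            report["dead_rule"].append(port)
        else:                             # forwarded and in use: keep
            report["keep"].append(port)
    # Listening but not forwarded: LAN-only services, leave them closed on the router.
    report["lan_only"] = sorted(listening - forwarded)
    return report

if __name__ == "__main__":
    for category, ports in review_forwarding(SAMPLE_NETSTAT, ASKER_FORWARDED).items():
        print(f"{category:10} {ports}")
```

On the sample, ports 3389 and 8080 land in "remove", 80/139/445 stay LAN-only, and the remaining rules (25, 443, 444, 1723, 4125) are the ones the thread actually needs.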
    LVL 77

    Accepted Solution

    Another link provided by Draytek outlining port forwarding. You need to use both Port redirection and open ports:

    Draytek instructions for PPTP VPN pass-through/forwarding:
    LVL 8

    Assisted Solution

    You only need to use one or the other, open ports or port redirection.  It is up to you.

    You are getting 404 errors when you try to access your server via http because port 80 is not open on your router. If you wanted to access your SBS this way you would need to open port 80 through to your server, but this is not ideal; you should only enable https access, which is port 443, which you have already opened. To test this access you should be trying https://yourdomainip. Once it is working through the IP address you should also be able to access it through

    You might need to go into the System Management / Management Setup section of the Vigor configuration and turn off https management access (or change the default port for https access to something other than 443). This will allow the Vigor to pass port 443 to your SBS. Once you have everything else working you may want to disable management from the Internet completely, or change the default http access port to something other than 80, or your staff will continue to see the Draytek login page if they accidentally use http rather than https in the future. Bear in mind that this will only allow you to manage the router from within the LAN, so if you do this before you solve the remote access issues you may prevent yourself from accessing the router remotely to try different settings.

    On the router configuration, you also need to go into the VPN and Remote Access section, Remote Access Control Setup, and turn off PPTP VPN. This will allow the Vigor to pass port 1723 to your SBS.

    You can close port 8080 as it is not needed.

    Author Closing Comment


    Got it working by turning off remote management in the router.
    Not a perfect solution, but it gets us connected to OWA.
    Will try access to the router through different ports as suggested later.

    Thanks again

    Note: As a consequence of the changes (this can't be coincidence) we cannot access the 'CompanyWeb' from the LAN now! But I am posting this as a separate question.
