
SMB share over internet

I'm trying to share a folder over the internet from a Win 2k8 R2 server. The SMB share works internally.

The server has a static IP and I've opened the following ports in the firewall:

TCP      Any -> 135-139
        Any -> 445
        Any -> 3389

UDP      Any -> 135-139
        Any -> 445

Any thoughts? What am I missing?

Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
I won't give you a big lecture about how dangerous it is to open these ports in your firewall other than to say that.  

Now to get this working you need a NAT policy on your firewall to direct inbound traffic from your Public IP to the specific IP you are sharing this folder from.

Can you tell me what type of internet firewall you are using?

I believe you only need TCP 445 for SMB file shares as well. You won't need NetBIOS (137) or RPC (135) or RDP (3389).  You shouldn't need any of the UDP either.

Author

Commented:
I know the danger - need it for one specific instance - but thank you for the concern.

It's got its own external static IP - no NAT policy needed to forward ports to access the server - just had to make sure the firewall won't kill the connection. I've got 445 open and still no SMB. Other services are working, like HTTP, HTTPS, and Remote Desktop, over their respective ports.

Thanks
Yes, just TCP port 445 is what is required to access the file server. You do not need any other ports.

From the firewall can you telnet to your file server on port 445?

As mcsween suggested this could be related to NAT.
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
Check the Firewall on the server itself.  TCP 445 may only be open to specific subnets.  

How is the server connected to the LAN?  
Do you have multiple interfaces on the server?

Author

Commented:
For troubleshooting purposes, I bypassed the firewall entirely and disabled Windows Firewall. Right now the box is hooked directly to the ISP with its static external IP.

I cannot telnet to 445 - unable to connect to remote host. Is there some service that should be running and isn't?
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
Your ISP could be blocking TCP 445

Author

Commented:
To the best of my knowledge, Verizon doesn't block any of our ports, but I am double checking with them right now (on hold).

This should work right off the bat once there's a folder being shared (and if SMB shares were internally accessible on the network), assuming no firewall issues, right?
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
Yes; it should.  You are trying to access by \\PublicIP correct?

Author

Commented:
Yes, trying with public IP as well as fqdn, with \\IP\share and just \\IP\, \\IP etc. No luck...
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
I would set up MS Network Monitor or Wireshark on this system, start a capture, and try to access the share to see if any packets are making it to the server at all.  If you have the ability to put a hub between the server and ISP, then capture from a 3rd workstation connected to the hub; you will get a bit more insight as to what is going on, as you will see packets that are blocked at the server.  You will have to use a hub, not a switch, unless it is managed and is set up for port mirroring.

I prefer Wireshark but MS Network Monitor is easier to use IMHO.

http://www.microsoft.com/download/en/details.aspx?id=4865

http://www.wireshark.org/

Thanks for all your help mcsween.

I've removed this server from our managed switch for troubleshooting purposes but I'll add it back, port mirror a spare laptop to it and see what I'm picking up. Again, thanks for your help, and hopefully this will show where this is going wrong.

Author

Commented:
unresolved
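The telnet test in this thread only reports "unable to connect"; whether the attempt was actively refused or silently dropped separates "nothing is listening on 445 on the server" from "the traffic is filtered on the path", such as the ISP block raised above. The following is an added example, not part of the original thread, and the function names `probe_tcp` and `compare` are hypothetical. It probes 445 next to ports the author reports as working remotely (RDP, HTTPS) so the results can be read side by side.

```python
import errno
import socket

def probe_tcp(host, port=445, timeout=3.0):
    """Classify one TCP connect attempt to host:port.

    "open"        - handshake completed, a service is listening
    "refused"     - a reset came back: host reachable, nothing listening
                    (or a firewall that rejects instead of dropping)
    "filtered"    - no answer before the timeout: packets are dropped
                    somewhere on the path (ISP filter, firewall)
    "unreachable" - no route or ICMP unreachable
    "error:<name>" - anything else
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "error:dns"
    family, socktype, proto, _, addr = infos[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(addr)
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

def compare(host, ports=(445, 3389, 443)):
    """Probe 445 alongside ports the thread says already work remotely."""
    return {p: probe_tcp(host, p) for p in ports}

if __name__ == "__main__":
    import sys
    # Default target is loopback; pass the server's address as argument 1.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in compare(host).items():
        print(f"{host}:{port} -> {state}")
```

Run from an outside connection, "open" on 3389 and 443 with "filtered" on 445 points at filtering upstream of the server, while "refused" on 445 points at the server itself (the Server service not listening on that interface).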