navjump

Turned on Windows Server 2003 firewall, now clients can't access the internet.

Hi

If I turn on the firewall on my Server 2003, all the users connected via DHCP can't access the internet; when I turn it off again they can gain access.

How do I resolve this?

Is my router's built-in firewall enough? Do I leave this off?
kutesir

Do you have NAT configured anywhere? Your question does not add up; a few details would help. For example, is there a possibility that you are using a router that is provided by the ISP? Otherwise, there has to be a way in which your users' IPs are translated to be routed over the Internet. Something does not add up.
navjump

ASKER

I should clarify: in the DHCP settings of Server 2003 I have my router's IP identified, which has its firewall enabled. Does that still work even though the router isn't sorting the DHCP?

Thanks
ASKER CERTIFIED SOLUTION
Dan Craciun
navjump

ASKER

OK, could you explain that in more detail for me please, about the topology?

The server is the DNS, so adding in the DNS exception sounds like it will work.

However, I am now curious: without the Windows firewall, do I have the protection of the router firewall?

My DHCP config points towards the router, and the DNS (set from the network adapter properties) is the Server 2003.

Will that still function as a firewall?

Also, if I set the Server 2003 network card properties to have the DNS of the router as well as it being the gateway address, will that be better?

Thanks

John
navjump

ASKER

Sorry, in answer to the first question about NAT:

I am using a router provided by the ISP; it's pretty standard, but the firewall is turned on there, but not the DHCP.

I do agree with Dan. Are you using ICS?
Do an ipconfig with the DHCP server off and do an ipconfig when the DHCP server is on.
Compare both configurations.
The Windows Firewall is *NOT* compatible with SBS 2003. In fact, attempting to turn it on throws a pretty big warning that you'd have to "OK" past to get it to turn on. Note that this is *SBS SPECIFIC*, so general Server 2003 advice does NOT apply here.

Is a router firewall "good enough"? I do not believe so in this day and age.
Should you be turning on the Windows Firewall in SBS 2003? NO.
What is the alternative? Upgrade your OS (SBS 2008 and above work fine with the Windows Firewall) or use a 3rd-party firewall program. That's it. This was a known design limitation of SBS 2003, was well documented, and SBS 2003 was released before Microsoft's pivot towards their "trustworthy computing" security initiative. So there was no reasonable way for them to go back and make all of the changes that would have been necessary to make the SBS features play nice with Windows Firewall. You simply cannot make this work reliably.

-Cliff
navjump

ASKER

I can't turn off DHCP right now, but I am concerned about the protection I have (or don't have), so currently the server's ipconfig with DHCP on is...

Hostname myservername
dns suffix mydetails.local
node type hybrid
ip routing enabled no
wins proxy enabled no
dns suffix searchlist mydetails.local

IP address 192.168.16.2
subnet 255.255.255.0
Default gateway 192.168.16.124
Primary DNS 192.168.16.2
primary WINS 192.168.16.2

I gave a similar solution to a colleague on another platform. I believe the issue lies in the firewall in Windows Server 2008 needing to allow DHCP client broadcasts; you will have to exclude them from the rule that is interrupting or blocking your DHCP. Please note that DHCP clients use the remote UDP port 67 for IPv4. Now, if you are using an IP-based instead of a port-based solution, exclude the broadcast address 255.255.255.255.

The topology simply refers to the way your network works (https://en.wikipedia.org/wiki/Network_topology).

If your computers connect directly or through switches/APs to the router and then to the internet, enabling a firewall on any of them won't increase protection for the rest.

You need a server/appliance with the firewall role that stays between the router and your network (or the router and the internet) to have a global impact.

A simple example would be if your server was connected to the router and then the rest of the network would connect to the internet using ICS on that server. Then, any firewall you use on the server would protect/kill your entire network.

HTH,
Dan

More to that, you can also:

Check the Firewall logging to see if the traffic was blocked.
Go to Firewall, View Firewall Events, and check if there is traffic blocked:

Action: Blocked
Protocol: UDP
Source Port: 67
Destination: 255.255.255.255
Destination Port: 68

Create a global rule to fix the problem.
Go to Firewall, Advanced, Network Security Policy, Global Rules and click on [Add..]

Action: Allow
Protocol: UDP
Direction: In
Description: <leave empty>

Source Address: Any
Destination Address: 255.255.255.255
Source Port: A Single Port 67
Destination Port: A Single Port 68

Then press [Apply] and [Move Up] to set this as the first rule, press [OK] and go back to the command box, then type ipconfig /renew, and DHCP should be fully functioning again.
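The two posts above both come down to the same check: look at what the firewall is dropping, then open only the ports the server actually serves. The script below is an added example written for this thread; it is not code from any of the posters or from Microsoft. It parses Windows Firewall log records (the pfirewall.log layout that "Check the Firewall logging" refers to), counts the DROP entries aimed at the services this server hosts, and emits the narrowest `netsh firewall add portopening` exceptions (Windows Server 2003 SP1 syntax) for just those services, limited to the local subnet with `scope=SUBNET` so nothing is opened towards the internet. The port-to-service mapping (DNS on 53/udp+tcp, DHCP server on 67/udp) is an assumption taken from the asker's description; the log lines and the 203.0.113.9 probe are constructed. Note the direction: the event quoted above (UDP 67 to 255.255.255.255:68) is what a DHCP *client* would log when an OFFER is blocked, whereas on the server a blocked DISCOVER arrives from 0.0.0.0 port 68 to port 67, which is what the sample shows. As Cliff notes, on SBS 2003 this is only a diagnostic aid, since the Windows Firewall is not supported there.

```python
"""Triage Windows Firewall log drops that break DNS/DHCP for LAN clients.

Added example (not from the thread): it reads pfirewall.log-style records,
counts DROP entries aimed at the services this server provides, and returns
the narrowest netsh exceptions (Windows Server 2003 SP1 'netsh firewall'
syntax) that would let those services through from the local subnet only.
"""
from collections import Counter

# (protocol, destination port) -> service this server hosts. Assumption
# taken from the thread: the server runs DNS (53/udp+tcp) and the DHCP
# server (67/udp). Any other dropped traffic is left blocked.
SERVICES = {
    ("UDP", 53): "DNS",
    ("TCP", 53): "DNS",
    ("UDP", 67): "DHCP",
}

# Ports to open per service; scope=SUBNET keeps them LAN-only.
EXCEPTIONS = {
    "DNS": [("UDP", 53), ("TCP", 53)],
    "DHCP": [("UDP", 67)],
}

# Constructed sample in the documented pfirewall.log field layout. The
# 53/udp and 53/tcp lines are client lookups hitting a closed port, the
# 0.0.0.0 line is a DHCP DISCOVER (client port 68 -> server port 67), and
# the 203.0.113.9 line is an unrelated inbound SMB probe that should stay
# blocked.
LOG_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-05-01 09:12:01 DROP UDP 192.168.16.50 192.168.16.2 1045 53 61 - - - - - - - RECEIVE
2013-05-01 09:12:01 DROP UDP 192.168.16.51 192.168.16.2 1052 53 58 - - - - - - - RECEIVE
2013-05-01 09:12:03 DROP TCP 192.168.16.50 192.168.16.2 1046 53 48 S 123456 0 8192 - - - RECEIVE
2013-05-01 09:12:05 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2013-05-01 09:12:07 OPEN TCP 192.168.16.2 192.168.16.124 1100 80 0 - 0 0 0 - - - -
2013-05-01 09:12:09 DROP TCP 203.0.113.9 192.168.16.2 44021 445 48 S 987654 0 8192 - - - RECEIVE
"""


def parse_record(line):
    """Parse one log record into a dict; return None for comments and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None

    def port(field):
        # Ports are "-" for ICMP records; treat those as unknown.
        return int(field) if field.isdigit() else None

    return {
        "action": parts[2],
        "protocol": parts[3],
        "src_ip": parts[4],
        "dst_ip": parts[5],
        "src_port": port(parts[6]),
        "dst_port": port(parts[7]),
    }


def classify_drops(log_text):
    """Count DROP records per hosted service and collect the peers refused.

    Returns (counts, peers): counts is keyed by service name with an extra
    "other" bucket for drops that are not one of our services; peers maps
    service -> set of source IPs whose traffic was dropped.
    """
    counts = Counter()
    peers = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "DROP":
            continue
        service = SERVICES.get((rec["protocol"], rec["dst_port"]), "other")
        counts[service] += 1
        if service != "other":
            peers.setdefault(service, set()).add(rec["src_ip"])
    return counts, peers


def netsh_exceptions(counts):
    """Return netsh commands opening only the services that are being dropped."""
    commands = []
    for service, ports in EXCEPTIONS.items():
        if counts.get(service, 0) == 0:
            continue
        for proto, port in ports:
            commands.append(
                'netsh firewall add portopening protocol={p} port={n} '
                'name="{s} ({p})" mode=ENABLE scope=SUBNET profile=ALL'.format(
                    p=proto, n=port, s=service))
    return commands


if __name__ == "__main__":
    counts, peers = classify_drops(LOG_SAMPLE)
    for service, n in counts.most_common():
        print("%-5s drops: %d  peers: %s" % (service, n, sorted(peers.get(service, []))))
    print("\nSuggested exceptions (run in an elevated cmd on the server):")
    for cmd in netsh_exceptions(counts):
        print("  " + cmd)
```

On a real server, point `classify_drops` at the contents of the log file shown by `netsh firewall show logging` (dropped-packet logging has to be enabled first), and review the "other" bucket before running any generated command: it is the list of things the firewall is correctly refusing, such as the inbound 445/tcp probe in the sample.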

BTW, I do NOT recommend using ICS.

If you're serious about protecting your network, get a hardware firewall. Cisco's ASA line has a pretty good track record.

HTH,
Dan
navjump

ASKER

Thank you

So in short with my current setup

The router's firewall is offering some protection even though it is not providing DHCP?

Yes, the router's firewall is independent from DHCP. It will work regardless.

HTH,
Dan
navjump

ASKER

Thank you

I'm not sure how to allocate the points for this. My initial question was answered, but it evolved.

Thanks

John

Welcome.