Turned on Windows Server 2003 firewall, now clients can't access the internet.

Hi

If I turn on the firewall on my Server 2003, all the users connected via DHCP can't access the internet; when I turn it off again they can gain access.

How do I resolve this?

Is my router's built-in firewall enough? Do I leave this off?
Asked by navjump
kutesir commented:
Do you have NAT configured anywhere? Your question does not add up; a few details would help. For example, is there a possibility that you are using a router that is provided by the ISP? Otherwise, there has to be a way in which your users' IPs are translated to be routed over the Internet. Something does not add up.
navjump (author) commented:
I should clarify: in the DHCP settings of Server 2003 I have my router's IP identified, which has its firewall enabled. Does that still work even though the router isn't sorting the DHCP?

Thanks
Dan Craciun (IT Consultant) commented:
That depends on the topology of your network. If your clients connect directly to your router, turning on the firewall on the server will provide no additional protection for your clients, just for that server.

Is that server by any chance the DNS server for your network? If so, add an exception in the firewall for the DNS service and all should be well.

HTH,
Dan

navjump (author) commented:
OK, could you explain the topology in more detail for me, please?

The server is the DNS, so adding in the DNS exception sounds like it will work.

However, I am now curious whether, without the Windows firewall, I have the protection of the router firewall.

My DHCP config points towards the router, and the DNS (set from the network adaptor properties) is the Server 2003.

Will that still function as a firewall?

Also, if I set the Server 2003 network card properties to have the DNS of the router as well as it being the gateway address, will that be better?

Thanks

John
navjump (author) commented:
Sorry, in answer to the first question about NAT:

I am using a router provided by the ISP; it's pretty standard. The firewall is turned on there, but not the DHCP.
kutesir commented:
I do agree with Dan. Are you using ICS?
Do an ipconfig with the DHCP server off and do an ipconfig when the DHCP server is on.
Compare both configurations.
Cliff Galiher commented:
Windows Firewall is *NOT* compatible with SBS 2003. In fact, attempting to turn it on throws a pretty big warning that you'd have to "OK" past to get it to turn on. Note that this is *SBS SPECIFIC*, so general Server 2003 advice does NOT apply here.

Is a router firewall "good enough"? I do not believe so in this day and age.
Should you be turning on Windows Firewall in SBS 2003? NO.
What is the alternative? Upgrade your OS (SBS 2008 and above work fine with Windows Firewall) or use a third-party firewall program. That's it. This was a known design limitation of SBS 2003, was well documented, and SBS 2003 was released before Microsoft's pivot towards their "Trustworthy Computing" security initiative. So there was no reasonable way for them to go back and make all of the changes that would have been necessary to make the SBS features play nice with Windows Firewall. You simply cannot make this work reliably.

-Cliff
navjump (author) commented:
I can't turn off DHCP right now, but I am concerned about the protection I have (or don't have), so currently the server's ipconfig with DHCP on is...

Host Name: myservername
DNS Suffix: mydetails.local
Node Type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: No
DNS Suffix Search List: mydetails.local

IP Address: 192.168.16.2
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.16.124
Primary DNS: 192.168.16.2
Primary WINS: 192.168.16.2
kutesir commented:
I gave a similar solution to a colleague on another platform. I believe the issue lies with the firewall in Windows Server 2008 allowing DHCP client broadcasts; you will have to exclude them from the rule that is interrupting or blocking your DHCP. Please note that DHCP clients use the remote UDP port 67 for IPv4. Now, if you are using an IP-based instead of a port-based solution, exclude the broadcast address 255.255.255.255.
Dan Craciun (IT Consultant) commented:
The topology simply refers to the way your network works (https://en.wikipedia.org/wiki/Network_topology).

If your computers connect directly, or through switches/APs, to the router and then to the internet, enabling a firewall on any of them won't increase protection for the rest.

You need a server/appliance with the firewall role that sits between the router and your network (or between the router and the internet) to have a global impact.

A simple example would be if your server were connected to the router and the rest of the network connected to the internet using ICS on that server. Then any firewall you use on the server would protect (or kill) your entire network.

HTH,
Dan
kutesir commented:
More to that, you can also:

Check the firewall logging to see if the traffic was blocked.
Go to Firewall, View Firewall Events, and check if there is traffic blocked:

Action: Blocked
Protocol: UDP
Source Port: 67
Destination: 255.255.255.255
Destination Port: 68

Create a global rule to fix the problem.
Go to Firewall, Advanced, Network Security Policy, Global Rules and click on [Add..]

Action: Allow
Protocol: UDP
Direction: In
Description: <leave empty>

Source Address: Any
Destination Address: 255.255.255.255
Source Port: A Single Port 67
Destination Port: A Single Port 68

Then press [Apply] and [Move Up] to set this as the first rule, press [OK], go back to the command box, type ipconfig /renew, and DHCP should be fully functioning again.
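Dan's DNS exception and kutesir's "check the firewall log first" step can be combined into one repeatable check. The script below is an added example written for this page; it is not code from the thread, from Experts Exchange or from Microsoft. It reads a Windows Firewall log (pfirewall.log, the W3C-style format the Server 2003 / XP SP2 firewall writes once logging of dropped packets is enabled under Advanced > Security Logging), tallies the inbound ports that were DROPped, and emits the `netsh firewall add portopening` commands that would open only known service ports, and only to the local subnet. Drops from off-subnet sources are reported but never opened, so the DNS server is not turned into an open resolver if the router ever forwards port 53. The log lines, the 192.168.16.0/24 addresses and the port-to-service table are constructed for the example; opening UDP 67 to all scopes is an assumption explained in the code. It assumes a plain Server 2003 where Windows Firewall is in use at all, not the SBS case Cliff describes.

```python
"""Tally DROPped inbound ports in a Windows Firewall log (pfirewall.log,
W3C-style fields) and build netsh exceptions for the LAN only.
Added example: log lines, addresses and the service table are constructed."""
from collections import Counter

# Inbound ports a small-office DC that also serves DNS and DHCP must accept
# from its own LAN. Assumed mapping for this example; extend as needed.
KNOWN_SERVICES = {
    ("UDP", 53): "DNS",
    ("TCP", 53): "DNS",
    ("UDP", 67): "DHCP Server",
    ("TCP", 445): "SMB",
}

# Field order used when a log has no #Fields header.
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
                  "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample: two LAN clients hitting DNS, a DHCP DISCOVER broadcast,
# a LAN SMB connect, one outbound OPEN, and a DNS probe from an internet host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-05-20 09:01:02 DROP UDP 192.168.16.50 192.168.16.2 1034 53 60 - - - - - - - RECEIVE
2014-05-20 09:01:02 DROP UDP 192.168.16.51 192.168.16.2 1035 53 60 - - - - - - - RECEIVE
2014-05-20 09:01:05 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2014-05-20 09:01:07 DROP TCP 192.168.16.50 192.168.16.2 1036 445 48 S 123456 0 65535 - - - RECEIVE
2014-05-20 09:01:09 OPEN TCP 192.168.16.2 192.168.16.124 1040 80 0 - - - - - - - -
2014-05-20 09:01:11 DROP UDP 203.0.113.9 192.168.16.2 5123 53 60 - - - - - - - RECEIVE
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = DEFAULT_FIELDS, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def _ip_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def is_local_source(rec, network, mask):
    """LAN if the source is on the subnet, or if it is the 0.0.0.0 -> broadcast
    pattern of a DHCP DISCOVER, which a router does not forward from outside."""
    if rec["src-ip"] == "0.0.0.0" and rec["dst-ip"] == "255.255.255.255":
        return True
    return _ip_int(rec["src-ip"]) & _ip_int(mask) == _ip_int(network) & _ip_int(mask)


def dropped_inbound(records, network, mask):
    """Counter of (protocol, dst-port, local?) for inbound packets that were dropped."""
    hits = Counter()
    for rec in records:
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue
        hits[(rec["protocol"], int(rec["dst-port"]), is_local_source(rec, network, mask))] += 1
    return hits


def suggest_exceptions(hits, network, mask):
    """netsh commands for LAN-sourced drops on known service ports; everything
    else (unknown ports, off-subnet sources) is returned as a note, not opened."""
    commands, notes = [], []
    for (proto, port, local), n in sorted(hits.items()):
        name = KNOWN_SERVICES.get((proto, port))
        if not local:
            notes.append(f"{proto}/{port}: {n} drop(s) from outside {network}; leave blocked")
        elif name is None:
            notes.append(f"{proto}/{port}: {n} LAN drop(s) on an unlisted port; investigate first")
        elif port == 67:
            # DISCOVERs arrive from 0.0.0.0, which a subnet-scoped rule would not
            # match, so the DHCP server port is opened for all scopes (assumption:
            # the ISP router never forwards broadcasts in from the internet).
            commands.append(f'netsh firewall add portopening protocol={proto} port={port} '
                            f'name="{name}" mode=ENABLE scope=ALL')
        else:
            commands.append(f'netsh firewall add portopening protocol={proto} port={port} '
                            f'name="{name}" mode=ENABLE scope=CUSTOM addresses={network}/{mask}')
    return commands, notes


if __name__ == "__main__":
    hits = dropped_inbound(parse_log(SAMPLE_LOG), "192.168.16.0", "255.255.255.0")
    cmds, notes = suggest_exceptions(hits, "192.168.16.0", "255.255.255.0")
    print("\n".join(cmds + notes))
```

Replace SAMPLE_LOG with the contents of %SystemRoot%\pfirewall.log to run it against a real server, review the commands it prints before pasting them into a cmd prompt, and use `netsh firewall show config` afterwards to confirm only the intended ports and scopes are open. On the sample it opens UDP 53 and TCP 445 to 192.168.16.0/255.255.255.0 and UDP 67 to all scopes, and flags the single probe from 203.0.113.9 as something to leave blocked.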
Dan Craciun (IT Consultant) commented:
BTW, I do NOT recommend using ICS.

If you're serious about protecting your network, get a hardware firewall. Cisco's ASA line has a pretty good track record.

HTH,
Dan
navjump (author) commented:
Thank you.

So, in short, with my current setup:

The router's firewall is offering some protection even though it is not providing DHCP?
Dan Craciun (IT Consultant) commented:
Yes, the router's firewall is independent from DHCP. It will work regardless.

HTH,
Dan
navjump (author) commented:
Thank you.

I'm not sure how to allocate the points for this. My initial question was answered, but it evolved.

Thanks

John
kutesir commented:
You're welcome.
Windows Server 2003