1972bpm, posted 18 October 2007

Hi, I am trying to configure the NAT/Firewall on our backup and emergency server running on 2K3 SBS SP2. The firewall should be configured to allow HTTP and HTTPS on all available IP addresses, but under the Services and Ports tab I have to define one specific IP address for each port/service. So, my question is: how can I configure the NAT/Firewall the same way as on 2K3 Standard Edition?

dippas, posted 18 October 2007

Hello 1972bpm, welcome to our board :)

OK, to answer your question, I think we need some more detailed information. Example:

"The Firewall should be configured to allow HTTP and HTTPS on all available IP addresses"

If there is more than 1 NIC in the server, it's not a bug, but a feature ;) Perhaps you don't want to allow HTTP traffic incoming on NIC 1 but on NIC 2. Same if you have configured more than 1 IP on 1 NIC (VLAN infrastructure?).

What do you mean by "all available IP addresses"? IP addresses on the server, or source IP addresses?

BTW, the SBS server is a "normal" W2k3-based server with the full functionality of the W2k3 server (OK, no domain trusts, max. 75 clients).

Please help us with some more information about your infrastructure and then we can try to help you. One way to go is to shut down the local firewall, but that would be a security hole.

Greetings,
dippas

1972bpm (thread author), posted 26 October 2007

Dear Dippas,

Thanks for your reply! Well, I think I was mixing up 2 different topics here...

1. The SBS server will act as a web server and not as a terminal or Exchange server, nor as a domain controller. So I'd like to configure the server as part of a workgroup, but not acting as a domain controller. So far I could not find any option to configure SBS like Windows Server 2003 Standard Edition.

2. For enabling VPN connections on SBS, Routing and RAS is enabled on SBS. But I'd also like to activate the Windows Firewall. If RAS is enabled, using Windows Firewall is not possible, but it is possible to configure the RAS Firewall. However, when using the RAS Firewall, I have to determine one specific IP address for each protocol. While this is OK for Remote Desktop and FTP, for HTTP and HTTPS it is not. Because the SBS is acting as a web server, there may be dozens of different IP addresses I have to add to the RAS Firewall, e.g. 192.168.0.*, but how to?

IThome, posted 26 October 2007

There is no way to run an SBS without being a Domain Controller ...

How to install Small Business Server 2003 in an existing Active Directory domain:

"The following conditions must be true after you install the new SBS 2003 computer in an existing domain or the new SBS 2003 computer may display warnings and shut down periodically:
• The new SBS 2003 computer must be a domain controller that is installed on the root of the domain.
• The new SBS 2003 computer must hold all the Flexible Single Master Operation (FSMO) roles.
• The new SBS 2003 computer must be a global catalog server and must be the licensing server.
• There must not be any existing domain trusts or child domains.
• Only one SBS server can exist on the domain. If SBS 2003 is installed, no other SBS 2003 or 2000 server can be installed on the same domain.
Failure to meet these conditions may cause the SBS 2003 server to shut down."

If RRAS is configured and running, there's no way to activate the Windows Firewall. The RRAS Firewall is a Stateful Inspection Firewall combined with Static Packet Filters. If you want to configure that only 1 administration PC (IP address) can connect via RDP and all IP addresses can connect to the HTTP service on the server, you configure under Services and Ports a port redirection for RDP and HTTP to 127.0.0.1 (assuming that there is only 1 NIC in the server, this NIC is configured as public interface and only Firewall (not NAT) is activated). Then you configure Inbound (Static) Filters ...

Filter 1
  Source Network: 192.168.10.100 (example for the administrator PC)
  Source Mask: 255.255.255.255
  Destination Network: 192.168.10.1 (example for the server)
  Destination Mask: 255.255.255.255
  Protocol: TCP
  Source Port: empty
  Destination Port: 3389

Filter 2
  Source Network: empty
  Destination Network: 192.168.10.1
  Destination Mask: 255.255.255.255
  Protocol: TCP
  Source Port: empty
  Destination Port: 80

Inbound Filters are configured so that all packets are discarded except those declared in the filters. If only 1 filter is configured, you have to configure ALL communication separately. The two filters above only allow communication from the administrator PC's IP address to the server IP address port 3389 and from all IP addresses to server port 80, nothing else. The server itself is unable to look up DNS names from DNS servers or to communicate with HTTP servers. You have to configure those filters too ...

Example packet filter for DNS lookup (external DNS server) and external HTTP access with Inbound Static Filters:

Filter 1
  Source Network: empty (or the IP address of the DNS server)
  Source Mask: greyed out, or 32-bit mask when a server is configured in Source Network
  Destination Network: 192.168.10.1
  Destination Mask: 255.255.255.255
  Protocol: UDP
  Source Port: 53
  Destination Port: empty

Filter 2
  Source Network: empty
  Source Mask: empty
  Destination Network: 192.168.10.1
  Destination Mask: 255.255.255.255
  Protocol: TCP (established)
  Source Port: 80
  Destination Port: empty

For VPN access you must also configure appropriate filters and port redirections ...
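
Added example, not part of any post in this thread: a small Python model of the drop-by-default inbound filter logic described in IThome's answer, loaded with the four filters from that post, to check which packets reach the server. The Filter class, the helper names, the sample packets and the reading of "TCP (established)" as "ACK flag set" are assumptions of this sketch, not RRAS internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Filter:
    proto: str                       # "TCP", "UDP" or "TCP-EST" (TCP established)
    dst_net: str
    dst_mask: str
    src_net: Optional[str] = None    # None = field left empty = any address
    src_mask: Optional[str] = None
    src_port: Optional[int] = None   # None = field left empty = any port
    dst_port: Optional[int] = None

def in_net(addr, net, mask):
    if net is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def matches(f, p):
    if f.proto == "TCP-EST":
        # Assumption of this model: "established" means a TCP segment with ACK set.
        if p["proto"] != "TCP" or not p["ack"]:
            return False
    elif f.proto != p["proto"]:
        return False
    return (in_net(p["src"], f.src_net, f.src_mask)
            and in_net(p["dst"], f.dst_net, f.dst_mask)
            and f.src_port in (None, p["sport"])
            and f.dst_port in (None, p["dport"]))

def inbound_allowed(filters, p):
    # Default action is "drop": a packet passes only if at least one filter matches.
    return any(matches(f, p) for f in filters)

def packet(proto, src, sport, dport, ack=False, dst="192.168.10.1"):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "ack": ack}

SERVER, HOST = "192.168.10.1", "255.255.255.255"
SERVICE_FILTERS = [  # the RDP and HTTP filters from the post
    Filter("TCP", SERVER, HOST, "192.168.10.100", HOST, dst_port=3389),
    Filter("TCP", SERVER, HOST, dst_port=80),
]
REPLY_FILTERS = [    # the DNS-reply and HTTP-reply filters from the post
    Filter("UDP", SERVER, HOST, src_port=53),
    Filter("TCP-EST", SERVER, HOST, src_port=80),
]
# Constructed sample packets (documentation addresses, not from the thread)
DNS_REPLY = packet("UDP", "198.51.100.53", 53, 40000)
WEB_REPLY = packet("TCP", "203.0.113.80", 80, 40001, ack=True)
```

With only SERVICE_FILTERS loaded, DNS_REPLY and WEB_REPLY are dropped, which is the "server cannot look up DNS names" effect from the post; adding REPLY_FILTERS lets both through.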