IP Filtering on W2K RRAS

[Martha Jamer]

Hello,

We have a "does it all" Windows 2000 server in our small business. It runs
as PDC, Terminal Server for those who work from home, and RRAS/NAT for those
who work from the office. I was able to configure the external NIC to allow
only incoming PPTP and RDP calls. This works great except for two main
problems:
- The office users can't connect to the Internet anymore. All outgoing
packets are allowed to pass through the external NIC, and I added an
"Any|Any|TCP (Established)|Any|Any" filter to the Incoming packets.
However, the only way to let inside employees to connect to the Internet is
to open the external NIC for all incoming UDP packets (Any|Any|UDP|Any|Any)
which is not a wise thing to do.
- I get Time server errors which indicates that the server cannot connect to
the external NTP server. The NTP protocol works fine if I open all incoming
ports. Opening UDP 123 didn't help.

Any idea on how to configure IP filtering without disrupting the outbound
Internet connections, or affecting NTP synchronization?
Please note that inbound VPN/RDP connections work without any problem, and
NAT works without any problem provided that the external NIC has all
incoming TCP (Established)/UDP ports opened.

Thanks,

Martha

 

[Kadirvel C Vanniarajan [MSFT]]

You should enable incoming for select ports based on the type of
applications that you want to work. For eg. for http requests to work, you
need to allow port 80 of both TCP/UDP.

 

[Martha Jamer]

Thanks for the reply, but this didn't answer my question. I know that if
you want remote users to access your web server you have to open port 80 for
incoming HTTP requests. However, my question was that internal users can't
access external web servers if I apply IP filtering on INCOMING interface
(the OUTGOING interface is wide open, i.e. there's no filtering at all).
This HTTP blockade happens even when incoming and outgoing TCP/UDP ports 80
are open (which makes sense). Something is blocking HTTP requests from
coming back to the inside users, and the only way to prevent that from
happening is to keep UDP wide open for ANY incoming traffic which is not a
wise thing to do. There must be a trick out there to fix this, but
unfortunately RRAS IP filtering is still like a taboo after all these years
of evolution in MS Networking.

M.J.

You should enable incoming for select ports based on the type of
applications that you want to work. For eg. for http requests to work, you
need to allow port 80 of both TCP/UDP.

--
Kadir

(e-mail address removed) [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

Hello,

We have a "does it all" Windows 2000 server in our small business. It runs
as PDC, Terminal Server for those who work from home, and RRAS/NAT for those
who work from the office. I was able to configure the external NIC to allow
only incoming PPTP and RDP calls. This works great except for two main
problems:
- The office users can't connect to the Internet anymore. All outgoing
packets are allowed to pass through the external NIC, and I added an
"Any|Any|TCP (Established)|Any|Any" filter to the Incoming packets.
However, the only way to let inside employees to connect to the Internet is
to open the external NIC for all incoming UDP packets (Any|Any|UDP|Any|Any)
which is not a wise thing to do.
- I get Time server errors which indicates that the server cannot

connect

to
the external NTP server. The NTP protocol works fine if I open all incoming
ports. Opening UDP 123 didn't help.

Any idea on how to configure IP filtering without disrupting the outbound
Internet connections, or affecting NTP synchronization?
Please note that inbound VPN/RDP connections work without any problem, and
NAT works without any problem provided that the external NIC has all
incoming TCP (Established)/UDP ports opened.

Thanks,

Martha

 

[Kadir [MSFT]]

If you are using NAT with Basic firewall, you don't really require the
packet filters for the incoming traffic. May be i'm missing the scenario you
are having. The RAS users can then do a RDP.

Even otherwise, you might want to check if the name resolution for the web
sites (or proxy server if applicable) are occuring or not (UDP Port 53). A
packet sniff might help to see what is preventing the web access.

--
DISCLAIMER: This posting is provided "AS IS" with no warranties, and confers
no rights.

Thanks,
Kadir.

Thanks for the reply, but this didn't answer my question. I know that if
you want remote users to access your web server you have to open port 80 for
incoming HTTP requests. However, my question was that internal users can't
access external web servers if I apply IP filtering on INCOMING interface
(the OUTGOING interface is wide open, i.e. there's no filtering at all).
This HTTP blockade happens even when incoming and outgoing TCP/UDP ports 80
are open (which makes sense). Something is blocking HTTP requests from
coming back to the inside users, and the only way to prevent that from
happening is to keep UDP wide open for ANY incoming traffic which is not a
wise thing to do. There must be a trick out there to fix this, but
unfortunately RRAS IP filtering is still like a taboo after all these years
of evolution in MS Networking.

M.J.

You should enable incoming for select ports based on the type of
applications that you want to work. For eg. for http requests to work, you
need to allow port 80 of both TCP/UDP.

--
Kadir

(e-mail address removed) [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

Hello,

We have a "does it all" Windows 2000 server in our small business. It runs
as PDC, Terminal Server for those who work from home, and RRAS/NAT for those
who work from the office. I was able to configure the external NIC to allow
only incoming PPTP and RDP calls. This works great except for two main
problems:
- The office users can't connect to the Internet anymore. All outgoing
packets are allowed to pass through the external NIC, and I added an
"Any|Any|TCP (Established)|Any|Any" filter to the Incoming packets.
However, the only way to let inside employees to connect to the

Internet
is

to open the external NIC for all incoming UDP packets (Any|Any|UDP|Any|Any)
which is not a wise thing to do.
- I get Time server errors which indicates that the server cannot

connect

to
the external NTP server. The NTP protocol works fine if I open all incoming
ports. Opening UDP 123 didn't help.

Any idea on how to configure IP filtering without disrupting the outbound
Internet connections, or affecting NTP synchronization?
Please note that inbound VPN/RDP connections work without any problem, and
NAT works without any problem provided that the external NIC has all
incoming TCP (Established)/UDP ports opened.

Thanks,

Martha

 

[Dusty Harper {MS}]

Of course they are going to be blocked. The packet will leave through your
router, but the packets that come back in will get dropped because they are
not PPTP nor RDP.

RRAS filtering gives you 2 options
block all traffic except
or
allow all traffic except

So in order to allow traffic to come back in, you need to know what
resources your users should be able to access from the external web servers,
and allow those ports / IPs.

You may need to get creative with how to apply these policies.

--
--
Dusty Harper
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------

Thanks for the reply, but this didn't answer my question. I know that if
you want remote users to access your web server you have to open port 80 for
incoming HTTP requests. However, my question was that internal users can't
access external web servers if I apply IP filtering on INCOMING interface
(the OUTGOING interface is wide open, i.e. there's no filtering at all).
This HTTP blockade happens even when incoming and outgoing TCP/UDP ports 80
are open (which makes sense). Something is blocking HTTP requests from
coming back to the inside users, and the only way to prevent that from
happening is to keep UDP wide open for ANY incoming traffic which is not a
wise thing to do. There must be a trick out there to fix this, but
unfortunately RRAS IP filtering is still like a taboo after all these years
of evolution in MS Networking.

M.J.

You should enable incoming for select ports based on the type of
applications that you want to work. For eg. for http requests to work, you
need to allow port 80 of both TCP/UDP.

--
Kadir

(e-mail address removed) [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

Hello,

We have a "does it all" Windows 2000 server in our small business. It runs
as PDC, Terminal Server for those who work from home, and RRAS/NAT for those
who work from the office. I was able to configure the external NIC to allow
only incoming PPTP and RDP calls. This works great except for two main
problems:
- The office users can't connect to the Internet anymore. All outgoing
packets are allowed to pass through the external NIC, and I added an
"Any|Any|TCP (Established)|Any|Any" filter to the Incoming packets.
However, the only way to let inside employees to connect to the

Internet
is

to open the external NIC for all incoming UDP packets (Any|Any|UDP|Any|Any)
which is not a wise thing to do.
- I get Time server errors which indicates that the server cannot

connect

to
the external NTP server. The NTP protocol works fine if I open all incoming
ports. Opening UDP 123 didn't help.

Any idea on how to configure IP filtering without disrupting the outbound
Internet connections, or affecting NTP synchronization?
Please note that inbound VPN/RDP connections work without any problem, and
NAT works without any problem provided that the external NIC has all
incoming TCP (Established)/UDP ports opened.

Thanks,

Martha