
Client machines unable to get Gateway address?

Status
Not open for further replies.

vrcatherine

IS-IT--Management
Feb 2, 2003
215
US

We have a server (domain controller, DNS, DHCP, proxy, etc.);
this will give away IP addresses to all the client
computers.
This is how it's set up on the server:

Network card with public address

216.x.x.x.
255.x.x.x
216.x.x.1

DNS 172.x.x.x
172.x.x.x


Network card with internal(private IP address)

192.168.1.300
255.x.x.x
empty blank (no gateway)

DNS 192.168.1.300


Now everything is working: clients get the IP address
from the server and they are able to log on to the internet
without any problem.


Now only thing is

1) Clients cannot ping external IP addresses on the internet. (They cannot ping any public IP address on
the internet.)

When I check ipconfig on the client machines, it gives

192.168.1.303
255.x.x.x
empty blank (no gateway)


Does it have anything to do with my DNS settings on the
server?


-- Cathy
 

Hey ashley,

You guys are tek gurus, it's actually 192.168.1.100

can't hide things from you guys now.

--cathy
 
Ashley, I stand corrected, you are absolutely correct, the 192 range is totally correct. It is late in the day, what can I say? However, all the rest still applies, always check the cables first! :) (I.E., when it does not work, and the light is not green, plug it in!)

David
 
RobBoerts,

I have a real quick question.

I have a cable coming from the outside DSL company
and that cable is directly hooked to my server.

This server has 2 NICs as above.
This server has its own DNS server.

I have Winproxy installed on this server, which
basically is for internet sharing.
So all users connect to the internet using this Winproxy
(proxy server).

This Winproxy also has a firewall by default.

This is how it is now:


DSL CABLE
||
||
SERVER ( external NIC with Public IP address)
||
||
HUB (internal NIC with private address 192.168.1.100)


All the client computers are connected to this HUB
to get the DHCP address.

Is the above structure good and safe?


Or

is it better to put a ROUTER between the
DSL cable and SERVER?



--Catherine
 
An extra layer of security is always good. You say Winproxy has a built-in firewall. I am not familiar enough with Winproxy to tell you if it is a good enough solution or not. Typically the security experts recommend a dedicated firewall between the internet and your systems, something like a Cisco PIX. In your case that would be between the DSL router and a hub/switch that you would plug the server and the rest of your network into. The firewall would become your gateway/router in ipconfig. Very basically, all computers use a combination of IP address and ports for different services. A web server is port 80, an email server uses ports 25 and 110, etc. The firewall is there to only let the internet see the ports that absolutely need to be seen on the internet. You may consider having someone familiar with firewalls come in and help you set it up. If you do go the way of a dedicated hardware firewall like I am talking about, it would replace Winproxy. There are many good firewalls besides the Cisco PIX, but at the moment I can't seem to remember their names.

Television will make radio obsolete.
 
Cathy,

The DSL to Server to Hub configuration is perfectly fine as long as you are using this server as the firewall, and not as a file server. Using this as a file server exposes a lot of information to the Internet side, and puts a lot more load on the server.

This server is being asked to handle all the Internet traffic for your network, plus the firewall function, so do not load it up with other functions like DNS, etc., or you will see a performance hit on the network operation.

Putting a router between the DSL and the server does not make sense, unless you also move all the firewall functions out to the router. The server you show is a router in the configuration you show, so another router between the DSL and the existing router really does not accomplish much, as it will just be a pass-through function, not a real routing function (unless it also provides the firewall function), and does not help the load on the server.

If you want to install a router, then connect the hub to the router to the DSL, and add firewall functions to the router (or a firewall box between the router and hub). Once you do this, then the firewall function on the server, as well as one of the network cards, can be turned off, and the server then functions as only a server without all the additional routing and firewall functions, which will improve its performance as a file server also.

HTH

David
 

Is there any GUI tool which would tell
me what ports are open in Windows 2000 Server?


Instead of the command line, I would like
a GUI interface which shows me which
ports are open and closed.


--cathy
 
Not that I know of. Close all the ports, except the ones you need. You tell me what services you need to access from the internet and I will tell you which ports to open (some firewall software will run a log of incoming communication and you can tell from that also).

Television will make radio obsolete.
 



When I install W2K Server I am not sure
which ports it keeps open or closed.


Lets talk about 2 servers in my network here:

======================================================
SERVER1:
Which is our gateway to our whole network.
It has 2 NICs (the external one is configured with the
public static IP address that we have). The internal NIC
is configured with the private IP address.
It's a domain controller.
It's a DHCP server.
We have Winproxy (for internet sharing) on this server.


64.1.x.x (static public IP)
192.168.1.100( internal private ip)

=========================================================

SERVER2:
Basic W2K server where we have our application/database
loaded. Everyone in the network connects to this server
to access our application.

WE HAVE CONFIGURED AN FTP SERVER IN THIS BOX

Has only 1 NIC with private IP address 192.168.1.25

=========================================================



Now everyone goes out on the internet through the Winproxy.
64.1.x.x is the gateway.


Now can I use this public IP address 64.1.x.x for
my FTP server? Like if someone logs in to ftp://64.1.x.x it
should go and get into my 192.168.1.25

64.1.x.x ===> 192.168.1.25


1) Is there any W2K Server feature which will enable me to
do this routing? Or do I have to use some firewall
(which is in my Winproxy) to do this mapping or routing?



2) How can I close ports on a W2K Server machine?





 
The firewall would have to be configured to point your Internet address to the internal FTP server IP address with only the ports open that FTP needs (port 20, and 21?). Normally a firewall will let you say what service you are running (in this case FTP) instead of you having to know it is port 20.

Q. How can I close ports on a W2K Server machine?
A. You don't close the ports on the server, you close the ports on the firewall.


Television will make radio obsolete.
 
Sorry Rob, you can close ports on any server if you want to do so. There are good reasons to do this on some servers to increase security, as well as on the firewall locations.

Here is how you can set ports on any Win2000 Server:

Right click on My Network Places, properties, and select the local area connection.
Right click on the local area connection, properties, select the TCP/IP, properties, advanced tab.
In the advanced TCP/IP window, select options tab, then select TCP/IP Filtering in the optional settings, then properties, and guess what, you can lock down the server to your heart's content, selecting UDP ports, TCP ports, and IP Protocols that you will allow, etc. IF YOU DO THIS, remember that ONLY the ones you select are allowed, and it applies on all the NICs!

By the way, this can also be done on NT systems, and it is part of the procedure to harden the servers.

Have great fun, but remember to select all the ports your applications need or you will begin to see some really strange things happening and you will become very popular really quick! :)

David
 
David,

I have checked the advanced options and TCP/IP filtering.
I guess this is the place where we can stop all the ports.

Now my main concern is how will I know which
ports I need to open for a generic server.


Like say we have a W2K server which is not behind a firewall
and has an open public static IP address, and on this
server I keep seeing all kinds of POPUP messages from
the internet being displayed. This server was the one
which was affected by the recent w32.blast virus last
week (like they say, some 443 port vulnerability).
So I guess there might be some ports which are open in this
system which I wanted to close.





 
Hi, you can use netstat -an to check your ports. I'm using nmap and analyzer to check my open ports from outside.
You said that you have a firewall, so I don't think you need to close the ports from TCP/IP filtering. If I'm not mistaken it applies to all adapters.

I don't know about your firewall but usually it blocks everything until you create the packet filter.

About pop-ups, disable the Messenger service.

Don't forget to enable only TCP/IP and QOS on the external interface (no FPS, Client, Netbios)
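
An added example, not part of the original thread: one way to turn the `netstat -an` check mentioned above into the port list that TCP/IP Filtering or a firewall rule set needs, by parsing the output and reporting listeners that are missing from an allowlist. The sample output and the allowlist are constructed assumptions.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.1.25:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.25:1042      192.168.1.100:445      ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.25:137       *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Return sorted (proto, local_ip, port) for sockets accepting traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, ip, port, _foreign, state = m.groups()
        # TCP: only LISTENING rows are open ports; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, ip, int(port)))
    return sorted(found)

def audit(netstat_text, allowed):
    """Split listeners into those covered by the allowlist and those that are not.
    Loopback-only sockets are unreachable from the network and are skipped."""
    ok, unexpected = [], []
    for proto, ip, port in listeners(netstat_text):
        if ip.startswith("127."):
            continue
        (ok if (proto, port) in allowed else unexpected).append((proto, ip, port))
    return ok, unexpected

if __name__ == "__main__":
    # Hypothetical allowlist: the FTP control port only.
    ok, unexpected = audit(SAMPLE, {("TCP", 21)})
    for proto, ip, port in unexpected:
        print(f"not in allowlist: {proto} {ip}:{port}")
```

Each listener reported as outside the allowlist is either a service to disable or a port to add deliberately before filtering is switched on; listeners bound to 0.0.0.0 are reachable on every adapter, including the external one.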
 

I went to services and disabled the MESSENGER service.


I could not get this:

>> Don't forget to enable only TCP/IP and QOS on the external interface (no FPS, Client, Netbios)


How can I do this?
 