Get past the firewall

Discussion in 'Server Networking' started by Ricky, Jul 18, 2006.

  1. Ricky

    Ricky Guest

    I've created a virtual machine (VMware 5.5) where the host machine is a
    Windows 2003 DC (AD+DNS+DHCP) and the guest is just a normal Windows 2003.

    I need someone who could help or give some tips on what kind of rules I must
    create in the Windows Firewall of the host server so the guest machine can
    ping the host server and join it to the domain.


    []'s
    Ricky
     
    Ricky, Jul 18, 2006
    #1

  2. This newsgroup only supports Microsoft Virtual Server. If your question
    isn't answered by someone in here, then try
    microsoft.public.windows.server.security
     
    Colin Barnhorst, Jul 18, 2006
    #2

  3. Bill Grant

    Bill Grant Guest

    Normal practice is to run DCs on a LAN with the firewall disabled.
    Firewalls are only required between the LAN and the outside world.
     
    Bill Grant, Jul 18, 2006
    #3
  4. Colin,

    Is there a FAQ that says that ONLY Virtual Server is supported, or that
    ONLY Microsoft products are supported at the exclusion of every other
    vendor in the world?

    Nonsense. Ricky isn't bashing a Microsoft product or evangelizing
    VMware over Virtual Server. He's just stating a fact: he uses VMware.
    Period. And he isn't asking why he should use VMware instead of Virtual
    Server, or vice versa. His question is a basic Windows networking
    question and deserves full attention.

    Ricky, in the Windows Firewall of the host, you'll most likely only need
    to enable the File & Printer Sharing exception to enable the guest
    server to join the host domain, as well as the "allow incoming echo
    request" ICMP entry (in Advanced tab) if you want to be able to ping the
    host.

    However, if that doesn't help, you can also try this KB article for
    advanced configuration. It may answer your questions:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;179442

    Yours,
    Brad

    _______________________________________________
    Bradley J. Dinerman, MVP - Windows Server Networking
    President, New England Information Security Group
    http://www.neisg.org

    Brad Dinerman [MVP - Windows Server Networking], Jul 18, 2006
    #4
  5. To say that firewalls are only required between the LAN and the outside
    world is a gross misunderstanding of the need for firewalls and will get
    lots of people into big trouble. If this were truly the case, then
    Microsoft would never have released Windows Firewall or made it
    available on DCs.

    Firewalls protect not only against the outside threat, but also against
    the inside ones. What if a user runs malicious code, intentionally or
    not, from his workstation? A firewall on a server or workstation will
    protect the device from that scenario. (Of course, the ideal situation
    would be to have policies, procedures and other countermeasures in
    place to protect against that, but that's another story entirely.)

    I think that perhaps instead of writing "normal practice is to run DCs
    on a LAN with the firewall disabled," perhaps we should write "COMMON
    practice is to run..." Then we can separate high-security servers from
    moderate-security or low-security ones.

    -Brad

    _______________________________________________
    Bradley J. Dinerman, MVP - Windows Server Networking
    President, New England Information Security Group
    http://www.neisg.org

    Brad Dinerman [MVP - Windows Server Networking], Jul 18, 2006
    #5
  6. Bill Grant

    Bill Grant Guest

    It's a pretty fine distinction between "normal" and "common" practice,
    but I take your point.

    That said, most of the points you make are not really relevant in the
    context of the original posting. We were talking about a fairly simple
    network situation in which I would never consider running a firewall.

    Bill Grant (also an MVP - Networking)
     
    Bill Grant, Jul 18, 2006
    #6
  7. I wasn't referring to VMWare but to the fact that the question concerned
    Windows firewall rules with 2003 host and guest. In other words it did not
    sound like a VS issue.

     
    Colin Barnhorst, Jul 18, 2006
    #7
  8. For what it's worth, I happen to agree with you. I also do not run a
    firewall on my domain controller. But here is a user who does, and
    assuming that he understands the implications of this, we need to find a
    solution for him...

    -Brad

    _______________________________________________
    Bradley J. Dinerman, MVP - Windows Server Networking
    President, New England Information Security Group
    http://www.neisg.org

    Brad Dinerman [MVP - Windows Server Networking], Jul 18, 2006
    #8
  9. Ricky

    Ricky Guest

    Hi

    First of all, I want to thank all of you guys for your help/tips, who were
    concerned with getting me on the right way to solving this issue.

    Now I'm going to explain what I did based on your tips, but unfortunately
    it didn't work well.

    I have two network adapters (1. LAN; 2. Cable modem) in the HOST server and
    one virtual network adapter on the GUEST VIRTUAL server (Windows Firewall
    deactivated).

    In the Windows Firewall exceptions (HOST server) I had already done what
    Brad advised me. Now, based on the Microsoft link, I added the following
    exceptions in the firewall:

    Exceptions -> Programs and Services -> Custom List
    add the following ports/protocol:

    135; 42; 389; 636; 3268; 3269; 53; 88 [All TCP]

    What should I do now?...
    []'s
    Ricky

    Ricky, Jul 18, 2006
    #9
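Brad's two exceptions from post #4 and the port list Ricky tried in post #9, expressed as netsh firewall commands for Windows Server 2003 SP1. This is an added example, not code from the thread. It assumes a made-up LAN subnet, 192.168.1.0/24, behind the host's LAN adapter. It goes beyond Ricky's all-TCP list: the KB article Brad linked also needs DNS, Kerberos and the LDAP "ping" over UDP, SMB on 445, and a range of RPC ports behind the endpoint mapper, which the script pins to 5000-5100 so that range can be opened without exposing every high port. Every exception is scoped to the LAN subnet so that nothing is opened towards the cable modem, which is the exposure Bill objects to in post #10.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# host DC (Windows Server 2003 SP1). Assumption: the guest sits on
# 192.168.1.0/24 behind the host's LAN adapter; the subnet is made up.
$lan = "192.168.1.0/255.255.255.0"

# Post #4: the File & Printer Sharing exception (NetBIOS 137-139, SMB 445)
# and incoming ICMP echo request (type 8). scope=CUSTOM keeps the exception
# off the cable-modem side; scope=SUBNET would cover that subnet too on a
# multihomed host.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=$lan
netsh firewall set icmpsetting type=8 mode=ENABLE

# Post #9 opened 135 42 389 636 3268 3269 53 88 as TCP only. KB 179442 also
# needs DNS, Kerberos and the LDAP "ping" (CLDAP) over UDP, SMB on 445 and
# time sync on UDP 123, so the list below carries the protocol per port.
$rules = @(
    @{ proto = "TCP"; port = 135;  name = "RPC endpoint mapper" },
    @{ proto = "TCP"; port = 42;   name = "WINS replication" },
    @{ proto = "TCP"; port = 53;   name = "DNS (TCP)" },
    @{ proto = "UDP"; port = 53;   name = "DNS (UDP)" },
    @{ proto = "TCP"; port = 88;   name = "Kerberos (TCP)" },
    @{ proto = "UDP"; port = 88;   name = "Kerberos (UDP)" },
    @{ proto = "UDP"; port = 123;  name = "NTP (W32Time)" },
    @{ proto = "TCP"; port = 389;  name = "LDAP" },
    @{ proto = "UDP"; port = 389;  name = "LDAP ping (CLDAP)" },
    @{ proto = "TCP"; port = 445;  name = "SMB over TCP" },
    @{ proto = "TCP"; port = 636;  name = "LDAP over SSL" },
    @{ proto = "TCP"; port = 3268; name = "Global Catalog" },
    @{ proto = "TCP"; port = 3269; name = "Global Catalog over SSL" }
)
foreach ($r in $rules) {
    netsh firewall add portopening protocol=$($r.proto) port=$($r.port) name="$($r.name)" mode=ENABLE scope=CUSTOM addresses=$lan
}

# RPC callers ask the mapper on 135 for a dynamic high port. Rather than open
# 1025-5000, pin the RPC range (KB 154596; takes effect after a reboot) and
# open only that range, again for the LAN subnet only.
$rpcKey = "HKLM:\SOFTWARE\Microsoft\Rpc\Internet"
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }
New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString -Value @("5000-5100") -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String -Value "Y" -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String -Value "Y" -Force | Out-Null
foreach ($p in 5000..5100) {
    netsh firewall add portopening protocol=TCP port=$p name="RPC dynamic $p" mode=ENABLE scope=CUSTOM addresses=$lan
}

# Check: every entry listed here should show the LAN scope, not "All".
netsh firewall show portopening
netsh firewall show state
```

After the reboot, a `nltest /dsgetdc:<domain>` or a plain domain join from the guest exercises the UDP entries first (DNS SRV lookup, CLDAP ping, Kerberos AS exchange); if those fail while ping succeeds, it is almost always the UDP side that is still closed.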
  10. Bill Grant

    Bill Grant Guest

    Let's get this straight. You have a multihomed machine which is directly
    connected to the Internet through a cable modem. This machine is a domain
    controller, with no protection except the Windows firewall. You now want to
    weaken the firewall security to allow access for a local domain client to
    this server.

    There is probably a way to do this fairly safely, but I would never do
    it. I pass. Good luck.
     
    Bill Grant, Jul 19, 2006
    #10
  11. OK, now things are very complicated, and I'm going to backpedal my
    suggestions based on this new information. We did not realize that
    there were two NICs in the host; this adds a new layer to the problem.

    Server:
    First, make sure that you have disabled everything except TCP/IP on the
    untrusted (Internet) NIC. Then within TCP/IP on that NIC, disable
    NetBIOS. This is only for security reasons.

    On the trusted (LAN) NIC, you can enable Client For M'Soft Networks as
    well as NetBIOS within TCP/IP. This will be the NIC that communicates
    with the guest PC.

    Second, disable the Windows Firewall if you are using it.

    Third, use RRAS to configure Internet access for your guest system if
    you need it. You can configure RRAS to also provide the firewall
    services that you disabled in the previous step.

    Fourth, ignore everything I've suggested, go buy a real firewall such as
    a SonicWall and use only a single NIC in the server/host system.
    (Apologies to the individual yesterday who suggested that a firewall is
    only for Internet access. Although I still state that a firewall is
    also for hosts, in this particular case, facts have sufficiently changed
    to warrant a hardware-based firewall.)

    Fifth, if you need more information on RRAS configuration, please read
    my book which has just hit the shelves. It will take you through all
    the steps.
    http://www.amazon.com/gp/product/1590597133/ref=sr_11_1/102-8058608-3587323?ie=UTF8

    -Brad

    _______________________________________________
    Bradley J. Dinerman, MVP - Windows Server Networking
    President, New England Information Security Group
    http://www.neisg.org

    Brad Dinerman [MVP - Windows Server Networking], Jul 19, 2006
    #11
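Brad's first three steps in post #11, as an added example that is not from the thread, using WMI and netsh on the host DC. The connection names "Cable Modem" and "LAN" and the helper Get-NicConfig are assumptions made for the example. It narrows step 2: Windows Firewall on 2003 SP1 can be switched off per interface, so the example disables it on the LAN side only and keeps it enabled facing the cable modem rather than turning it off altogether. The DNS-registration change goes beyond Brad's list; it is the usual companion fix on a multihomed DC so the public address does not get published in the domain's own zone. Step 3 assumes RRAS has already been enabled from the Routing and Remote Access console.

```powershell
# Added example, not from the thread. Hardens the two NICs on the multihomed
# host DC along the lines of post #11. Assumptions (made up): the Internet
# connection is named "Cable Modem" and the LAN one "LAN" in Network
# Connections; Get-NicConfig is a helper written for this example.
$internetNic = "Cable Modem"
$lanNic      = "LAN"

function Get-NicConfig([string]$connectionName) {
    # Win32_NetworkAdapter.NetConnectionID is the name shown in Network
    # Connections; the matching Win32_NetworkAdapterConfiguration (where the
    # TCP/IP settings live) shares its Index.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$connectionName'"
    if (-not $adapter) { throw "No network connection named '$connectionName'" }
    return Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($adapter.Index)"
}

# Step 1, untrusted NIC: NetBIOS over TCP/IP off (SetTcpipNetbios: 0 default,
# 1 enable, 2 disable). Unbinding Client for Microsoft Networks and File and
# Printer Sharing from the adapter has no WMI method on 2003; do that in the
# connection's Properties dialog.
$inet = Get-NicConfig $internetNic
$inet.SetTcpipNetbios(2) | Out-Null
# Goes beyond Brad's list: a DC registers every address in its own zone, so
# stop the cable-modem address from being handed to domain clients.
$inet.SetDynamicDNSRegistration($false, $false) | Out-Null

# Trusted NIC keeps NetBIOS so the guest can browse and join the domain.
$lan = Get-NicConfig $lanNic
$lan.SetTcpipNetbios(1) | Out-Null

# Step 2, narrowed: Windows Firewall on 2003 SP1 is per-interface. Turn it
# off for the LAN side only; the firewall stays globally enabled, so the
# cable-modem side is still filtered.
netsh firewall set opmode mode=ENABLE
netsh firewall set opmode mode=DISABLE interface="$lanNic"

# Step 3: Internet for the guest through RRAS NAT. RRAS must already be
# enabled in the Routing and Remote Access console; the NAT protocol then
# attaches to both interfaces (FULL = public side, PRIVATE = LAN side).
netsh routing ip nat install
netsh routing ip nat add interface name="$internetNic" mode=FULL
netsh routing ip nat add interface name="$lanNic" mode=PRIVATE

# Check the result.
netsh firewall show opmode
netsh routing ip nat show interface
```

For the guest to get past the host at all, its virtual adapter has to be bridged to the LAN NIC (or use VMware's own NAT); a host-only adapter, the VMware counterpart of the "Internal Only" network Stephen asks about later in the thread, reaches the host and nothing beyond it, which matches the symptom of ping working while Internet access does not.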
  12. Ricky

    Ricky Guest

    Hi

    I've already solved one part of the problem. I mean that now I can ping from
    the host OS to the guest OS and the inverse, but I still can't get Internet
    on the guest OS. What should I do?...

    Thanks
    Ricky

     
    Ricky, Jul 24, 2006
    #12
  13. HOLD ON HERE...
    I only skimmed through your posts BUT...here is a question for you.

    How is your network on the Virtual Server setup? Make sure it is setup as
    'External Network' and not 'Internal Only'.

    Internal Only will still give you a DHCP Address but it will not let your VM
    leave that network...just a suggestion.

    -Stephen

     
    Stephen Yorke, Jul 30, 2006
    #13