RWW does not work externally, but works internally though (second post)

Discussion in 'Windows Small Business Server' started by Jack Ping, Jul 23, 2004.

  1. Jack Ping

    Jack Ping Guest

    I am sorry I posted this question the second time.

    SBS2k3 Premium, 2 nic, 1 Netgear router, dynamic IP from ISP, ISA
    installed.
    We do not use Dynamic DNS, instead, we use the public IP to run RWW.

    Two days ago, I noticed that RWW stopped working because the public IP
    changed. In order to continue using RWW, I re-ran CEICW with the new
    IP. But no help.
    If I run "https://the_new_ip/remote" on any internal PC, it works, but
    not on any external PC though. (error: page can not be displayed....)

    On server, I can "telnet localhost 443", and the external NIC: "telnet
    192.168.0.2 443"
    But I can NOT "telnet the_new_IP 443" from any external PC.

    Of course, I forwarded 443 and 4125 in router (remember, RWW worked
    previously with the same router)
    I flashed the firmware and even replaced the router with a different
    known working one, still same thing.

    Where could the problem be? The ISA?


    Thanks a lot

    Jack
     
    Jack Ping, Jul 23, 2004
    #1

  2. Hi,
    I am assuming that when you did the CEICW you created a new certificate to
    match the new IP, correct? Does the public IP reside on the router or on
    the SBS server? Assuming that the public IP is on the router, then the IP
    technically did not change on the SBS server level; the only thing that
    should have changed is the certificate and the destination sets that are
    used by ISA to do the web publishing.

    A good test would be to configure a workstation with an IP on the same
    subnet as the external IP on the SBS box and try to connect it to the same
    physical network and then attempt to access the server to see if we are
    getting denied at that level.

    What error do you get when attempting to connect from an external machine?
    Usually if there are no matching destination sets in ISA for any web
    publishing rules you will get a Forbidden page.

    Regards,
    Damian




    --
    Damian N. Leibaschoff, MS IST, MCSE
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via

    your newsreader so that others may learn and benefit

    from your issue.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Damian N Leibaschoff [MSFT], Jul 23, 2004
    #2

  3. Jack Ping

    Jack Ping Guest

    Hi Damian
    Thanks for the reply

    Yes, when I ran CEICW, I created a new certificate to match the new
    IP. But even if I did not do this, I should still be able to telnet the
    public IP from the external. So, whether or not I created a new
    certificate is not the problem stopping me from using telnet.

    Yes, the public IP resides on router

    It is a very smart idea; I will set up a PC parallel to the server
    then, and will let you know later

    The following message occurs when running "https://thepublicip/remote"
    on external PCs. It is quite long

    ------------------------------------------------------------------------------------------------------------------
    The page cannot be displayed
    The page you are looking for is currently unavailable. The Web site
    might be experiencing technical difficulties, or you may need to
    adjust your browser settings.
    ________________________________________
    Please try the following:
    - Click the Refresh button, or try again later.
    - If you typed the page address in the Address bar, make sure
      that it is spelled correctly.
    - To check your connection settings, click the Tools menu, and
      then click Internet Options. On the Connections tab, click Settings.
      The settings should match those provided by your local area network
      (LAN) administrator or Internet service provider (ISP).
    - If your Network Administrator has enabled it, Microsoft
      Windows can examine your network and automatically discover network
      connection settings.
      If you would like Windows to try and discover them,
      click Detect Network Settings
    - Some sites require 128-bit connection security. Click the Help
      menu and then click About Internet Explorer to determine what strength
      security you have installed.
    - If you are trying to reach a secure site, make sure your
      Security settings can support it. Click the Tools menu, and then click
      Internet Options. On the Advanced tab, scroll to the Security section
      and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
    - Click the Back button to try another link.

    Cannot find server or DNS Error
    Internet Explorer
    ----------------------------------------------------------------------------------------------------------

    Thanks again

    Jack
     
    Jack Ping, Jul 23, 2004
    #3
  4. Hi,
    I am not really concerned about the certificate, but rather the destination
    sets that are configured and used by ISA on the web publishing rules, we use
    the information from the certificate to actually create them.
    The error you are receiving does not seem to be consistent with that problem
    though.

    Go ahead and run the following commands on the server and copy the output
    here:

    netstat -aon | find ":443"


    Regards,
    Damian

    --
    Damian N. Leibaschoff, MS IST, MCSE
    Microsoft Corporation

     
    Damian N Leibaschoff [MSFT], Jul 23, 2004
    #4
  5. Jack Ping

    Jack Ping Guest

    Hi Damian

    Here is the result of "netstat -aon | find ":443"":
    ---------------------------------------------------------------------------
    TCP 10.0.0.2:443 0.0.0.0:0 Listening 8036
    TCP 127.0.0.1:443 0.0.0.0:0 Listening 8036
    TCP 192.168.0.2:443 0.0.0.0:0 Listening 7712
    --------------------------------------------------------------------------

    Note: "10.0.0.2 " ----internal nic on server
    "192.168.0.2" --- external nic on server

    I also connected a PC ("192.168.0.3") to the router ("192.168.0.1")
    directly, parallel to the server ("192.168.0.2")
    On this PC, I can "telnet 192.168.0.2 443"

    Thanks a lot,
    Jack
     
    Jack Ping, Jul 24, 2004
    #5
  6. Hi,

    Based on this:
    Can you also open a browser on the PC and open https://192.168.0.2/remote ?

    It looks like something is going on at the router or the ISP that may be
    blocking port 443.

    Regards,
    Damian

    --
    Damian N. Leibaschoff, MS IST, MCSE
    Microsoft Corporation

     
    Damian N Leibaschoff [MSFT], Jul 26, 2004
    #6
  7. Jack Ping

    Jack Ping Guest

    Thanks Damian,

    I will check this as you instructed, and let you know later for sure.

    Thanks and have a nice day

    Jack
     
    Jack Ping, Jul 26, 2004
    #7
  8. Jack Ping

    Jack Ping Guest

    Thanks Damian a lot for the help.
    The ISP started blocking uncommonly used ports for dynamic ip users.
    We are switching to static ip, and this should fix the problem

    Thanks again

    Jack
     
    Jack Ping, Jul 28, 2004
    #8
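
The isolation steps used in this thread (netstat on the server, then a TCP connect to port 443 from each vantage point moving outward) can be scripted. This is an added example, not code posted by anyone in the thread; the vantage names and the suspect descriptions are labels chosen here for illustration.

```python
import socket

# Output pasted in post #5 of the thread (netstat -aon | find ":443").
NETSTAT = """\
TCP 10.0.0.2:443 0.0.0.0:0 Listening 8036
TCP 127.0.0.1:443 0.0.0.0:0 Listening 8036
TCP 192.168.0.2:443 0.0.0.0:0 Listening 7712
"""

def listeners(netstat_text, port):
    """Return {local_ip: pid} for TCP sockets listening on `port`."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue  # UDP rows and headers have a different shape
        ip, _, local_port = fields[1].rpartition(":")
        if fields[3].upper() == "LISTENING" and local_port == str(port):
            found[ip] = int(fields[4])
    return found

def tcp_open(host, port, timeout=3.0):
    """Same check as `telnet host port`: does the TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Vantage points ordered from the server outward, as tested in the thread.
VANTAGES = ["server_loopback", "server_external_nic", "lan_side_of_router", "internet"]
# Suspect per failing hop: assumptions made for this example, not thread content.
BLAME = {
    "server_loopback": "nothing is listening on the server",
    "server_external_nic": "service is not bound to the external NIC",
    "lan_side_of_router": "server firewall (ISA) rejects the external subnet",
    "internet": "router port forward or ISP filtering",
}

def first_failure(results):
    """results: {vantage: bool}. Return (vantage, suspect) for the first hop that fails."""
    for vantage in VANTAGES:
        if not results[vantage]:
            return vantage, BLAME[vantage]
    return None, "port reachable from every vantage point"
```

Run `tcp_open(address, 443)` from each vantage point and pass the collected booleans to `first_failure`; with the results reported in the thread, only the `internet` probe fails.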