Firewall issues on dual NIC server

 
 
Scott S.
      06-19-2008, 08:31 PM
I've just set up a new Windows Web Server 2008 machine.
I installed the OS and joined it to my domain, set up some shared folders and
copied some files on to it. I had it running really well on the LAN.
Then I installed a 2nd NIC which I connected directly to our external router
and assigned it a static internet IP.
I could see the preliminary "under construction" website and things were
looking good. I then ran a port scan on the external IP and it had lots of
stuff open.
I went into "Windows Firewall with Advanced Security" and found LOTS of
rules to allow "Core Networking" and "File and Printer Sharing". The Core
networking stuff looked fine, but the "File and Printer Sharing" definitions
existed 3 times each, one for each profile "Private", "Domain", and "Public".
So I removed the Public versions of each of those.
Then the port scan only showed port 80 open ... again I thought all was well.
But now I can no longer find that machine or access its shares from the LAN
NIC!
But it can get to the other machines on the LAN.

Network and Sharing center shows the LAN NIC and a "Domain network" with
"Local only" access and the Internet NIC as "Public network" with "Local and
Internet" access. It also shows Network discovery as "Custom" and File
sharing as "On".

I tried turning the firewall off for the Private and Domain profiles, but it
makes no difference. No matter what I try, and I've tried a lot, I get one
of 3 things:
1) Nothing works
2) Everything works but leaves lots of open ports to Internet
3) Internet access is perfect but inbound LAN access doesn't work, outbound
ok.

Does anybody know how to get the firewall to either guard just the Internet
NIC, or how to have different rules for each NIC?
 
Bill Grant
      06-20-2008, 07:02 AM


"Scott S." <(E-Mail Removed)> wrote in message
news:674CF386-37F7-48FE-9A46-(E-Mail Removed)...
> I've just set up a new Windows Web Server 2008 machine.
> I installed the OS and joined it to my domain, set up some shared folders
> and
> copied some files on to it. I had it running really well on the LAN.
> Then I installed a 2nd NIC which I connected directly to our external
> router
> and assigned it a static internet IP.
> I could see the preliminary "under construction" website and things were
> looking good. I then ran a port scan on the external IP and it had lots
> of
> stuff open.
> I went into "Windows Firewall with Advanced Security" and found LOTS of
> rules to allow "Core Networking" and "File and Printer Sharing". The Core
> networking stuff looked fine, but the "File and Printer Sharing"
> definitions
> existed 3 times each, one for each profile "Private", "Domain", and
> "Public".
> So I removed the Public versions of each of those.
> Then the port scan only showed port 80 open ... again I thought all was
> well.
> But now I can no longer find that machine or access its shares from the
> LAN
> NIC!
> But it can get to the other machines on the LAN.
>
> Network and Sharing center shows the LAN NIC and a "Domain network" with
> "Local only" access and the Internet NIC as "Public network" with "Local
> and
> Internet" access. It also shows Network discovery as "Custom" and File
> sharing as "On".
>
> I tried turning the firewall off for the Private and Domain profiles, but
> it
> makes no difference. No matter what I try, and I've tried a lot, I get
> one
> of 3 things:
> 1) Nothing works
> 2) Everything works but leaves lots of open ports to Internet
> 3) Internet access is perfect but inbound LAN access doesn't work,
> outbound
> ok.
>
> Does anybody know how to get the firewall to either guard just the
> Internet
> NIC, or how to have different rules for each NIC?


Why did you decide to install a second NIC? This is not a good idea
unless you plan to use the server as a router. Are you trying to make the
web server accessible from the Internet? It is not a good idea to have a
domain connected server directly connected to the Internet.

If you lock down the firewall so that only port 80 is enabled you are
certainly going to lose the ability to use the machine as a file server. If
you want to expose your web server directly to the Internet, do not make it
a domain member. If you want your server to be a domain member, only give it
one NIC connected to the LAN. Use some other router/firewall device as the
Internet connection device and forward web traffic from there to the web
server on the LAN.



 
 
Scott S.
      06-20-2008, 05:45 PM
Oh, one other reason I need is because the new ASP.NET website needs access
to our SQL Server. I have no idea how that could be done across the Internet.

"Bill Grant" wrote:
>
> Why did you decide to install a second NIC? This is not a good idea
> unless you plan to use the server as a router. Are you trying to make the
> web server accessible from the Internet? It is not a good idea to have a
> domain connected server directly connected to the Internet.
>
> If you lock down the firewall so that only port 80 is enabled you are
> certainly going to lose the ability to use the machine as a file server. If
> you want to expose your web server directly to the Internet, do not make it
> a domain member. If you want your server to be a domain member, only give it
> one NIC connected to the LAN. Use some other router/firewall device as the
> Internet connection device and forward web traffic from there to the web
> server on the LAN.
>
>
>
>

 
 
Phillip Windell
      06-20-2008, 05:50 PM

"Scott S." <(E-Mail Removed)> wrote in message
news:BD642F31-2565-451E-98DF-(E-Mail Removed)...
> Oh, one other reason I need is because the new ASP.NET website needs
> access
> to our SQL Server. I have no idea how that could be done across the
> Internet.


That's not a problem.
If the web server and the SQL server are on the same LAN then the website
contacts the sql server directly while the Firewall Device (not the
host-based Firewall in the OS) makes the website available to the Internet.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Scott S.
      06-24-2008, 12:19 PM
I finally discovered a way ...
* Set up all the "Windows Firewall with Advanced Security" inbound and
outbound rules to make the machine closed to all but the ports wanted open on
the public NIC.
* Go to Control Panel, Windows Firewall, Change Settings which gives a much
more basic interface to the firewall. Then on its Advanced tab I found an
option not available in the Advanced Security interface. I could completely
turn off the firewall on the private NIC.

It makes the firewall settings area of Windows Security turn red and say that
"Windows Firewall is not using the recommended settings", but it then does
exactly what I needed.
 
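Added example, not part of the original thread: the rules discussed above are scoped by profile (Domain, Private, Public), so one way to check a rule set like this is to list every enabled inbound allow rule that applies to the Public profile on a port outside the intended set. The script parses text in the layout printed by `netsh advfirewall firewall show rule name=all`; the sample rules are constructed, and `allowed_ports` (port 80 only) is an assumed policy.

```python
# Added example: audit firewall rules by profile from netsh-style text output.
# Field labels follow English-language netsh output; the sample is constructed.
TEMPLATE = ("Rule Name:{:>60}\n" + "-" * 70 + "\nEnabled:   {}\nDirection: {}\n"
            "Profiles:  {}\nProtocol:  {}\nLocalPort: {}\nAction:    Allow\n\n")
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("File and Printer Sharing (SMB-In)", "Yes", "In", "Domain", "TCP", "445"),
    ("File and Printer Sharing (SMB-In)", "Yes", "In", "Public", "TCP", "445"),
    ("World Wide Web Services (HTTP Traffic-In)", "Yes", "In", "Public", "TCP", "80"),
    ("File and Printer Sharing (NB-Session-In)", "No", "In", "Public", "TCP", "139"),
    ("Core Networking - DNS (UDP-Out)", "Yes", "Out", "Public", "UDP", "Any"),
])


def parse_rules(text):
    """Split the listing into one dict per rule, keyed by field label."""
    rules, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # dashed separator or blank line
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def public_exposure(rules, allowed_ports=frozenset({"80"})):
    """Return (name, protocol, ports) for enabled inbound allow rules that
    apply to the Public profile and open a port outside allowed_ports."""
    findings = []
    for rule in rules:
        profiles = {p.strip().lower() for p in rule.get("Profiles", "").split(",")}
        ports = {p.strip() for p in rule.get("LocalPort", "Any").split(",")}
        if (rule.get("Enabled") == "Yes" and rule.get("Direction") == "In"
                and rule.get("Action") == "Allow" and "public" in profiles
                and not ports <= allowed_ports):
            findings.append((rule["Rule Name"], rule.get("Protocol"),
                             rule.get("LocalPort", "Any")))
    return findings


if __name__ == "__main__":
    for name, proto, ports in public_exposure(parse_rules(SAMPLE)):
        print(f"Public profile allows inbound {proto}/{ports}: {name}")
```

On a live server, save the `netsh` listing to a file and pass its contents to `parse_rules` in place of `SAMPLE`.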
 
 
 