ICF on 2k3 Not Allowing Port 80 Traffic

 
 
sucka, 06-17-2004, 01:14 AM
I've seen this issue posted before, ICF allows some ports (FTP and
Terminal Services for me) but not others (can't enable 80 for HTTP
traffic to IIS no matter what I try), and the responses seem to be ICF
is not suited for use on a server and that we should instead use RRAS.
The RRAS documentation says it requires 2 NICs and NAT ... so
should I set up the server to listen on IP 2, and route all incoming
traffic on IP 1 to 2 and let the RRAS firewall do its magic?

Despite the problem that I've got a hosted box with only one NIC and
no real way to get another one in it, isn't enabling two server
functions not really related in any, you know, direct way to
firewalling just to get a firewall running on the Server (since the
'real' firewall isn't suitable for servers, did I mention that?) just
a few too many hoops to get a firewall running?

Oh, did I mention there are virtually NO 3rd party firewalls available
for 2k3? Are we supposed to just wait until the "2h 2004" release of
SP1 or have I missed some other solutions - sincere question! Any
help is greatly appreciated.
 
Phillip Windell, 06-17-2004, 02:20 PM
What exactly are you doing? Don't explain the method, just explain the
circumstances, environment, and the desired goal,...leave the "method" up
to us to figure out.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
sucka, 06-17-2004, 08:08 PM
"what am I trying to do" - I'm trying to firewall a 2k3 webserver,
specifically I'd like to disallow all traffic save ports 21, 80, 3389
& ICMP. I've attempted to do this w/ ICF which allows FTP, TS and
ICMP but will not allow HTTP (through port 80) through. I've used the
default Web Server setting, and tried making custom rules both to no
avail. Thanks very much for any help you can provide, I'm really
stumped (and frustrated).

Below is one line from my log while port 80 was supposed to be open (I
x'd out the server's IP)

2004-06-16 13:02:01 DROP TCP 216.103.248.49 xx.xx.xx.xx 1626 80 587 AP 1566970466 2380999911 64512 - - -

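Added example, not part of the original thread: a parser for the ICF log format (pfirewall.log) of the line quoted in the post above. It separates dropped connection attempts (bare SYN) from dropped segments of an already-open connection on the ports the poster wants reachable; the posted line carries flags AP (ACK+PSH) and so falls in the second group. Every sample record except the posted one is constructed.

```python
from collections import Counter

# Field order from the "#Fields:" header ICF writes at the top of pfirewall.log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()
ALLOWED_TCP = {21, 80, 3389}  # ports the poster wants reachable

def parse_line(line):
    """Return one record as a dict, or None for header, blank or short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["info"] = " ".join(parts[len(FIELDS) - 1:])  # info may contain spaces
    return rec

def classify(rec):
    """Label a dropped TCP packet that was aimed at a port meant to be open."""
    if rec["action"] != "DROP" or rec["protocol"] != "TCP":
        return None
    if not rec["dst-port"].isdigit() or int(rec["dst-port"]) not in ALLOWED_TCP:
        return None
    flags = rec["tcpflags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"   # bare SYN: the opening packet was refused
    return "mid-connection"       # ACK/PSH/FIN/RST: not a connection opener

def summarize(lines):
    """Count drops per (destination port, kind) for the allowed ports."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec) if rec else None
        if kind:
            counts[(int(rec["dst-port"]), kind)] += 1
    return dict(counts)

SAMPLE = [  # second entry is the line from the post; the others are constructed
    "#Fields: " + " ".join(FIELDS),
    "2004-06-16 13:02:01 DROP TCP 216.103.248.49 xx.xx.xx.xx 1626 80 587 AP "
    "1566970466 2380999911 64512 - - -",
    "2004-06-16 13:02:05 DROP TCP 192.0.2.10 xx.xx.xx.xx 1630 80 48 S 1566970999 0 64512 - - -",
    "2004-06-16 13:02:09 DROP TCP 192.0.2.11 xx.xx.xx.xx 1700 135 48 S 1 0 64512 - - -",
    "2004-06-16 13:02:12 OPEN TCP 192.0.2.12 xx.xx.xx.xx 1701 21 - - - - - - - -",
]
```

A log dominated by "mid-connection" drops on an allowed port points at connection tracking rather than at a missing port rule, which narrows where to look next.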
 
sucka, 06-17-2004, 08:30 PM
Eureka! I was under the impression that I couldn't use TCP/IP
filtering b/c of unspecified problems w/ my hosting company (and this
was the case before, I'd turned on filtering, enabled the few ports I
need and BAM the server went off line). Just for giggles I tried it
again, this time only filtering TCP and leaving all UDP and IP open
and it works! I'm going to work on filtering the other two
protocols now, but at least I got TCP done.

Still no idea why ICF failed but I'm happy I found a workaround.


 
Phillip Windell, 06-17-2004, 08:38 PM
Ok. Well I haven't done anything with ICF and don't really know what to do
with that. I just don't like "local running" firewall applications, but
rather would run firewall software on dedicated firewall machines and then
put servers behind it and "publish" them as required.

I would suggest a more straight-forward approach of just securing the
server itself. Ports don't do anything if nothing is listening on them, so
to prevent things like WINS and the Netbios ports you would simply unbind
the Windows Networking and File & Print Sharing from the Internet connection
while still allowing it on the other NIC. This is done directly within the
Properties of "Network Places", then the Properties of the connection
representing the Internet connection. Just uncheck the box for each of those
on the Internet Connection.

The following links will give you additional things to do, but just be
careful not to go "over-board" and be realistic about things. There is a lot
there, so be careful not to go down a path that isn't proper for your
situation.

Hardening Windows Server 2003 Bastion Hosts
http://www.microsoft.com/technet/sec...secmod127.mspx

Microsoft Security Guidance Center: Windows Server 2003 Index
http://www.microsoft.com/security/gu...erver2003.mspx

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



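Added example, not part of the original thread: a check of the point made in the post above that a port only matters if something is listening on it. It reads `netstat -an` output and reports listeners on non-loopback addresses that fall outside the poster's intended set (TCP 21, 80, 3389), which shows what is still exposed after services have been unbound. The netstat output and the addresses in it are constructed.

```python
ALLOWED = {("TCP", 21), ("TCP", 80), ("TCP", 3389)}  # the poster's intended set

def listeners(netstat_output):
    """Yield (proto, address, port) for every socket that accepts traffic."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = parts[0], parts[1]
        # TCP rows end with a state column; UDP rows have none and are
        # always able to receive datagrams.
        if proto == "TCP" and parts[-1] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            yield proto, addr, int(port)

def unexpected(netstat_output, allowed=ALLOWED):
    """Return sorted (proto, port) pairs reachable from the network but not allowed."""
    found = set()
    for proto, addr, port in listeners(netstat_output):
        if addr.startswith("127."):
            continue  # loopback-only sockets are not reachable from outside
        if (proto, port) not in allowed:
            found.add((proto, port))
    return sorted(found)

# Constructed `netstat -an` output for a single-NIC web server (192.0.2.20).
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.20:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.20:80          198.51.100.7:1626      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.20:137         *:*
  UDP    192.0.2.20:138         *:*
  UDP    127.0.0.1:1025         *:*
"""

if __name__ == "__main__":
    for proto, port in unexpected(NETSTAT):
        print(f"unexpected listener: {proto}/{port}")
```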
 
 
 