W2K3 server SP1 firewall problem

Hi!

I used to have perfectly working pair of Windows 2003 Server (domain
controller) and Windows 2000 Pro workstation. Server built-in firewall was
ON but some ports were opened to allow normal file and printer sharing.

As soon as I installed W2K3 SP1, W2K workstation is almost dead:

It logs to the server in during 1-2 minutes instead of 3 seconds
Internet Explorer wouldn't start AT ALL
"My Computer" window shows nothing
other weird effects

If I log in locally (not to the domain) the workstation works fine and fast
as it was before.
If I turn OFF the firewall on the server the workstation works fine and fast
as it was before.

Please advise, what should I change in W2K3 SP1 built-in firewall to get
back normal Microsoft Networking?


--
Regards,
Dmitry Duginov

How about turning the windows server firewall OFF if this server is on an
internal network? If you are worried about security - don't be.
SMB-signing is enabled by default and for further security you can implement
IPSec if you want.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

"Dmitry Duginov" <(E-Mail Removed)> wrote in message
news:Oy$(E-Mail Removed)...
Hi!

I used to have perfectly working pair of Windows 2003 Server (domain
controller) and Windows 2000 Pro workstation. Server built-in firewall was
ON but some ports were opened to allow normal file and printer sharing.

As soon as I installed W2K3 SP1, W2K workstation is almost dead:

It logs to the server in during 1-2 minutes instead of 3 seconds
Internet Explorer wouldn't start AT ALL
"My Computer" window shows nothing
other weird effects

If I log in locally (not to the domain) the workstation works fine and fast
as it was before.
If I turn OFF the firewall on the server the workstation works fine and fast
as it was before.

Please advise, what should I change in W2K3 SP1 built-in firewall to get
back normal Microsoft Networking?


--
Regards,
Dmitry Duginov

"Todd J Heron" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> How about turning the windows server firewall OFF if this server is on an
> internal network? If you are worried about security - don't be.

The server is also a company Internet web-server, turning off the firewall
is not a good idea. That's why I'd prefer to know what implicit restrictions
were added to SP1 firewall and how to relax them explicitly
(ports/protocols)

--
Regards,
Dmitry Duginov


> SMB-signing is enabled by default and for further security you can
implement
> IPSec if you want.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> --------------------------------------------------------------------------
--
> This posting is provided "as is" with no warranties and confers no rights
>
> "Dmitry Duginov" <(E-Mail Removed)> wrote in message
> news:Oy$(E-Mail Removed)...
> Hi!
>
> I used to have perfectly working pair of Windows 2003 Server (domain
> controller) and Windows 2000 Pro workstation. Server built-in firewall was
> ON but some ports were opened to allow normal file and printer sharing.
>
> As soon as I installed W2K3 SP1, W2K workstation is almost dead:
>
> It logs to the server in during 1-2 minutes instead of 3 seconds
> Internet Explorer wouldn't start AT ALL
> "My Computer" window shows nothing
> other weird effects
>
> If I log in locally (not to the domain) the workstation works fine and
fast
> as it was before.
> If I turn OFF the firewall on the server the workstation works fine and
fast
> as it was before.
>
> Please advise, what should I change in W2K3 SP1 built-in firewall to get
> back normal Microsoft Networking?
>
>
> --
> Regards,
> Dmitry Duginov
>
>
>

Is this a multihomed server/gateway? If so, enable the firewall on the
external interface only, not the internal LAN interface. In the bindings
order, ensure the internal NIC is at the top of the list.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

"Dmitry Duginov" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

"Todd J Heron" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> How about turning the windows server firewall OFF if this server is on an
> internal network? If you are worried about security - don't be.

The server is also a company Internet web-server, turning off the firewall
is not a good idea. That's why I'd prefer to know what implicit restrictions
were added to SP1 firewall and how to relax them explicitly
(ports/protocols)

--
Regards,
Dmitry Duginov


> SMB-signing is enabled by default and for further security you can
implement
> IPSec if you want.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> --------------------------------------------------------------------------
--
> This posting is provided "as is" with no warranties and confers no rights
>
> "Dmitry Duginov" <(E-Mail Removed)> wrote in message
> news:Oy$(E-Mail Removed)...
> Hi!
>
> I used to have perfectly working pair of Windows 2003 Server (domain
> controller) and Windows 2000 Pro workstation. Server built-in firewall was
> ON but some ports were opened to allow normal file and printer sharing.
>
> As soon as I installed W2K3 SP1, W2K workstation is almost dead:
>
> It logs to the server in during 1-2 minutes instead of 3 seconds
> Internet Explorer wouldn't start AT ALL
> "My Computer" window shows nothing
> other weird effects
>
> If I log in locally (not to the domain) the workstation works fine and
fast
> as it was before.
> If I turn OFF the firewall on the server the workstation works fine and
fast
> as it was before.
>
> Please advise, what should I change in W2K3 SP1 built-in firewall to get
> back normal Microsoft Networking?
>
>
> --
> Regards,
> Dmitry Duginov
>
>
>

"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is this a multihomed server/gateway?

No, it's not. Same NIC/IP address serves both Internet clients and internal
clients. The router makes sure that internal traffic for the server doesn't
go outside.

And again, I would prefer to figure out how to fix the solution that used to
work reliably before SP1 installation rather than trying to implement a new
solution. That's why I'm asking if there any information that can help to
adjust new W2K3 firewall behaviour.

D.

> If so, enable the firewall on the
> external interface only, not the internal LAN interface. In the bindings
> order, ensure the internal NIC is at the top of the list.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> --------------------------------------------------------------------------
--
> This posting is provided "as is" with no warranties and confers no rights
>
> "Dmitry Duginov" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
> "Todd J Heron" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > How about turning the windows server firewall OFF if this server is on
an
> > internal network? If you are worried about security - don't be.
>
> The server is also a company Internet web-server, turning off the firewall
> is not a good idea. That's why I'd prefer to know what implicit
restrictions
> were added to SP1 firewall and how to relax them explicitly
> (ports/protocols)
>
> --
> Regards,
> Dmitry Duginov
>
>
> > SMB-signing is enabled by default and for further security you can
> implement
> > IPSec if you want.
> >
> > --
> > Todd J Heron, MCSE
> > Windows Server 2003/2000/NT; CCA
>
> --------------------------------------------------------------------------
> --
> > This posting is provided "as is" with no warranties and confers no
rights
> >
> > "Dmitry Duginov" <(E-Mail Removed)> wrote in message
> > news:Oy$(E-Mail Removed)...
> > Hi!
> >
> > I used to have perfectly working pair of Windows 2003 Server (domain
> > controller) and Windows 2000 Pro workstation. Server built-in firewall
was
> > ON but some ports were opened to allow normal file and printer sharing.
> >
> > As soon as I installed W2K3 SP1, W2K workstation is almost dead:
> >
> > It logs to the server in during 1-2 minutes instead of 3 seconds
> > Internet Explorer wouldn't start AT ALL
> > "My Computer" window shows nothing
> > other weird effects
> >
> > If I log in locally (not to the domain) the workstation works fine and
> fast
> > as it was before.
> > If I turn OFF the firewall on the server the workstation works fine and
> fast
> > as it was before.
> >
> > Please advise, what should I change in W2K3 SP1 built-in firewall to get
> > back normal Microsoft Networking?
> >
> >
> > --
> > Regards,
> > Dmitry Duginov
> >
> >
> >
>
>

With the firewall enabled you'll need to open the NetBIOS ports in the
Windows firewall, enable NetBIOS over TCP/IP, ensure File and Print Sharing
for MS networks is enabled on the network adapter.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

"Dmitry Duginov" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...

"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is this a multihomed server/gateway?

No, it's not. Same NIC/IP address serves both Internet clients and internal
clients. The router makes sure that internal traffic for the server doesn't
go outside.

And again, I would prefer to figure out how to fix the solution that used to
work reliably before SP1 installation rather than trying to implement a new
solution. That's why I'm asking if there any information that can help to
adjust new W2K3 firewall behaviour.

D.

"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> With the firewall enabled you'll need to open the NetBIOS ports in the
> Windows firewall, enable NetBIOS over TCP/IP, ensure File and Print
Sharing
> for MS networks is enabled on the network adapter.

I already had to turn off that firewall because the server started to
"disappear" from time to time for 6 to 8 minutes. I.e. I can ping the
router, but no services (http, ftp, smtp, pop) respond. And nothing int the
logs, no traces of any problems. Since I turned the firewall off everything
works fine with no connection loss.


--
Regards,
Dmitry Duginov

> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> --------------------------------------------------------------------------
--
> This posting is provided "as is" with no warranties and confers no rights
>
> "Dmitry Duginov" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>
> "Todd J Heron" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Is this a multihomed server/gateway?
>
> No, it's not. Same NIC/IP address serves both Internet clients and
internal
> clients. The router makes sure that internal traffic for the server
doesn't
> go outside.
>
> And again, I would prefer to figure out how to fix the solution that used
to
> work reliably before SP1 installation rather than trying to implement a
new
> solution. That's why I'm asking if there any information that can help to
> adjust new W2K3 firewall behaviour.
>
> D.
>