
Firewall App on Win Server 2003


Gunnar23 (MIS, US), Sep 20, 2005
I need firewall software (e.g. Zone Alarm) that works well with Windows Server 2003.
I have a Windows Server 2003 that serves as my Domain Controller, IIS, FTP, VPN, DHCP, DNS and file server.
Everything works except the VPN from outside my network. The VPN works internally; I am using Routing and Remote Access.
I was thinking of installing a firewall and putting my server in the DMZ.
I have a Linksys WRT54G router; I forwarded port 1723 and enabled VPN pass-through.
When I try to connect over the internet from a remote location I get "Verifying username and password" and then Error 721 after about a minute.

I am open to suggestions.

Thanks.
 
Everything you want to do is available in ISA 2004: firewall/DMZ/VPN/proxy/caching, loads of fun, so this is my suggestion for you!!

Plus it will keep you busy learning!!



"Research is what I'm doing when I don't know what I'm doing."
 
Win2k3 SP1 has a pretty good inbound firewall built in; it's no match for a hardware firewall but better than nothing. You might find a lot of third-party software firewalls interfere with a DC and require a bit of fiddling to get sorted.
 
Sorry, I misread that, thinking you were wanting a firewall right on the box.

schtek is right: ISA will provide the functionality that you are looking for.
 
I only have one server.
I read that running ISA on your Domain Controller is bad news.
I actually tried it a few months ago and I couldn’t even get my clients to join the domain.
 
So you guys are suggesting that I run an ISA server between the internet and my internal network?
Would I have to add a second server?
 
Yes, if you use ISA then it should be on a separate box with nothing else installed; I wouldn't put it on a DC.
 
You might want to look into a budget hardware firewall rather than put your DC in the DMZ.
 

I am new to ISA.
If you guys can help me:
So I install ISA on a separate box with two NICs, connect one NIC to the cable modem and the second NIC to a hub.
Then I have to set up rules on the ISA box to allow all my services. How hard is this step for a newbie to ISA?
And could I plug a Linksys wireless router into that hub?

Thanks.
 
It's a good idea to put your FTP, email, and IIS services out on the DMZ, and forward these ports. However, placing a DC onto the DMZ is very risky. I would suggest the DC, file, DNS and DHCP inside.

I would also suggest a hardware solution for a firewall, with 2 configurable ports for the inside.

WAN connection, E0=DMZ, E1=Inside.

You can pick up a PIX 500 series firewall for a fair price these days (especially if you shop around). The Cisco IOS isn't very intuitive, but there's plenty of doc to get you up and running. And once it's up you basically never touch it again (except for maybe firmware upgrades).

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 
The suggestions keep getting harder. I don't know anything about Cisco; does the PIX 500 have a GUI?
If not, I would probably have better luck trying to configure ISA.
 
Well, as I suggested it, I'll have my 2 pennies. Thanks by the way porkchop (love the nick). I have been learning ISA since June. I bought a book, Tom Shinder's ISA 2004; in there there is a 30 min read on getting the vitals going, so it took me 1 hr to get back onto the internet, MSN/clients proxy all set. It does say to use a separate box, and I am. There is another web site, ISAserver.org, with lots of great info on all types of subjects for ISA.

Hardware I have, but once you tinker with this baby I think you will find it's a lot better!!

It's not as hard as it looks and seems.

Good luck on whatever you chooooose...


"Research is what I'm doing when I don't know what I'm doing."
 
There is a web interface for the PIX IOS, with plenty of doc. Although there are certain limitations to using the GUI vs. using the CLI, everything that you need in particular will probably be provided via the GUI.

Nonetheless, there are 'templates' floating around out there that guide you through the exact syntax and commands to set up just about any scenario (they do get fairly advanced). Simply drop in your ports and IPs.

The thing about a software solution is that there is a base operating system which needs to be patched and maintained which, I believe, any experienced hacker could infiltrate with little effort. Not that one couldn't hack a PIX, but there are fewer opportunities to do so. I hope you find the right solution for your environment!

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 
I know this has been debated in many locations, but Tom Shinder has argued strongly against that position, saying that the whole idea is that ISA protects the underlying OS on all interfaces. Of course it is still a good idea to harden the underlying OS.

But as I say, that's a big debate.
 
Thanks for all your help and replies.
I fixed my problem by forwarding these ports, 500, 50, 1723, 47, on my Linksys router.
I will probably upgrade my router next year, but will have to make do with my basic Linksys router for now.

I still have a problem, I had a friend connect to me via VPN, that proved the VPN worked. But once he was connected he was unable to surf the web and was not able to open the share I created for him on my server and I could not ping him.

I am new to VPN (obviously); I think that the problem is that I did not configure the DNS correctly or that I need to add some kind of static route.

Can someone please go over how to set up a DNS server so that it handles DNS queries for my internal network plus VPN clients and local PCs trying to reach the internet?

Big thanks.
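As an added example (not from the thread or any poster), a small Python checker that compares a home router's forward/passthrough rules with what an RRAS PPTP server needs behind NAT, and flags the usual mistake of entering GRE (47) or ESP (50), which are IP protocol numbers, as TCP/UDP ports. The L2TP/IPsec entry and UDP 4500 (NAT-T) are a generalisation beyond the thread, and the rule lists are constructed to mimic the Linksys settings described above.

```python
# Added example, not from the thread: check router rules against RRAS VPN needs.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str            # "port": TCP/UDP port forward; "proto": IP protocol passthrough
    value: int           # port number, or IP protocol number
    transport: str = ""  # "tcp"/"udp" for port rules; empty for proto rules

# Per VPN flavour, the (kind, value, transport) entries a NAT router must pass.
# 47 (GRE) and 50 (ESP) are IP protocol numbers, not ports: a "port forward"
# of 47 or 50 matches nothing, so the tunnel never comes up.
REQUIREMENTS = {
    "pptp": {("port", 1723, "tcp"), ("proto", 47, "")},
    "l2tp-ipsec": {("port", 500, "udp"), ("port", 4500, "udp"), ("proto", 50, "")},
}
PROTOCOL_NUMBERS = {47: "GRE", 50: "ESP"}

def missing(rules, vpn="pptp"):
    """Requirements of `vpn` not satisfied by `rules`, sorted for stable output."""
    have = {(r.kind, r.value, r.transport) for r in rules}
    return sorted(REQUIREMENTS[vpn] - have)

def protocols_entered_as_ports(rules):
    """Protocol numbers that were mistakenly configured as TCP/UDP port forwards."""
    return sorted({r.value for r in rules if r.kind == "port" and r.value in PROTOCOL_NUMBERS})

def diagnose(rules, vpn="pptp"):
    """One-line verdict matching the symptom the VPN client would show."""
    gaps = missing(rules, vpn)
    if not gaps:
        return "ok"
    if vpn == "pptp" and gaps == [("proto", 47, "")]:
        # TCP 1723 reaches RRAS, so authentication starts, but the GRE data
        # channel never establishes: the classic Error 721 after a pause.
        return "tcp/1723 open but GRE (protocol 47) blocked: expect Error 721"
    return "missing: " + ", ".join(
        f"{kind} {value}{' ' + transport if transport else ''}" for kind, value, transport in gaps)

if __name__ == "__main__":
    before = [Rule("port", 1723, "tcp")]                     # constructed: 1723 only
    after = [Rule("port", 1723, "tcp"), Rule("proto", 47)]    # constructed: GRE passed too
    print(diagnose(before))
    print(diagnose(after))
```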
 
Gunnar23,

Possibly best to start a new post on this topic. The initial query seems to have changed.

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 