RAS and the whole network

Post by Robert Goere » Sat, 03 Feb 2001 18:31:40



How or what is there to do to be able to connect to other workstations when
dialling in to the network through RAS?
I dial in and can only access the server (10.0.0.2), but I would also like to
be able to connect to the other workstations.

Best Regards
Robert Goeres

 
 
 

RAS and the whole network

Post by Jeff Middleton [SBS-MVP » Sun, 04 Feb 2001 00:22:00


You probably should be installing RRAS on the SBS and configuring it from
that point.

Using RAS to enable IP Forwarding is required to make this happen, but that
would introduce security problems with Proxy.  With RRAS, it's possible to
maintain a secure connection under Proxy with Packet Filters enabled.


> How or what is there to do to be able to connect to other workstations
> when dialling in to the network through RAS?
> I dial-in and can only access the server (10.0.0.2) but I would also be
> able to connect to the other workstations.

> Best Regards
> Robert Goeres


 
 
 

RAS and the whole network

Post by Peter E Smit » Sun, 04 Feb 2001 10:54:36


Network Properties > Services > RAS properties > Network > Configure TCP/IP
> Check 'Entire Network' instead of 'This Computer Only'.

################### DANGEROUS ###################, it exposes your entire
LAN to the outside world. Share only one folder on the workstations, call it
public, and don't leave any sensitive or private data in there.

--

Mannesty Information Systems Ltd

"The life so short, the craft so long to learn." - Hippocrates


> How or what is there to do to be able to connect to other workstations
> when dialling in to the network through RAS?
> I dial-in and can only access the server (10.0.0.2) but I would also be
> able to connect to the other workstations.

> Best Regards
> Robert Goeres

 
 
 

RAS and the whole network

Post by Martin Keene » Sat, 10 Feb 2001 23:43:30


I too have the same requirement as Robert and my RAS properties already show
the same settings as below, but it still does not allow remote users to
access the workstations. Incidentally this was the default setting after SBS
installation!!!
Any other thoughts? Have you succeeded yet Robert?
Regards.
Martin Keenes



> Network Properties > Services > RAS properties > Network > Configure
> TCP/IP
> > Check 'Entire Network' instead of 'This Computer Only'.
> ################### DANGEROUS ###################, it exposes your entire
> LAN to the outside world. Share only one folder on the workstations, call
> it public, and don't leave any sensitive or private data in there.

> Mannesty Information Systems Ltd

> > How or what is there to do to be able to connect to other workstations
> > when dialling in to the network through RAS?
> > I dial-in and can only access the server (10.0.0.2) but I would also be
> > able to connect to the other workstations.

> > Best Regards
> > Robert Goeres

 
 
 

RAS and the whole network

Post by Steve Foste » Sun, 11 Feb 2001 00:16:29


Can you ping workstations by number?

Steve Foster


> I too have the same requirement as Robert and my RAS properties already
> show the same settings as below, but it still does not allow remote users to
> access the workstations. Incidentally this was the default setting after
> SBS installation!!!
> Any other thoughts? Have you succeeded yet Robert?
> Regards.
> Martin Keenes

> > Network Properties > Services > RAS properties > Network > Configure
> > TCP/IP
> > > Check 'Entire Network' instead of 'This Computer Only'.
> > ################### DANGEROUS ###################, it exposes your
> > entire LAN to the outside world. Share only one folder on the workstations,
> > call it public, and don't leave any sensitive or private data in there.

> > Mannesty Information Systems Ltd

> > > How or what is there to do to be able to connect to other workstations
> > > when dialling in to the network through RAS?
> > > I dial-in and can only access the server (10.0.0.2) but I would also
> > > be able to connect to the other workstations.

> > > Best Regards
> > > Robert Goeres

 
 
 

RAS and the whole network

Post by Martin Keene » Sun, 11 Feb 2001 01:02:51


Spookily I can!!
What do you think?
Martin Keenes


> Can you ping workstations by number?

> Steve Foster

> > I too have the same requirement as Robert and my RAS properties already
> > show the same settings as below, but it still does not allow remote users to
> > access the workstations. Incidentally this was the default setting after
> > SBS installation!!!
> > Any other thoughts? Have you succeeded yet Robert?
> > Regards.
> > Martin Keenes

> > > Network Properties > Services > RAS properties > Network > Configure
> > > TCP/IP
> > > > Check 'Entire Network' instead of 'This Computer Only'.
> > > ################### DANGEROUS ###################, it exposes your
> > > entire LAN to the outside world. Share only one folder on the workstations,
> > > call it public, and don't leave any sensitive or private data in there.

> > > Mannesty Information Systems Ltd

> > > > How or what is there to do to be able to connect to other
> > > > workstations when dialling in to the network through RAS?
> > > > I dial-in and can only access the server (10.0.0.2) but I would also
> > > > be able to connect to the other workstations.

> > > > Best Regards
> > > > Robert Goeres

 
 
 

RAS and the whole network

Post by Steve Foste » Sun, 11 Feb 2001 02:12:22


Then you have a name resolution problem. To which the (fairly standard)
answer is a HOSTS & LMHOSTS file on the RAS client.

Steve Foster


> Spookily I can!!
> What do you think?
> Martin keenes

> > Can you ping workstations by number?

> > Steve Foster

> > > I too have the same requirement as Robert and my RAS properties
> > > already show the same settings as below, but it still does not allow remote
> > > users to access the workstations. Incidentally this was the default setting
> > > after SBS installation!!!
> > > Any other thoughts? Have you succeeded yet Robert?
> > > Regards.
> > > Martin Keenes

> > > > Network Properties > Services > RAS properties > Network > Configure
> > > > TCP/IP
> > > > > Check 'Entire Network' instead of 'This Computer Only'.
> > > > ################### DANGEROUS ###################, it exposes your
> > > > entire LAN to the outside world. Share only one folder on the workstations,
> > > > call it public, and don't leave any sensitive or private data in there.

> > > > Mannesty Information Systems Ltd

> > > > > How or what is there to do to be able to connect to other
> > > > > workstations when dialling in to the network through RAS?
> > > > > I dial-in and can only access the server (10.0.0.2) but I would
> > > > > also be able to connect to the other workstations.

> > > > > Best Regards
> > > > > Robert Goeres
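
Steve's two-step diagnosis (ping by number, then by name) can be made repeatable on the dial-in client. The script below is an added example and is not part of the thread: it tests each LAN host by address and then by NetBIOS name, and reads back the WINS servers and node type the client's adapters received, so "reachable by number but not by name" is reported as a name-resolution finding rather than a routing one. It is written for Windows PowerShell on a current Windows client (the thread is about NT4, which has no PowerShell); the host table is constructed, with only the server address 10.0.0.2 taken from the thread, and the workstation names and addresses are placeholders.

```powershell
# Added example, not from the thread. Separates "cannot reach" from "cannot
# resolve" for LAN hosts as seen from a dial-in/VPN client.
# $SampleHosts is a constructed table: 10.0.0.2 is the server from the thread;
# the workstation names and addresses are placeholders for your own LAN.
$SampleHosts = @(
    @{ Name = 'SBSSERVER'; IP = '10.0.0.2'  }
    @{ Name = 'WS-ONE';    IP = '10.0.0.21' }
    @{ Name = 'WS-TWO';    IP = '10.0.0.22' }
)

function Get-NbtClientConfig {
    # What the adapters actually received: WINS servers come from DHCP option
    # 044, the node type from option 046 (NetBT stores it as DhcpNodeType; a
    # static NodeType value, if present, overrides it). 1=B, 2=P, 4=M, 8=H.
    $nbt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -ErrorAction SilentlyContinue
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress, WINSPrimaryServer, WINSSecondaryServer, TcpipNetbiosOptions
    [pscustomobject]@{
        NodeTypeStatic = $nbt.NodeType       # $null unless an admin pinned it
        NodeTypeDhcp   = $nbt.DhcpNodeType   # from option 046 on the last lease
        Adapters       = $adapters
    }
}

function Test-RasNameResolution {
    param([Parameter(Mandatory)][hashtable[]]$Hosts)

    foreach ($h in $Hosts) {
        # Step 1 (Steve's question): ping by number. A failure here is a
        # routing/forwarding problem ("This Computer Only" still in effect,
        # RRAS filters), not a name problem.
        $byIp = Test-Connection -ComputerName $h.IP -Count 1 -Quiet -ErrorAction SilentlyContinue

        # Step 2: NetBIOS name lookup. nbtstat -a resolves the name using the
        # client's node type and WINS servers (or LMHOSTS) before querying it;
        # "Host not found." in its output means resolution failed.
        $nbtOut = & nbtstat.exe -a $h.Name 2>&1 | Out-String
        $byName = $nbtOut -notmatch 'Host not found'

        $verdict = if ($byIp -and $byName) { 'OK' }
                   elseif ($byIp) { 'NAME RESOLUTION: WINS via DHCP 044/046, or HOSTS/LMHOSTS on the client' }
                   else           { 'ROUTING: unreachable by address; check RAS "Entire Network" / RRAS' }

        [pscustomobject]@{ Name = $h.Name; IP = $h.IP; ByIP = $byIp; ByName = $byName; Verdict = $verdict }
    }
}

Get-NbtClientConfig
Test-RasNameResolution -Hosts $SampleHosts | Format-Table -AutoSize
```

Run it from the client while the RAS/VPN session is up. A node type of 1 (B-node) in the first report explains the symptom on its own: broadcasts never cross the PPP link, so a B-node client resolves nothing on the far side.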

 
 
 

RAS and the whole network

Post by mikew5.. » Sun, 11 Feb 2001 03:00:33




> Then you have a name resolution problem. To which the (fairly
> standard) answer is a HOSTS & LMHOSTS file on the RAS client.

Someone else who gets a royalty for each LMHOSTS file? ;)

Seriously, I was having all kinds of trouble too, but not now. Check out
my post entitled "Browsing problem SOLVED!!!" for an outline of what it
took to make things work for me (and without a LMHOSTS file at that!)

Regards,
MJW

Sent via Deja.com
http://www.deja.com/

 
 
 

RAS and the whole network

Post by Martin Keene » Mon, 12 Feb 2001 03:59:42


Thanks Steve & Mike, I will try both and report back in a few days. Seems
quite a common problem.
Common enough for a knowledgebase article I'd say, but I didn't find one.
Cheers.
Martin Keenes.



> > Then you have a name resolution problem. To which the (fairly
> > standard) answer is a HOSTS & LMHOSTS file on the RAS client.

> Someone else who gets a royalty for each LMHOSTS file? ;)

> Seriously, I was having all kinds of trouble too, but not now. Check out
> my post entitled "Browsing problem SOLVED!!!" for an outline of what it
> took to make things work for me (and without a LMHOSTS file at that!)

> Regards,
> MJW

> Sent via Deja.com
> http://www.deja.com/

 
 
 

RAS and the whole network

Post by Martin Keene » Wed, 14 Feb 2001 19:23:42


Thanks for the pointers guys, I fixed it....
On RAS admin "allow remote TCP clients to access - entire network" -
obviously.....

DHCP Manager.
Under DHCP Servers, double-click Local Machine and select the DHCP scope you
wish to enable.
On the DHCP Manager menu bar, click DHCP Options and then click Global. The
DHCP Options: Global page will appear.
Under Unused options, select 044 WINS/NBNS Servers and click Add.
Click Value, click Edit Array and type the IP address of the WINS server.
Click OK.
Under Unused options, select 046 WINS/NBT Node Type and click Add.
Click Value.
In the Byte box, type 0x8 and click OK.
Close the DHCP Manager.
This procedure will provide DHCP clients with IP addresses and WINS server
name resolution when they obtain an IP lease from the DHCP server. This will
let a RAS client access all computers on the network.

My remaining question is.... how dangerous is this if using Proxy Server?
What are the issues?
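
The same two DHCP options Martin sets in DHCP Manager, configured and read back with the DhcpServer PowerShell module on a current Windows Server DHCP service. This is an added example, not code from the thread, and the module does not exist on NT4. It assumes it runs on the DHCP server itself; the WINS server address 10.0.0.2 is the server from the thread, and the scope ID 10.0.0.0 is a constructed placeholder for the scope that serves the RAS address pool.

```powershell
# Added example, not from the thread: options 044 (WINS/NBNS Servers) and
# 046 (WINS/NBT Node Type) set as server-wide options (what NT4 DHCP Manager
# calls "Global") with the DhcpServer module, then read back.
# Assumptions: run on the DHCP server; the WINS server is the SBS at 10.0.0.2
# (from the thread); 10.0.0.0 is a constructed scope ID.
param(
    [string]$WinsServer = '10.0.0.2',
    [string]$ScopeId    = '10.0.0.0'
)

Import-Module DhcpServer

# Option 046 is a single byte selecting the NetBIOS name-resolution order:
#   0x1 B-node  broadcast only          0x2 P-node  WINS only
#   0x4 M-node  broadcast, then WINS    0x8 H-node  WINS, then broadcast
# The thread sets 0x8. A dial-in client needs WINS (or LMHOSTS) because its
# broadcasts never leave the PPP link, so a B-node client resolves nothing.
$HNode = 8

# Server-level values apply to every scope that does not override them.
Set-DhcpServerv4OptionValue -OptionId 44 -Value $WinsServer
Set-DhcpServerv4OptionValue -OptionId 46 -Value $HNode

# Read back the server-level values...
Get-DhcpServerv4OptionValue -OptionId 44, 46 |
    Format-Table OptionId, Name, Value -AutoSize

# ...and check that the scope itself does not override them with something
# else (a scope-level 046 of 1, for example, would silently undo the fix).
$scopeOverrides = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 44, 46 -ErrorAction SilentlyContinue
if ($scopeOverrides) {
    Write-Warning "Scope $ScopeId overrides option(s): $($scopeOverrides.OptionId -join ', ')"
    $scopeOverrides | Format-Table OptionId, Name, Value -AutoSize
}
```

Clients pick the new values up at their next lease renewal; `ipconfig /release` and `ipconfig /renew` on a client, followed by `ipconfig /all`, should then show the WINS server and "Node Type: Hybrid".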

 
 
 

RAS and the whole network

Post by Jeff Middleton [SBS-MVP » Wed, 14 Feb 2001 22:24:50


The recommended practice if you want to enable IP Forwarding on any
interfaces on a computer running Proxy is to use RRAS, then enable Proxy
Packet filters.  By default, NT uses a single IP routing stack; RRAS changes
that....this is what it's intended to accomplish.  Without RRAS, there is a
chance that you are sending internal LAN data out the external interfaces,
in particular if you have more than one NIC in the server.


> Thanks for the pointers guys, I Fixed it....
> On RAS admin "allow remote TCP clients to access - entire network" -
> obviously.....

> DHCP Manager.
> Under DHCP Servers, double-click Local Machine and select the DHCP scope
> you wish to enable.
> On the DHCP Manager menu bar, click DHCP Options and then click Global.
> The DHCP Options: Global page will appear.
> Under Unused options, select 044 WINS/NBNS Servers and click Add.
> Click Value, click Edit Array and type the IP address of the WINS server.
> Click OK.
> Under Unused options, select 046 WINS/NBT Node Type and click Add.
> Click Value.
> In the Byte box, type 0x8 and click OK.
> Close the DHCP Manager.
> This procedure will provide DHCP clients with IP addresses and WINS server
> name resolution when they obtain an IP lease from DHCP server. This will
> let a RAS client access all computers on the network.

> My remaining question is.... how dangerous is this if using Proxy Server.
> What are the issues?

 
 
 

RAS and the whole network

Post by Martin Keene » Thu, 15 Feb 2001 01:57:39


Jeff, I only have 1 NIC on the server in question and it uses an ISDN TA for
web connection on demand via Proxy.
There is only 1 workstation that needs to be accessed via RAS and there is a
second NT FileServer on the network that also needs to be accessed. The 2nd
server is configured with a different domain name and requires a separate
login.
Do you think I am at risk of exposing anything to the outside world?
Cheers.
Martin Keenes



> The recommended practice if you want to enable IP Forwarding on any
> interfaces on a computer running Proxy is to use RRAS, the enable Proxy
> Packet filters.  By default, NT uses a single IP routing stack, RRAS
> changes that....this is what it's intended to accomplish.  Without RRAS, there is
> a chance that you are sending internal LAN data out the external interfaces,
> in particular if you have more than one NIC in the server.

> > Thanks for the pointers guys, I Fixed it....
> > On RAS admin "allow remote TCP clients to access - entire network" -
> > obviously.....

> > DHCP Manager.
> > Under DHCP Servers, double-click Local Machine and select the DHCP scope
> > you wish to enable.
> > On the DHCP Manager menu bar, click DHCP Options and then click Global.
> > The DHCP Options: Global page will appear.
> > Under Unused options, select 044 WINS/NBNS Servers and click Add.
> > Click Value, click Edit Array and type the IP address of the WINS
> > server.
> > Click OK.
> > Under Unused options, select 046 WINS/NBT Node Type and click Add.
> > Click Value.
> > In the Byte box, type 0x8 and click OK.
> > Close the DHCP Manager.
> > This procedure will provide DHCP clients with IP addresses and WINS
> > server name resolution when they obtain an IP lease from DHCP server. This will
> > let a RAS client access all computers on the network.

> > My remaining question is.... how dangerous is this if using Proxy
> > Server. What are the issues?

 
 
 

RAS and the whole network

Post by Jeff Middleton [SBS-MVP » Thu, 15 Feb 2001 02:18:42


If the web connection is an ISDN TA with DOD, then this means that it's not
up all the time which makes a big difference in exposure.  A practical
answer is that you probably don't have to be really worried provided that
you don't have either of these connections open constantly. This is the
security by moving target concept, even though there's the possibility that
you could have some leaks.

In general, NT doesn't leak between RAS sessions, and this is basically what
we are talking about in your case. It's more susceptible to leaking between
RAS and multi-NIC connections.

If you really want a bold review of it, you could go to the NT routing group
and post the question, but they will probably say something like:

NT RAS sessions are going to be PPP, therefore the IP forwarding in one
session is going to go to the others.  Having Proxy Server means that
traffic that originated on the LAN doesn't get to the interface that the
Proxy Server is bound to provided the LAT is properly configured so that's
okay.  Having RRAS installed with Proxy Server is the most secure method
because it ensures that each interface secures the routes only of interest,
no leaking.  It's possible for someone to sniff Netbios on an interface
bound to Client for MS networking, so you don't want to bind that to the TA
connecting to the Web.  MS documents that RAS with IP forwarding can have
stray packets leak and Proxy with Packet Filters will prevent that, provided
that you do not have IP Forwarding on the NICs enabled.

I have always interpreted your situation as a pretty low risk, but this
depends a bit upon your concern about the difference between "always"
routing information to the web (like a misconfigured multi-home would do) or
binding MS Networking to the web interface, as opposed to the occasional
possibility that stray packets would get out due to errors in the handling
of the NT internal routing stack.

Your answer is that it's probably not worth worrying about, or else you
install RRAS and you no longer have to worry about this potential defect.
If you plan to go to SBS 2K soon, it gets resolved cleanly there in its entirety.


> Jeff, I only have 1 NIC on the server in question and it uses an ISDN TA
> for web connection on demand via Proxy.
> There is only 1 workstation that needs to be accessed via RAS and there is
> a second NT FileServer on the network that also needs to be accessed. The
> 2nd server is configured with a different domain name and requires a separate
> login.
> Do you think I am at risk of exposing anything to the outside world?
> Cheers.
> Martin Keenes

> > The recommended practice if you want to enable IP Forwarding on any
> > interfaces on a computer running Proxy is to use RRAS, the enable Proxy
> > Packet filters.  By default, NT uses a single IP routing stack, RRAS
> > changes that....this is what it's intended to accomplish.  Without RRAS, there
> > is a chance that you are sending internal LAN data out the external
> > interfaces, in particular if you have more than one NIC in the server.

> > > Thanks for the pointers guys, I Fixed it....
> > > On RAS admin "allow remote TCP clients to access - entire network" -
> > > obviously.....

> > > DHCP Manager.
> > > Under DHCP Servers, double-click Local Machine and select the DHCP
> > > scope you wish to enable.
> > > On the DHCP Manager menu bar, click DHCP Options and then click
> > > Global. The DHCP Options: Global page will appear.
> > > Under Unused options, select 044 WINS/NBNS Servers and click Add.
> > > Click Value, click Edit Array and type the IP address of the WINS
> > > server.
> > > Click OK.
> > > Under Unused options, select 046 WINS/NBT Node Type and click Add.
> > > Click Value.
> > > In the Byte box, type 0x8 and click OK.
> > > Close the DHCP Manager.
> > > This procedure will provide DHCP clients with IP addresses and WINS
> > > server name resolution when they obtain an IP lease from DHCP server. This
> > > will let a RAS client access all computers on the network.

> > > My remaining question is.... how dangerous is this if using Proxy
> > > Server. What are the issues?
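
The conditions Jeff weighs above (IP forwarding turned on across the box, and MS Networking bound to the interface that faces the Web) can be checked rather than reasoned about. The audit below is an added example, not from the thread: it reads the global IPEnableRouter value (the same Tcpip registry value NT4 RAS IP forwarding sets), per-interface forwarding, whether Client for MS Networks or File and Printer Sharing is bound to the Internet-facing adapter, and whether the RRAS service is present. It assumes a current Windows Server with the NetTCPIP and NetAdapter modules; the adapter name pattern '*ISDN*' is a constructed placeholder for the dial-out interface and must be adjusted to match the real adapter name.

```powershell
# Added example, not from the thread: audit of the exposure conditions Jeff
# describes on a Proxy/RAS box. Assumes a current Windows Server (NetTCPIP
# and NetAdapter modules); '*ISDN*' is a constructed name pattern for the
# Internet-facing dial-out adapter.
function Get-RasExposureReport {
    param([string]$ExternalAdapterPattern = '*ISDN*')

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Global IP forwarding. IPEnableRouter=1 makes the host route between
    #    ALL interfaces, which is what lets LAN/RAS traffic reach the external
    #    interface when Proxy has no RRAS packet filters in front of it.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $ipEnableRouter = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
    if ($ipEnableRouter -eq 1) {
        $findings.Add('IPEnableRouter=1: host forwards between all interfaces.')
    }

    # 2. Per-interface forwarding (RRAS-style routing is enabled per interface).
    Get-NetIPInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.Forwarding -eq 'Enabled' } |
        ForEach-Object { $findings.Add("IPv4 forwarding enabled on '$($_.InterfaceAlias)'.") }

    # 3. NetBIOS services on the external interface. Jeff's point: Client for
    #    MS Networks (ms_msclient) and File and Printer Sharing (ms_server)
    #    must not be bound to the adapter that connects to the Web.
    Get-NetAdapterBinding -Name $ExternalAdapterPattern -ComponentID ms_msclient, ms_server -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } |
        ForEach-Object { $findings.Add("'$($_.DisplayName)' is bound to external adapter '$($_.Name)'.") }

    # 4. Is RRAS present? It is the thread's recommended way to get per-interface
    #    routes plus packet filters instead of NT's single routing stack.
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

    [pscustomobject]@{
        IPEnableRouter = $ipEnableRouter
        RrasService    = if ($rras) { [string]$rras.Status } else { 'not installed' }
        Findings       = $findings
    }
}

Get-RasExposureReport | Format-List
```

An empty Findings list with RrasService running is the configuration Jeff calls the most secure; any finding under item 3 is the NetBIOS exposure he warns about and should be fixed by unbinding those components from the external adapter.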

 
 
 

RAS and the whole network

Post by Martin Keene » Thu, 15 Feb 2001 19:14:22


That's excellent Jeff, thanks.
Without wishing to bore you with my query too much, how does SBS2K solve it?
(for my own curiosity).
Ta.
Martin.



> If the web connection is an ISDN TA with DOD, then this means that it's
> not up all the time which makes a big difference in exposure.  A practical
> answer is that you probably don't have to be really worried provided that
> you don't have either of these connections open constantly. This is the
> security by moving target concept, even though there's the possibility
> that you could have some leaks.

> In general, NT doesn't leak between RAS sessions, and this is basically
> what we are talking about in your case. It's more susceptible to leaking
> between RAS and multi-NIC connections.

> If you really want a bold review of it, you could go to the NT routing
> group and post the question, but they will probably say something like:

> NT RAS sessions are going to be PPP, therefore the IP forwarding in one
> session is going to go to the others.  Having Proxy Server means that
> traffic that originated on the LAN doesn't get to the interface that the
> Proxy Server is bound to provided the LAT is properly configured so that's
> okay.  Having RRAS installed with Proxy Server is the most secure method
> because it ensures that each interface secures the routes only of
> interest, no leaking.  It's possible for someone to sniff Netbios on an interface
> bound to Client for MS networking, so you don't want to bind that to the
> TA connecting to the Web.  MS documents that RAS with IP forwarding can have
> stray packets leak and Proxy with Packet Filters will prevent that,
> provided that you do not have IP Forwarding on the NICs enabled.

> I have always interpreted your situation as a pretty low risk, but this
> depends a bit upon your concern about the difference between "always"
> routing information to the web (like a misconfigured multi-home would do)
> or binding MS Networking to the web interface, as opposed to the occasional
> possibility that stray packets would get out due to errors in the handling
> of the NT internal routing stack.

> You answer is that it's probably not worth worrying about, or else you
> install RRAS and you no longer have to worry about this potential defect.
> If you plan to go to SBS 2K soon, it gets resolve cleanly there in
> entirety.

> > Jeff, I only have 1 NIC on the server in question and it uses an ISDN TA
> > for web connection on demand via Proxy.
> > There is only 1 workstation that needs to be accessed via RAS and there
> > is a second NT FileServer on the network that also needs to be accessed. The
> > 2nd server is configured with a different domain name and requires a
> > separate login.
> > Do you think I am at risk of exposing anything to the outside world?
> > Cheers.
> > Martin Keenes

 
 
 

RAS and the whole network

Post by Jeff Middleton [SBS-MVP » Fri, 16 Feb 2001 00:43:33


Essentially, and in the most brief explanation ;-), SBS 2K being based upon
W2K means that RRAS is conceptually part of the W2K networking
infrastructure. All interfaces are handled in true router form, ISA as a
firewall is now a stateful packet firewall which means it doesn't leak. W2K
RRAS configuration is a single infrastructure to configure all related
issues in one place correctly. If you have ISA, then you use ISA to do the
configuration and it will do the RRAS related configuration
automatically....again top down.  MS has really streamlined the issues here
with W2K and SBS 2K so that you are focusing more on the strategy you want
to pursue, and less on collecting technotes on various non-unified
technologies that require endless tweaking to get lined up in a cohesive
plan.

After looking at W2K and ISA on this, I just decided it was madness to sort
out anything more with NT4/SBS4.5 if it could possibly be avoided.  I have
quite seriously refused to do deployments on related issues for my clients
for the past 4-6 months unless they either agreed to pay an unreasonable sum
for me to implement it, or bought a router to isolate the concerns in one
place. This is not to say that it can't be done in SBS 4.5 or that I'm not
willing to help my clients, rather it's a basic fact that what it costs me
to deploy things to my clients is what I base my charges to them on, right?  As
soon as I saw that all of the NT effectively disappears from the radar
at the next upgrade, I was faced with the reality that for me to deploy the
VPN/reverse proxy and security issues involved and recoup the cost of my own
research, implementation and troubleshooting of the configuration could not
possibly be recovered in such a short life-cycle before SBS 2K ships.

For myself, I'm looking at the most obvious answer for my clients is to go
to SBS 2K if they want to address any of these VPN/RRAS/firewall and remote
access issues other than with a private dialup or WAN connection. So much of
SBS 2K and W2K has been updated to make this work right, that it seems the
most obvious answer....sort of the idea of why would you take a 5 yr old car
to a shop and tell them "replace everything to make it like new" rather than
take it to the dealer and trade up to a new car?  The vast majority of my
experiences with W2K have been good, with the only notable exceptions being
when I was seeking information about how to use W2K based applications and
services in an NT4 domain.....which seems to be a blind-eye for MS.  Moving
to AD is the key answer to so many issues on the horizon, if not already
here, that to me the first excuse to get SBS to SBS 2K is going to make the
costs of future support and deployment at that site much more manageable.


> That's excellent Jeff, thanks.
> Without wishing to bore you with my query too much, how does SBS2K solve
> it? (for my own curiosity).
> Ta.
> Martin.

> > If the web connection is an ISDN TA with DOD, then this means that it's
> > not up all the time which makes a big difference in exposure.  A practical
> > answer is that you probably don't have to be really worried provided
> > that you don't have either of these connections open constantly. This is the
> > security by moving target concept, even though there's the possibility
> > that you could have some leaks.

> > In general, NT doesn't leak between RAS sessions, and this is basically
> > what we are talking about in your case. It's more susceptible to leaking
> > between RAS and multi-NIC connections.

> > If you really want a bold review of it, you could go to the NT routing
> > group and post the question, but they will probably say something like:

> > NT RAS sessions are going to be PPP, therefore the IP forwarding in one
> > session is going to go to the others.  Having Proxy Server means that
> > traffic that originated on the LAN doesn't get to the interface that the
> > Proxy Server is bound to provided the LAT is properly configured so
> > that's okay.  Having RRAS installed with Proxy Server is the most secure method
> > because it ensures that each interface secures the routes only of
> > interest, no leaking.  It's possible for someone to sniff Netbios on an interface
> > bound to Client for MS networking, so you don't want to bind that to the
> > TA connecting to the Web.  MS documents that RAS with IP forwarding can
> > have stray packets leak and Proxy with Packet Filters will prevent that,
> > provided that you do not have IP Forwarding on the NICs enabled.

> > I have always interpreted your situation as a pretty low risk, but this
> > depends a bit upon your concern about the difference between "always"
> > routing information to the web (like a misconfigured multi-home would
> > do) or binding MS Networking to the web interface, as opposed to the occasional
> > possibility that stray packets would get out due to errors in the
> > handling of the NT internal routing stack.

> > You answer is that it's probably not worth worrying about, or else you
> > install RRAS and you no longer have to worry about this potential
> > defect. If you plan to go to SBS 2K soon, it gets resolve cleanly there in
> > entirety.

> > > Jeff, I only have 1 NIC on the server in question and it uses an ISDN
> > > TA for web connection on demand via Proxy.
> > > There is only 1 workstation that needs to be accessed via RAS and
> > > there is a second NT FileServer on the network that also needs to be accessed.
> > > The 2nd server is configured with a different domain name and requires a
> > > separate login.
> > > Do you think I am at risk of exposing anything to the outside world?
> > > Cheers.
> > > Martin Keenes

 
 
 

RAS Configuration - Browse whole network?

On the network configuration under RAS, the option to "Browse whole network"
(or words to that effect) is shown above "This machine only". We intend to
set up VPN links to get to an application server on 10.0.0.77 and I assume I
need to check the "whole network" box.

Are there any security issues I should know about before doing this?

Mike
