Wednesday, October 10th, 2012
Windows Server 2012 Essentials is different from previous versions of SBS as it’s designed to work with three different types of mail systems. As a result, the ports you need to have open on your firewall are also different.
If you have a uPnP router then the configuration wizards in Windows Server 2012 Essentials will do the work for you. If, like me, you elect to disable uPnP, then you will need to configure the firewall port forwarding manually.
Here’s the list of ports you need to open on your firewall for Windows Server 2012 Essentials. Note that not ALL of them need to be open in order for things to work.
Port 25 – is NOT required to be open if you are using a cloud-based mail system such as Office 365; in that case this port can and should be closed. ONLY if you have an on-premises Exchange or other mail server should you open this port to your network, and in that case you will port forward it to that mail server and not to the Windows Server 2012 Essentials server. If you have no external email filtering or antispam service then you will need to leave this open for all external IPs. If however you are using something like ExchangeDefender or Trend IMHS then you will need to lock down the external IPs that this port can accept connections from.
Port 80 – does NOT need to be open at all in reality. It’s there to provide an easy redirect for our users when they go to access the Anywhere Access feature of Windows Server 2012 Essentials (formerly known as Remote Web Access). Having this port open allows the user to type remote.mycompany.com into a web browser, which will then go direct to our server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile, but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote. My advice is to train your users – put this URL on the back of a business card for them to make it easy to handle.
Port 443 – this is a mandatory one. It needs to be open and forwarded to your Windows Server 2012 Essentials server to allow access to the Anywhere Access website. All traffic over this connection is encrypted, so it’s safe and secure. If this is not open then none of these functions will work outside your office. This port is also used by SSTP, which is the default VPN protocol in Windows Server 2012 Essentials.
Port 1723 – is an optional port on Windows Server 2012 Essentials. You see – the default protocol for VPN is now SSTP, which runs over port 443. You will only need to open port 1723 if you have client PCs that cannot use SSTP to access your server. If you do open it and have a more advanced router, make sure you also allow the GRE protocol (IP protocol 47), which the PPTP VPN needs in addition to port 1723.
Tuesday, April 5th, 2011
The default installation of SBS 2011 Essentials and SBS 2011 Standard has Internet Explorer configured in Hard Admin mode. Microsoft made the decision to do this in order to protect the server itself when people attempt to surf the Internet from it.
The downside to this is that many server applications, such as Trend Micro WFBS, use a web interface to manage the product. Accessing this on the server console is the typical way to configure the product, and having IE Enhanced Security configured in Hard Admin mode makes that more troublesome.
In these circumstances, the easiest way to resolve this problem is to disable Internet Explorer Enhanced Security Configuration for the Administrator users. You should of course NEVER use the server’s Internet Explorer to access the Internet, as this could lead to your system becoming compromised.
To disable Internet Explorer Enhanced Security Configuration on the SBS 2011 Server, follow this procedure.
1. Select the Server Manager from the Start menu
2. Select the Configure IE ESC wizard under the Security Information section on the right hand pane.
3. Change the default option for Administrators from On to Off and select OK.
4. If you had Internet Explorer open, close it and restart it.
5. Internet Explorer will now be running in Soft Admin mode.
Ok – so that’s it. If you’ve followed this procedure then things like Trend Micro WFBS Security Console will work just fine on the server itself now.
NOTE: IT IS NEVER RECOMMENDED TO ACCESS THE INTERNET USING THE INTERNET EXPLORER ON THE SERVER CONSOLE. USE A WORKSTATION INSTEAD TO ENSURE YOUR NETWORK REMAINS SECURE.
Friday, February 25th, 2011
Small Business Server 2011 Essentials (SBS 2011 Essentials) is a little different from previous versions of SBS that we’ve all come to know and appreciate. SBS 2011 Essentials does not have an on premise mail server, or Sharepoint Companyweb. As a result it requires fewer ports open than SBS 2011 Standard or previous versions of SBS.
If you have a uPnP router then all the hard work is done for you by the Internet Address Management Wizard that you run during configuration of the server. It will automatically open ports 80 and 443, which are all you need.
If, however, you are like me and want to control the router/firewall directly, then you will need to manually configure the following ports to be open and forwarded to your SBS 2011 Essentials server.
Port 80 – does NOT need to be open at all in reality. It’s there to provide an easy redirect for our users when they go to access the Remote Web Access feature of SBS 2011 Essentials. Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to our server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote. My advice is to train your users – put this URL on the back of a business card for them to make it easy to handle.
Port 443 – this is a mandatory one. This needs to be open and forwarded to your SBS 2011 Essentials server to allow access to the Remote Web Access website. All traffic over this connection is encrypted so it’s safe and secure. If this is not open then none of these functions will work outside your office.
That’s it really – SBS 2011 Essentials, due to its reduced on-premises functionality, requires fewer ports to be opened on your firewall and is an easier configuration all round.
Tuesday, February 22nd, 2011
Small Business Server 2011 Standard (SBS 2011 Standard) needs a few ports open on your firewall router to allow specific traffic to flow into your SBS 2011 server for proper operation. You can use the uPnP protocol to configure your firewall automatically if you permit it. To do so, ensure that uPnP is enabled on your firewall and run the Internet Address Management Wizard – it will do the rest. If, however, you, like me, are more security conscious, you will want to make any changes to your firewall settings manually and you will want to disable uPnP. I do this routinely as I’ve had scenarios where a user on the network has loaded a third-party application and that application has then redirected critical ports such as port 443 to itself, thereby breaking remote access to applications on the SBS 2011 server.
So if you are going to control things manually you will need to have the following ports open. Note that you do NOT have to have them ALL open – but you need to open them IF you wish to use that functionality. Certain ports such as port 25 and 3389 may well need additional configuration to secure them in the best manner.
Port 25 – is required for all SMTP inbound mail. If you have no external email filtering or antispam software then you will need to leave this open for all external IPs. If however you are using something like ExchangeDefender or Trend IMHS then you will need to lock down the external IPs that this port can talk to. If this port is NOT open then you will not be able to receive external email.
Port 80 – does NOT need to be open at all in reality. It’s there to provide an easy redirect for our users when they go to access the Remote Web Access feature of SBS 2011. Having this port open allows the user to type remote.mycompany.com into a web browser, which will then go direct to our server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile, but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote.
Port 443 – this is a mandatory one. This is the secret behind SBS 2011 and over this encrypted channel you will be able to access Remote Web Access (RWA), Outlook Web Access, Activesync for your mobile devices and Outlook Anywhere. If this is not open then none of these functions will work outside your office.
Port 987 – this port is used for SSL-encrypted access to the CompanyWeb. It uses the same SSL certificate as the one you installed with the Certificate Wizard and will provide external access to Companyweb. If this port is not open then you will not have external access to Companyweb at all.
Port 1723 – is an optional port. You will need this open if you wish to use VPN to access the network remotely.
Port 3389 – DOES NOT NEED TO BE OPEN at all. Many people believe they need this open to access the server from remote locations – that is incorrect. Having this port open to the Internet without restriction is a security issue, as it gives remote people direct console access to attempt to penetrate your server. If you must have it open for remote support purposes then install a two-factor authentication agent like AuthAnvil, or lock the port down so it’s accessible from your remote IP only.
So in a nutshell, you only really need ports 25 and 443 open to the Internet on your firewall to allow MOST of the functionality of SBS 2011 and its Remote Web Access.
Saturday, September 5th, 2009
Small Business Server 2008 (SBS 2008) requires a number of ports open on your firewall to allow inbound traffic from the Internet into your network. SBS 2008 needs fewer ports open than SBS 2003 did. You will only need to open all of the ports below if you are using all facilities. If you do not need a specific function then there is no need to allow that port to be open inbound to the server.
Port 25 – This is required for inbound mail using the SMTP protocol – this will be needed on MOST SBS 2008 servers. If you are using an external third party mail filtering service such as Trend Micro Internet Messaging Security then you will want to restrict this port to be open ONLY to their servers. Closing this port to all traffic will prevent ANY inbound mail to your SBS 2008 server.
Port 80 – This port is used to redirect requests to the Remote Web Workplace for http://remote.mycompany.com through to the secured site on port 443. You do not need to have this port open for SBS 2008 to work, but if you close it then you must get your users to use https://remote.mycompany.com to get to their Remote Web Workplace. Closing this port will result in errors when users try to access Remote Web Workplace via http://remote.mycompany.com.
Port 443 – This is the Secure Sockets Layer (SSL) access to the Remote Web Workplace. All traffic over this port is encrypted for security. This port needs to be open in order for Remote Web Workplace to work. Closing this port will result in the Remote Web Workplace not being accessible outside of the office from the Internet.
Port 987 – This is another Secure Sockets Layer (SSL) port that is used to allow access to the Companyweb from the Internet. It uses the same digital certificate as that on port 443. Closing this port will result in the Companyweb not being accessible outside of the office from the Internet.
Port 1723 – This port is used for the PPTP VPN in SBS 2008. It only needs to be enabled if you have already configured the SBS 2008 server to be used as a VPN server. You can do this via the SBS 2008 console on the Network tab using the Enable VPN wizard. Closing this port will result in the VPN not being accessible from the Internet.
SBS 2008 does NOT require the following ports to be opened BY DEFAULT.
Port 21 – This port is used for FTP access from the Internet to the SBS 2008 server. The SBS 2008 server is NOT configured as an FTP server by default. It is NOT recommended that you configure your SBS 2008 server as an FTP server, as by default any password used to access it will go over the Internet in clear or plain text. This means that someone else can easily read your password and potentially compromise your network security.
Port 3389 – This port is used for DIRECT access to the SBS 2008 server’s console via the RDP protocol of the Remote Desktop Connection software. Allowing this port to be open to the Internet WILL increase the potential of your server being compromised via a password brute-force attack. If you MUST have this port open to the Internet, it is recommended that you implement a two-factor authentication solution called AuthAnvil from Scorpion Software.
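The four port lists above (SBS 2008, SBS 2011 Standard, SBS 2011 Essentials and Windows Server 2012 Essentials) all make the same three distinctions: a port is required, optional, or not recommended, and some of the required or tolerated ones should be restricted to known source addresses rather than the whole Internet. The following script is an added example, not code from the original posts: it transcribes those lists into a policy table and audits a set of router port-forward rules against it, reporting required ports that are missing, ports forwarded that no post calls for, ports the posts say not to expose, and ports left open to everyone that should be locked to a few source networks (port 25 when a filtering service is in use, port 3389 always). The product names, rule layout and the sample rule set are assumptions I made for the example; the sample rules are constructed, not read from a real router.

```python
"""Firewall exposure audit for the SBS / Essentials port lists above.

Added example, not part of the original posts. POLICIES is transcribed from
the posts; Forward entries are what you would copy from your own router's
port-forwarding table. The rule set in __main__ is constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

ANY = "0.0.0.0/0"   # a forward with this source is open to the whole Internet


@dataclass(frozen=True)
class Rule:
    """status: 'required' | 'optional' | 'not_recommended'.
    restrict: 'never' | 'if_filtered' (lock to the mail-filtering service when one is used) | 'always'."""
    port: int
    status: str
    restrict: str = "never"
    note: str = ""


@dataclass(frozen=True)
class Forward:
    """One router port-forward: TCP port plus the source networks allowed to reach it."""
    port: int
    sources: Tuple[str, ...] = (ANY,)


POLICIES: Dict[str, List[Rule]] = {
    "SBS 2008": [
        Rule(25, "required", "if_filtered", "SMTP; restrict to the filtering service if you use one"),
        Rule(80, "optional", note="HTTP redirect to Remote Web Workplace only"),
        Rule(443, "required", note="Remote Web Workplace over SSL"),
        Rule(987, "optional", note="Companyweb over SSL"),
        Rule(1723, "optional", note="PPTP VPN, only if the Enable VPN wizard was run"),
        Rule(21, "not_recommended", note="FTP; passwords cross the Internet in clear text"),
        Rule(3389, "not_recommended", "always", "RDP; two-factor auth or a source-IP lock if unavoidable"),
    ],
    "SBS 2011 Standard": [
        Rule(25, "required", "if_filtered", "SMTP inbound mail"),
        Rule(80, "optional", note="HTTP redirect to /remote only"),
        Rule(443, "required", note="RWA, Outlook Web Access, ActiveSync, Outlook Anywhere"),
        Rule(987, "optional", note="Companyweb over SSL"),
        Rule(1723, "optional", note="PPTP VPN"),
        Rule(3389, "not_recommended", "always", "RDP; two-factor auth or a source-IP lock if unavoidable"),
    ],
    "SBS 2011 Essentials": [
        Rule(80, "optional", note="HTTP redirect to /remote only"),
        Rule(443, "required", note="Remote Web Access"),
    ],
    "WS2012 Essentials": [
        Rule(25, "optional", "if_filtered", "only with on-premises mail; forward to that server"),
        Rule(80, "optional", note="HTTP redirect to /remote only"),
        Rule(443, "required", note="Anywhere Access and SSTP VPN"),
        Rule(1723, "optional", note="PPTP only for clients that cannot use SSTP; GRE needed as well"),
    ],
}


def open_to_internet(fwd: Forward) -> bool:
    """True when any allowed source network is a default route, i.e. everyone."""
    return any(ip_network(src, strict=False).prefixlen == 0 for src in fwd.sources)


def audit(product: str, forwards: List[Forward], uses_mail_filter: bool = False) -> Dict[str, List[int]]:
    """Compare a router's forwards with the policy for one product; returns sorted port lists."""
    policy = {r.port: r for r in POLICIES[product]}
    forwarded = {f.port: f for f in forwards}
    findings: Dict[str, List[int]] = {
        "missing_required": [], "unexpected": [], "not_recommended": [], "unrestricted": [],
    }
    for port, rule in policy.items():
        if rule.status == "required" and port not in forwarded:
            findings["missing_required"].append(port)
    for port, fwd in forwarded.items():
        rule = policy.get(port)
        if rule is None:                       # no post calls for this port at all
            findings["unexpected"].append(port)
            continue
        if rule.status == "not_recommended":
            findings["not_recommended"].append(port)
        must_restrict = rule.restrict == "always" or (rule.restrict == "if_filtered" and uses_mail_filter)
        if must_restrict and open_to_internet(fwd):
            findings["unrestricted"].append(port)
    return {key: sorted(ports) for key, ports in findings.items()}


if __name__ == "__main__":
    # Constructed rule set: an SBS 2011 Standard site using a mail-filtering service,
    # with RDP and an unexplained port 8080 forwarded to the server.
    example = [Forward(25), Forward(80), Forward(443), Forward(3389), Forward(8080)]
    for key, ports in audit("SBS 2011 Standard", example, uses_mail_filter=True).items():
        print(f"{key:18s} {ports}")
```

Run it against your own router's forwarding table by listing each forward as a Forward(port, ("a.b.c.d/32", ...)); a forward whose source list contains 0.0.0.0/0 counts as open to everyone, which is exactly the case the posts warn about for ports 25 (with a filtering service) and 3389.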
Sunday, November 3rd, 2002
At the core of SBS 2000 is the Windows 2000 Server platform. Inherent in this is tighter security, and related to security is accurate time synchronisation. SBS 2000 can have its clock synchronised with one of the many Internet time servers (NTP servers), which prevents it from drifting excessively. You also need to ensure that the time zone settings on each workstation are correct; if not, you will have problems with scheduled meetings within Outlook when people within a company have different time zone settings. To set up your SBS network correctly, follow this procedure.
SBS 2000 Server
ISA Server first needs to be configured to allow SBS to talk to the NTP servers on the Internet.
1. Start the SBS Administrator Console
2. Drill down into the ISA Server node in the tree (called Internet Security and Acceleration Server 2000)
3. Expand the Servers and Arrays node
4. Expand the actual server itself
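Once the ISA rule above lets the server reach UDP port 123, the quickest way to see whether the clock is actually being kept in step is to ask an NTP server and compute the offset yourself. The script below is an added example, not part of the original post: a minimal SNTP client that sends a mode-3 request, parses the mode-4 reply and applies the standard four-timestamp offset and delay formulas. The server name time.windows.com and the 300-second tolerance are assumptions (300 s is the default maximum clock skew a Windows domain will tolerate for Kerberos); the reply used in the self-check is constructed, not captured.

```python
"""SNTP offset check for the SBS 2000 time-synchronisation post above.

Added example, not part of the original post. Sends one client request,
parses the server reply and reports how far the local clock is from the
server's. The reply built by make_reply() is constructed for offline testing.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800     # seconds between 1900-01-01 and 1970-01-01
NTP_PACKET = "!BBBb11I"           # 48-byte header: 4 single-byte fields + 11 32-bit words
KERBEROS_MAX_SKEW = 300.0         # assumed tolerance: default Kerberos clock skew in seconds


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def unix_to_ntp(t: float):
    """Split Unix seconds into the NTP (seconds, fraction) pair."""
    whole = int(t)
    return whole + NTP_EPOCH_OFFSET, int((t - whole) * 2 ** 32)


def build_request(t1: float) -> bytes:
    """Mode-3 client request: LI=0, VN=3, mode=3 (0x1B); transmit timestamp = t1."""
    secs, frac = unix_to_ntp(t1)
    return struct.pack(NTP_PACKET, 0x1B, 0, 0, 0, *([0] * 9), secs, frac)


def parse_reply(data: bytes, t1: float, t4: float) -> dict:
    """Take T2 (receive) and T3 (transmit) from a mode-4 reply and compute offset/delay.

    t1 = local time the request was sent, t4 = local time the reply arrived.
    A positive offset means the local clock is behind the server.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_PACKET, data[:48])
    mode, stratum = f[0] & 0x07, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("kiss-o'-death or unsynchronised server")
    t2 = ntp_to_unix(f[11], f[12])    # receive timestamp
    t3 = ntp_to_unix(f[13], f[14])    # transmit timestamp
    return {
        "stratum": stratum,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
        "delay": (t4 - t1) - (t3 - t2),
    }


def within_tolerance(offset: float, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    """True when the measured offset is inside the allowed skew."""
    return abs(offset) <= max_skew


def make_reply(t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed mode-4 reply (LI=0, VN=4, mode=4 = 0x24) for offline testing."""
    r_secs, r_frac = unix_to_ntp(t2)
    x_secs, x_frac = unix_to_ntp(t3)
    return struct.pack(NTP_PACKET, 0x24, stratum, 0, 0, *([0] * 7), r_secs, r_frac, x_secs, x_frac)


def query(server: str = "time.windows.com", timeout: float = 3.0) -> dict:
    """Live query over UDP/123; only works once the ISA rule from the procedure above exists."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_reply(data, t1, t4)


if __name__ == "__main__":
    result = query()
    verdict = "OK" if within_tolerance(result["offset"]) else "CLOCK SKEW TOO LARGE"
    print("stratum %d offset %+.3fs delay %.3fs %s" % (result["stratum"], result["offset"], result["delay"], verdict))
```

Run it on the server and on a workstation: an offset that is within tolerance on the server but not on a workstation points at the workstation's time-zone or sync settings rather than at the ISA rule.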
Wednesday, November 28th, 2001
Here’s the solution for enabling Quicken 2001 Internet Update features through ISA Server (QuickBooks through ISA Server is a little different, as detailed below):
You must enable Basic Authentication for Outgoing Web Requests. Apparently, Quicken uses IE’s Integrated Authentication capability for some Internet functions, but then uses its own code to perform other Internet functions. When its own code is used, it can only provide Basic Authentication, which fails unless Basic Authentication is enabled in ISA.
In the ISA Server Properties dialog (under Servers and Arrays, right-click the server name and select Properties), choose the Outgoing Web Requests tab. In the Identification area, your server name should appear in the white area. Highlight the server and click Edit. In the next dialog, under Authentication, Integrated is the only method selected by default. To enable Quicken to authenticate successfully, select “Basic with this domain” as well. You can ignore the Select Domain button/field unless authentication needs to be sent to a domain other than the one this ISA server belongs to.
Additionally, make sure that you have configured Quicken to use the correct ISA server and to provide valid user authentication information via Quicken’s Internet Connection Setup. The ISA server should be entered as just “ServerName” (use your server name only; no other characters are required), with port 8080. In the Authentication dialog, just provide a valid user account that has access to the Internet through ISA Server, according to your ISA policies.
QuickBooks seems to be able to use IE’s Integrated Authentication capabilities, so proxy settings are not required within the QuickBooks Internet Connection Setup. All that is required is that the QuickBooks user has access to the Internet through ISA.
For reference, I have my ISA Server configured so that all LAN clients have the Firewall Client installed AND they are configured as Web Proxy clients. On ISA, I set the HTTP Redirector to ignore all web requests from Firewall and SecureNAT clients in order to force Web Proxy to be used for web traffic (allows detailed user logs and allows for user/group-based web access rules). Finally, under Outgoing Web Requests, I check “Ask Unauthenticated Users for Identification”.
I believe that Basic Authentication in this case will not present an Internet security risk, since clear-text passwords are only being transmitted internally, from the client to the ISA server. Please correct me if I’m wrong on this! However, it does present the opportunity for password sniffing on the internal LAN, so I use a special user account with very limited rights to “stand in” as the account used by Quicken/QuickBooks for Basic Authentication.
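The point made in the last paragraph is that a Basic credential is only base64-encoded, so anyone who can see the request on the LAN can read the account name and password, which is why a limited stand-in account is used for Quicken. The script below is an added example, not part of the original post: it reads captured outgoing web requests (here constructed, not a real capture), reports which proxy authentication scheme each client used, and for Basic recovers the user name so an administrator can confirm that only the approved stand-in account is ever sent in clear text. The client addresses, account names and the stand-in account name quickensvc are made up for the example; the header names are standard HTTP.

```python
"""Proxy authentication audit for the Quicken / ISA Server post above.

Added example, not part of the original post. Classifies each captured
request by Proxy-Authorization scheme and flags Basic credentials that
belong to anything other than the approved limited stand-in account.
SAMPLE_CAPTURE is constructed; the passwords in it are not real.
"""
import base64
from typing import Dict, List, Optional, Tuple

INTEGRATED = {"negotiate", "ntlm"}    # the schemes ISA presents as "Integrated"


def proxy_auth_header(raw: bytes) -> Optional[str]:
    """Return the Proxy-Authorization value from one HTTP request, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            return value.strip()
    return None


def decode_basic(value: str) -> Tuple[str, str]:
    """'Basic <base64(user:password)>' -> (user, password). Base64 is encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def classify(raw: bytes) -> Dict[str, Optional[str]]:
    """Scheme used by one request and, for Basic, the clear-text user name (password dropped)."""
    value = proxy_auth_header(raw)
    if value is None:
        return {"scheme": None, "user": None}
    scheme = value.split(" ", 1)[0].lower()
    if scheme == "basic":
        user, _ = decode_basic(value)
        return {"scheme": "basic", "user": user}
    return {"scheme": "integrated" if scheme in INTEGRATED else scheme, "user": None}


def audit_capture(capture: List[Dict], allowed_basic_users=("quickensvc",)) -> List[Dict]:
    """One report row per request; flag=True when Basic was used with a non-approved account."""
    report = []
    for entry in capture:
        row = classify(entry["request"])
        row["client"] = entry["client"]
        row["flag"] = row["scheme"] == "basic" and row["user"] not in allowed_basic_users
        report.append(row)
    return report


def make_request(auth_value: Optional[str]) -> bytes:
    """Constructed request as a Web Proxy client would send it to ISA on port 8080."""
    lines = ["GET http://www.example.com/ HTTP/1.1", "Host: www.example.com"]
    if auth_value:
        lines.append("Proxy-Authorization: " + auth_value)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def basic_value(user: str, password: str) -> str:
    """Build the Basic header value the way a client does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")


# Constructed capture: Quicken on the stand-in account, a browser using Integrated
# authentication, and a Quicken install someone configured with a real user's account.
SAMPLE_CAPTURE = [
    {"client": "10.0.0.21", "request": make_request(basic_value("quickensvc", "stand-in-only"))},
    {"client": "10.0.0.22", "request": make_request("Negotiate PLACEHOLDER_TOKEN")},
    {"client": "10.0.0.23", "request": make_request(basic_value("jsmith", "NotARealPassword1"))},
]

if __name__ == "__main__":
    for row in audit_capture(SAMPLE_CAPTURE):
        print(row)
```

The report deliberately keeps the user name and drops the password: the check you want is "which accounts are being sent in clear text", and the flagged row (jsmith) is the one to chase, since that account presumably has more rights than the stand-in.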