Windows Server Firewall Error



Ber|Art
16/04/08, 10:55
Hi,

On our new VPS server (Windows Server 2003 R2 Datacenter Edition with Microsoft Virtual Server) I am testing a VPS running Windows Server 2003 R2 Standard Edition SP2 with Plesk 8.3 (both fresh, default installations) and I am running into a Microsoft Firewall problem. When I try to start the firewall I get this message:

Windows Error:

Windows firewall cannot run because another program or service that might use the network address translation component (lpnet.sys)

Plesk Errors:

Error: Set default component failed: defpackagemng failed: Execute winfwmng.exe "<?xml version=\"1.0\" encoding=\"UTF-8\"?><command><set><opmode/><mode value=\"disable\"/><profile type=\"current\"/></set></command>" failed: Exception from HRESULT: 0x8007030E.
winfwmng failed: Exception from HRESULT: 0x8007030E.
---------------------- Debug Info -------------------------------
0: C:\Program Files\SWsoft\Plesk\admin\plib\common_func.php3:151
psaerror(string 'winfwmng failed: Exception from HRESULT: 0x8007030E.')
1: C:\Program Files\SWsoft\Plesk\admin\plib\firewallmng.php:35
firewallmng->_call(string '<command><show><opmode/><profile type="current"/></show></command>')
2: C:\Program Files\SWsoft\Plesk\admin\plib\firewallmng.php:49
firewallmng->firewall_get_status()
3: C:\Program Files\SWsoft\Plesk\admin\htdocs\server\firewall.php:14

I have done some searching and the only thing I see is that RRAS has to be disabled. I did that, but the message stays the same. I don't see much in the logs. I also uninstalled the virus scanner once, but the problem remained the same.

Does anyone have a solution for this problem? In other words, how do I get the Microsoft Firewall turned on?

Hollanda
16/04/08, 11:26
Why insist on Windows Firewall? I would rather use IPsec...

Ber|Art
16/04/08, 11:32
I would rather use the Windows Firewall. It is also recognised by Plesk. I don't know how that works with IPsec? Does it have to be installed separately?

Hollanda
16/04/08, 11:40
IPsec can be configured much more precisely (inbound and outbound ports). IPsec works fine on Windows with Plesk. Just search for 'secpol.msc'.

GlobalServe
16/04/08, 11:46
The error you are getting is because there is a NAT interface present on your system.
Once you disable Routing and Remote Access you will simply be able to use the Windows Firewall.

Ber|Art
16/04/08, 18:25
Yes, but then I no longer have Remote Access :( I think Microsoft seriously falls short here; I cannot use the Windows Firewall if I want to run both Remote Access and Plesk, so now a third-party firewall has to be installed :( Is there good software that makes use of IPsec?

GlobalServe
16/04/08, 18:27
Via Remote Access you can now filter and create port mappings...
But you can indeed no longer use the Plesk firewall.

Why do you need Remote Access?

Ber|Art
16/04/08, 19:30
To maintain the OS, read logs, etc., etc. I find that easier than via SSH or the like. It is just strange that Microsoft did not see this :( Maybe Bram wants to / is able to say something about this?

gjtje
16/04/08, 19:40
Remote Access leans heavily on IPsec, and combining IPsec with the Windows Firewall produces an unclear mess of rules, so that's why. ;)

Glenn
16/04/08, 19:43
If you disable Routing and Remote Access you still have RDP.

GlobalServe
16/04/08, 20:11
Send me a PM if you have a problem and I'll help you to a solution, or add me on MSN.

bramveen
18/04/08, 11:23
Hi all,

It is not entirely clear to me what exactly the problem is. With Routing and Remote Access you can set up a VPN or dial-in connection. This has nothing to do with Remote Desktop.

Remote Desktop uses port TCP 3389, so if you create an IPsec filter for 3389 you can use RDP.

On Server 2003 I would recommend using IPsec filters. The firewall in Windows Server 2008 has been improved enormously. I recommend everyone on 2008 to take a look at the Windows Firewall.

Regards

Bram
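The IPsec filter approach that Hollanda (secpol.msc) and Bram (a filter for TCP 3389) describe, written out as an added example. This is not code from either post, from Plesk or from Microsoft; it uses the built-in `netsh ipsec static` context of Windows Server 2003, and the policy, filter list and filter action names are placeholders chosen for this example. The Plesk control panel port (8443) is an assumption about the default Plesk 8 setup; adjust it and the other service ports to what the VPS actually offers.

```batch
@echo off
rem Added example (not from the thread, Plesk or Microsoft): a host-based
rem IPsec packet filter policy for Windows Server 2003, built with the
rem built-in "netsh ipsec static" context. All names below are placeholders.
rem
rem Two properties of IPsec filtering drive the layout of this script:
rem  - IPsec applies the MOST SPECIFIC matching filter, not the first one
rem    listed, so the port-specific permit filters win over the catch-all
rem    block filter.
rem  - The filters are stateless: mirrored=yes creates the reverse filter so
rem    that replies to an allowed connection are allowed as well.

set POLICY=ExampleServerLockdown

rem 1. Policy container. It stays unassigned until every permit rule exists;
rem    assigning the block rule first would cut off the RDP session you are
rem    typing this into.
netsh ipsec static add policy name="%POLICY%" description="Host-based IPsec packet filter for a Plesk VPS" assign=no

rem 2. Filter actions: one permit, one block.
netsh ipsec static add filteraction name="ExamplePermit" action=permit
netsh ipsec static add filteraction name="ExampleBlock" action=block

rem 3. Inbound services the VPS must offer. dstaddr=me matches every local
rem    address; srcport=0 means "any source port".
netsh ipsec static add filterlist name="ExampleInboundServices"
netsh ipsec static add filter filterlist="ExampleInboundServices" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes description="RDP, TCP 3389 as in Bram's post"
netsh ipsec static add filter filterlist="ExampleInboundServices" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="ExampleInboundServices" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes description="HTTPS"
netsh ipsec static add filter filterlist="ExampleInboundServices" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=8443 mirrored=yes description="Plesk control panel, assumed default port 8443"
rem Add one line per additional service the VPS hosts (SMTP 25, POP3 110, ...).

rem 4. Connections the server itself opens (DNS lookups, Windows Update over
rem    HTTP/HTTPS). Without these the catch-all block filter would also drop
rem    the replies to the server's own requests.
netsh ipsec static add filterlist name="ExampleOutboundClient"
netsh ipsec static add filter filterlist="ExampleOutboundClient" srcaddr=me dstaddr=any protocol=udp srcport=0 dstport=53 mirrored=yes description="DNS"
netsh ipsec static add filter filterlist="ExampleOutboundClient" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=80 mirrored=yes description="Outbound HTTP"
netsh ipsec static add filter filterlist="ExampleOutboundClient" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=443 mirrored=yes description="Outbound HTTPS"

rem 5. Catch-all: everything else to or from this host is blocked.
netsh ipsec static add filterlist name="ExampleAllTraffic"
netsh ipsec static add filter filterlist="ExampleAllTraffic" srcaddr=any dstaddr=me protocol=any mirrored=yes description="Everything else"

rem 6. Tie the filter lists to the filter actions inside the policy.
netsh ipsec static add rule name="Permit inbound services" policy="%POLICY%" filterlist="ExampleInboundServices" filteraction="ExamplePermit"
netsh ipsec static add rule name="Permit outbound client traffic" policy="%POLICY%" filterlist="ExampleOutboundClient" filteraction="ExamplePermit"
netsh ipsec static add rule name="Block everything else" policy="%POLICY%" filterlist="ExampleAllTraffic" filteraction="ExampleBlock"

rem 7. Review what was created, then assign. Only one IPsec policy can be
rem    assigned on a machine at a time.
netsh ipsec static show all
netsh ipsec static set policy name="%POLICY%" assign=y

rem Roll back from the VPS console if the server becomes unreachable:
rem   netsh ipsec static set policy name="%POLICY%" assign=n
```

The objects this script creates are the same ones that appear under "IP Security Policies on Local Computer" in secpol.msc, so the GUI can be used to inspect or adjust them afterwards. Before assigning the policy on a remote VPS, check from the Virtual Server console that the policy contains the permit rule for the port you administer it over, and after assigning it, verify from another host that only the permitted ports answer. Because the filters are stateless, any additional service the server offers or any outbound protocol it relies on needs its own mirrored permit filter, which is the extra bookkeeping the article quoted later in this thread complains about.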

Ber|Art
18/04/08, 17:40
Well, then we would first have to incur a lot of costs again to move to 2008, and that money isn't there right now. I read a piece on the net that makes the matter clear; that is how I felt too when I started working out which security I should use for Windows. Only this gentleman puts it a bit more clearly ;)

I have a problem: I can't seem to find a good host based firewall for my Windows servers. In fact, people constantly ask me what I recommend and I find myself with no good answer.

Even though most of my servers are already behind firewalls, I like having additional protection on the server itself. Sometimes I use remotely co-located servers where I have no firewall, and that makes me completely dependent upon software on the server itself.

It seems like the solution would be simple enough. I have been patiently waiting for someone to come along with a capable, full-featured Windows firewall so I can stop explaining to everyone why the right way to go is probably Linux with iptables. But my wait has mostly been in vain. Every time I think I have found the ultimate Windows firewall solution, I end up being disappointed in one way or another. Let's consider our current offerings.

Sure, there's TCP/IP filtering. It's actually quite fast. But it is also so limited that it's only good for the most basic filtering of incoming traffic. If you use TCP/IP filtering, you will definitely need additional layers of protection.

IPSec is better, once you sort out the difference between rules, rulesets, filters, and filtersets. You can use either the UI or the scripting interface, but they are both just as confusing. Once you finally get it up and running, you might notice the network is slower -- because IPSec with packet filtering alone can slow down the network by 10%-15%. Oh, and here's the thing I hate most about IPSec: it logs to the Windows EventLog. If you want to browse your firewall logs, you either have to click on each event to view the properties or export them to another format. That's enough to make me avoid it altogether.

The Internet Connection Firewall (ICF) in Windows 2003 is somewhat better. It has decent performance and some flexibility with the rules. When Windows 2003 SP1 comes around, the new Windows Firewall will be even better. Windows Firewall is a big improvement and it has Group Policy support. Unfortunately, Windows Firewall doesn't let you set any rules on outgoing traffic. Furthermore, it requires turning on the Remote Access Connection Manager and Telephony services -- something I normally wouldn't need to do on, say, a mail or web server that I'm trying to secure.

What about RAS? You may have noticed that it has packet filtering capabilities, and in fact there is a good API for other tools to set these filters. But these filters do not let you control low-level traffic such as ICMP, so it's not very useful.

There are plenty of personal firewalls out there that work quite well for desktop computers, but they all fall short for server use. Some are obviously better than others, but all are plagued with common problems such as poor logging facilities, limited configuration capabilities, slow performance, and worst of all, many of them seem to be prone to blue screens when traffic gets very high.

The problem with personal firewalls is the way they integrate with Windows. There are actually numerous ways to intercept packets in Windows, each with their own disadvantages and weaknesses. All approaches are poorly documented. Many of them involve intercepting kernel-mode functions or writing device drivers. This works, sure, but you had better make sure the code is solid or you will experience frequent blue screens. Lo and behold, with heavy traffic we often do. Another problem is that these methods usually don't interact well with others -- don't try installing two personal firewalls at once, for example, or chances are you will have strange problems. And of course, writing hooks into other drivers can sometimes cause problems when installing service packs or hotfixes. There are just more places for things to break.

Personal firewalls don't work well for unattended servers, either. Many of them have pop-up windows asking the user to allow certain network packets. This obviously doesn't work on an unattended server. Some firewalls I have tried rely on a tray icon that you cannot even access via Terminal Services!

My last attempt to find the holy grail of a Windows server firewall was with installing ISA Server 2004. To my surprise, it worked quite well. Its footprint was a bit hefty and it was total overkill for something used for little more than a personal firewall, but it still worked well in that role. There's just one problem: the ISA Server software license costs more than the server itself. That makes it far too difficult to justify its use.

What do I do now? I find myself buying small hardware firewalls to sit on top of the server -- just because I'm a little too paranoid to leave it standing alone.

Not all hope is lost, at least. Microsoft is working on a new Windows Filtering Platform (WFP) for the upcoming Longhorn OS, due to be released perhaps in the next few years. WFP is basically a packet filtering engine built into the OS. Third party firewall companies will simply tap into this single interface and configure the rules. WFP provides access to packets at various layers of the new TCP/IP protocol stack and it has support for filtering traffic after it has been decrypted. It even has IPv6 support. WFP sounds great, but it still doesn't help me today. It's some ways off. And it also remains to be seen how effective and stable this feature turns out.

You would think the answer is simple, but it's not. It still amazes me that an adequate, affordable firewall solution for Windows servers just doesn't exist.

Source: http://www.securityfocus.com/columnists/307