0

I have a Windows 2008 R2 remote access server set up and running. The remote access works fine. My problem is that the remote access server itself doesn't have access to the internet. The box has two interfaces, an internal and an external. Inbound connections come in on the external interface and RRAS responds. All well and nice.

I want to be able to use windows update, browse, etc from this box but can't as the outbound traffic just gets blocked.

I've tried going into the RRAS MMC tool and opening the interface properties, under which there are two buttons for inbound and outbound filters. There I tried adding ports 80 and 443, but this doesn't work completely. I can see the connection initiating (SYN goes out) but the session never establishes itself.

Anyone done this or got any suggestions?

Ian Murphy
  • Do you have a firewall in front of the RRAS server? Does the SYN packet go via the right interface? – Khaled Nov 30 '10 at 19:02
  • No firewall, yep, SYN goes out the correct interface as far as I can tell. The default route is pointing at the internet router. – Ian Murphy Dec 01 '10 at 09:19

4 Answers

1

I eventually found a solution to my problem. I hadn't realised it, but RRAS has a built-in firewall, which is not exactly brilliant. You would have thought that they would have dropped this for integration with the built-in Windows firewall - but no.

It has a sort of mini-firewall which requires that you not only add an outbound rule for, say, HTTP access but also an inbound rule for the responses to the outbound connections.

My error above was that I had only opened outbound HTTP but hadn't included the second rule to permit responses. Seems a bit stupid to need to explicitly include this rule.

In any case, the various problems I had with this box are now solved.

Thanks

Ian

Ian Murphy
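The behaviour in the question (SYN leaves, session never establishes) and the fix in this answer (an outbound rule plus an inbound rule for the replies) both follow from the filter judging each packet on its own. The toy model below is an added example, not code from the post or from RRAS: it assumes the RRAS filter is stateless, as the answer's description implies, replays a TCP handshake from the server to a web host through it, and contrasts it with a minimal connection-tracking filter. Addresses and ports are constructed.

```python
# Added example, not from the original post: toy stateless filter (what the accepted
# answer describes for RRAS filters) beside a minimal stateful one. Addresses constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" or "in", relative to the external interface
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # TCP flags, for the trace only

@dataclass(frozen=True)
class Rule:
    direction: str
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

def stateless_allowed(pkt, rules):
    """RRAS-style filter: each packet is judged alone against the rule list."""
    return any(r.direction == pkt.direction and r.src_port in (None, pkt.src_port)
               and r.dst_port in (None, pkt.dst_port) for r in rules)

def stateful_allowed(pkt, rules, table):
    """Connection-tracking filter: replies to an allowed outbound flow need no rule."""
    if pkt.direction == "out":
        if stateless_allowed(pkt, rules):
            table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False
    reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    return reverse in table or stateless_allowed(pkt, rules)

SERVER, WEB = "203.0.113.10", "198.51.100.20"
HANDSHAKE = [Packet("out", SERVER, 49152, WEB, 80, "SYN"),
             Packet("in", WEB, 80, SERVER, 49152, "SYN-ACK"),
             Packet("out", SERVER, 49152, WEB, 80, "ACK")]
OUTBOUND_ONLY = [Rule("out", dst_port=80), Rule("out", dst_port=443)]
# The inbound rules the answer had to add: match replies by source port. They are
# broader than connection tracking: any packet from source port 80/443 now passes.
WITH_REPLIES = OUTBOUND_ONLY + [Rule("in", src_port=80), Rule("in", src_port=443)]

def trace(rules, stateful=False):
    """Replay the handshake; return (flags, allowed) per packet."""
    table = set()
    return [(p.flags, stateful_allowed(p, rules, table) if stateful
             else stateless_allowed(p, rules)) for p in HANDSHAKE]
```

`trace(OUTBOUND_ONLY)` drops the SYN-ACK, which is exactly the "SYN goes out, session never establishes" symptom; `trace(WITH_REPLIES)` and the stateful variant let it through.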
0

It sounds like your default route is back to the internal subnet, and not internet bound. Can you paste the results of the command route print so we can see what's happening?

CurtM
  • Nope, default route is pointing to the router and the router is not filtering anything. When I saw your comment I realised that I hadn't checked something so basic, but no, it was OK. If I disable RRAS, internet access is fine, so it has something to do with the RRAS config. – Ian Murphy Dec 01 '10 at 09:17
0

For the life of me, I don't really know why, but you need to enable RRAS with the NAT option. Whatever RRAS is doing to the external connection, it effectively stops it being useful - that is why it stops responding to pings.

There are a few reports that this was done for "Best Practices" but they never match real world situations.

Ryaner
0

Had the same problem on Windows Server 2012 RRAS, HTTP okay but occasional delays and FTP not working at all except on the RRAS machine itself. Disabled then re-enabled RRAS (re-configured everything) and then it worked. But that is just avoiding the issue...

I've observed RRAS is extremely unreliable as a router ever since Windows 2000; it occasionally goes into a situation where NAT fails and any attempt to reconfigure results in "data is invalid". This has been flagged with Microsoft but it seems like they can't be bothered to fix it, even after so many years and multiple reports. Seems like they don't consider RRAS a professional solution. I wonder what MS use themselves, or at least their own developers at home?

In 2012 DirectAccess is slowly taking over, but RRAS is still there and I don't have an IPv6-enabled ISP available. Attempts to configure local IPv6 ranges with Windows DNS and RRAS cause no end of trouble, so make sure you don't try that either.

Let's face it, basic networking with Windows is still stuck with IPv4 and WINS required, and any attempt to do fancy stuff like IPv6 ends in disaster. I noted they've stripped the ability to set network types (public/domain/private) from the GUI in Windows 8 and 2012; maybe that is something to do with it. It's getting worse with each version, not better. What a mess!

Tony Wall
  • I haven't yet tried DirectAccess under 2012, but a podcast I listened to on the Edge show on MS's Channel 9 indicated that it works without IPv6 at all, and also with a single interface. My impression was that they were saying that it works under 2012, not like under 2008. – Ian Murphy Jan 30 '13 at 12:09