
I am having an issue. I have configured wf.msc to allow the following ports through: 80, 443, 3306, 1433, 21, 22, 8889

My report is showing that most are not open and/or listening, let alone established. I'm trying to get this server set up for hosting internal websites, internal MySQL and MSSQL databases, FTP, and SFTP, along with a custom RDP port... yet, the only thing that works so far is a local connection to the RDP.

None of the remote connections work (i.e. ftp://o7t.in fails, but ftp://MY.Loc.Cal.IP works)

Here are the logs from a couple of netstats:

Listening:

TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:515            0.0.0.0:0              LISTENING
TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
TCP    0.0.0.0:8889           0.0.0.0:0              LISTENING
TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
TCP    127.0.0.1:14147        0.0.0.0:0              LISTENING
TCP    192.168.2.98:139       0.0.0.0:0              LISTENING
TCP    192.168.56.1:139       0.0.0.0:0              LISTENING
TCP    [::]:21                [::]:0                 LISTENING
TCP    [::]:80                [::]:0                 LISTENING
TCP    [::]:135               [::]:0                 LISTENING
TCP    [::]:445               [::]:0                 LISTENING
TCP    [::]:515               [::]:0                 LISTENING
TCP    [::]:1433              [::]:0                 LISTENING
TCP    [::]:8889              [::]:0                 LISTENING
TCP    [::]:47001             [::]:0                 LISTENING
TCP    [::]:49152             [::]:0                 LISTENING
TCP    [::]:49153             [::]:0                 LISTENING
TCP    [::]:49154             [::]:0                 LISTENING
TCP    [::]:49155             [::]:0                 LISTENING
TCP    [::]:49156             [::]:0                 LISTENING
TCP    [::]:49157             [::]:0                 LISTENING
TCP    [::1]:1434             [::]:0                 LISTENING
TCP    [::1]:14147            [::]:0                 LISTENING 

Established:

TCP    192.168.2.98:8889      192.168.2.8:58526      ESTABLISHED
TCP    192.168.2.98:49165     216.52.233.137:443     ESTABLISHED
TCP    192.168.2.98:49168     69.25.30.42:443        ESTABLISHED
TCP    192.168.2.98:49177     65.54.191.47:443       ESTABLISHED
TCP    192.168.2.98:49179     65.54.191.47:443       ESTABLISHED
TCP    192.168.2.98:49180     65.54.191.47:443       ESTABLISHED
TCP    192.168.2.98:49287     157.56.100.28:443      ESTABLISHED
TCP    192.168.2.98:49288     65.54.191.47:443       ESTABLISHED
TCP    192.168.2.98:49291     65.54.191.47:443       ESTABLISHED
TCP    192.168.2.98:49292     65.54.191.47:443       ESTABLISHED
TCP    192.168.2.98:49296     69.25.30.42:443        ESTABLISHED

Is there something other than Windows Firewall Advanced that I am supposed to be configuring here? The routes through my router are already set for the correct ports to the correct IP address...

Please help?!?

Dan
Kevin
  • Looks like your machine is already listening on all the ports you want open except 443 (HTTPS). Check your firewall rules. Also, try to connect locally to these ports (use telnet for that if you don't have the proper client installed). – Stephane Apr 29 '13 at 12:30
  • ok, trying to connect via telnet to the internal IP address. Ports 443, 22 do not connect. Using the domain o7t.in (which points to my WAN IP address), cannot connect to anything. I have configured my router correctly to allow these ports through to the proper internal IP address – Kevin Apr 29 '13 at 12:35
  • I have even gone so far as setting this internal IP as DMZ, and still no dice – Kevin Apr 29 '13 at 12:36
  • Ah, I missed port 22: nothing is listening on that either. You're sure you've installed (and started) SSH server software on that system? And that you've set up an HTTPS server? – Stephane Apr 29 '13 at 12:46
  • aye, completely sure – Kevin Apr 29 '13 at 12:49
  • Then check your software because they aren't binding to these ports. once you have all these configured correctly, you can start checking the network layer (firewall and such). You'll need to describe the network environment (you seem to have mentioned something that sounds like NAT and you must get that right - in particular with stuff like FTP). – Stephane Apr 29 '13 at 12:54
  • ISP -> My Cable Modem -> LinkSys Router -> 3 PC's, and 1 Server. I'm really not concerned about ssl and sftp right now, my main concern is http. http://test.cloudcms.co is simply an h1 tag that says Works, but nothing comes up – Kevin Apr 29 '13 at 12:56
  • If no web site or virtual directory is bound to port 443 then Windows will not listen on it. Double-check that the SSH service is running and double-check any settings that may have it using a non-standard port by default. – David V Apr 29 '13 at 12:58
  • right, and right now, there isn't one on SSL. (there will be once I get it working correctly though) Something a bit odd I notice. When I try to ping o7t.in from another machine on the internal network, the request times out... but when I try to ping it from my router's management page, it pings great.... – Kevin Apr 29 '13 at 13:01
  • That is common. There is no DNS entry set up for the site internally, so the firewall is probably stopping the ping from coming back in since the source/dest IP is the same (external IP of firewall). – David V Apr 29 '13 at 13:03
  • yeah, I just verified that I can bring up the site via my phone, and RDP via my phone. So, how do I configure it to come up with my internal machines? – Kevin Apr 29 '13 at 13:09
  • You could just use the name/IP of the webserver (http://webserver-name/pagename) or create a DNS entry for the site internally (test.example.com = IP of webserver.) – David V Apr 29 '13 at 13:46
  • I'm sorry David, but I do not know how to do that. The server does not have a DNS server if that helps any? If you can direct me how to do this in an answer... – Kevin Apr 29 '13 at 13:49
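A small diagnostic script, added here as an example and not part of the original question, that separates the cases this thread keeps circling: a port nothing is bound to (443 and 22 in the listing, which no firewall rule can open), a port bound only to loopback (1434 and 14147, which remote hosts can never reach regardless of the firewall), and a port listening on all interfaces, where the remaining question really is the firewall or the router's NAT. It parses the LISTENING lines quoted in the question (a subset is embedded), and `tcp_connect` is the "try telnet to the port" step Stephane suggests, done with Python's socket module. The port list and addresses come from the question; nothing else is assumed.

```python
"""Compare the ports you expect to serve with what netstat says is actually bound."""
import re
import socket

# Lines copied from the question's `netstat -an` LISTENING output (trimmed to a subset).
NETSTAT_LISTENING = """\
TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
TCP    0.0.0.0:8889           0.0.0.0:0              LISTENING
TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
TCP    127.0.0.1:14147        0.0.0.0:0              LISTENING
TCP    192.168.2.98:139       0.0.0.0:0              LISTENING
TCP    [::]:21                [::]:0                 LISTENING
TCP    [::1]:1434             [::]:0                 LISTENING
"""

# Ports the question says were opened in wf.msc.
WANTED_PORTS = [80, 443, 3306, 1433, 21, 22, 8889]

LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)


def parse_listening(text):
    """Return {port: set(bind_address)} for every TCP LISTENING line."""
    bound = {}
    for local in LINE_RE.findall(text):
        addr, port = local.rsplit(":", 1)   # IPv6 is bracketed, so split on the last ':'
        addr = addr.strip("[]")
        bound.setdefault(int(port), set()).add(addr)
    return bound


def is_loopback(addr):
    """127.0.0.0/8 and ::1 are only reachable from the machine itself."""
    return addr.startswith("127.") or addr == "::1"


def classify_ports(wanted, bound):
    """Map each wanted port to 'listening', 'loopback-only' or 'missing'.

    'missing' and 'loopback-only' are service problems, not firewall problems:
    nothing a wf.msc rule does will make them reachable from another host.
    """
    result = {}
    for port in wanted:
        addrs = bound.get(port)
        if not addrs:
            result[port] = "missing"
        elif all(is_loopback(a) for a in addrs):
            result[port] = "loopback-only"
        else:
            result[port] = "listening"
    return result


def tcp_connect(host, port, timeout=2.0):
    """The 'telnet to the port' check: True only if a TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    status = classify_ports(WANTED_PORTS, parse_listening(NETSTAT_LISTENING))
    for port in sorted(status):
        print(f"{port:>5}  {status[port]}")
```

Run `netstat -an | findstr LISTENING` on the server and feed the output to `parse_listening` instead of the embedded text; once every wanted port reports `listening`, `tcp_connect` from a LAN client against the server's 192.168.2.x address tells you whether the host firewall is the remaining blocker, and the same call against the WAN name tells you whether the router's forwarding is.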

1 Answer

To resolve the address internally you will need to set up an A record on an internal DNS server. In this case you want o7t.in to resolve to the IP address of the web server; you can do the same for the external site if you'd like, but other than shaving a few milliseconds off the connection time you won't see a huge benefit. If you don't have access to the DNS server then contact your sysad/network manager and give them the internal site name and the IP of the web server, and they should be able to put the record in for you.

David V
  • :) I am sysad LOL. There is no DNS server on the machine, so I assume I should set one up for it? – Kevin Apr 29 '13 at 14:09
  • What if I just use my ISP DNS servers? – Kevin Apr 29 '13 at 14:24
  • The DNS server doesn't have to be on that machine, just on the internal network. Is there an LDAP/AD server or maybe a standalone DNS machine on the internal network? It would take some special firewall/port forwarding to get an ISP's DNS servers to serve internal requests like that, and it's probably way more hassle than it's worth honestly. – David V Apr 29 '13 at 14:39
  • Actually, yeah, I have to have it on that machine. My network is 1 server, 2 clients. I'll get back to you soon – Kevin Apr 29 '13 at 15:06
  • Alright, I configured an A record with a domain, and it is still not working from any of my clients. Do I have to configure them to use the server as DNS server? – Kevin Apr 29 '13 at 15:11
  • Yes, you can set it as a secondary if you'd like, but they will need to contact it to resolve. Given how small the network is there is another alternative. You could just put it in the Hosts file on the client machines and it will resolve from there as well. – David V Apr 29 '13 at 15:15
  • I think I will probably do that instead. I'll get back to you in a bit – Kevin Apr 29 '13 at 15:48
  • that worked, however it is not an optimal solution due to the fact that I would then have to do this for every domain I add to the server, on every machine connected to the network... – Kevin Apr 29 '13 at 17:00
  • the weird thing is, everything worked perfectly fine on this same machine until I went and lost the system drive and had to reinstall win2k8 – Kevin Apr 29 '13 at 17:00
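The hosts-file route David V describes, as an added example that is not code from the thread: an idempotent upsert over the file's text, so a client can be pinned to the web server's LAN address without duplicating or leaving stale lines behind. The sample hosts text below is constructed; its `10.0.0.5` entry is invented to show an existing stale mapping being replaced, the names are the ones from the thread, and `192.168.2.98` is the server's address from the question's netstat output. Reading and writing the real file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows, which needs an elevated prompt) is left to the caller.

```python
"""Idempotently pin hostnames to an address in hosts-file text."""
import re

# Constructed sample of a Windows hosts file. The 10.0.0.5 line is an invented
# stale entry; the other values are taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
10.0.0.5    o7t.in   # old address, should be replaced
192.168.2.50  printer.lan
"""

# ip, whitespace, one or more names, optional trailing '# comment'
HOSTS_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f.:]+)\s+([^#]*?)\s*(#.*)?$")


def parse_hosts_line(line):
    """Return (ip, [names], comment) or None for blank / comment-only / unparseable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = HOSTS_LINE_RE.match(line)
    if not m:
        return None
    ip, names, comment = m.groups()
    return ip, names.split(), comment or ""


def resolve_from_hosts(text, name):
    """First matching entry wins, as the resolver does; names compare case-insensitively."""
    for line in text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed and name.lower() in (n.lower() for n in parsed[1]):
            return parsed[0]
    return None


def upsert_hosts(text, ip, names):
    """Return new hosts text mapping every name in `names` to `ip`, exactly once.

    Existing lines lose any of those names (and are dropped entirely if nothing
    is left on them); comments and blank lines are preserved verbatim.
    """
    wanted = {n.lower() for n in names}
    out = []
    for line in text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed is None:
            out.append(line)                    # keep comments and blank lines untouched
            continue
        old_ip, old_names, comment = parsed
        kept = [n for n in old_names if n.lower() not in wanted]
        if kept == old_names:
            out.append(line)                    # line unaffected, keep original formatting
        elif kept:
            suffix = f"\t{comment}" if comment else ""
            out.append(f"{old_ip}\t{' '.join(kept)}{suffix}")
        # else: every name on the line is being re-pointed, so the line is dropped
    out.append(f"{ip}\t{' '.join(names)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    updated = upsert_hosts(SAMPLE_HOSTS, "192.168.2.98", ["o7t.in", "test.cloudcms.co"])
    print(updated)
    print("o7t.in ->", resolve_from_hosts(updated, "o7t.in"))
```

Running the same upsert twice yields identical text, so it is safe to put in a login script. It still has the scaling problem Kevin points out: every new site name means a run on every client, which is why an internal DNS zone that the clients are configured to query remains the cleaner fix.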