Configuring Windows Firewall in Windows Server 2003 SP2

    Question

  • Could someone please shed some light on how to configure Windows Firewall correctly when using Windows Server 2003 SP2. When enabled, the server machine has no problem accessing the Internet. However, client machines which look at the server as their DNS controller lose all access to network shares and indeed the Internet. As well as the default exceptions within Windows Firewall, I have set up every exception I can think of, as well as precisely following Microsoft Knowledge Base Article 555381 (support.microsoft.com/kb/555381), to no avail.

    We have a network of around 8 nodes, including 6 client PCs, although they are not part of a domain.

    Hope this helps and thanks so much in advance!
    Saturday, October 10, 2009 12:50 PM

All replies

  • If the server is a DC, then you should rather use the Security Configuration Wizard, which will configure the whole thing for you automatically. You can install it from the Add Windows Components wizard and then find it in Administrative Tools. It's quite self-descriptive.

    ondrej.
    • Marked as answer by Richie-B Saturday, October 31, 2009 10:16 AM
    Saturday, October 10, 2009 12:58 PM
  • Hi,

    DNS should work if port 53 is open. Does everything work fine if the firewall is disabled on the DC?

    In addition, you can use the PortQry2.exe utility to check the port status.

    New features and functionality in PortQry version 2.0

    http://support.microsoft.com/kb/832919


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, October 13, 2009 7:16 AM
    Moderator
  • > DNS should work if the port 53 is open

    Just to clarify - UDP port 53 is required (TCP is not required in most cases).

    To check whether DNS works correctly, take the following actions:
    1) Disable the firewall on the server
    2) On the client computers, run the following commands:
    nslookup server_short_name
    nslookup server.FQDN_name (if applicable)
    3) Enable the firewall on the server
    4) On the clients, run the following commands:
    nslookup server_short_name
    nslookup server.FQDN_name (if applicable)

    If clients are unable to reach your DNS server in step 4, add UDP port 53 to the firewall exceptions. You may also add TCP port 53 to the exceptions. Depending on your network configuration, you may need to configure DNS listening on a multihomed server.

    To Joson, Ondrej:
    I'm not sure if we are talking about a domain here. I think the thread author should clarify this point.


    [http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! © Flowering Weeds
    Tuesday, October 13, 2009 12:14 PM
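The four-step check above, the PortQry probe from the moderator's reply, and the resulting firewall exception, written out as one PowerShell script. This is an added example, not code from the thread, from Microsoft, or from sysadmins.lv. It assumes PowerShell is installed on both the client and the server (it was an optional download for Server 2003), that SERVER01 and server01.example.local are placeholders for your own server names, that the `netsh firewall` context is the legacy one Windows Server 2003 SP2 ships (not the later `advfirewall`), and that portqry.exe from KB 832919 is on the PATH if you use the optional probe.

```powershell
# Added example (not from the thread). Client-side part: repeat the nslookup
# checks with the server firewall off and then on. Server-side part: toggle the
# legacy firewall and add the UDP/TCP 53 exceptions once step 4 has failed.
param(
    [string]$Server     = "SERVER01",                 # placeholder short name
    [string]$ServerFqdn = "server01.example.local"    # placeholder FQDN
)

function Test-DnsName {
    # Runs nslookup for $Name against $DnsServer and reports whether an answer
    # came back. A firewall dropping UDP 53 shows up as a timeout, not NXDOMAIN.
    param([string]$Name, [string]$DnsServer)
    $argList = @($Name)
    if ($DnsServer) { $argList += $DnsServer }
    $output = & nslookup.exe @argList 2>&1 | Out-String
    $timedOut = $output -match "timed[- ]out"
    $notFound = $output -match "can't find"
    [pscustomobject]@{
        Name     = $Name
        Resolved = (-not $timedOut) -and (-not $notFound)
        TimedOut = [bool]$timedOut          # true points at a blocked port 53
        Detail   = $output.Trim()
    }
}

function Test-DnsPortWithPortQry {
    # Optional: PortQry sends a real DNS query on UDP 53 (KB 832919), so
    # "LISTENING" means the server answered and "FILTERED" means a firewall
    # (or no listener) swallowed the packet.
    param([string]$DnsServer)
    & portqry.exe -n $DnsServer -e 53 -p UDP 2>&1 | Out-String
}

function Set-LegacyFirewall {
    # Steps 1 and 3 of the post, run on the server (needs an elevated shell).
    param([bool]$Enabled)
    $mode = if ($Enabled) { "ENABLE" } else { "DISABLE" }
    & netsh.exe firewall set opmode mode=$mode
    & netsh.exe firewall show state
}

function Add-DnsFirewallException {
    # Opens UDP 53 (and optionally TCP 53) in the legacy Windows Firewall.
    # scope=SUBNET limits the exception to the local subnet, which fits a small
    # LAN; use scope=ALL only if clients sit on another subnet.
    param([switch]$IncludeTcp)
    & netsh.exe firewall add portopening protocol=UDP port=53 name="DNS Server (UDP)" mode=ENABLE scope=SUBNET
    if ($IncludeTcp) {
        & netsh.exe firewall add portopening protocol=TCP port=53 name="DNS Server (TCP)" mode=ENABLE scope=SUBNET
    }
    & netsh.exe firewall show portopening
}

# --- Client run (steps 2 and 4): execute once with the firewall off, once on ---
$results = @(
    Test-DnsName -Name $Server     -DnsServer $Server
    Test-DnsName -Name $ServerFqdn -DnsServer $Server
)
$results | Format-Table Name, Resolved, TimedOut -AutoSize

if ($results | Where-Object { $_.TimedOut }) {
    Write-Host "Lookups time out: on the server run 'Add-DnsFirewallException -IncludeTcp'."
}
```

Run the client part twice, bracketing it with `Set-LegacyFirewall -Enabled $false` and `Set-LegacyFirewall -Enabled $true` on the server, exactly as the four steps describe. If the lookups succeed with the firewall off and time out with it on, the exception is what is missing; if they fail in both states, the problem is the DNS service or a multihomed listener setting rather than the firewall.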
  • Just to say a big thank you to everyone for responding to this thread. My apologies for not responding sooner, but the Security Configuration Wizard worked a dream - all roles and services on the server are running perfectly, and clients are able to connect, with Windows Firewall now on. So thank you in particular to Ondrej Sevecek, but all your inputs have been invaluable.

    Thank you again.
    Saturday, October 31, 2009 10:20 AM