• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

PCANYWHERE on more than 1 internal server

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> Web Publishing >> PCANYWHERE on more than 1 internal server Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
PCANYWHERE on more than 1 internal server - 6.Aug.2003 10:04:00 PM   
Strac

 

Posts: 8
Joined: 6.Aug.2003
Status: offline
I have PCanywhere set up on my ISA server and I can connect to it over the internet just fine. I can't seem to figure out how I can attach to other server on my internal network. I bought both books and they don't help much with this.
I wish to set it up that I can get to other servers on my internal network over the internet.
Post #: 1
RE: PCANYWHERE on more than 1 internal server - 6.Aug.2003 10:21:00 PM   
hm_attack_688

 

Posts: 3
Joined: 7.Apr.2003
From: Alberta Canada
Status: offline
I am not 100% about PCAnywhere, But I can give you an alternative product to try. It is call RAdmin 2.1. THis product works over the Internet to your ISA Server.. In the programs setup you can re-route the connection in to any server on the inside. It is a lot faster than PCAnywhere and more cost effective... I use to use PCAnywhere to manage my network through a VPN or a dialup.

Sorry can't help you with PCAnywhere. [Frown]

(in reply to Strac)
Post #: 2
RE: PCANYWHERE on more than 1 internal server - 7.Aug.2003 3:29:00 AM   
CrazyRussian

 

Posts: 53
Joined: 3.Apr.2003
From: Phoenix, AZ
Status: offline
I will be working on the same issue next week, but I think it's relatively easy. I think there are 2 ways to handle it: pocket filtering and server publishing. Let's say I have ISA with PCA running on default ports, and 3 internal servers that i want to access from outside. pcANYWHERE uses 2 connections, so those 3 internal server needs to have TCP ports changed to eliminate conflict. Default ports for PCA are 5631 (Data port) and 5632(status port), PCA on ISA will use these, so you need to setup pocket filter to allow trafic comming to those ports in. Other 3 internal servers need these ports modified to be unique (so PCA on server 1 could be configured to use ports 5633 and 5634, server 2 5635 and 5636...), then you setup for each one of them porotocol using specific ports you difined, then publish that PCA as a server.
I will resttict access to those ports from ouside to spcific IP address for greater security

(in reply to Strac)
Post #: 3
RE: PCANYWHERE on more than 1 internal server - 7.Aug.2003 4:08:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Strac:
I have PCanywhere set up on my ISA server and I can connect to it over the internet just fine. I can't seem to figure out how I can attach to other server on my internal network. I bought both books and they don't help much with this.
I wish to set it up that I can get to other servers on my internal network over the internet.

Hi Strac,

Check out the Server Publishing info. You'll see that you need an IP address each time you publish the same service. Or else you get socket contention and that doens't work.

So, if you want to publish two pcA servers, you need two IP addresses.

HTH,
Tom

(in reply to Strac)
Post #: 4
RE: PCANYWHERE on more than 1 internal server - 9.Aug.2003 5:11:00 AM   
CrazyRussian

 

Posts: 53
Joined: 3.Apr.2003
From: Phoenix, AZ
Status: offline
tshinder, so, you're saying that even configuring pcANYWHERE on different computers using different ports wont work? No way? No pocket filter and no protocol definition for each instance of PCA will help?

(in reply to Strac)
Post #: 5
RE: PCANYWHERE on more than 1 internal server - 11.Aug.2003 3:18:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi CR,

If you know of a way to change the listening ports ON THE pcA HOSTS on the internal network, then yes, you can use a the same address on the external interface.

HTH,
Tom

(in reply to Strac)
Post #: 6
RE: PCANYWHERE on more than 1 internal server - 11.Aug.2003 8:49:00 PM   
Barryh

 

Posts: 44
Joined: 20.Mar.2002
From: Kirkland, WA
Status: offline
I did this successfully with Laplink (similar to PCAnywhere) using server publishing with a separate IP for each connection.
-Barry

(in reply to Strac)
Post #: 7
RE: PCANYWHERE on more than 1 internal server - 11.Aug.2003 9:33:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Barry,

No problem with pcA if you have multiple addresses on the ISA firewall's external interface. However, if can't use the same sockets twice to publish two different servers. Its a TCP/IP thing, no an ISA issue.

HTH,
Tom

(in reply to Strac)
Post #: 8
RE: PCANYWHERE on more than 1 internal server - 14.Aug.2003 5:57:00 PM   
Strac

 

Posts: 8
Joined: 6.Aug.2003
Status: offline
This is my configuration:

On my ISA Server I have defined several external addresses. 12.159.171.178 and 12.159.171.179

In ISA Server:

I made 4 protocol definitions:
pcanytcp5631
pcanytcp5632
pcanyudp5631
pcanyudp5632

I set these up like the examples.

I also made 8 packet filters:
pcany5631tcp-178
pcany5632tcp-178
pcany5631upd-178
pcany5631udp-178

These I pointed to the specific ISA exteranal port 12.159.171.178

pcany5631tcp-179
pcany5632tcp-179
pcany5631udp-179
pcany5632udp-179

These I pointed to the specific ISA external server port 12.159.171.179

I then make some publishing rules

My 2 servers I wish to access from PCANYWHERE are 10.0.0.1 (my isa server) and 10.0.0.150 (server2)

In server publishing rules I created:

PCANYServer1tcp31 pcanytcp5631 10.0.0.1 12.159.171.178

PCANYserver1tcp32 pcanytcp5632 10.0.0.1 12.159.171.178

PCANYserver1udp31 pcanyudp5631 10.0.0.1 12.159.171.178

PCANYserver1udp32 pcanyudp5632 10.0.0.1 12.159.171.178

I then created the same set for my 2nd server:

pcanyserver2tcp31 pcanytcp5631 10.0.0.150 12.159.171.179

pcanyserver2tcp32 pcanytcp5632 10.0.0.150 12.159.171.179

pcanyserver2udp31 pcanyudp5631 10.0.0.150
12.159.171.179

pcanyserver2udp32 pcanyudp5632 10.0.0.150
12.159.171.179

When I attach to either 12.159.171.178 or 12.159.171.179 I get 10.0.0.1 responding, I can never get to 10.0.0.150.

Any clues what I am doing wrong?

I figure since I explicitly set them a particular external ip adress that I could use the same ports.

(in reply to Strac)
Post #: 9
RE: PCANYWHERE on more than 1 internal server - 14.Aug.2003 6:29:00 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
why not make it much, much easier and VPN into the network using ISA - you can then PCanywhere to the internal NIC to control ISA and PCanywhere to the internal IP's of internal hosts...this also ensures your PCanywhere traffic is encrypted and allows you to use other services like ping, telnet, terminal services etc....

JJ

(in reply to Strac)
Post #: 10
RE: PCANYWHERE on more than 1 internal server - 14.Aug.2003 9:33:00 PM   
Strac

 

Posts: 8
Joined: 6.Aug.2003
Status: offline
I have a requirement from an external vendor that wants to use pcanywhere to get to the second server. I need it to work, and as far as I been able to find out it should work.

(in reply to Strac)
Post #: 11
RE: PCANYWHERE on more than 1 internal server - 15.Aug.2003 4:57:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Strac,

If you create the correct Protocol Definitions and used them in the Server Publishing Rules, it should work. Packet filters are DEFINITELY NOT REQUIRED.

However, if DSL is involved, esp the dreaded PPPoE, then all bets are off [Eek!]

HTH,
Tom

(in reply to Strac)
Post #: 12
RE: PCANYWHERE on more than 1 internal server - 15.Aug.2003 9:32:00 PM   
Strac

 

Posts: 8
Joined: 6.Aug.2003
Status: offline
I removed the packet filters and it broke it completely. I could not connect to any servers. I added the filters back in and was able to connect.

What is happening now is I end up connecting 10.0.0.1 no matter what ip I put in to connect to. I thought the way this worked was to connect to 10.0.0.1 I would use 12.159.171.178 in pcanywhere and for 10.0.0.150 I would use 12.159.171.179. It does not matter which IP I connect to 10.0.0.1 is the one that answers.

I am not using a DSL circuit. This is a full T1 Circuit.

[ August 15, 2003, 09:33 PM: Message edited by: Strac ]

(in reply to Strac)
Post #: 13
RE: PCANYWHERE on more than 1 internal server - 16.Aug.2003 7:01:00 PM   
eleventy5

 

Posts: 5
Joined: 15.Aug.2003
Status: offline
what version of pcanywhere are you using?? I believe 9.2 and above will allow you to change the ports in the host configuration. I know 10.0 and above will. for 9.0 and below there is a registry hack to change the listening ports for the host,
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999110411575512
shows how to edit registry to change the ports.

(in reply to Strac)
Post #: 14
RE: PCANYWHERE on more than 1 internal server - 18.Aug.2003 11:02:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Strac:
I removed the packet filters and it broke it completely. I could not connect to any servers. I added the filters back in and was able to connect.

What is happening now is I end up connecting 10.0.0.1 no matter what ip I put in to connect to. I thought the way this worked was to connect to 10.0.0.1 I would use 12.159.171.178 in pcanywhere and for 10.0.0.150 I would use 12.159.171.179. It does not matter which IP I connect to 10.0.0.1 is the one that answers.

I am not using a DSL circuit. This is a full T1 Circuit.

Hi Strac,

That is impossible. You can NOT publish internal servers, or allow outbound access from internal clients, using packet filters.

There's something seriously whack going on!

Tom

(in reply to Strac)
Post #: 15
RE: PCANYWHERE on more than 1 internal server - 19.Aug.2003 6:53:00 AM   
CrazyRussian

 

Posts: 53
Joined: 3.Apr.2003
From: Phoenix, AZ
Status: offline
Strac, here is what you need to do:
1. Delete all of your packet filters and protocol defenitions.
2. Create new protocol defenition as follow:
Port 5631, TCP, inbound with secondary connection on port 5632, UDP, direction: receive.
Call this protocol "pcANYWHERE Server"
Then publish your first server as follow:
Name: Server 1 (next)
IP address of internal server: 10.0.0.1
External IP on ISA server: 12.159.171.178 (next)
Apply the rule to this protocoal: "pcANYWHERE Server" (next)
Apply the rule to requests from: choose either "All", or pick your client set
(next)
(finish)

Then do it again for your second server:
Name: Server 2 (next)
IP address of internal server: 10.0.0.150
External IP on ISA server: 12.159.171.179 (next)
Apply the rule to this protocoal: "pcANYWHERE Server" (next)
Apply the rule to requests from: choose either "All", or pick your client set
(next)
(finish)

Let me know how it'll go

P.S. And as Tom said: NO FILTERS NEEDED TO PUBLISH ANY OF YOUR SERVERS, DONT EVEN THINK OF THEM

[ August 19, 2003, 06:54 AM: Message edited by: Crazy Russian ]

(in reply to Strac)
Post #: 16
RE: PCANYWHERE on more than 1 internal server - 19.Aug.2003 2:05:00 PM   
Strac

 

Posts: 8
Joined: 6.Aug.2003
Status: offline
I made it work and this is how I did it.

I created the 4 protocol definitions as described in the instuctions from Microsoft and on this site. These defs were for ports 5631 and 5632 tcp and udp.

I set up PCanywhere on my ISA Server on ports 5633 and 5634. I added 4 protocol filters for those 2 ports (2 for tcp and 2 for udp). I am told you don't need these protocol filters and you don't for the other internal servers you wish to connect to, but I found that my ISA server's pcanywhere would not work without them. (I am speculating it has to do with how PCanywhere is set up on the ISA server. I pointed my PCanywhere on my ISA server to the a specific external address. It starts up before ISA server so it grabs the ports on that NIC before ISA server. The filters allow the traffic to pass through ISA server to the PCanywhere on the server. I bet if I were to tell PCanywhere on the ISA server to accept calls only on its internal nic card then you could use the same method to setting up as all the other servers. Basically, setting up publishing rules listed below for the ISA server itself.

This took care of the ISA Server working with PCanywhere.

For my other servers I did the following.

I added an external IP address to my ISA Servers external card for each server I wanted to talk to internally.

Then I added server publishing rules for each one using the 4 protocol defs I created and pointed each one from a specific external address to its internal address. Each server I used port 5631 and 5632.

Something like this:

Server publishing rules:

PCANYServer1 Protocoldef1 internal ip of the server External IP for this server

for example:

Internal server ip 10.0.0.70
External ip address 12.159.171.179

PCANYserver15631tcp Protocoldef5631tcp 10.0.0.70 12.159.171.179

PCANYserver15632tcp Protocoldef5632tcp 10.0.0.70 12.159.171.179

PCANYserver15631udp Protocoldef5631udp 10.0.0.70 12.159.171.179

PCANYserver15632udp Protocoldef5632udp 10.0.0.70 12.159.171.179

Do this for each server you wish to access from the outside world. Note: To add external ips to your ISA server, just go into the properties of your ISA server NIC and add addresses(These must be valid external addresses of you network) Windows2000 and NT can have many IP's bound to the same nic. This is used quite a lot in networks involving the internet and web sites.

Made 4 for each server and it worked!

Thanks for the help you guys gave me and some experimentation it is finally working.

One key factor that I was missing all along. The ISA server's PCanywhere does not need a publishing rule. It actually makes a conflict if you start up PCANYWHERE on start up of the server. Basically PCanywhere starts up before ISA server and you get port contention on the ports you are trying to use. You will know this because in the event log you will see firewall warning that the fire wall could not bind to the port.

(in reply to Strac)
Post #: 17
RE: PCANYWHERE on more than 1 internal server - 19.Aug.2003 2:13:00 PM   
Strac

 

Posts: 8
Joined: 6.Aug.2003
Status: offline
The wackyness Tom mentioned is most likely due to the way things start up on my server, ie the order it starts up. PCanywhere starting before ISA server to be specific. It also has to do with the PCanywheres host configuration on the server, the default is listen on all ip addresses. If left to the default it will listen on those ports for every IP you define on the ISA server. This is most likely something you don't want. I suggest changing the default to point to a specific IP address you wish to access pcanywhere from. I used the first external address on mine. You do this by changing the options in your host configuration of PCanywhere. The same place you change the ports you want it to listen on. Make it listen on the address you wish it to, by changing it to the number you want it on. You may have to experiment on this, because it is listed 0 thru 9. You have to set it and look at what IP it is using when launched to figure out which one you just changed it too.

Again, I hope this helps the next person who does this. 8 or 9 days of taking your ISA server up and down ever 10 minutes makes people upset that thier internet is messed up.

BTW, Tom maybe you should move this post to Server publishing where it belongs, so others can find it who need it. I knew basically nothing about ISA server when I started this thread and I put it in the wrong spot.

[ August 19, 2003, 02:14 PM: Message edited by: Strac ]

(in reply to Strac)
Post #: 18
RE: PCANYWHERE on more than 1 internal server - 19.Aug.2003 9:31:00 PM   
CrazyRussian

 

Posts: 53
Joined: 3.Apr.2003
From: Phoenix, AZ
Status: offline
I would not use packet filter for PCA on ISA simply because you have very limited control of to which connection filters to apply. If you connect only from one external IP to ISA, then it's fine - you can limit those filters to that IP, but if you connect to it from more than one - you have no choce but to have filter applied to "All Remote computers", which is pretty wide hole IMHO. Having PCA configured to listen on interlnal NIC (which PCA 11 is capable of doing - there is an option to which NIC PCA will listen to) and then just publish it and have that published server "Applies to" set for client set is much more secure and gives you options to add IPs that allowed to use it

P.S. To find out which IP Address has which index for PCA host configuration, simply run ipconfig in command prompt, first IP listed has index 0, second is index 1 and so on. More on this here: How to specify the IP address that pcAnywhere should wait on

[ August 19, 2003, 09:45 PM: Message edited by: Crazy Russian ]

(in reply to Strac)
Post #: 19
RE: PCANYWHERE on more than 1 internal server - 20.Aug.2003 3:49:00 PM   
CrazyRussian

 

Posts: 53
Joined: 3.Apr.2003
From: Phoenix, AZ
Status: offline
Tom,
Stac is absolutelly correct saying that with no packet filters PCA wont work on ISA (on w2k)! I just tried that: on windows 2000 server, ISA in integreted mode: if I try to publish PCA (setting up protocol and all, and then publishing it), once publishing rule starts pcanywhere wont start! If i shut pcanywhere publishing rule down then PCA starts ok, but restarting rule generate an eventlog errer saying that rule cannot be started. Specifying what IP PCA is binds to has no effect (in host configuration). So, it looks like to have PCA running on w2k with ISA is only by creating packet filters....

(in reply to Strac)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> Web Publishing >> PCANYWHERE on more than 1 internal server Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts