Chapter 7. Routing and Remote Access Service, VPN, and Firewalls
IN THIS CHAPTER
The Routing and Remote Access service (RRAS) is a vital component of Small Business Server 2003. The role of this service has been expanded from previous versions to provide new functionality that greatly improves security. Also, new wizards are available to automatically configure many aspects of remote access. These improvements are not limited only to the server portion but also to the client configuration as well.
In this chapter you learn the fundamentals of the RRAS along with examples on how to configure the most common options. Also, detailed information on accessing your server remotely is presented to give you some insight on the different methods available and when to use them.
Routing and Remote Access Service Basics
RRAS provides many essential services to your SBS network. However, many of its functions are determined by the way your server and network are configured.
The four major functions of RRAS are to provide the following services:
In SBS 2003 Standard Edition all these functions are handled by RRAS. If you have ISA Server 2004 installed (as part of SBS 2003 Premium Edition), the first two functions are taken over by ISA Server.
If you have ISA Server 2004 installed, you can skip the following sections up to the "Remote Access Basics" section because they do not apply to you. See Chapter 23, "Internet Security and Acceleration Server 2004 Basics," for information on configuring ISA Server as your firewall.
Using the RRAS Firewall
If you already ran the Configure Email and Internet Connection Wizard (CEICW) it is likely that you have configured the built-in firewall without much effort (or maybe without even knowing). Because the process is relatively simple, this chapter focuses on detailing the particulars of this service and providing in-depth information about certain common features.
Let's start by describing the main function of a firewall. The job of any firewall is to separate your internal (trusted) network from an external (not trusted) network, such as the Internet. This is an important function because it reduces the surface attack area of your network by exposing only those services that need to be accessed from outside.
For a firewall to be effective, both networks must be physically separated. Hence, one of the requirements to use RRAS as a firewall is that you must have two network cards. One card is connected to the local network, and the other card is connected to the Internet side, as shown in Figure 7.1.
Figure 7.1. Network diagram of a typical installation using SBS as the firewall.
RRAS acts as a basic firewall because it can filter traffic only at the network layer (based the properties of the IP packet). Although it is not as fancy as ISA Server 2004, you still can protect your network effectively by restricting access not only by port number but also by source or destination address among other things.
Remember that although firewalls are important, they are not the be-all and end-all of network security. There are ways around firewalls (such as VPNs), and there is always the potential for having a vulnerable service behind an open port. Also, keep in mind that an improperly configured firewall can create a false sense of security.
CEICW and the RRAS Firewall
Although CEICW takes care of most of the firewall configuration, you might be wondering exactly what it does. Understanding why and how ports are opened by the wizard is an important step toward improving your network security.
Table 7.1 lists the most common ports used in a typical SBS installation. By default, eight ports (marked with an asterisk) can be opened by the CEICW. Also, you can manually add other ports if you deem it necessary.
Which ports are opened by the CEICW depends on the choices you make running it. For example, TCP port 444 will be opened only if you select Windows SharePoint Services Intranet Site on the Web Services Configuration screen.
One nice feature of configuring your firewall using the CEICW is that if you have a hardware router/firewall installed on your network it can be automatically configured. If the device supports Universal Plug and Play (UPnP) the CEICW will not only open the ports on the RRAS firewall but also will open/forward the appropriate ports on the device. This eliminates much of the guesswork when manually configuring the hardware firewall.
Configuring the RRAS Firewall
As previously mentioned, the CEICW configures most basic functions of the RRAS firewall. However, there are a couple of things that you might want to do that are not directly configurable using the wizard. This section presents an overview of three common scenarios for configuring the firewall in an SBS network.
Creating a Packet Filter
At some point you might need to open an uncommon port to remotely access a service that resides on the server. For example, you might have a handheld device that needs IMAP4 or POP3 access to your mailbox in Exchange. Although opening another port in not really a best practice, sometimes you don't have a choice (although in this case you might want to consider buying a device that supports Exchange ActiveSync).
To create a packet filter to allow IMAP4 access (port TCP 143) through the RRAS firewall, follow these steps. These steps assume that the CEICW has been already run at least once.
If the Microsoft Exchange IMAP4 service is running (which is disabled by default), you should be able to access the service externally.
Packet Forwarding to Another Device
There are cases where you need to allow access to an internal resource not allocated on the server. For example, you might have a web cam running on your network that you want to access remotely. For the purpose of this example, assume that the camera can be accessed via TCP port 8080.
The following steps outline how to forward a port from the external interface of your SBS box to a device located on the internal network:
You should be able to access the webcam remotely by using the public IP of your server.
One interesting feature that the RRAS firewall provides is port address translation. In other words, you can redirect traffic from one port on the external interface to another port on the target.
This is particularly useful for companies that have a single static IP. For example, assume that you have a Terminal Server alongside an SBS box, and you need to be able to access them both using RDP directly. You could change the listening port number on one of the servers, but that would prevent using Remote Web Workplace (RWW) to access it. A better alternative would be to leave both at 3389, but create forward port 3390 on the external interface and translate it to 3389 on the internal network. RWW keeps working, you have direct RDP access, and everybody is happy!
In some circumstances you might want to block certain IPs from reaching your server. For example, if you have seen numerous wrong password attempts from a specific IP, it might be wise to prevent it from even knocking at your door. Another use would be to block SMTP traffic (TCP port 25) from a specific IP address to curb spam.
With RRAS you can filter connections based on the source or destination IP address, port number, and protocol. The following steps outline the procedure to block a specific IP address from connecting to the server:
After completing the procedure the offending machine should be blocked at the firewall from attempting to contact your server. If you feel adventurous, you might want to play with those settings to restrict traffic based on the protocol and port number.