DanDanFireMan
Aug 15 2003, 11:43 AM
How To: Enable TCP/IP Filtering on Windows 2003 Server for use with Ensim Webhosting
WARNING!!!! Use at your own risk! Failure to successfully complete this howto or not following it correctly could require manual intervention to enable you to reconnect to the box. I tested this on 2 servers without issue.
Connect to the Windows 2003 Server with Remote Desktop
Login to the Server.
Go to Start -> Control Panel -> Network Connections -> Local Area Connection
Click Properties
Click Internet Protocol (TCP/IP)
Click Properties
Click Advanced
Click the Options Tab
Highlight TCP/IP filtering and then Click Properties
Check the box labeled "Enable TCP/IP Filtering (All adapters)"
At this point, you should select the TCP/UDP/IP Ports and Protocols necessary to operate the server. You will select "Permit Only" and list the ports or protocols you will permit to pass through the filter.
Here are the ones I selected and what they are used for.
TCP Ports
20 - FTP
21 - FTP
25 - SMTP
53 - DNS
80 - HTTP
110 - POP3
443 - HTTPS
3389 - RDP - Remote Desktop Connection !!!!IF YOU DON'T DO THIS, YOU WILL NOT BE ABLE TO GET BACK INTO THE SERVER!!!!
8080 - Urchin Webserver
19638 - Ensim
UDP Ports
53 - DNS
IP Protocols
1 - ICMP (Optional - Used for ping and other administrative packets)
6 - TCP
17 - UDP
Select OK, OK, OK, OK, then Yes to REBOOT
Hopefully, if you have performed this correctly, you should be able to reconnect to your server after an approximately 5-minute reboot.
DanDanFireMan
Aug 15 2003, 11:45 AM
FYI as a followup to the above. Ensim creates anonymous ftp connections for each domain and uses a nonstandard port number for each site starting at around 10003. If you will be supporting anonymous ftp on name based sites with these numbers, you will need to enable the tcp ports used by each site that will use anonymous ftp on name based sites.
BlueChris
Aug 15 2003, 01:08 PM
Thx for the How-To m8.. but there are big troubles with Multiple ips with this way.. pls read here
http://forum.rackshack.net/showthread.php?...&threadid=29424
kelani
Aug 18 2003, 11:04 AM
Also, don't forget to add in TCP port 8098 if you want to get to the default-installed Web management.
jchin
Sep 10 2003, 09:59 PM
How does tcp/ip filtering affect the speed of your servers? It seems to slow down noticeably for me.
hostu
Nov 29 2003, 07:52 PM
dandan, would this be the same for a 2003 standard server ?
thanks
chuck
kelani
Dec 5 2003, 11:03 AM
Same here. I noticed a significant and annoying slowdown when enabling filtering. It's almost too much a price to pay.
rubensans
Jan 3 2004, 12:42 PM
What are the differences between:
1) TCP/IP Filtering
2) ICF, Internet Connection Firewall
I have tried the first and after activating TCP/UDP 53, the DNS server was working but cannot receive the responses about DNS queries.
Best Regards,
Ruben.
rubensans
Jan 13 2004, 07:21 AM
anyone?
LighthousePoint
Jan 13 2004, 10:48 AM
TCP/IP filtering is just that: a filter for TCP/IP. The Internet Connection Firewall is a sad excuse for blocking a few ports.
I highly recommend a good stateful packet-inspection firewall, such as visnetic.
gummyAvenger
Jan 28 2004, 09:22 PM
This is probably a really dumb question, but...
I've got TCP/IP filtering enabled, and I've got all the ports listed above "allowed", but now I am no longer able to browse/ping websites while logged in via RDP. All sites and everything else work great though. Am I missing a port or something?
gummyAvenger
Jan 29 2004, 11:10 AM
Not such a dumb question I guess... nobody knows?
Well, I've narrowed it down to UDP. If I do "Permit All" for UDP I can browse the internet from the server. The only port I've got enabled for UDP is 53. Are there any others I need?
gummyAvenger
Jan 30 2004, 10:07 AM
I found out that (I think) the DNS request gets sent out on port 53 and comes back on ports >1023. So that was the issue.
Another port you might want to add to that list is 143 for IMAP.
Also, for anyone using Helm:
Make sure to open port 445 or the file manager in the control panel won't work. You'll also get errors when you do a "System Diagnosis" if it's not open.
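Added example, not part of the thread or of any poster's code: a simplified Python model of the "Permit Only" lists from the first post, showing why the server's own DNS lookups fail with only UDP 53 permitted and how a stateful filter handles the same packets. The packet fields, the class and function names, and the assumption that only inbound TCP connection attempts are checked are illustrative, not taken from Windows documentation.

```python
# Simplified model (assumption) of a "Permit Only" inbound filter, using the
# port lists from the first post. Packets below are constructed samples.
from dataclasses import dataclass

TCP_PERMIT = {20, 21, 25, 53, 80, 110, 443, 3389, 8080, 19638}
UDP_PERMIT = {53}

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str                # remote address
    sport: int              # remote port
    dport: int              # port on the server
    new_conn: bool = False  # TCP only: inbound connection attempt (SYN)

def stateless_permit(pkt):
    """Permit-only check on the destination port, with no memory of outbound traffic."""
    if pkt.proto == "udp":
        return pkt.dport in UDP_PERMIT
    # Assumption: only inbound TCP connection attempts are checked, which
    # matches the thread (outbound browsing broke on UDP, not TCP).
    return (not pkt.new_conn) or pkt.dport in TCP_PERMIT

class StatefulFilter:
    """Same permit lists, plus a table of flows the server itself opened."""
    def __init__(self):
        self.flows = set()

    def note_outbound(self, proto, local_port, remote, remote_port):
        self.flows.add((proto, local_port, remote, remote_port))

    def permit(self, pkt):
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # reply to traffic the server initiated
        return stateless_permit(pkt)

def demo():
    resolver = "192.0.2.53"  # constructed documentation address
    reply = Packet("udp", resolver, 53, 1047)         # DNS answer to an ephemeral port
    query = Packet("udp", "198.51.100.7", 40000, 53)  # client asking the server's DNS
    stray = Packet("udp", "198.51.100.9", 53, 1047)   # unsolicited, source port 53
    fw = StatefulFilter()
    fw.note_outbound("udp", 1047, resolver, 53)       # the server's own lookup
    return {
        "stateless": [stateless_permit(p) for p in (reply, query, stray)],
        "stateful": [fw.permit(p) for p in (reply, query, stray)],
    }

if __name__ == "__main__":
    print(demo())
```

In this model, switching UDP to "Permit All" would let the DNS reply through but would also pass the unsolicited packet, which the stateful filter still drops.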