Not had the pleasure yet myself, but I'd imagine either Guffer or Callum might have an idea..
Techie question
I was wondering if anyone had experience with the SMS 2003 SP1 beta, or more specifically how to get it to run on the internet. We're using Satcom for download and 512/256 ADSL for upload. The central servers are running Windows server 2003 Enterprise edition and the computers we're trying to connect to are using Windows XP Professional. Also this will have to go through dual Cisco 1024 pix firewalls. I can't imagine this will get a good response but any help would be appreciated.
6 Replies and 3615 Views in Total.
Had very little to do with SMS myself, but my first question would be -- are you using VPN?
Relatedly, depending on what you're wanting to do with SMS, and on the extent to which SMS is already rolled out and is a part of your processes, you may want to look at ManageSoft, this may simplify things massively for you.
Edit: fixed assorted tpyos
(Edited by Callum 18/06/2004 11:19)
This is a relevant question. Exactly how these machines are trying to connect to each other may help us to understand the nature of the problem better.
by Callum
Had very little to do with SMS myself, but my first question would be -- are you using VPN?
I too am not familiar with the workings of SMS, but it sounds as though you are describing a process where a connection is made from the 2003 servers out to the XP machines. If we are dealing with VPN connectivity this may have a specific bearing on the matter.
If the machines are initiating the VPN (i.e. there is a piece of software running on each XP machine) then, as often as not, the connection can only be made from that end of the link. Any servers contacted will be able to respond and communicate, but in the cases of many VPNs this type of connection is uni-directional and therefore the servers will not be able to initiate the conversation.
If there is another device sitting outside the XP machines which is handling the VPN comms this should allow bi-directional communication (though this is dependent on the config of the VPNs - it's possible to have a site-to-site VPN which connects two networks together but only one is allowed to initiate a conversation).
Try to find out more and I will have a think...
There will be a proxy server handling the communications at the laptops' end. We were using VPN but unfortunately had decided to remove it from our systems (don't know why though). At the moment we're still in the testing stages with plans to implement it fully, however we've been setting it up for one of our clients as they have no such system in place, at the moment though the clients aren't recognising the management server and vice-versa.
Knowing that you are trying to get this through a firewall this may be the cause. Microsoft networking protocols and firewalls don't usually mix too well. I speak from painful experience.
Two key factors being network address translation (which 90% of firewalls perform to "hide" the main network address range from the outside world - and the proxy server may be doing the same thing from the laptop's end of the connection) and the fact that many Microsoft network-based services tend to use random port numbers for communication. When you've got a firewall sitting in the way it will almost certainly be configured to block everything except the ports for commonly required services (HTTP, SMTP, FTP etc...).
From my experience of trying to get MS networking services through a firewall you may find that some registry hacking is required to lock the communication down to a handful of specific ports which can then be configured to pass through the firewall. Basic principle of firewalling is such that the fewer ports you open the more secure the network will be. Those poor sods who open all ports over 1024 (which MS often uses in its random port range) to try and solve the problem may as well not have a firewall in place...
I suggest that you have a look through the Microsoft knowledgebase. Enter the word "Firewall" in the search criteria against the SMS product and you may well get some results.
(Edited by gobstopper 18/06/2004 17:18)
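An added example, not part of any poster's reply: a small Python check for the anti-pattern described in the post above, a permit rule that opens every port over 1024. The rule lines use a simplified PIX/IOS-style ACL syntax with numeric ports only; the ACL name, addresses and the 100-port threshold are constructed assumptions.

```python
# Constructed sample rules, simplified PIX/IOS-style syntax (not from the thread).
SAMPLE_ACL = """\
access-list outside_in permit tcp host 192.0.2.10 host 198.51.100.5 eq 80
access-list outside_in permit tcp host 192.0.2.10 host 198.51.100.5 range 5000 5020
access-list outside_in permit tcp any host 198.51.100.5 gt 1024
access-list outside_in permit tcp host 192.0.2.11 host 198.51.100.5 range 1025 65535
access-list outside_in deny ip any any
"""

MAX_PORTS = 100  # assumed review threshold: wider permits get flagged


def take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A NETMASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_rule(line):
    """Return (src, dst, low_port, high_port) for a permit rule, else None."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
        return None
    src, rest = take_addr(tok[4:])
    dst, rest = take_addr(rest)
    if not rest:                      # no port operator: every port is open
        return src, dst, 1, 65535
    op, args = rest[0], [int(a) for a in rest[1:]]
    if op == "eq":
        return src, dst, args[0], args[0]
    if op == "range":
        return src, dst, args[0], args[1]
    if op == "gt":
        return src, dst, args[0] + 1, 65535
    if op == "lt":
        return src, dst, 1, args[0] - 1
    raise ValueError(f"unsupported port operator: {op}")


def audit(acl_text, max_ports=MAX_PORTS):
    """List (line_no, source, low, high, width) for permits wider than max_ports."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule[3] - rule[2] + 1 > max_ports:
            src, _dst, lo, hi = rule
            findings.append((n, src, lo, hi, hi - lo + 1))
    return findings
```

On the sample, the rule limited to a known source address is flagged alongside the `any` rule, because source filtering does not reduce the number of listening ports that source can reach.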
The firewall's configured to only allow traffic from known I.P addresses, i.e. other servers, routers, laptops (all static I.P). SMS however runs on static not random ports, still, I've set up a one server one client system outside of the Pix to see if that's the problem, they're also off fresh installations just in case I messed up the settings.