LAN protection


jacven
11-07-04, 12:20 PM
Hello I have a LAN connected to a NETOPIA 3347W router and recently installed on the server (win2k server) Terminal Services Application Mode, we access from a different country this server...

Before setting up TS on it, we could not access the server because its internal IP address is 192.x.x.x, so from the router we set up a bridge and applied a valid IP address (in this case 65.x.x.x) and of course we're able to remote control very well.

Now, we're looking for a secure way to protect our data at the Win2k Server, so what do you recommend?

VPN, Firewall, what?

Thanks for your time,

Cheers,
Jac. :thumb:

YeOldeStonecat
11-07-04, 06:21 PM
Get it back behind the NAT firewall ASAP!!!!!!!

And simply forward port 3389 to the LAN IP of the server.

And from the outside, you'll connect your remote desktop or TS client to the WAN IP that the router obtains.

jacven
11-07-04, 06:28 PM
Ok, now I don't have access to the web admin of the router. I will try it tomorrow and check, because I really don't know how to do that. Thank you.

YeOldeStonecat
11-07-04, 06:41 PM
Netopias are usually 192.168.1.254 (I have one myself, although a 3546 model)
Admin for password, and often the serial number on the bottom of the unit for the password.

Server hanging out there unprotected, with Server and Workstation services bound to that NIC...oh boy! Oh boy! :nope: Don't want that at all! All ports are exposed...virtually hanging the servers butt out there naked, waiting to be pillaged and plundered. Hope you have strong passwords on it at least. Windows updates, good antivirus, etc.

Bottom line. Get it back on a private LAN IP behind that NAT protection...fast as you can.

jacven
11-07-04, 06:47 PM
Hi, yes that's our main worry. I went to the router web administration page, at "security" button I saw: ClearSailing, SilentRunning and LANdlocked, so I wonder which of these options should I use? Thanks.

YeOldeStonecat
11-07-04, 06:51 PM
Not there...those are various settings for the router:
ClearSailing...the router runs NAT, but responds to some outside probes, like PING.
SilentRunning..you're running completely hidden (what I used when I ran this router)
LANdlocked...completely shuts off traffic in both directions, nobody can get in or out...basically the router is running, but effectively shut down.

What you want is the port forwarding section...but Netopia calls it "Pinholes".

Read up on it here:
http://www.netopia.com/en-us/support/technotes/hardware/CQG_025.html

jacven
11-07-04, 08:24 PM
Ok, I only need the Win2k Server to provide TS for my clients, not other services. I suppose I need to add a pinhole for the specific port of the TS and that's all?

And also leave as it is the router (ClearSailing) checked button?

YeOldeStonecat
11-08-04, 06:31 AM
Yes, only create a pinhole for TS to come through, forwarding to the LAN IP of the server. Server should be a static IP address, not dynamic. Is your server running as a DC? Any other servers on the network?

I'd go with Silent Running, that's what I was using on my Netopia router at home when I was using it.

jacven
11-08-04, 09:17 AM
Yes, we're using a DC, and also from the router we have VoIP. Do these changes affect it? Thanks.

YeOldeStonecat
11-08-04, 09:29 AM
I'm not overly familiar with VOIP services. You running that from another hardware device? Did it work when your server was behind NAT before?

I was asking about the DC stuff, just to review your TCP/IP settings on the server, since you have to have it on a static IP address.

Example:
Server IP
192.168.1.11
Subnet 255.255.255.0

Gateway
192.168.1.254 (assuming that's the LAN IP your router is at)

DNS
192.168.1.11 (Server should only use itself as the one and only DNS server, unless you're running DNS on another DC on your LAN if you have more than 1 server)

WINS (if you're running that for Win9X clients)
192.168.1.11 (if you do run WINS on that same box)

Any/all Win 2K/XP based clients should use the server running DNS as their one and only DNS server.
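A small check of the settings listed above (private LAN address behind NAT, static IP, gateway on the server's subnet, DC using itself as its only DNS server), as an added example that is not from this thread or its posters; it assumes text in the shape of `ipconfig /all` output, and the sample below is constructed rather than taken from anyone's server.

```python
"""Sanity-check a Windows server's TCP/IP settings against the advice in
this thread.  Added example; the ipconfig text is constructed."""
import ipaddress
import re

# Constructed sample in the shape of `ipconfig /all` output.
SAMPLE_IPCONFIG = """
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.11
"""

FIELDS = ("DHCP Enabled", "IP Address", "Subnet Mask",
          "Default Gateway", "DNS Servers")


def parse_ipconfig(text):
    """Pull the fields we care about out of ipconfig /all style text."""
    fields = {}
    for key in FIELDS:
        # Lines look like "Key . . . . : value"; take the first token after ':'
        m = re.search(r"^\s*" + re.escape(key) + r"[ .]*: *(\S+)", text, re.M)
        if m:
            fields[key] = m.group(1)
    return fields


def check_server_config(fields):
    """Return a list of findings; empty means the config matches the advice."""
    findings = []
    addr = ipaddress.ip_interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")
    if not addr.ip.is_private:
        # The situation at the start of the thread: bridged onto a public IP,
        # so every listening service on the box is reachable from the Internet.
        findings.append("server has a public IP: bridged outside NAT, all ports exposed")
    if fields.get("DHCP Enabled", "No").lower() == "yes":
        findings.append("address is dynamic; a forwarded pinhole needs a static IP")
    gw = ipaddress.ip_address(fields["Default Gateway"])
    if gw not in addr.network:
        findings.append(f"gateway {gw} is not on the server's subnet {addr.network}")
    if fields["DNS Servers"] != str(addr.ip):
        findings.append("DC should use itself as its one and only DNS server")
    return findings


if __name__ == "__main__":
    print(check_server_config(parse_ipconfig(SAMPLE_IPCONFIG)) or "config OK")
```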

jacven
11-08-04, 10:49 AM
Yes, it was working before doing the bridge to the Win2k server. Actually it's working now, but the server is insecure. The example you mentioned is very similar to what we have.

m4a2t0t
11-12-04, 12:11 AM
Put in a firewall between sites and setup VPN connections between them.