SBS 2008 Public website on port 80 blocked

I have installed SBS 2008 with port 80 open on my router and a FQDN set up
with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
and it is accessible internally from the LAN. It is also accessible by its
FQDN from the internal network. It is NOT accessible externally by its FQDN
from the internet.

It doesn't return any kind of error message other than a timeout.

In the Windows Firewall setting, it says that it is predefined, and I cannot
change anything. Or can I?

I have also tried disabling the Windows Firewall for the public part, but
there is no effect.

Please help.

Doubt you will find too much assistance in this regard as it's a Huge
security risk to host a publicly accessible website on port 80 on your
business network
Even enterprise businesses don't do this.

Spend the $5 a month with Godaddy or whomever and keep this off your
business network.

--
Cris Hanna [SBS - MVP]
Co-Author, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-...7269967&sr=8-1
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.

"Flo Wirehead" <FloWirehead@discussions.microsoft.com> wrote in message
news:066FCDE5-14B8-44ED-9255-9EB491524CEE@microsoft.com...
>I have installed SBS 2008 with port 80 open on my router and a FQDN set up
> with my DNS host. I have put some HTML and PHP content in my wwwroot
> folder,
> and it is accessible internally from the LAN. It is also accessible by its
> FQDN from the internal network. It is NOT accessible externally by its
> FQDN
> from the internet.
>
> It doesn't return any kind of error message other than a timeout.
>
> In the Windows Firewall setting, it says that it is predefined, and I
> cannot
> change anything. Or can I?
>
> I have also tried disabling the Windows Firewall for the public part, but
> there is no effect.
>
> Please help.

Flo Wirehead wrote:
> I have installed SBS 2008 with port 80 open on my router and a FQDN set up
> with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
> and it is accessible internally from the LAN. It is also accessible by its
> FQDN from the internal network. It is NOT accessible externally by its FQDN
> from the internet.
>
> It doesn't return any kind of error message other than a timeout.
>
> In the Windows Firewall setting, it says that it is predefined, and I cannot
> change anything. Or can I?
>
> I have also tried disabling the Windows Firewall for the public part, but
> there is no effect.
>
> Please help.
Sounds more like a firewall publishing issue? What external firewall do
you have?

"Susan Bradley" wrote:

> Flo Wirehead wrote:
> > I have installed SBS 2008 with port 80 open on my router and a FQDN set up
> > with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
> > and it is accessible internally from the LAN. It is also accessible by its
> > FQDN from the internal network. It is NOT accessible externally by its FQDN
> > from the internet.
> >
> > It doesn't return any kind of error message other than a timeout.
> >
> > In the Windows Firewall setting, it says that it is predefined, and I cannot
> > change anything. Or can I?
> >
> > I have also tried disabling the Windows Firewall for the public part, but
> > there is no effect.
> >
> > Please help.
> Sounds more like a firewall publishing issue? What external firewall do
> you have?

This is no other firewall -- only the Windows Firewall and the Linksys
router. No DMZ enabled on the router either.

Flo Wirehead wrote:
>
> "Susan Bradley" wrote:
>
>> Flo Wirehead wrote:
>>> I have installed SBS 2008 with port 80 open on my router and a FQDN set up
>>> with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
>>> and it is accessible internally from the LAN. It is also accessible by its
>>> FQDN from the internal network. It is NOT accessible externally by its FQDN
>>> from the internet.
>>>
>>> It doesn't return any kind of error message other than a timeout.
>>>
>>> In the Windows Firewall setting, it says that it is predefined, and I cannot
>>> change anything. Or can I?
>>>
>>> I have also tried disabling the Windows Firewall for the public part, but
>>> there is no effect.
>>>
>>> Please help.
>> Sounds more like a firewall publishing issue? What external firewall do
>> you have?
>
> This is no other firewall -- only the Windows Firewall and the Linksys
> router. No DMZ enabled on the router either.

Thank God for that, at least. Then you need to configure the router to
forward port 80 to the SBS IP address.

You also need to consider the server and all PCs not isolated from it by
a good firewall to be expendable. Instruct all users that no valuable or
confidential data is ever to be stored on these machines. Set up a
schedule for very frequent backups, monitor the router continuously for
unexpected outgoing traffic, and budget for downtime to reformat and
reinstall the server from time to time.

I would trust that all active web content has been written by a
professional web designer with plenty of experience of web security with
PHP and any other active protocols you are using. You might just get
away with static pages, but active content makes a public web server
very vulnerable to compromise, though there's no way of guessing how often.

If you are not familiar with the term 'cross-site scripting', here is a
basic introduction: http://en.wikipedia.org/wiki/Cross-site_scripting

"Joe" wrote:

> Flo Wirehead wrote:
> >
> > "Susan Bradley" wrote:
> >
> >> Flo Wirehead wrote:
> >>> I have installed SBS 2008 with port 80 open on my router and a FQDN set up
> >>> with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
> >>> and it is accessible internally from the LAN. It is also accessible by its
> >>> FQDN from the internal network. It is NOT accessible externally by its FQDN
> >>> from the internet.
> >>>
> >>> It doesn't return any kind of error message other than a timeout.
> >>>
> >>> In the Windows Firewall setting, it says that it is predefined, and I cannot
> >>> change anything. Or can I?
> >>>
> >>> I have also tried disabling the Windows Firewall for the public part, but
> >>> there is no effect.
> >>>
> >>> Please help.
> >> Sounds more like a firewall publishing issue? What external firewall do
> >> you have?
> >
> > There is no other firewall -- only the Windows Firewall and the Linksys
> > router. No DMZ enabled on the router either.
>
> Thank God for that, at least. Then you need to configure the router to
> forward port 80 to the SBS IP address.

I have port 80 & 81 traffic forwarded to the SBS. It works when I add a
binding for the default web site to port 81, but not to port 80.

> You also need to consider the server and all PCs not isolated from it by
> a good firewall to be expendable. Instruct all users that no valuable or
> confidential data is ever to be stored on these machines. Set up a
> schedule for very frequent backups, monitor the router continuously for
> unexpected outgoing traffic, and budget for downtime to reformat and
> reinstall the server from time to time.

There will only be public documents on the public web server which will be
located in a separate building on a separate network from the office server.

> I would trust that all active web content has been written by a
> professional web designer with plenty of experience of web security with
> PHP and any other active protocols you are using. You might just get
> away with static pages, but active content makes a public web server
> very vulnerable to compromise, though there's no way of guessing how often.
>
> If you are not familiar with the term 'cross-site scripting', here is a
> basic introduction: http://en.wikipedia.org/wiki/Cross-site_scripting
>

Flo Wirehead wrote:
> "Joe" wrote:
>
>> Flo Wirehead wrote:
>>> "Susan Bradley" wrote:
>>>
>>>> Flo Wirehead wrote:
>>>>> I have installed SBS 2008 with port 80 open on my router and a FQDN set up
>>>>> with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
>>>>> and it is accessible internally from the LAN. It is also accessible by its
>>>>> FQDN from the internal network. It is NOT accessible externally by its FQDN
>>>>> from the internet.
>>>>>
>>>>> It doesn't return any kind of error message other than a timeout.
>>>>>
>>>>> In the Windows Firewall setting, it says that it is predefined, and I cannot
>>>>> change anything. Or can I?
>>>>>
>>>>> I have also tried disabling the Windows Firewall for the public part, but
>>>>> there is no effect.
>>>>>
>>>>> Please help.
>>>> Sounds more like a firewall publishing issue? What external firewall do
>>>> you have?
>>> There is no other firewall -- only the Windows Firewall and the Linksys
>>> router. No DMZ enabled on the router either.
>> Thank God for that, at least. Then you need to configure the router to
>> forward port 80 to the SBS IP address.
>
> I have port 80 & 81 traffic forwarded to the SBS. It works when I add a
> binding for the default web site to port 81, but not to port 80.
>
>> You also need to consider the server and all PCs not isolated from it by
>> a good firewall to be expendable. Instruct all users that no valuable or
>> confidential data is ever to be stored on these machines. Set up a
>> schedule for very frequent backups, monitor the router continuously for
>> unexpected outgoing traffic, and budget for downtime to reformat and
>> reinstall the server from time to time.
>
> There will only be public documents on the public web server which will be
> located in a separate building on a separate network from the office server.
>
>> I would trust that all active web content has been written by a
>> professional web designer with plenty of experience of web security with
>> PHP and any other active protocols you are using. You might just get
>> away with static pages, but active content makes a public web server
>> very vulnerable to compromise, though there's no way of guessing how often.
>>
>> If you are not familiar with the term 'cross-site scripting', here is a
>> basic introduction: http://en.wikipedia.org/wiki/Cross-site_scripting
>>
Was this router used by another server?

I'm wondering if it's upnp connections have been mangled. You may need
to reset it to factory default and rerun the connect to internet wizard.

So if I understand correctly, you simply bought SBS as a cheap webserver? You're not running it for your business network?

--
Cris Hanna [SBS - MVP]
Co-Author, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-...7269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.

"Flo Wirehead" <FloWirehead@discussions.microsoft.com> wrote in message news:954A9FEE-D9E0-47BC-874C-DB1804B473EF@microsoft.com...
"Joe" wrote:

> Flo Wirehead wrote:
> >
> > "Susan Bradley" wrote:
> >
> >> Flo Wirehead wrote:
> >>> I have installed SBS 2008 with port 80 open on my router and a FQDN set up
> >>> with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
> >>> and it is accessible internally from the LAN. It is also accessible by its
> >>> FQDN from the internal network. It is NOT accessible externally by its FQDN
> >>> from the internet.
> >>>
> >>> It doesn't return any kind of error message other than a timeout.
> >>>
> >>> In the Windows Firewall setting, it says that it is predefined, and I cannot
> >>> change anything. Or can I?
> >>>
> >>> I have also tried disabling the Windows Firewall for the public part, but
> >>> there is no effect.
> >>>
> >>> Please help.
> >> Sounds more like a firewall publishing issue? What external firewall do
> >> you have?
> >
> > There is no other firewall -- only the Windows Firewall and the Linksys
> > router. No DMZ enabled on the router either.
>
> Thank God for that, at least. Then you need to configure the router to
> forward port 80 to the SBS IP address.

I have port 80 & 81 traffic forwarded to the SBS. It works when I add a
binding for the default web site to port 81, but not to port 80.

> You also need to consider the server and all PCs not isolated from it by
> a good firewall to be expendable. Instruct all users that no valuable or
> confidential data is ever to be stored on these machines. Set up a
> schedule for very frequent backups, monitor the router continuously for
> unexpected outgoing traffic, and budget for downtime to reformat and
> reinstall the server from time to time.

There will only be public documents on the public web server which will be
located in a separate building on a separate network from the office server.

> I would trust that all active web content has been written by a
> professional web designer with plenty of experience of web security with
> PHP and any other active protocols you are using. You might just get
> away with static pages, but active content makes a public web server
> very vulnerable to compromise, though there's no way of guessing how often.
>
> If you are not familiar with the term 'cross-site scripting', here is a
> basic introduction: http://en.wikipedia.org/wiki/Cross-site_scripting
>

"Cris Hanna [SBS - MVP]" wrote:

> So if I understand correctly, you simply bought SBS as a cheap webserver? You're not running it for your business network?

It's a charitable non-profit org with SBS for the office LAN and another
SBS, co-located off-site for the public website. I am hoping to configure
them so that if one of the servers goes down for an extended period of time
(because the server hardware is donated), the other can function as an
interim backup without like a total re-configuration.

When's your book coming out? Do you have an e-version I can preview?

>
> --
> Cris Hanna [SBS - MVP]
> Co-Author, Windows Small Business Server 2008 Unleashed
> http://www.amazon.com/Windows-Small-...7269967&sr=8-1
> Owner, CPU Services, Belleville, IL
> A Microsoft Registered Partner
> ------------------------------------
> MVPs do not work for Microsoft
> Please do not submit questions directly to me.
>
> "Flo Wirehead" <FloWirehead@discussions.microsoft.com> wrote in message news:954A9FEE-D9E0-47BC-874C-DB1804B473EF@microsoft.com...
> "Joe" wrote:
>
> > Flo Wirehead wrote:
> > >
> > > "Susan Bradley" wrote:
> > >
> > >> Flo Wirehead wrote:
> > >>> I have installed SBS 2008 with port 80 open on my router and a FQDN set up
> > >>> with my DNS host. I have put some HTML and PHP content in my wwwroot folder,
> > >>> and it is accessible internally from the LAN. It is also accessible by its
> > >>> FQDN from the internal network. It is NOT accessible externally by its FQDN
> > >>> from the internet.
> > >>>
> > >>> It doesn't return any kind of error message other than a timeout.
> > >>>
> > >>> In the Windows Firewall setting, it says that it is predefined, and I cannot
> > >>> change anything. Or can I?
> > >>>
> > >>> I have also tried disabling the Windows Firewall for the public part, but
> > >>> there is no effect.
> > >>>
> > >>> Please help.
> > >> Sounds more like a firewall publishing issue? What external firewall do
> > >> you have?
> > >
> > > There is no other firewall -- only the Windows Firewall and the Linksys
> > > router. No DMZ enabled on the router either.
> >
> > Thank God for that, at least. Then you need to configure the router to
> > forward port 80 to the SBS IP address.
>
> I have port 80 & 81 traffic forwarded to the SBS. It works when I add a
> binding for the default web site to port 81, but not to port 80.
>
> > You also need to consider the server and all PCs not isolated from it by
> > a good firewall to be expendable. Instruct all users that no valuable or
> > confidential data is ever to be stored on these machines. Set up a
> > schedule for very frequent backups, monitor the router continuously for
> > unexpected outgoing traffic, and budget for downtime to reformat and
> > reinstall the server from time to time.
>
> There will only be public documents on the public web server which will be
> located in a separate building on a separate network from the office server.
>
> > I would trust that all active web content has been written by a
> > professional web designer with plenty of experience of web security with
> > PHP and any other active protocols you are using. You might just get
> > away with static pages, but active content makes a public web server
> > very vulnerable to compromise, though there's no way of guessing how often.
> >
> > If you are not familiar with the term 'cross-site scripting', here is a
> > basic introduction: http://en.wikipedia.org/wiki/Cross-site_scripting
> >

I am not the primary author of the book. I don't know if there will be a
preview chapter on Amazon when the book becomes available. However you
should be able to check it out at borders or barnes and noble around Dec
10th

There is no "fail over" to standby server with SBS. Each SBS server
creates its own Active Directory Forest/Domain and must be the first server
in that forest/domain. Unless you are using Shadowprotect or other product
that allows for Hardware independent restores, you would have to reinstall
the offsite SBS server up to the service pack of the current SBS server and
then restore your backup to the new server. Even if you could "fail over"
to the off site server, by using it as a webserver, it's integrity is
compromised because of access on port 80.

SBS was never designed to be a publically facing webserver. Yes it does
have IIS, but the primary purpose behind that is to support Outlook Web
Access, Remote Web Workplace, and Sharepoint.

They'd be better off, as indicated previously with a $5/month hosted website
at Godaddy or someother nationally recognized web hosting company.

--
Cris Hanna [SBS - MVP]
Co-Author, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-...7269967&sr=8-1
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.

"Flo Wirehead" <FloWirehead@discussions.microsoft.com> wrote in message
news:2D4C9792-73C2-406B-8873-FB8E1D57C280@microsoft.com...
> "Cris Hanna [SBS - MVP]" wrote:
>
>> So if I understand correctly, you simply bought SBS as a cheap webserver?
>> You're not running it for your business network?
>
> It's a charitable non-profit org with SBS for the office LAN and another
> SBS, co-located off-site for the public website. I am hoping to configure
> them so that if one of the servers goes down for an extended period of
> time
> (because the server hardware is donated), the other can function as an
> interim backup without like a total re-configuration.
>
> When's your book coming out? Do you have an e-version I can preview?
>
>>
>> --
>> Cris Hanna [SBS - MVP]
>> Co-Author, Windows Small Business Server 2008 Unleashed
>> http://www.amazon.com/Windows-Small-...7269967&sr=8-1
>> Owner, CPU Services, Belleville, IL
>> A Microsoft Registered Partner
>> ------------------------------------
>> MVPs do not work for Microsoft
>> Please do not submit questions directly to me.
>>
>> "Flo Wirehead" <FloWirehead@discussions.microsoft.com> wrote in message
>> news:954A9FEE-D9E0-47BC-874C-DB1804B473EF@microsoft.com...
>> "Joe" wrote:
>>
>> > Flo Wirehead wrote:
>> > >
>> > > "Susan Bradley" wrote:
>> > >
>> > >> Flo Wirehead wrote:
>> > >>> I have installed SBS 2008 with port 80 open on my router and a
>> FQDN set up
>> > >>> with my DNS host. I have put some HTML and PHP content in my
>> wwwroot folder,
>> > >>> and it is accessible internally from the LAN. It is also
>> accessible by its
>> > >>> FQDN from the internal network. It is NOT accessible externally
>> by its FQDN
>> > >>> from the internet.
>> > >>>
>> > >>> It doesn't return any kind of error message other than a timeout.
>> > >>>
>> > >>> In the Windows Firewall setting, it says that it is predefined,
>> and I cannot
>> > >>> change anything. Or can I?
>> > >>>
>> > >>> I have also tried disabling the Windows Firewall for the public
>> part, but
>> > >>> there is no effect.
>> > >>>
>> > >>> Please help.
>> > >> Sounds more like a firewall publishing issue? What external
>> firewall do
>> > >> you have?
>> > >
>> > > There is no other firewall -- only the Windows Firewall and the
>> Linksys
>> > > router. No DMZ enabled on the router either.
>> >
>> > Thank God for that, at least. Then you need to configure the router
>> to
>> > forward port 80 to the SBS IP address.
>>
>> I have port 80 & 81 traffic forwarded to the SBS. It works when I add a
>> binding for the default web site to port 81, but not to port 80.
>>
>> > You also need to consider the server and all PCs not isolated from it
>> by
>> > a good firewall to be expendable. Instruct all users that no valuable
>> or
>> > confidential data is ever to be stored on these machines. Set up a
>> > schedule for very frequent backups, monitor the router continuously
>> for
>> > unexpected outgoing traffic, and budget for downtime to reformat and
>> > reinstall the server from time to time.
>>
>> There will only be public documents on the public web server which will
>> be
>> located in a separate building on a separate network from the office
>> server.
>>
>> > I would trust that all active web content has been written by a
>> > professional web designer with plenty of experience of web security
>> with
>> > PHP and any other active protocols you are using. You might just get
>> > away with static pages, but active content makes a public web server
>> > very vulnerable to compromise, though there's no way of guessing how
>> often.
>> >
>> > If you are not familiar with the term 'cross-site scripting', here is
>> a
>> > basic introduction: http://en.wikipedia.org/wiki/Cross-site_scripting
>> >

Cris Hanna [SBS MVP] wrote:
> I am not the primary author of the book. I don't know if there will be
> a preview chapter on Amazon when the book becomes available. However
> you should be able to check it out at borders or barnes and noble around
> Dec 10th
>
> There is no "fail over" to standby server with SBS. Each SBS server
> creates its own Active Directory Forest/Domain and must be the first
> server in that forest/domain. Unless you are using Shadowprotect or
> other product that allows for Hardware independent restores, you would
> have to reinstall the offsite SBS server up to the service pack of the
> current SBS server and then restore your backup to the new server.
> Even if you could "fail over" to the off site server, by using it as a
> webserver, it's integrity is compromised because of access on port 80.
>
> SBS was never designed to be a publically facing webserver. Yes it does
> have IIS, but the primary purpose behind that is to support Outlook Web
> Access, Remote Web Workplace, and Sharepoint.
>
> They'd be better off, as indicated previously with a $5/month hosted
> website at Godaddy or someother nationally recognized web hosting company.
>
And non profits can get cheap software from TechSoup.

and I bet the colocation cost for that 2nd SBS FAR exceeds the cost of www
'virtual hosting'.

Charity org with money to throw away to no good purpose. Doesn't really
surprise me much.

"Susan Bradley" <sbradcpa@pacbell.net> wrote in message
news:OvvoIxEUJHA.3492@TK2MSFTNGP03.phx.gbl...
> Cris Hanna [SBS MVP] wrote:
>> I am not the primary author of the book. I don't know if there will be a
>> preview chapter on Amazon when the book becomes available. However you
>> should be able to check it out at borders or barnes and noble around Dec
>> 10th
>>
>> There is no "fail over" to standby server with SBS. Each SBS server
>> creates its own Active Directory Forest/Domain and must be the first
>> server in that forest/domain. Unless you are using Shadowprotect or
>> other product that allows for Hardware independent restores, you would
>> have to reinstall the offsite SBS server up to the service pack of the
>> current SBS server and then restore your backup to the new server. Even
>> if you could "fail over" to the off site server, by using it as a
>> webserver, it's integrity is compromised because of access on port 80.
>>
>> SBS was never designed to be a publically facing webserver. Yes it does
>> have IIS, but the primary purpose behind that is to support Outlook Web
>> Access, Remote Web Workplace, and Sharepoint.
>>
>> They'd be better off, as indicated previously with a $5/month hosted
>> website at Godaddy or someother nationally recognized web hosting
>> company.
>>
> And non profits can get cheap software from TechSoup.