Downstream compromise


thejamie

Having trouble figuring out what is causing the downstream on the primary
router to be compromised. SQL Server 2008 SP1 running on Windows Server 2008
fully SP'd... Netopia Router, SBS 2003 R2/ISA 2004 Domain.

When a user connects to the Windows Server 2008, if there is any kind of a
time-out for any variety of reasons... insufficient permission for the user
on SQL, user connects via RDC and permissions fail because password is typed
in incorrectly, user connects to IIS on the server and permission fails (all
examples). For any of these, the downstream for the domain drops off usually
to about 384 which is pitiful. It isn't very fast to begin with (ATT ADSL,
end of the line - out three miles from the source so it only runs downstream
at 1536).

Cannot figure out why the downstream is being compromised - only clues are
general above plus what is in the log - which all appear as permission issues
in the security log. Is there a service on Windows 2008 that checks security
that goes above and beyond what is handled by ISA 2004 which I can turn off
until we can figure out exactly what causes the downstream to be compromised.

Have to reboot the router more than once a day. Not good practice.
--
Regards,
Jamie
 

Dusko Savatovic

Just a thought.
One man's downstream is another man's upstream.
It may be that your Windows Server is attached to ADSL which has poor
upstream, hence the poor performance on the downstream client.

 

thejamie

Thanks for the thought but the router has an excellent track record with zero
issues for nearly three years -- until now that is.
--
Regards,
Jamie

 

thejamie

Actually, I'm not sure what you mean. Can you explain what you mean by the
upstream affecting the downstream?
--
Regards,
Jamie

 

Dusko Savatovic

ADSL is an asymmetric line, for example
10 Mbps for download
.5 Mbps (or 512 kbps) for upload

This means that if your server is on ADSL (10Mbps down/512 kbps up),
although your clients are capable of downloading at 10 Mbps each, they will
all have to share 512 kbps because the server will not be able to pump up more
than 512 kbps.

I'd suggest you contact your provider. They can usually direct you to some
reliable bandwidth test.

OTOH, if you have a symmetric connection (typically 4MB up/4 MB down), again
contact your ISP and ask for a bandwidth measurement test. It's not uncommon that
they change gear at their end and forget to return users' settings. They
reckon, if something's wrong, the user will call.

 

thejamie

Not that simple. Checked the ATT bandwidth web site and my bandwidth is
fine. I have the 1536 downstream and have always only had 384 (should be
more) but that's another issue. The bandwidth is available but the router
itself has its downstream speed compromised. There are five IP addresses...
two unused but the other two support wireless routers. One is part of the
domain, one is not. ISA 2004 recognizes all five IP's and NATs them out.

This is a Windows 2008 Server issue. Nothing to do with the router, or, at
least, if it is the router, it picked a fine time to act up. And nothing to
do with ATT and nothing to do with Netopia.

"Exactly" the same time that Server 2008 is added to the mix [after a long
three plus years of zero issues], NOW (emphasis on NOW) there are downstream
issues? To fix, just unplug the router for twenty seconds, plug it back in
and no more SNAFU. If it is the router, the Netopia people are totally
convinced it has nothing to do with the router. They basically said, "Look,
if you can unplug the router for 20 seconds and you get your bandwidth back,
it isn't a problem with the router or with your ISP."

The bandwidth drop corresponds to a line in the security log (non DC) that
shows the server denied permission to someone or something on the network.
Until I can figure this out, I'd prefer that Windows Server 2008 not have
that kind of authority. Windows 2003 supports IPv4. I suspect it may have
something to do with the IPv6 - two platforms here - Yukon and Katmai for
SQL - not being well-versed in the server tech, but knowing a permission
issue when I see it... if I could turn off the server's nosey messing around
with domain permission, I think it may give me some time to figure this out.

Just need a way to turn that off on Windows Server 2008 for the time being.
All the desktops have already been set to use IPv4 which doesn't seem to make
a difference. Maybe someone is playing games on a Windows 7 machine?
Whatever it is, the router can't be rebooted this way for long.
--
Regards,
Jamie

 

Ace Fekay [MCT]
Curious, you said you are using ISA. If you disable ISA, does this all go
away?

It could also be:

- NAT H.323 issue (if the server has 3 or more NICs).
- MTU issue on the DSL unit (there are known issues with the reduced MTU size
  that ADSL PPPoE needs).
- Issue with the RSS/TCP Chimney feature.

Also, how is the ADSL router setup? Is it in bridge mode to another router
internally, then to Windows 2008, or is 2008 directly plugged in to it (not
recommended)? If plugged into it, I can see PPPoE causing issues.

But if you are saying it is a permissions thing, and you want 2008 not to
control access, maybe it's the ISA thing. Unless you are using VPN through
2008, which possibly is using NAP, which will stop the connection.

It could also be someone is nailing/attacking your system. You can look at
your ISA logs, or probably go a step further and get an IDS to determine
that.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
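Jamie's observation that each bandwidth drop lines up with a denial in the Security log, and Ace's advice to look at the logs, both call for checking that timing systematically rather than by eye. The following is an added example, not code from the thread or from any of its participants: it parses constructed Security-log audit failures and constructed throughput samples, groups consecutive low samples into one episode, and reports which episodes were preceded by a logon failure and from which account and source address. The CSV layouts, the 1536 kbps nominal rate, the 50% drop threshold and the 15-minute window are assumptions.

```python
"""Correlate Security-log audit failures with downstream bandwidth drops.
Added example, not code from the thread. Assumed input line formats:
  security log : "YYYY-MM-DD HH:MM:SS,event_id,account,source_ip"
  samples      : "YYYY-MM-DD HH:MM:SS,downstream_kbps"
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
AUDIT_FAILURE_IDS = {4625}   # 4625: "An account failed to log on" (Server 2008)
NOMINAL_KBPS = 1536          # rated downstream quoted in the thread
DROP_RATIO = 0.5             # a sample under 50% of nominal counts as a drop

# Constructed sample data; accounts, addresses and times are made up.
SECURITY_LOG = """\
2009-10-05 08:01:12,4624,DOMAIN\\alice,192.168.1.20
2009-10-05 08:14:05,4625,DOMAIN\\bob,192.168.1.31
2009-10-05 09:30:44,4625,DOMAIN\\carol,10.0.0.7
2009-10-05 09:31:02,4625,DOMAIN\\carol,10.0.0.7
"""
BANDWIDTH_SAMPLES = """\
2009-10-05 08:20:00,390
2009-10-05 08:30:00,385
2009-10-05 09:00:00,1500
2009-10-05 09:40:00,380
2009-10-05 10:00:00,1500
2009-10-05 10:20:00,370
2009-10-05 10:30:00,1490
"""

@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    event_id: int
    account: str
    source: str

@dataclass(frozen=True)
class Sample:
    when: datetime
    kbps: int

@dataclass
class Episode:
    """One run of consecutive low samples, plus the denials logged just before it."""
    samples: list[Sample]
    denials: list[AuditEvent] = field(default_factory=list)

def _rows(text: str) -> list[list[str]]:
    return [line.split(",") for line in text.splitlines() if line.strip()]

def parse_security_log(text: str) -> list[AuditEvent]:
    events = [AuditEvent(datetime.strptime(w, TIME_FMT), int(i), acct, src)
              for w, i, acct, src in _rows(text)]
    return sorted(events, key=lambda e: e.when)

def parse_samples(text: str) -> list[Sample]:
    samples = [Sample(datetime.strptime(w, TIME_FMT), int(k)) for w, k in _rows(text)]
    return sorted(samples, key=lambda s: s.when)

def drop_episodes(samples: list[Sample], nominal: int, ratio: float) -> list[Episode]:
    """Group consecutive below-threshold samples so one outage is counted once."""
    threshold = nominal * ratio
    episodes: list[Episode] = []
    current: list[Sample] = []
    for s in samples:
        if s.kbps < threshold:
            current.append(s)
        elif current:
            episodes.append(Episode(current))
            current = []
    if current:
        episodes.append(Episode(current))
    return episodes

def correlate(events: list[AuditEvent], episodes: list[Episode],
              window: timedelta) -> list[Episode]:
    """Attach the audit failures logged in the window before each episode starts."""
    for ep in episodes:
        start = ep.samples[0].when
        ep.denials = [e for e in events
                      if e.event_id in AUDIT_FAILURE_IDS
                      and start - window < e.when <= start]
    return episodes

def analyze(security_text: str, samples_text: str, window_minutes: int = 15) -> dict:
    """Count drop episodes that follow an audit failure and which accounts precede them."""
    events = parse_security_log(security_text)
    episodes = drop_episodes(parse_samples(samples_text), NOMINAL_KBPS, DROP_RATIO)
    correlate(events, episodes, timedelta(minutes=window_minutes))
    return {
        "episodes": len(episodes),
        "correlated": sum(1 for ep in episodes if ep.denials),
        "unexplained": sum(1 for ep in episodes if not ep.denials),
        "by_account": dict(Counter(e.account for ep in episodes for e in ep.denials)),
        "detail": episodes,
    }
```

An episode with no denial in its window (the 10:20 drop in the constructed data) is the case that argues against the permission theory, so the "unexplained" count is the number to watch.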
 

thejamie

--
Regards,
Jamie


"Ace Fekay [MCT]" wrote:

>
> Curious, you said you are using ISA. If you disable ISA, does this all go
> away?

Did not try that... will check first thing in the morning.
> It could also be:
>
> NAT H.323 issue (if the server has 3 or more NICs).

Yes - three NICs. One is not being used and is disabled but it is there
just the same.
> MTU issue on the DLS unit (there are known issues with the reduced MTU size
> that ADSL PPPoE needs).

I can't remember changing the MTU size. Will check though... good thought.
> Issue with the RSS/TCP Chimney feature.
>

Don't know what the RSS/TCP Chimney feature is... will look into it.
> Also, how is the ADSL router setup? Is it in bridge mode to another router
> internally, then to Windows 2008, or is 2008 directly plugged in to it (not
> recommended)? If plugged into it, I can see PPPoE causing issues.
>

Router is in bridge mode.

> But if you are saying it is a permissions thing, and you want 2008 not to
> control access, maybe it's the ISA thing. Unless you are using VPN through
> 2008, which possibly is using NAP, which will stop the connection.
>

I have a Windows 7 machine that hits the network constantly through VPN.
Disabled the IPv6 on the Windows 7 - both to the user's Wireless and on the
Windows 2008.

> It could also be someone is nailing/attacking your system. You can look at
> your ISA logs, or probably go a step further and get an IDS to determine
> that.
>

The logs look okay. Thanks for the leads. Will get back after I check this
out.
 

Ace Fekay [MCT]
Info on TCP Chimney/RSS:

TCP Chimney and RSS Features May Cause Slow File Transfers or Cause
Connectivity Problems
http://msmvps.com/blogs/acefekay/archive/2...y-problems.aspx

You wouldn't have changed the MTU. It's a default thing that PPPoE uses 8
bits of each TCP packet, which drops the default MTU 1500 to 1492. It's
known to cause issues with internet connectivity. Hence, why I never suggest
ADSL for any of my customers. It's either FIOS, Cable, T1, or SDSL (in that
order). The 384 ceiling causes problems with GPOs and other AD functions,
because the default threshold for certain GPO and some other functions, is
500K. So if there are multiple clients coming in, the best you will get is
the least common denominator between the up/down speeds, and in your case,
it's 384k (ouch).

Ace
 

thejamie

Is the netsh feature you list for disabling the rss a possible solution here
that may resolve the downstream compromise? Is it only the Server 2008 which
requires the fix or is it also required on the Windows 7 machine?

As I recall, that upload speed should be half the download and my contract
shows 768 not 384. Not much to do about the ADSL only - we are in the
middle of nowhere and the only option is ADSL unless we go wireless which is
cost prohibitive for our operation.

There is a setting on the wireless router for MTU and it is 1500 - There is
something called MRU listed at 1500 on the Netopia router with 1492 showing
as:

Ethernet 100BT: ( up broadcast default rip-send v1 rip-receive v1 )
inet xxx.xxx.xxx.xxx netmask 255.255.255.248 broadcast xxx.xxx.xxx.xxx
physical address xx-xx-xx-xx-xx-xx mtu 1500

PPP over Ethernet vcc1: ( up broadcast default admin-disabled rip-send v1 )
inet xxx.xxx.xxx.xxx netmask 0.0.0.0 broadcast 255.255.255.255
physical address xx-xx-xx-xx-xx-xx mtu 1492

--
Regards,
Jamie

 

Ace Fekay [MCT]
The MTU is automatic when it comes to PPPoE and probably can't change it,
and if you do, PPPoE will fail, because that 8 bit field contains data
pertaining to the connection stream.

I would disable it on the server, and work from there. It's a feature to
offload TCP functions to the card.

I hope you can work it out with your ISP.

Ace
 

thejamie

ISP found a line error. They are on their way to fix it. Thanks for the
help. I am wiser.
--
Regards,
Jamie

 

Ace Fekay [MCT]
Good to hear you were able to nail it down. I hope they resolve it for you.

Ace
 

thejamie

While I was on vacation they brought in an ATT lineman who reset the router
to "NOT" use bridge mode. Apparently the lineman did this to allow the
wireless routers with a DNS address to route to the internet without having
the login and password to the ISP (which the Netopia router saves).

It didn't become a problem until after the 2008 server was installed.
Short of reconfiguring wireless routers with an ISP password, is there an
alternate method available to remove anything on the Windows 2008 server that
will disable its ability to recognize and block the pnp Netopia router.

I am in the dark here again about what is going on. I know bridge mode is
an important aspect of the 2003 SBS configuration.
--
Regards,
Jamie

 

Ace Fekay [MCT]
I'm not following the reason the lineman disabled bridge mode and with all
due respect, it doesn't make sense. Allow wireless routers with a DNS
address to route to the internet with a password to the ISP? What DNS
address, and why would a router need a password to access the internet,
unless it's ISA, Proxy server or similar type of device/service?

Either way, whether I understand the reason or not, basically you have your
infrastructure devices configured a certain way for your solution, and a
technician decided to change the router settings without consulting with you
first?

As for UPnP, that's basically 'network discovery.' By default, the Function
Discovery Resource Publication service is Manual. SSDP and UPnP Discovery
service are Disabled. If you want to enable Network Discovery, you may make
sure the following services are enabled and running. But keep in mind, SBS'
CEICW wizard configures this for you
- DNS Client
- Function Discovery Resource Publication
- SSDP Discovery
- UPnP Device Host

As for bridged mode, it's not that bridge mode is an important aspect for
SBS, rather that bridged mode is important in every aspect, because it allows
YOU to control internet access traffic with YOUR router, not the ISP's
low-end, designed for their own network, router/modem. The functionality
with the SBS wizard "assists" small business owners to configure a router
for them using UPnP, hence why it enabled or at least uses UPnP to do this.

I hope that makes sense?
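An added example to go with the service list above (this is editor-supplied code, not something from Ace's or Jamie's posts): it audits the four services on the 2008 box by their short service names (Dnscache, FDResPub, SSDPSRV, upnphost, which are the standard names for the display names listed) and only enables them when you flip the switch. It uses Win32_Service through WMI because Get-Service on the PowerShell versions that ship for Server 2008 does not expose the startup type. Run it from an elevated prompt on the 2008 server.

```powershell
# Added example, not from the thread: audit (and optionally enable) the
# services needed for Network Discovery / UPnP-based router configuration.
# Assumed short names for the display names Ace listed:
$services = @(
    'Dnscache',     # DNS Client
    'FDResPub',     # Function Discovery Resource Publication
    'SSDPSRV',      # SSDP Discovery
    'upnphost'      # UPnP Device Host
)

function Get-DiscoveryServiceState {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped)
    Get-WmiObject -Class Win32_Service |
        Where-Object { $services -contains $_.Name } |
        Select-Object Name, DisplayName, StartMode, State
}

# Report first; do not change anything until you have looked at this.
Get-DiscoveryServiceState | Format-Table -AutoSize

# Set to $true only if you really want this host answering SSDP/UPnP on the LAN.
# On a member server that is not running CEICW there is usually no reason to.
$enable = $false
if ($enable) {
    foreach ($name in $services) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { Write-Warning "Service $name not found"; continue }
        if ($svc.StartMode -eq 'Disabled') {
            # ChangeStartMode accepts Boot, System, Automatic, Manual, Disabled
            $svc.ChangeStartMode('Manual') | Out-Null
        }
        if ($svc.State -ne 'Running') {
            Start-Service -Name $name
        }
    }
    Get-DiscoveryServiceState | Format-Table -AutoSize
}
```

The point of reporting before enabling: Ace's defaults (SSDP and UPnP Device Host Disabled, FDResPub Manual) are the safe state for a server that is not supposed to be reconfiguring the edge router, and the SBS wizard is the only thing on this network that is meant to drive UPnP. If the audit shows them Running on the 2008 server, that is worth explaining before leaving them that way.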
 

thejamie

I'm still mystified as to why a security violation on the non-DC server
affects the router downstream. Win08 should only see what ISA lets it see.
Win08's remote desktop is turned on -
Examples: port 1723/3389 seems to be controlled on the 08 server instead of
through the DC - that part causes a downstream problem - DC can't RDC into
08.
Visual Sourcesafe Service (VSS) on the 2008 machine had to be removed and
transferred to the DC to prevent one of the permission violations which also
caused a downstream problem anytime the developer saved a project.
IIS is off at the moment so Reporting Services are turned off.

Apparently 08 is verifying what it feels is important and not what the
domain tells it is important.

Does this part make sense? Not to me, it doesn't. If the server is part
of the domain and the domain dictates security permissions, the server should
follow those rules, not its own. I expect to tear off the features and roles
over the weekend and add them gradually until the downstream fails again.
Perhaps then it will be obvious which service on 08 causes it. It's as though
the 08 server had control of DNS, of DHCP, of RRAS?

>
> I'm not following the reason the lineman disabled bridge mode and, with all
> due respect, it doesn't make sense. Allow wireless routers with a DNS
> address to route to the internet with a password to the ISP? What DNS
> address, and why would a router need a password to access the internet,
> unless it's ISA, Proxy server or similar type of device/service?


With bridge mode, the ISP username/password is not in the chain to the ISP,
so it would be up to the wireless to have this part of the chain to
communicate with the ISP in its setup. Lineman was told to get things
running in any way possible. Without me present, there was no
username/password (it was there but no one could find it - nor was I called).
SBS PIC knew how to run CEICW so it was handled without me.

>
> Either way, whether I understand the reason or not, basically you have your
> infrastructure devices configured a certain way for your solution, and a
> technician decided to change the router settings without consulting with you
> first?
>
> As for UPnP, that's basically 'network discovery.' By default, the Function
> Discovery Resource Publication service is Manual. SSDP and UPnP Discovery
> service are Disabled. If you want to enable Network Discovery, you may make
> sure the following services are enabled and running. But keep in mind, SBS'
> CEICW wizard configures this for you
> - DNS Client
> - Function Discovery Resource Publication
> - SSDP Discovery
> - UPnP Device Host
>
> As for bridged mode, it's not that bridge mode is an important aspect for
> SBS, rather that bridged mode is important in every aspect, because it allows
> YOU to control internet access traffic with YOUR router, not the ISP's
> low-end, designed for their own network, router/modem. The functionality
> with the SBS wizard "assists" small business owners to configure a router
> for them using UPnP, hence why it enabled or at least uses UPnP to do this.
>
> I hope that makes sense?


Sure - makes sense.
--
Regards,
Jamie
 

Ace Fekay [MCT]

"thejamie" wrote in message
news:1309DF9C-7EB3-4BB0-A2A7-2F0C2332CDD9@microsoft.com...
> I'm still mystified as to why a security violation on the non-DC server
> affects the router downstream. Win08 should only see what ISA lets it see.
> Win08's remote desktop is turned on -


That depends on how you have ISA setup, if using the firewall client, or
simply using it as a web caching device.

> Examples: port 1723/3389 seems to be controlled on the 08 server instead
> of
> through the DC - that part causes a downstream problem - DC can't RDC into
> 08.


You can only port re-map one port per IP. If the remap is going to the 2008
server, you can RDP from that into any other machine.

> Visual Sourcesafe Service (VSS) on the 2008 machine had to be removed and
> transferred to the DC to prevent one of the permission violations which
> also
> caused a downstream problem anytime the developer saved a project.
> IIS is off at the moment so Reporting Services are turned off.


Not sure how this has anything to do with bandwidth and the downstream
problem. The ATT tech changed your configuration unknown to you, which is
what I see as the issue.

>
> Apparently 08 is verifying what it feels is important and not what the
> domain tells it is important.


??

>
> Does this part make sense?


Not with the explanation provided.

> Not to me, it doesn't. If the server is part
> of the domain and the domain dictates security permissions, the server
> should
> follow those rules, not its own.


That depends if you have GPOs controlling it. There are only certain
security features controlled, unless you dictate otherwise.

> I expect to tear off the features and roles
> over the weekend and add them gradually until the downstream fails again.


What roles are you talking about?

> Perhaps then it will be obvious which service on 08 causes it. It's as
> though
> the 08 server had control of DNS, of DHCP, of RRAS?


Are you saying that the 2008 machine has DHCP, DNS and RRAS installed on it,
as well as the SBS2003? DHCP would be a conflict, the others would be just
services running for no reason, unless 2008 is the edge device or you want
it to be the DNS and RRAS server for VPN, etc.. So I don't quite understand
this and how it relates to the original problem posted.

>
>>
>> I'm not following the reason the lineman disabled bridge mode and, with
>> all
>> due respect, it doesn't make sense. Allow wireless routers with a DNS
>> address to route to the internet with a password to the ISP? What DNS
>> address, and why would a router need a password to access the internet,
>> unless it's ISA, Proxy server or similar type of device/service?

>
>
> With bridge mode, the ISP username/password is not in the chain to the ISP,
> so it would be up to the wireless to have this part of the chain to
> communicate with the ISP in its setup. Lineman was told to get things
> running in any way possible. Without me present, there was no
> username/password (it was there but no one could find it - nor was I
> called).
> SBS PIC knew how to run CEICW so it was handled without me.
>

Oh, so you are saying their router did not have your account settings in it.
The way you explained it threw me off. Now I see. It's not that it's "in the
chain" (which I did not understand what that meant), it's that when put into
bridged mode, that you have to supply your credentials in their router for
it to provide access. See, now that you've explained it this way, I now
understand this part of it.

Either way, as the IT point of contact, you would need to be present
whenever such calls are requested, and for good reason!

Ace
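An added example, not part of Ace's reply, for the "that depends if you have GPOs controlling it" point: before tearing roles off the 2008 server, it is quicker to check what the domain actually pushes to that machine and what its effective local security and audit policy is, since the audit policy decides what shows up as "permission issues" in its Security log. The three tools used (gpresult, secedit, auditpol) ship with Server 2008; the output folder under $env:TEMP is my own choice. Run it elevated on the 2008 member server.

```powershell
# Added example, not from the thread: capture what the domain applies to this
# member server and what its effective security/audit settings are.
$out = Join-Path $env:TEMP 'gp-audit'   # assumed output location
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Resultant Set of Policy for the computer account: which GPOs were applied,
# which were filtered out, and the settings they delivered.
gpresult /scope computer /v > (Join-Path $out 'gpresult-computer.txt')

# Effective local security policy (account policy, user rights, security options).
# Anything here that no GPO sets is the server's own setting, which is
# exactly the "follows its own rules" case Ace describes.
secedit /export /cfg (Join-Path $out 'secpol.inf') /quiet

# Current audit policy: this controls which failures land in the Security log.
auditpol /get /category:* > (Join-Path $out 'auditpol.txt')

# Quick summary: the applied / filtered GPO sections of the gpresult output.
Select-String -Path (Join-Path $out 'gpresult-computer.txt') `
    -Pattern 'Applied Group Policy Objects|filtered out|GPO:' -Context 0,3

Write-Host "Reports written to $out"
```

Read gpresult-computer.txt first: if the only thing listed under the computer's applied GPOs is Default Domain Policy, then RDP, user rights and most of what Jamie is seeing in the Security log are being decided locally on the 2008 server, not by the SBS domain, which is what Ace's answer means in practice.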
 

thejamie

No... but it behaves as though it did.
> Are you saying that the 2008 machine has DHCP, DNS and RRAS installed on it,
> as well as the SBS2003? DHCP would be a conflict, the others would be just
> services running for no reason, unless 2008 is the edge device or you want
> it to be the DNS and RRAS server for VPN, etc.. So I don't quite understand
> this and how it relates to the original problem posted.
>
>
> Either way, as the IT point of contact, you would need to be present
> whenever such calls are requested, and for good reason!
>

Small Businesses, unlike corporate structures, operate autonomously. They
plan to call me if it happens again.
 

Ace Fekay [MCT]

"thejamie" wrote in message
news:7F97DCEB-2544-44BF-A0FA-B0E790D32DCC@microsoft.com...
>
> No... but it behaves as though it did.
>> Are you saying that the 2008 machine has DHCP, DNS and RRAS installed on
>> it,
>> as well as the SBS2003? DHCP would be a conflict, the others would be
>> just
>> services running for no reason, unless 2008 is the edge device or you
>> want
>> it to be the DNS and RRAS server for VPN, etc.. So I don't quite
>> understand
>> this and how it relates to the original problem posted.
>>
>>
>> Either way, as the IT point of contact, you would need to be present
>> whenever such calls are requested, and for good reason!
>>

> Small Businesses, unlike corporate structures, operate autonomously. They
> plan to call me if it happens again.

That's a good idea. Autonomous or not, a presence helps to make sure things
keep rolling! :)

Ace
 
