RESET Forums (homeservershow.com)

Problem using Anywhere Access with Dynamic IP


doliveira

Hi,

 

At my home office I have a server running “Windows Server 2012 R2 Essentials” and I have already set up the Anywhere Access + VPN and all is working fine.

But there is one problem that I explain below:

 

My internet uses a Dynamic IP address that is shared to all the ISP clients in my street and city.

 

The problem is that I have tested to browse the internet dynamic IP instead of using the mycompany.remotewebaccess.com url it will open my server Anywhere Access page.

 

In a simple way, if I type on my browser my internet IP as: 111.111.111.111.remotewebaccess.com it will open the same page as if I type mycompany.remotewebaccess.com

 

---

 

I think this is a security risk and also if someone else on my street or city is using Anywhere Access it can conflict with my own install.

 

So does anyone know what I need to do in order to resolve this problem?

IMPORTANT NOTE: My internet ISP does not allow static IPs, so that is not an option in my case.

 

Thanks

Link to comment
Share on other sites

This is a classic DNS issue.  The record is not getting updated thru the DNS server.  Who is hosting the DNS?  I was having a similar issue with 2011 a couple of weeks ago and it has cleared itself up.

Link to comment
Share on other sites


Hi jmwills,

 

The DNS is not running on the server. Instead it's set up and running on my router (TP-Link TP-ER5120), where I'm using the Google Public DNS service (8.8.8.8 / 8.8.4.4).

Was this what you wanted to know? Can you help me with my problem?

 

Thanks

Link to comment
Share on other sites

Sorry if I am hijacking this thread but would like to know more about TP-ER5120, router.  Why did you choose it and any pros or cons?

Link to comment
Share on other sites

 


 

 

Are you actually typing "111.111.111.111.remotewebaccess.com" or just "111.111.111.111"?  I'm assuming that 111.111.111.111 is your public IP that you got from the router.  Assuming that you are typing just the IP, then this is the typical behavior for a server - it provides the same page regardless of access by IP or by DNS name (actually, with SSL it usually has to provide the same page).

 

I'm a little confused what you mean by "Dynamic IP address that is shared to all the ISP clients in my street and city".  It's typical that dynamic IP's jump around between clients in the same area, but no two clients should have the same public IP, unless the ISP is using NAT, in which case you'd definitely run into some problems if someone else wanted to use remote web access.  Is the IP that you're using the same one that you see if you check the WAN connection status on your router?  As long as your router has a public IP assigned to it, you should be fine.  The only issue that may crop up from time to time is that if your IP changes (usually unlikely unless the router reboots), it may change and may take a little while for the change to propagate through DNS before the server can be accessed by name again.

 

What security risk do you see, can you explain your thoughts there a little better?

Link to comment
Share on other sites

First I want to thank you all for your advice and help on this issue.

 

Did you use a custom Domain name or a Microsoft provided one?

 

I'm using the Free domain provided by Microsoft (xxx.remotewebaccess.com).

 

 

Sorry if I am hijacking this thread but would like to know more about TP-ER5120, router.  Why did you choose it and any pros or cons?

 

I chose the TP-ER5120 because I needed an enterprise-level router for my small office that had to have multi-WAN and good security settings and also handle WAN fiber connections up to 200Mbps properly (this router has a NAT throughput of 350Mbps)... all this at a good price, so I found the TP-Link brand to offer all this and I bought the router. It's been running for almost 2 years and until now, no problem at all.

Anyway, if it was today I would buy the TP-ER6120 model, just because it has a built-in VPN feature. The only downside of the TP-ER6120 is that it only supports 2 WAN ports, when the TP-ER5120 is capable of having 4 WAN ports... but I only need 2 to maintain internet redundancy.

In summary, I'm very satisfied with the TP-Link brand. It seems to have one of the best price/quality/features combinations on the market. The only downside I see is their software, which is good but could be better. You can see for yourself on their website, where they have a live version of the TP-ER6120 admin interface available (the software on the TP-ER5120 is the same, except for the VPN and number of WAN options):

 

http://www.tp-link.us/emulators.html 

 

Are you actually typing "111.111.111.111.remotewebaccess.com" or just "111.111.111.111"?  I'm assuming that 111.111.111.111 is your public IP that you got from the router.  Assuming that you are typing just the IP, then this is the typical behavior for a server - it provides the same page regardless of access by IP or by DNS name (actually, with SSL it usually has to provide the same page).

 

I'm a little confused what you mean by "Dynamic IP address that is shared to all the ISP clients in my street and city".  It's typical that dynamic IP's jump around between clients in the same area, but no two clients should have the same public IP, unless the ISP is using NAT, in which case you'd definitely run into some problems if someone else wanted to use remote web access.  Is the IP that you're using the same one that you see if you check the WAN connection status on your router?  As long as your router has a public IP assigned to it, you should be fine.  The only issue that may crop up from time to time is that if your IP changes (usually unlikely unless the router reboots), it may change and may take a little while for the change to propagate through DNS before the server can be accessed by name again.

 

What security risk do you see, can you explain your thoughts there a little better?

 

I'm typing "my-dynamic-ip-address.remotewebaccess.com". 

 

My internet uses a Dynamic IP, but now you raise a good question about whether or not my Dynamic IP is used by more than one client at the same time. I will call my ISP to ask them about this.

 

About NAT, my ISP provides its own router and the option was to put the ISP router in Bridge Mode and then connect to the WAN port of my own router that is making the NAT. 

 

When I browse to www.whatismyipaddress.com to find my internet public IP address, the result is: 217.129.199.XX. I also leave below the WAN settings on my own router and an example traceroute from my computer to an example website, so you can see whether this helps you understand how my internet/NAT is set up and how it relates to the issue being discussed here.

 

WAN Dynamic IP Status
IP Address: 217.129.199.XX
Subnet Mask: 255.255.248.X 
Default Gateway: 217.129.192.X 
Primary DNS: 8.8.8.8
Secondary DNS: 8.8.4.4

 

C:\>tracert sapo.pt
 
Tracing route to sapo.pt [213.13.146.138] over a maximum of 30 hops:
 
  1    <1 ms    <1 ms    <1 ms  192.168.0.1  >> This is my own router
  2     7 ms     7 ms     7 ms  10.29.0.1  >> I think this is my ISP router that is in bridge mode
  3     7 ms     6 ms     7 ms  pa1-84-91-1-145.netvisao.pt [84.91.1.145]  >> This is already my ISP 
  4    20 ms    20 ms    20 ms  pa1-84-91-0-198.netvisao.pt [84.91.0.198] >> >> This is already my ISP
  5    25 ms    21 ms    21 ms  te0-7-0-1.rcr21.lis01.atlas.cogentco.com [149.6.144.73]
  ....
 10    68 ms    68 ms    69 ms  sapo.pt [213.13.146.138]
 
Trace complete.
 
--
 
The security risk I see is that if someone types my public IP address as "dynamic-ip.remotewebaccess.com", it goes to the same page as if they browse to "mycompanyname.remotewebaccess.com". So if my dynamic IP is shared by many people (at the same time or not, I still don't know; I will have to call my ISP to ask), this can be a security risk, especially if the same IP is being used by more than 1 client at the same time. Just imagine if my next-door neighbour is using the same IP and types IP.remotewebaccess.com in his browser: he will have access to my server login page, which I want to keep private. Also, what will happen if my neighbour is also using a Windows Server with a setup equal to mine? What will happen when we both type ip.remotewebaccess.com... that can be a conflict.

Now this is just an idea, and I don't know if it's possible: if I use a Dynamic DNS service like no-ip.com, can it solve this issue? With a Dynamic DNS service, will I be able to give my server a "static name / address" instead of using the dynamic IP provided by my ISP?

 

 

Can you give us the URL of the remote webaccess?

 

If needed yes. But for security reasons not in a public way. I can send you a personal PM. Is this ok with you?

 

Link to comment
Share on other sites

The only way two computers can have the same public IP is if NAT is in use.  Given that you have a public IP showing on your router, I doubt that is the case.  However, I am slightly confused about your traceroute; it doesn't show the default gateway that your router has in it.  You mention needing two WAN connections for redundancy; are both of them active right now?  If so, I suspect that one of your connections has two NATs in place (not sure if it's the ISP router or at the ISP data center) and the other one does not.  In the case of having multiple computers on the same public IP running server essentials, even if your site was configured to only respond to remote.remotewebaccess.com and the other server responded to home.remotewebaccess.com, there's the possibility that you going to remote.remotewebaccess.com actually takes you to your neighbor's server.  Things like remote web access and VPN require that you have a publicly routed IP address on the router.

 

If you want the server login page to be private, then don't let it be mapped to a public IP.  As long as it's available on the internet, people can access it and generally speaking, security through obscurity isn't much security.  Even if people can find the login page, it is meant to be exposed to the internet in general, that's part of why it uses SSL.  Even if no one else knows the URL or IP address, it's still possible for someone to stumble into the site by accident through other means.

 

By the way, even if you have two connections for your internet, I don't think that your remote web access/VPN connection is taking advantage of them at all.  The dynamic DNS is only going to configure itself for one of your WAN connections, so I'm not sure what would happen if it goes down.  I suspect that if it's down long enough things may reconfigure onto the second WAN connection, depending on how your router behaves.  I'd also worry a little bit that since one of your WAN connections appears to have a double NAT if the server tries to connect through it once, it will break your remote web access completely until the connection reconfigures for the other WAN connection again.

 

While we're discussing security, just in case you're using UPNP right now (default way for the server to configure the router), many people around here strongly recommend that you configure the port forwarding for Server 2012 manually in the router instead.  I believe that the only ports needed anymore are 80 and 443 (that's all I use).  It also reduces the number of errors the server reports about a misconfigured router because something hasn't rebooted or timed out properly yet.

Link to comment
Share on other sites
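The check discussed in the replies above (is the router's WAN address publicly routable, and does it match the address the internet sees?) written out as a small script. This is an added example, not part of the thread: the function names, verdict labels and the 203.0.113.x / 100.72.x.x addresses are constructed placeholders, while the hop addresses come from the traceroute posted earlier.

```python
import ipaddress
import re

# RFC 1918 private ranges and the RFC 6598 range reserved for carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify(addr):
    """Return 'private', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def parse_tracert_hops(output):
    """Extract the responding IPv4 address of each hop from Windows tracert text."""
    hops = []
    for line in output.splitlines():
        if not re.match(r"\s*\d+\s", line):
            continue  # header, footer or blank line
        found = IPV4_RE.findall(line)
        if found:  # timed-out hops ("* * *") carry no address
            hops.append(found[-1])
    return hops


def assess_nat(router_wan_ip, observed_public_ip, tracert_output):
    """Compare the router's WAN address with the externally observed one."""
    wan_class = classify(router_wan_ip)
    same_ip = (ipaddress.ip_address(router_wan_ip)
               == ipaddress.ip_address(observed_public_ip))
    hops = parse_tracert_hops(tracert_output)
    # Hops beyond the first (your own router) that are still non-public.
    inner = [h for h in hops[1:] if classify(h) != "public"]
    if wan_class != "public" or not same_ip:
        # The ISP translates the address: port forwarding cannot work.
        verdict = "behind-isp-nat"
    elif inner:
        # A hint only: ISPs may number internal links privately. Check which
        # WAN link the trace actually used on a multi-WAN router.
        verdict = "public-wan-private-hop"
    else:
        verdict = "public-wan"
    return {"wan_class": wan_class, "private_hops_after_router": inner,
            "verdict": verdict}


# Constructed sample: hop addresses from the thread, timed-out hop added.
SAMPLE_TRACERT = """\
Tracing route to sapo.pt [213.13.146.138] over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     7 ms     7 ms     7 ms  10.29.0.1
  3     7 ms     6 ms     7 ms  pa1-84-91-1-145.netvisao.pt [84.91.1.145]
  4     *        *        *     Request timed out.
  5    68 ms    68 ms    69 ms  sapo.pt [213.13.146.138]

Trace complete.
"""

if __name__ == "__main__":
    # 203.0.113.25 is a documentation address standing in for the real WAN IP.
    print(assess_nat("203.0.113.25", "203.0.113.25", SAMPLE_TRACERT))
    print(assess_nat("100.72.14.9", "203.0.113.25", SAMPLE_TRACERT))
```
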

If 192.168.0.1 is your router why is the gateway set to:

 

Default Gateway: 217.129.192.X

 

Did you set this up manually or let the utility set it up?  I'd recommend doing it manually.

Link to comment
Share on other sites
