I would like some help with Windows Web Server 2008 connectivity issues Can not browse the web from Windows Web Server 2008, can resolve external DNS names to ip adresses but cannot ping them despitecorporate firewall allowing out ping from all hosts and Network and Sharing Centerred x between domain name and internet.Clicking red X to diagnose results in..."There is more than one active network connection on this computer"AlsoRight click of Local Area Connection -> Diagnosefrom Control Panel\Network and Internet\Network Connections results in...."The IP settings on this computer are not valid"This is a member server on an mixed mode Active Directory Domain Windows 2000 ServerFrom the Command promptipconfig /allWindows IP ConfigurationHost Name . . . . . . . . . . . . : WEB9000Primary Dns Suffix . . . . . . . : domain.comNode Type . . . . . . . . . . . . : HybridIP Routing Enabled. . . . . . . . : NoWINS Proxy Enabled. . . . . . . . : NoDNS Suffix Search List. . . . . . : domain.comEthernet adapter Local Area Connection:Connection-specific DNS Suffix . :Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network ConnectionPhysical Address. . . . . . . . . : 00-0F-1F-71-58-49DHCP Enabled. . . . . . . . . . . : NoAutoconfiguration Enabled . . . . : YesIPv4 Address. . . . . . . . . . . : 172.17.10.210(Preferred)Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 0.0.0.0172.17.10.250DNS Servers . . . . . . . . . . . : 172.17.10.103172.17.9.103Primary WINS Server . . . . . . . : 172.17.11.201NetBIOS over Tcpip. . . . . . . . : EnabledTunnel adapter Local Area Connection* 8:Media State . . . . . . . . . . . : Media disconnectedConnection-specific DNS Suffix . :Description . . . . . . . . . . . : isatap.{7568F2A8-6E88-495A-9721-32208AA9ECB1}Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0DHCP Enabled. . . . . . . . . . . : NoAutoconfiguration Enabled . . . . : YesOperating System: Windows Server 2008note: no IPV6 installed on the LAN nicOther symptoms,VPN clients on subnet 172.16.x.x get ping Destination Host unreachable.VPN clients on subnet 172.16.x.x cannot browse web applications published on this server.But I figured these might be effects of an incorrect Network connection which is what Windows Server seems to be claiming.Extra information, this server is behaving much like an ISA server or gatewaywould, if it did not have the subnet 172.16.x.xdefined as a "LOCAL" Network. Maybe at the firewall level or some incantation of NAP(local), IPsec or a security policy.The functionality of this webserver on the lan with subnets 172.17.10.x , 172.17.9.x has been flawless.How can I monitor that the traffic at the network card. I would like confirmation that this web server is seeing a ping or web request from172.17.x.x and compare that request pattern to 172.17.x.x. Is a utility like etherreal the only way, or does the Firewall monitoring portion ofWindows Server 2008 provide that functionality?

Hi, According to the description, it seems that the Windows Web Server 2008 functions well in the LAN. The system can resolve external DNS names to IP addresses. However, you cannot either ping through the external website or browse the external web. As you mentioned that there is a ISA server in your environment, please check you have a rule that allow the ICMP protocol and HTTP on the ISA server. This can ensure that all the ICMP and HTTP query can be allowed on the ISA server. Meanwhile, you may also monitor the network traffic on ISA server. ISA -> Monitoring -> Logging -> Start Query Q: How can I monitor that the traffic at the network card? Is a utility like ethereal the only way, or does the Firewall monitoring portion of Windows Server 2008 provide that functionality? A: There is a utility called Network Monitor 3.2 which is available via the following link. You can use it to capture all the network traffic on the selective network adapter to analysis this issue. Download: Microsoft Network Monitor 3.2 http://www.microsoft.com/downloads/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&DisplayLang=en For more information, please refer to: How to use Network Monitor to capture network traffic http://support.microsoft.com/kb/812953 Besides, Windows Firewall with Advanced Security also has a built-in tool for monitoring firewall rules, computer connection security rules, and security associations. There is a Monitoring node within the Windows Firewall with Advanced Security Snap-in, you may simply view active firewall rules, active connection security rules and security associations which may affect the network traffic on the local Windows Server 2008 box. For more information, please refer to: Windows Firewall with Advanced Security Getting Started Guide http://technet.microsoft.com/en-us/library/cc748991.aspx#BKMK_6 Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies http://www.microsoft.com/downloads/details.aspx?FamilyID=0B937897-CE39-498E-BB37-751C00F197D9&displaylang=en&displaylang=en Hope it helps.David Shen - MSFT

Thanks for thereply Mr. Shen.The ISA server was only for reference to the exhibited behavior as being similar to howISA or any gateway for that matter will behave if it employs the concepts of local/external subnet definitions, the network topology is such that ISA plays no role in this WebServer's exposure. We use a lone ISA server to publish some selective internal web applications to external customers, The ISA server does not serve as a network edge or gateway for theEnterprise. Other gateway/firewalls do that, our ISA sits in the DMZ. None of the ISA publishedweb applications reside on our new internal 2008 Web Server.This issue has been resolved and it was a simple one but far from obvious using the System as designed. There was an incorrect route table entry on the 2008 Webserver,that incorrect entry was persisted in the registry. How it got there we do not know. No one had usedthe route command on this server, Routing and Remote Access had not been installed. The Server had be restarted many times and had ample opportunity to construct a proper dynamic route table on it's own but none the less there was this forced non-sensical entry. The fault wasit called out two default gateways onthe singled homed host with one of the gateways being the IP address of the network card. Very difficult and inconsistant behavior resulted that affectedbuilt in functionality of Windows networking in non common ways.Obviously we had some fast lessons inWindows Firewall with Advanced Security. But I still don't understand the concept of the Monitoring node. I couldn't see how to configureit so it captures the communicationevent (block/allow) and the Rule in play when a communication is permitted or denied, if that event isn't there what does it"Monitor"? Without events it's just a rules list, not a Monitor. Much like Network Monitor IS a Monitor because it captures traffic events. Pretty confused about this.

Hi, Thanks for the reply. I am glad that the information is helpful. For the concern about the Monitoring node in the Windows Firewall with Advanced Security snap-in, we may just use this folder to monitor both firewall rules and connection security rules that is created using the Windows Firewall with Advanced Security snap-in. In the Windows Firewall with Advanced Security snap-in, Firewall node under the monitoring shows inbound and outbound rules that are currently being applied. Under Firewall, you can also view Connection Security Rules and Security Associations (Main Mode and Quick Mode) that are currently being applied. Formore information, please refer to: Monitoring Windows Firewall with Advanced Security http://technet.microsoft.com/en-us/library/cc725984.aspx Windows Firewall with Advanced Security http://technet.microsoft.com/en-us/library/cc754206.aspx To trouble Windows Firewall, we may need to configure the Widows Firewall with Advanced Security to create log file, for more information, please check the following TechNet document. Tools Used to Troubleshoot Windows Firewall http://technet.microsoft.com/it-it/library/cc749386.aspx#BKMK_10 Hope it helps.David Shen - MSFT