Remote Access Challenges

This blog post was written by MVP Alexander Kent. Alexander is the founder and principal of Kentdome LLC, a Los Angeles, California-based company specializing in enterprise security, custom software engineering, network infrastructure and co-location services. In recent years Alexander has taken a particular interest in the Windows Home Server platform. As a result, Kentdome LLC has produced a number of WHS solutions under his architectural guidance. In addition, Alexander has been a very active technology evangelist, sharing his excitement for the WHS platform. Today he will share some information about Remote Access challenges. Enjoy!

Windows Home Server is generally considered a great file server and backup solution for home users. A lesser-known fact is that it also provides superb Remote Access capabilities. The “Remote Access” feature allows you to control your computers and access files on your Windows Home Server over any Internet connection, from anywhere in the world.

Have you ever traveled somewhere and realized that important files were left at home? Now, with the help of the Windows Home Server Remote Access technology, you can securely reach your home network and interact with it from any machine on the Internet.

Enabling the Remote Access feature prompts the Windows Home Server to try to configure the network automatically to allow inbound connections. Seven times out of ten this works perfectly, but given the sheer number of different devices and the ever-increasing complexity of home networks, configuring your network for Remote Access may have to be a more hands-on process.

This article explains the most frequent Remote Access challenges and then walks you through the steps of making your Windows Home Server accessible across the Internet.

#1) UPnP is not enabled or supported by your router
The Windows Home Server Remote Access Configuration Wizard attempts to configure your router automatically using the Universal Plug and Play (UPnP) standards. UPnP is a set of networking protocols that allow devices to connect, interoperate, and be configured. For this to work, your router must have the UPnP feature enabled and must support the correct UPnP version.

If your router does not support the UPnP protocol, or if your router has UPnP disabled, then the Windows Home Server Remote Access Wizard will report a failure when attempting to configure the router through the Remote Access settings interface.



Figure 1.0: Router configuration failed

In many cases, downloading and installing a firmware update on the router adds UPnP support or fixes UPnP issues. If you have not done any firmware updates, visit your router manufacturer's website to see if any updates are available. We recommend installing the firmware update, enabling UPnP on your router (if applicable), and then running the Windows Home Server Remote Access Configuration Wizard again.

In some cases, Windows Home Server will report an error with the automatic router configuration, but the Remote Access functionality proceeds to work without a problem. This occurs in cases where the UPnP protocol may not be implemented properly on the router and Windows Home Server cannot confirm whether or not configuration was successful.



Figure 2.0: Router configuration failed but remote Web site is available from the Internet. (Okay to proceed!)

If the above information does not solve your problem or UPnP is not available on your router, then you must manually configure port forwarding from your router to your Windows Home Server. To learn more, please visit the Broadband Router Configuration wiki produced by the Home Server Land team in conjunction with the Windows Home Server Remote Access feature team at Microsoft.

WHS Remote Access UPnP Problems from HomeServerLand on Vimeo.

#2) Double NAT

Network Address Translation (NAT) refers to the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. For example, a translation from the Local Area Network (LAN: the private home network) to the Wide Area Network (WAN: the public Internet).

A good example of a NAT device is the network router which can be thought of as the agent between the public Internet and the private home network.

A typical home network is made up of a single network router (NAT), usually with a built-in 4-port switch, and a basic DSL or Cable modem that connects to the Internet.



Figure 3.0: Typical Home Network Diagram

For the Windows Home Server Remote Access website to be available from the Internet, the router needs to be configured to forward inbound web traffic from the Internet to the Windows Home Server on the local network. Therefore, if another NAT device is introduced into the network, it too must be configured accordingly!

A home network containing two devices routing traffic and performing Network Address Translation is known as a Double NAT. Such devices can include a combination of routers, modems, firewalls, wireless access points, and other network devices.

What people often fail to realize is that DSL Modems that employ Point-to-Point Protocol over Ethernet (PPPoE) are frequently performing NAT and other roles such as Internet authentication and DHCP functions.



Figure 4.0: Double NAT network diagram

In a Double NAT environment, the UPnP protocol can only be used to automatically configure the nearest NAT device. Under these conditions, the Remote Access functionality will not work properly, and the Windows Home Server will report a failure when attempting to configure the router through the Remote Access Settings interface.

How do I know if I am behind a double NAT?
To determine whether or not a Double NAT exists, check the WAN (outside) IP address on the router nearest to the Windows Home Server. It should match the public IP address assigned by your Internet Service Provider (ISP). One way to check your public IP address is by visiting a site like http://whatismyipaddress.com/ from your home network.

If the WAN IP address on the router nearest to the Windows Home Server is a private IP address, meaning a non-routable IP address reserved for private use, you are dealing with a Double NAT scenario.



Figure 5.0: IP Address ranges reserved for private use
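
The check described above, as an added example that is not part of the original post: it classifies the router's WAN address against the RFC 1918 private ranges and compares it with the public address seen from the Internet. It goes slightly beyond the article by also recognising the RFC 6598 carrier-grade NAT range; the function name, verdict labels and sample addresses are assumptions made for this example.

```python
import ipaddress

# RFC 1918 ranges: the addresses "reserved for private use" the article refers to.
# Explicit ranges are used instead of ipaddress's is_private, which also matches
# loopback, link-local and documentation blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space (carrier-grade NAT); an addition beyond the article.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Remedies paraphrased from the article (bridge mode, forwarding, contacting the ISP).
ADVICE = {
    "single-nat": "WAN address is the public address; only this router needs port forwarding.",
    "double-nat": "An upstream device is also doing NAT; bridge it or forward ports on it too.",
    "carrier-nat": "The ISP is translating addresses; contact the ISP about inbound access.",
    "mismatch": "WAN address is public but differs from the observed one; recheck both values.",
}

def diagnose_nat(router_wan_ip, public_ip):
    """Classify the NAT layout from the router's WAN IP and the observed public IP."""
    wan = ipaddress.ip_address(router_wan_ip.strip())   # ValueError on malformed input
    pub = ipaddress.ip_address(public_ip.strip())
    if any(pub in net for net in RFC1918) or pub in CGNAT:
        raise ValueError("public_ip must be the address seen from the Internet")
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan in CGNAT:
        return "carrier-nat"
    return "single-nat" if wan == pub else "mismatch"

if __name__ == "__main__":
    # Constructed sample values: (WAN IP shown on the router nearest the server,
    # public IP reported by an external lookup site). 203.0.113.0/24 and
    # 198.51.100.0/24 are documentation ranges standing in for real public IPs.
    samples = [
        ("203.0.113.10", "203.0.113.10"),
        ("192.168.1.2", "203.0.113.10"),
        ("172.20.0.5", "203.0.113.10"),
        ("100.64.3.7", "203.0.113.10"),
        ("198.51.100.4", "203.0.113.10"),
    ]
    for wan, pub in samples:
        verdict = diagnose_nat(wan, pub)
        print(f"{wan:>15} vs {pub}: {verdict} - {ADVICE[verdict]}")
```
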

The solution would be to reconfigure your home network so that only one device is routing data in a NAT configuration. Many network devices, including Cable and DSL modems, support a “bridged” or "transparent" mode of operation, which disables all of the routing and NAT in the device. This effectively puts your other router into the position of managing the Internet authentication and network address translation. Consult your modem manufacturer documentation or contact your ISP for support.

Another common network setup mistake is made by people who wish to add wireless functionality without replacing their existing modem or router. If you attach another router behind or in front of your existing router, you are effectively creating a Double NAT.



Figure 6.0: Double NAT by means of two routers

In this case, the solution would be to consolidate both devices into a single unit that can route traffic to the wired and wireless networks, or to configure port forwarding from the first NAT device to the second NAT device. Alternatively, circumvent the double NAT by attaching the Windows Home Server directly to the first NAT device on the network.

WHS Remote Access: Double NAT from HomeServerLand on Vimeo.

#3) Internet Service Provider is blocking Remote Access Ports

The Remote Access website requires inbound port 80 (HTTP), port 443 (HTTPS) and port 4125 (Remote Web Workplace, or RWW for short) to be available from the Internet. However, many Internet service providers block email-related ports to curb spam or unsolicited commercial usage. In some cases ISPs block additional ports such as the ones required by Windows Home Server Remote Access: inbound port 80 and port 443.
If you have configured your network for Remote Access but the Remote Access website is still not available over the Internet, then contact your ISP to confirm whether or not inbound connectivity on TCP ports 80, 443 or 4125 is being blocked.

Alternatively you can determine whether or not ports are blocked with the Internet Connectivity Evaluation Tool.

WHS Remote Access: ISP Blocking Ports from HomeServerLand on Vimeo.

The Windows Home Server Remote Access functionality is a powerful and convenient feature that is well worth the effort to set up correctly and securely.

Hopefully the above breakdown of some of the most common Windows Home Server Remote Access challenges has been helpful. The Windows Home Server Remote Access feature team at Microsoft and the WHS communities are continuously engaged in improving and compiling data around compatibility and other home network issues. Feedback is always welcome and should you need additional help, please give us a shout in the forums where we can help you further.

-Alexander Kent

