Windows Server 2008 machine only responds to PING from some machines

icmp ping windows-server-2008

I have a colocated Windows Server 2008 machine that replies to PING from some machines but not others (not most machines). I'm not sure where to start to diagnose what the problem is.

The server is a slightly odd setup: The server itself (S1) is running Hyper-V and ADDS. It has one NIC connected via Hyper-V to a virtual machine (S2) which acts as my Remote Access server. This connects all the other VMs and the physical machine to the external virtual network, i.e. to the internet. This has port forwarding for HTTP and HTTPS to a separate VM running as an application server (S3). The remote access server also allows VPN connections, so I normally connect via VPN and then can Remote Desktop or do filesharing or whatever.

When I ping the server's external IP address from my machine or a colleague's machine (whether connected via VPN or not) I get a response. However, when I ping it from other machines (an Amazon machine, various friends' machines, etc.) it times out.

This was working fine some time back and I don't think I changed anything on the server, then it stopped working. Initially this made me think it was something to do with my colocation provider, but they don't think so. And I guess the most likely explanation is something is messed up on my server. But where to start?

In Windows Firewall on S2 (remote access server) I have "File & Printer Sharing (Echo Request – ICMPv4-In)" enabled. It has an IPv4 address. (I did check if enabling the ICMPv6 rule made any difference, but no.)
I also tried changing the default policy on Windows Firewall to Allow instead of Block. This didn't fix the problem so I changed back.

I think the Computer Browser service used to be what responded to ICMP so I've checked and see that's Disabled on the remote access server (S2). I tried enabling and starting it but it stopped immediately. So now I've set it back to disabled.

The three laptops that PING works from are all machines that we connect to the VPN from. I don't see why that would make a difference though. One laptop is part of the same domain, but the others are just part of a workgroup.

Any suggestions?

Also, what part of which machine should be responding to the PING? Is it the physical server or the VM running remote access?

Best Answer

Okay, first: the browser service is unrelated to ICMP/ping. That service operates at a different level in the network stack. Most likely you are on the right track looking at the firewall configuration.

One of the "delightful" aspects of Windows 2008 is that the firewall definitions have multiple dimensions. If you open up Windows Firewall with Advanced Security you can see protocols and ports on one tab (pretty obvious), scope on another one (also pretty obvious), but look at the Advanced tab. There are profiles defined here. Now this is not inherently a problem, except that from time to time, especially after rebooting, Windows 2008 will "helpfully" Change Its Mind. So a profile selection that used to work fine will suddenly stop working, which could very well be what you are encountering here. I've ended up myself resorting to configuring my rules to always have "All profiles" selected on this tab and then rely only on the Scope tab to define allowed in/out ranges, etc.

Hope this helps. Good luck.
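A read-only check for the profile mismatch the answer describes, as an added example that is not part of the original answer: it compares the firewall profile currently in effect with the profiles and remote-address scope of the echo-request rule. It assumes English `netsh` output, and the default rule name is the stock display name, which may differ on your system.

```powershell
# Added example (not from the original answer). Read-only: changes nothing.
# Assumptions: English netsh output; default rule name is the stock display name.
param([string]$RuleName = 'File and Printer Sharing (Echo Request - ICMPv4-In)')

# Profile(s) in effect: header lines look like "Public Profile Settings:"
$active = @(netsh advfirewall show currentprofile | ForEach-Object {
    if ($_ -match '^(Domain|Private|Public) Profile Settings') { $matches[1] }
})

# Split "show rule ... verbose" output into one hashtable per rule.
# Several rules can share a display name, each bound to different profiles.
function ConvertFrom-NetshRule([string[]]$Lines) {
    $rule = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($rule) { $rule }
            $rule = @{ Name = $matches[1].Trim() }
        } elseif ($rule -and $line -match '^(Enabled|Profiles|RemoteIP|Action):\s+(.+)$') {
            $rule[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($rule) { $rule }
}

$raw   = netsh advfirewall firewall show rule name="$RuleName" verbose
$rules = @(ConvertFrom-NetshRule $raw)
if ($rules.Count -eq 0) { Write-Output "No rule named '$RuleName' found."; return }

Write-Output ("Active profile(s): " + [string]::Join(', ', $active))
foreach ($r in $rules) {
    # "Profiles" is a comma-separated list such as "Domain" or "Private,Public"
    $ruleProfiles = $r.Profiles.Split(',') | ForEach-Object { $_.Trim() }
    $applies = @($active | Where-Object { $ruleProfiles -contains $_ }).Count -gt 0
    Write-Output ("Rule enabled={0} action={1} profiles={2} remoteip={3}" -f `
        $r.Enabled, $r.Action, $r.Profiles, $r.RemoteIP)
    if ($r.Enabled -ne 'Yes') {
        Write-Output '  -> rule is disabled'
    } elseif (-not $applies) {
        Write-Output '  -> rule does NOT apply to the active profile (Advanced tab)'
    } elseif ($r.RemoteIP -ne 'Any') {
        Write-Output '  -> rule applies, but only to the listed remote addresses (Scope tab)'
    } else {
        Write-Output '  -> rule applies to the active profile from any remote address'
    }
}
# The "All profiles" setting from the answer corresponds to (run deliberately, not here):
#   netsh advfirewall firewall set rule name="<rule name>" new profile=any
```

Run it from an elevated prompt on the machine that owns the external address, once before and once after a reboot, to see whether the active profile has changed.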
