[isalist] Re: 0x800733f5 error & order of polices issue

The allow all outbound that Amy mentioned is a good test, anyway keep in
mind that it is not unusual (at least I saw that several times) to have
ISA blocking traffic  and don't showing it on the live logging (ok I'm
ready for the replies about this J), the only way to discover it is
using ethereal or some other software.

 

Regards

Diego R. Pietruszka

MSC (USA) - Interlink Transport Technologies

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Tuesday, May 15, 2007 2:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: 0x800733f5 error & order of polices issue

 

Danny,

 

The order of your policies is not being ignored. Isa will read them top
down. Since you're hitting the SBS Internet Access rule this means that
the traffic does not apply to the rule that you have created. When
that's the case, ISA moves on down checks the next rule. Finally it
reaches the SBS Internet Access Rule and since there's no authentication
it is denied. 

 

So, as I said before, the rule isn't configured correctly. You need to
find out what that apps wants and the configure your rule accordingly or
take my suggestion and set up a rule allowing all outbound to that
specific IP address.

 

Amy

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Danny
Sent: Tuesday, May 15, 2007 1:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: 0x800733f5 error & order of polices issue

 

Jim, 

I appreciate your educational tidbits, but when you are dealing with
humans and software sometimes assumptions are inevitable. In fact, it is
clear that you are not immune to making assumptions.

1) By stating the obvious that "Assumptions get you nowhere", you assume
that assuming is my favorite activity and always gets me positive
results 
2) By providing a WSUS and AU 101, you assume that I did not understand
the difference between a WSUS client and an Internet-based Automatic
Update client, did not read the KB's, was not the one who installed
WSUS, and have no clue 
3) By challenging my knowledge of who Amy is, you assume that I had no
idea who Amy is and didn't care. First of all, where did I not show
respect to Amy? Secondly, do you want all ISA list posts to begin with
"Yes, I know who Amy is, so um don't ask me"? 

Anyway, yes, I did bring up some Microsoft pain points and I will
respond to any further responses offline. As you know this list has been
very flexible with OT posts, so my addition is nothing to call home
about. 

Re: cutting off the thread, I would say 70% of the reply content is
redundant and has no value in the conversation. The archives should be
stored by threaded conversation, but I will respond in the format you
request. 

I will analyze the ISAINFO output, but for future reference, can you
please direct me to documentation that will explain why the order of
polices is being ignored OR why I would not see all denied traffic in
the ISA 2004 SP2 monitoring default state (Log record type = Firewall or
Web Proxy & Log time = LiveConnection Status = live)? 

Thanks,

...D


On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

        http://www.ISAserver.org
        -------------------------------------------------------
        
        Assumptions get you nowhere.
        You brought up the plethora of pain-points - expect someone to
answer 
        them.
        WSUS and the Internet-based updates process works very
differently,
        because the WSUS server determines for the client what is
required and
        what is not.  Amy has a clue (several, actually); this is a rare

        commodity in the SBS community and you should feel free to take
        advantage of it when it appears.
        
        Also, please stop cutting off the thread.  It makes archive
searches
        very nearly meaningless.
        
        Regarding the "custom app", the log snips you provide clearly
indicate 
        that your rule is not being applied, since the denying rule is
quoted as
        "SBS Internet Access Rule".
        The best way to express your ISA policies is to use ISAInfo.
        You can respond offline if you like. 
        
        Jim
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] 
        On Behalf Of Danny
        Sent: Tuesday, May 15, 2007 7:53 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: 0x800733f5 error & order of polices issue
        
        
        On 5/15/07, Amy Babinchak < amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
        
                Your rule must not be configured correctly. What does
your
        custom rule look like? The only reason that the SBS Internet
Access Rule 
        would deny anything outbound is if the app isn't authenticating.
It's
        not uncommon. My bet is that the app doesn't only require that
specific
        TCP high port but a range of them. I'd base the rule on the IP
address 
        it's trying to reach instead.
        
        
        The policy is: Custom Protcol TCP 57017 Outbound, from Local
Host, to
        External, All Users.
        
        
        Warning the following section is OT:
        
        
                Yes, the SVCHOST issue is a nuisance. The screeching is
loud on 
        the mailing lists. It took me a while to figure out what
everyone was
        complaining about then I realized that I use WSUS everywhere.
Implement
        WSUS you'll be much happier.
        
        You imply that WSUS clients are immune to this? Most of our
affected 
        systems are part of WSUS installs. My understanding is the
Automatic
        Update service (aka part of svchost.exe) scans the same way a
non-WSUS
        client does, therefore they are both affected.
        
        
        Sorry for bringing this OT item into the conversation, but the
last two 
        months in particular have been difficult to support Microsoft
        environments when dealing with DNS RPC mgmt vulnerability, ISA
2004 SP3
        install woes, a publicly unavailable (two hours MS PSS phone
call) KB
        for restoring the ability to publish Outlook forms to the
Organizational 
        Forms Library in Exchange, and this AU/svchost issue - but looks
like
        there is a follow-up:
        
http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follo

        w-up.aspx
        
        Anyway, can we focus on what I am doing wrong with this ISA
issue, that
        would be much appreciated.
        
        
        ...D
        
        
        All mail to and from this domain is GFI-scanned.
        
        ------------------------------------------------------ 
        List Archives: http://www.freelists.org/archives/isalist/
        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp 
        ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
        ISA Server Blogs: http://blogs.isaserver.org/ 
        ------------------------------------------------------
        Visit TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------ 
        To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
        Report abuse to listadmin@xxxxxxxxxxxxx




-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer 


ExchangeDefender Message Security: Check Authenticity
<http://www.exchangedefender.com/verify.asp?id=l4FIaBX8016705&from=amy@h
arborcomputerservices.net>  

Other related posts: