[isalist] Re: 0x800733f5 error & order of polices issue

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 May 2007 07:37:04 -0700

It is the server itself making the connection and not an internal client?

t
  ----- Original Message ----- 
  From: Danny 
  To: isalist@xxxxxxxxxxxxx 
  Sent: Wednesday, May 16, 2007 7:25 AM
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue


  Local Host.


  On 5/15/07, D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR <DPietruszka@xxxxxx> wrote:
    What did your rule say in the FROM tab, "internal or local host"?



    -----Original Message-----
    From: isalist-bounce@xxxxxxxxxxxxx < isalist-bounce@xxxxxxxxxxxxx>
    To: isalist@xxxxxxxxxxxxx < isalist@xxxxxxxxxxxxx>
    Sent: Tue May 15 16:41:56 2007
    Subject: [isalist] Re: 0x800733f5 error & order of polices issue

    Thanks, Amy. I have created an all outbound rule to the destination IP address and only see the connections to TCP 57017 denied by the last rule (SBS Internet Access). Unfortunately I am being challenged by:

    * The software developer insists the software must run on the server; which happens to be SBS 2003 Prem.
    * The software developer (at this point) will not go beyond stating that TCP 57017 is the only necessary network traffic to be permitted
    * The software is key to this business and there really aren't many alternatives
    * The software runs on the SBS server which is also the ISA server (which should still be possible to figure out)
    * ISA monitoring is not providing me any more detail other than the denied TCP 57017 connection; although I will run another test
    * The software does not have any network settings or pseudo / non-compatible CERN Web proxy settings
    * The all Outbound rule you suggested did not work; although I will run another test
    * The software worked before the ISA firewall was installed because they simply had a NAT router without true firewall functionality

    Cheers,

    ...D




    On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

            Danny,

            

            The order of your policies is not being ignored. ISA will read them top down. Since you're hitting the SBS Internet Access rule this means that the traffic does not apply to the rule that you have created. When that's the case, ISA moves on down and checks the next rule. Finally it reaches the SBS Internet Access Rule and since there's no authentication it is denied.

            So, as I said before, the rule isn't configured correctly. You need to find out what that app wants and then configure your rule accordingly or take my suggestion and set up a rule allowing all outbound to that specific IP address.

            

            Amy

            

            From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
            Sent: Tuesday, May 15, 2007 1:07 PM
            To: isalist@xxxxxxxxxxxxx
            Subject: [isalist] Re: 0x800733f5 error & order of polices issue
           
            

            Jim,
           
            I appreciate your educational tidbits, but when you are dealing with humans and software sometimes assumptions are inevitable. In fact, it is clear that you are not immune to making assumptions.

            1) By stating the obvious that "Assumptions get you nowhere", you assume that assuming is my favorite activity and always gets me positive results
            2) By providing a WSUS and AU 101, you assume that I did not understand the difference between a WSUS client and an Internet-based Automatic Update client, did not read the KB's, was not the one who installed WSUS, and have no clue
            3) By challenging my knowledge of who Amy is, you assume that I had no idea who Amy is and didn't care. First of all, where did I not show respect to Amy? Secondly, do you want all ISA list posts to begin with "Yes, I know who Amy is, so um don't ask me"?

            Anyway, yes, I did bring up some Microsoft pain points and I will respond to any further responses offline. As you know this list has been very flexible with OT posts, so my addition is nothing to call home about.

            Re: cutting off the thread, I would say 70% of the reply content is redundant and has no value in the conversation. The archives should be stored by threaded conversation, but I will respond in the format you request.

            I will analyze the ISAINFO output, but for future reference, can you please direct me to documentation that will explain why the order of policies is being ignored OR why I would not see all denied traffic in the ISA 2004 SP2 monitoring default state (Log record type = Firewall or Web Proxy & Log time = LiveConnection Status = live)?
           
            Thanks,
           
            ...D
           
           
            On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

                   
                    Assumptions get you nowhere.
                    You brought up the plethora of pain-points - expect someone to answer them.
                    WSUS and the Internet-based updates process works very differently, because the WSUS server determines for the client what is required and what is not.  Amy has a clue (several, actually); this is a rare commodity in the SBS community and you should feel free to take advantage of it when it appears.

                    Also, please stop cutting off the thread.  It makes archive searches very nearly meaningless.

                    Regarding the "custom app", the log snips you provide clearly indicate that your rule is not being applied, since the denying rule is quoted as "SBS Internet Access Rule".
                    The best way to express your ISA policies is to use ISAInfo.
                    You can respond offline if you like.
                   
                    Jim
                   
                    -----Original Message-----
                    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                    Sent: Tuesday, May 15, 2007 7:53 AM
                    To: isalist@xxxxxxxxxxxxx
                    Subject: [isalist] Re: 0x800733f5 error & order of polices issue
                   
                   
                    On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

                            Your rule must not be configured correctly. What does your custom rule look like? The only reason that the SBS Internet Access Rule would deny anything outbound is if the app isn't authenticating. It's not uncommon. My bet is that the app doesn't only require that specific TCP high port but a range of them. I'd base the rule on the IP address it's trying to reach instead.


                    The policy is: Custom Protocol TCP 57017 Outbound, from Local Host, to External, All Users.
                   
                   
                    Warning the following section is OT:
                   
                   
                            Yes, the SVCHOST issue is a nuisance. The screeching is loud on the mailing lists. It took me a while to figure out what everyone was complaining about then I realized that I use WSUS everywhere.  Implement WSUS you'll be much happier.

                    You imply that WSUS clients are immune to this? Most of our affected systems are part of WSUS installs. My understanding is the Automatic Update service (aka part of svchost.exe) scans the same way a non-WSUS client does, therefore they are both affected.
                   
                   
                    Sorry for bringing this OT item into the conversation, but the last two months in particular have been difficult to support Microsoft environments when dealing with DNS RPC mgmt vulnerability, ISA 2004 SP3 install woes, a publicly unavailable (two hours MS PSS phone call) KB for restoring the ability to publish Outlook forms to the Organizational Forms Library in Exchange, and this AU/svchost issue - but looks like there is a follow-up:

                    http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx

                    Anyway, can we focus on what I am doing wrong with this ISA issue, that would be much appreciated.
                   
                   
                    ...D
                   
                   

           
           
           
            --
            CPDE - Certified Petroleum Distribution Engineer
            CCBC - Certified Canadian Beer Consumer

                   
 




    --
    CPDE - Certified Petroleum Distribution Engineer
    CCBC - Certified Canadian Beer Consumer





  -- 
  CPDE - Certified Petroleum Distribution Engineer
  CCBC - Certified Canadian Beer Consumer 
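
The top-down rule evaluation discussed in this thread, as an added example that is not part of any poster's message and not ISA Server's own code: a simplified first-match model that reports which rule element (protocol, From, To) caused the custom rule to be skipped before the authenticated rule denies the connection. The rule elements for "Custom TCP 57017" come from the thread; the networks on the stand-in "SBS Internet Access Rule" and the sample connections are constructed assumptions.

```python
from dataclasses import dataclass

# Simplified first-match model. Rule names and elements mirror the thread;
# the matching logic is an assumption, not ISA Server's actual engine.
@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset   # empty set = any protocol
    sources: frozenset
    destinations: frozenset
    requires_auth: bool    # False models "All Users"

@dataclass(frozen=True)
class Conn:
    protocol: str
    source: str
    destination: str
    authenticated: bool = False

def evaluate(rules, conn):
    """Walk rules top down; return (action, rule name, [(skipped rule, element)])."""
    skipped = []
    for rule in rules:
        if rule.protocols and conn.protocol not in rule.protocols:
            skipped.append((rule.name, "protocol"))
        elif conn.source not in rule.sources:
            skipped.append((rule.name, "from"))
        elif conn.destination not in rule.destinations:
            skipped.append((rule.name, "to"))
        elif rule.requires_auth and not conn.authenticated:
            # Elements match but the user set does not: anonymous traffic is
            # denied here instead of falling through to later rules.
            return "deny", rule.name, skipped
        else:
            return "allow", rule.name, skipped
    return "deny", "Default rule", skipped

# Constructed policy: the custom rule as described in the thread, then an
# authenticated-users rule standing in for "SBS Internet Access Rule"
# (its From/To networks are assumed).
POLICY = [
    Rule("Custom TCP 57017", frozenset({"tcp/57017"}),
         frozenset({"Local Host"}), frozenset({"External"}), False),
    Rule("SBS Internet Access Rule", frozenset(),
         frozenset({"Internal", "Local Host"}), frozenset({"External"}), True),
]

if __name__ == "__main__":
    for conn in (Conn("tcp/57017", "Local Host", "External"),
                 Conn("tcp/57018", "Local Host", "External"),
                 Conn("tcp/57017", "Internal", "External")):
        print(conn, "->", evaluate(POLICY, conn))
```

The second and third connections both end in a deny attributed to the last rule, which is what the log shows; only the skipped-element list distinguishes a protocol mismatch from a source-network mismatch.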
