[isalist] Re: 0x800733f5 error & order of polices issue

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 May 2007 10:00:34 -0500

Which direction is the protocol defined for?
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
        Sent: Wednesday, May 16, 2007 9:35 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: 0x800733f5 error & order of polices issue
        
        
        No mention of HTTPS. Just TCP 57017. The parameters, as in the properties of the policy? As simple as can be:

        Order = 1
        Action = Allow
        Protocols = TCP 57017
        From = Local Host
        To = External (for testing purposes, otherwise would be destination Internet IP)
        Users = All Users (default)
        Schedule = Any time (default)
        Content Types = default
        
        
        
        
        On 5/16/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

                https 57017? Are you serious? If so, that developer should be fired.

                 

                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                Sent: Tuesday, May 15, 2007 5:29 PM
                To: ISA Mailing List
                Subject: [isalist] Re: 0x800733f5 error & order of polices issue

                

                 

                Add an https tunnel for that port and try it.......

                 

                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                Sent: Tuesday, May 15, 2007 5:42 PM
                To: ISA Mailing List
                Subject: [isalist] Re: 0x800733f5 error & order of polices issue

                 

                Thanks, Amy. I have created an all outbound rule to the destination IP address and only see the connections to TCP 57017 denied by the last rule (SBS Internet Access). Unfortunately I am being challenged by:

                * The software developer insists the software must run on the server; which happens to be SBS 2003 Prem.
                * The software developer (at this point) will not go beyond stating that TCP 57017 is the only necessary network traffic to be permitted
                * The software is key to this business and there really aren't many alternatives
                * The software runs on the SBS server which is also the ISA server (which should still be possible to figure out)
                * ISA monitoring is not providing me any more detail other than the denied TCP 57017 connection; although I will run another test
                * The software does not have any network settings or pseudo / non-compatible CERN Web proxy settings
                * The all Outbound rule you suggested did not work; although I will run another test
                * The software worked before the ISA firewall was installed because they simply had a NAT router without true firewall functionality
                
                Cheers,
                
                ...D
                
                

                On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

                Danny,

                 

                The order of your policies is not being ignored. ISA will read them top down. Since you're hitting the SBS Internet Access rule this means that the traffic does not apply to the rule that you have created. When that's the case, ISA moves on down and checks the next rule. Finally it reaches the SBS Internet Access Rule and since there's no authentication it is denied.

                So, as I said before, the rule isn't configured correctly. You need to find out what that app wants and then configure your rule accordingly, or take my suggestion and set up a rule allowing all outbound to that specific IP address.

                 

                Amy

                 

                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                Sent: Tuesday, May 15, 2007 1:07 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: 0x800733f5 error & order of polices issue

                 

                Jim, 
                
                I appreciate your educational tidbits, but when you are dealing with humans and software sometimes assumptions are inevitable. In fact, it is clear that you are not immune to making assumptions.

                1) By stating the obvious that "Assumptions get you nowhere", you assume that assuming is my favorite activity and always gets me positive results
                2) By providing a WSUS and AU 101, you assume that I did not understand the difference between a WSUS client and an Internet-based Automatic Update client, did not read the KBs, was not the one who installed WSUS, and have no clue
                3) By challenging my knowledge of who Amy is, you assume that I had no idea who Amy is and didn't care. First of all, where did I not show respect to Amy? Secondly, do you want all ISA list posts to begin with "Yes, I know who Amy is, so um don't ask me"?

                Anyway, yes, I did bring up some Microsoft pain points and I will respond to any further responses offline. As you know this list has been very flexible with OT posts, so my addition is nothing to call home about.

                Re: cutting off the thread, I would say 70% of the reply content is redundant and has no value in the conversation. The archives should be stored by threaded conversation, but I will respond in the format you request.

                I will analyze the ISAINFO output, but for future reference, can you please direct me to documentation that will explain why the order of policies is being ignored OR why I would not see all denied traffic in the ISA 2004 SP2 monitoring default state (Log record type = Firewall or Web Proxy & Log time = LiveConnection Status = live)?

                
                Thanks,
                
                ...D
                
                
                On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

                        http://www.ISAserver.org
                        -------------------------------------------------------

                        Assumptions get you nowhere.
                        You brought up the plethora of pain-points - expect someone to answer them.
                        WSUS and the Internet-based updates process work very differently, because the WSUS server determines for the client what is required and what is not.  Amy has a clue (several, actually); this is a rare commodity in the SBS community and you should feel free to take advantage of it when it appears.

                        Also, please stop cutting off the thread.  It makes archive searches very nearly meaningless.

                        Regarding the "custom app", the log snips you provide clearly indicate that your rule is not being applied, since the denying rule is quoted as "SBS Internet Access Rule".
                        The best way to express your ISA policies is to use ISAInfo.
                        You can respond offline if you like.
                        
                        Jim
                        
                        -----Original Message-----
                        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                        Sent: Tuesday, May 15, 2007 7:53 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: 0x800733f5 error & order of polices issue
                        
                        
                        On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
                        
                                Your rule must not be configured correctly. What does your custom rule look like? The only reason that the SBS Internet Access Rule would deny anything outbound is if the app isn't authenticating. It's not uncommon. My bet is that the app doesn't only require that specific TCP high port but a range of them. I'd base the rule on the IP address it's trying to reach instead.


                        The policy is: Custom Protocol TCP 57017 Outbound, from Local Host, to External, All Users.
                        
                        
                        Warning: the following section is OT.


                                Yes, the SVCHOST issue is a nuisance. The screeching is loud on the mailing lists. It took me a while to figure out what everyone was complaining about, then I realized that I use WSUS everywhere.  Implement WSUS, you'll be much happier.

                        You imply that WSUS clients are immune to this? Most of our affected systems are part of WSUS installs. My understanding is the Automatic Update service (aka part of svchost.exe) scans the same way a non-WSUS client does, therefore they are both affected.


                        Sorry for bringing this OT item into the conversation, but the last two months in particular have been difficult to support Microsoft environments when dealing with the DNS RPC mgmt vulnerability, ISA 2004 SP3 install woes, a publicly unavailable (two hours MS PSS phone call) KB for restoring the ability to publish Outlook forms to the Organizational Forms Library in Exchange, and this AU/svchost issue - but it looks like there is a follow-up:
                        http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx

                        Anyway, can we focus on what I am doing wrong with this ISA issue? That would be much appreciated.


                        ...D
                        
                        
                        All mail to and from this domain is GFI-scanned.

                        ------------------------------------------------------
                        List Archives: //www.freelists.org/archives/isalist/
                        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
                        ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
                        ISA Server Blogs: http://blogs.isaserver.org/
                        ------------------------------------------------------
                        Visit TechGenix.com for more information about our other sites:
                        http://www.techgenix.com
                        ------------------------------------------------------
                        To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
                        Report abuse to listadmin@xxxxxxxxxxxxx

                
                
                
                -- 
                CPDE - Certified Petroleum Distribution Engineer
                CCBC - Certified Canadian Beer Consumer 

                
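Amy's explanation of top-down, first-match rule evaluation and Tom Shinder's question about the protocol's direction, modelled as an added Python example (not ISA code and not anything posted in the thread). The rule contents, network names and the "custom protocol defined as Inbound" case are assumptions constructed for illustration; the SBS Internet Access Rule is simplified to "any protocol, authenticated users only" as the thread describes it.

```python
from collections import namedtuple

# A rule as shown in the thread: Action, Protocols, From, To, Users.
# protocols: tuple of (transport, port, direction); () means "any protocol".
# requires_auth: True for "All Authenticated Users", False for "All Users".
Rule = namedtuple("Rule", "name action protocols sources destinations requires_auth",
                  defaults=(False,))
# One connection as the firewall engine sees it (direction of the protocol included).
Conn = namedtuple("Conn", "transport port direction source destination authenticated")

def rule_matches(rule, c):
    """Protocol, From and To must all match before ISA considers this rule."""
    proto_ok = not rule.protocols or (c.transport, c.port, c.direction) in rule.protocols
    return proto_ok and c.source in rule.sources and c.destination in rule.destinations

def evaluate(policy, c):
    """Top-down, first match wins. A matching rule that requires authentication
    denies anonymous traffic, which is Amy's reading of the logged deny."""
    for rule in policy:
        if rule_matches(rule, c):
            if rule.requires_auth and not c.authenticated:
                return rule.name, "Deny"
            return rule.name, rule.action
    return "Default rule", "Deny"

# Constructed policy: the custom rule at Order = 1, then the SBS Internet Access Rule
# (assumed here to match any protocol from Internal/Local Host to External, auth required).
SBS_RULE = Rule("SBS Internet Access Rule", "Allow", (), ("Internal", "Local Host"),
                ("External",), requires_auth=True)
# Hypothesis behind "which direction is the protocol defined for?": the custom
# protocol was created as Inbound, so the app's outbound traffic never matches it.
CUSTOM_WRONG_DIRECTION = Rule("Custom TCP 57017", "Allow", (("TCP", 57017, "Inbound"),),
                              ("Local Host",), ("External",))
CUSTOM_OUTBOUND = Rule("Custom TCP 57017", "Allow", (("TCP", 57017, "Outbound"),),
                       ("Local Host",), ("External",))
# The app's connection as logged: TCP 57017 outbound from the SBS/ISA box, no auth.
APP_CONN = Conn("TCP", 57017, "Outbound", "Local Host", "External", False)

def diagnose():
    """Which rule decides the app's connection under each version of the custom rule."""
    return {"wrong direction": evaluate([CUSTOM_WRONG_DIRECTION, SBS_RULE], APP_CONN),
            "outbound": evaluate([CUSTOM_OUTBOUND, SBS_RULE], APP_CONN)}
```

With the Inbound definition the connection falls through to the SBS Internet Access Rule and is denied for lack of authentication, exactly the log line Danny describes; with the Outbound definition the custom rule at Order = 1 matches first.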