[isalist] Re: 0x800733f5 error & order of polices issue

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 May 2007 08:00:31 -0700

http://www.ISAserver.org
-------------------------------------------------------
  
Protocols = TCP 57017
..is only part of the definition.
What is the primary connection; outbound or inbound?
Any secondary connections?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Danny
Sent: Wednesday, May 16, 2007 7:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: 0x800733f5 error & order of polices issue

No mention of HTTPS. Just TCP 57017. The parameters, as in the
properties of the policy? As simple as can be:

Order = 1
Action = Allow
Protocols = TCP 57017
From = Local Host
To = External (for testing purposes, otherwise would be destination
Internet IP) 
Users = All Users (default)
Schedule = Any time (default)
Content Types = default




On 5/16/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

        https 57017? Are you serious? If so, that developer should be
fired.

         

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Tuesday, May 15, 2007 5:29 PM
        
        To: ISA Mailing List
        Subject: [isalist] Re: 0x800733f5 error & order of polices issue

         

        Add an https tunnel for that port and try it.......

         

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
        Sent: Tuesday, May 15, 2007 5:42 PM
        To: ISA Mailing List
        Subject: [isalist] Re: 0x800733f5 error & order of polices issue

         

        Thanks, Amy. I have created an all outbound rule to the
destination IP address and only see the connections to TCP 57017 denied
by the last rule (SBS Internet Access). Unfortunately I am being
challenged by:
        
        * The software developer insists the software must run on the
server; which happens to be SBS 2003 Prem. 
        * The software developer (at this point) will not go beyond
stating that TCP 57017 is the only necessary network traffic to be
permitted
        * The software is key this business and there really aren't many
alternatives 
        * The software runs on the SBS server which is also the ISA
server (which should still be possible to figure out)
        * ISA monitoring is not providing me anymore detail other than
the denied TCP 57017 connection; although I will run another test 
        * The software does not have any network settings or pseudo /
non-compatible CERN Web proxy settings
        * The all Outbound rule you suggested did not work; although I
will run another test
        * The software worked before the ISA firewall was installed
because they simply had NAT router without true firewall functionality 
        
        Cheers,
        
        ...D
        
        

        On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote: 

        Danny,

         

        The order of your policies is not being ignored. ISA will read
them top down. Since you're hitting the SBS Internet Access rule this
means that the traffic does not apply to the rule that you have created.
When that's the case, ISA moves on down and checks the next rule. Finally it
reaches the SBS Internet Access Rule and since there's no authentication
it is denied. 

         

        So, as I said before, the rule isn't configured correctly. You
need to find out what that app wants and then configure your rule
accordingly or take my suggestion and set up a rule allowing all
outbound to that specific IP address.

         

        Amy

         

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
        Sent: Tuesday, May 15, 2007 1:07 PM

        
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: 0x800733f5 error & order of polices issue

         

        Jim, 
        
        I appreciate your educational tidbits, but when you are dealing
with humans and software sometimes assumptions are inevitable. In fact,
it is clear that you are not immune to making assumptions.
        
        1) By stating the obvious that "Assumptions get you nowhere",
you assume that assuming is my favorite activity and always gets me
positive results 
        2) By providing a WSUS and AU 101, you assume that I did not
understand the difference between a WSUS client and an Internet-based
Automatic Update client, did not read the KB's, was not the one who
installed WSUS, and have no clue 
        3) By challenging my knowledge of who Amy is, you assume that I
had no idea who Amy is and didn't care. First of all, where did I not
show respect to Amy? Secondly, do you want all ISA list posts to begin
with "Yes, I know who Amy is, so um don't ask me"? 
        
        Anyway, yes, I did bring up some Microsoft pain points and I
will respond to any further responses offline. As you know this list has
been very flexible with OT posts, so my addition is nothing to call home
about. 
        
        Re: cutting off the thread, I would say 70% of the reply content
is redundant and has no value in the conversation. The archives should
be stored by threaded conversation, but I will respond in the format you
request. 
        
        I will analyze the ISAINFO output, but for future reference, can
you please direct me to documentation that will explain why the order of
policies is being ignored OR why I would not see all denied traffic in
the ISA 2004 SP2 monitoring default state (Log record type = Firewall or
Web Proxy & Log time = Live, Connection Status = live)? 
        
        Thanks,
        
        ...D
        
        
        On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

                http://www.ISAserver.org
                -------------------------------------------------------
                
                Assumptions get you nowhere.
                You brought up the plethora of pain-points - expect
someone to answer 
                them.
                WSUS and the Internet-based updates process works very
differently,
                because the WSUS server determines for the client what
is required and
                what is not.  Amy has a clue (several, actually); this
is a rare 
                commodity in the SBS community and you should feel free
to take
                advantage of it when it appears.
                
                Also, please stop cutting off the thread.  It makes
archive searches
                very nearly meaningless.
                
                Regarding the "custom app", the log snips you provide
clearly indicate 
                that your rule is not being applied, since the denying
rule is quoted as
                "SBS Internet Access Rule".
                The best way to express your ISA policies is to use
ISAInfo.
                You can respond offline if you like. 
                
                Jim
                
                -----Original Message-----
                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                Sent: Tuesday, May 15, 2007 7:53 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: 0x800733f5 error & order of
polices issue
                
                
                On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
                
                        Your rule must not be configured correctly. What
does your
                custom rule look like? The only reason that the SBS
Internet Access Rule 
                would deny anything outbound is if the app isn't
authenticating. It's
                not uncommon. My bet is that the app doesn't only
require that specific
                TCP high port but a range of them. I'd base the rule on
the IP address 
                it's trying to reach instead.
                
                
                The policy is: Custom Protocol TCP 57017 Outbound, from
Local Host, to External, All Users.
                
                
                Warning the following section is OT:
                
                
                        Yes, the SVCHOST issue is a nuisance. The
screeching is loud on 
                the mailing lists. It took me a while to figure out what
everyone was
complaining about, then I realized that I use WSUS
everywhere.  Implement
                WSUS; you'll be much happier.
                
                You imply that WSUS clients are immune to this? Most of
our affected 
                systems are part of WSUS installs. My understanding is
the Automatic
                Update service (aka part of svchost.exe) scans the same
way a non-WSUS
                client does, therefore they are both affected.
                
                
                Sorry for bringing this OT item into the conversation,
but the last two 
                months in particular have been difficult to support
Microsoft
                environments when dealing with DNS RPC mgmt
vulnerability, ISA 2004 SP3
                install woes, a publicly unavailable (two hours MS PSS
phone call) KB
                for restoring the ability to publish Outlook forms to
the Organizational 
                Forms Library in Exchange, and this AU/svchost issue -
but looks like
                there is a follow-up:
        
                http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx
                
                Anyway, can we focus on what I am doing wrong with this
ISA issue, that
                would be much appreciated.
                
                
                ...D
                
                
                All mail to and from this domain is GFI-scanned.
                
                ------------------------------------------------------ 
                List Archives:
//www.freelists.org/archives/isalist/
                ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp 
                ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
                ISA Server Blogs: http://blogs.isaserver.org/ 
                ------------------------------------------------------
                Visit TechGenix.com for more information about our other
sites:
                http://www.techgenix.com
                ------------------------------------------------------ 
                To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
                Report abuse to listadmin@xxxxxxxxxxxxx

        
        
        
        -- 
        CPDE - Certified Petroleum Distribution Engineer
        CCBC - Certified Canadian Beer Consumer 

        
        ExchangeDefender Message Security: Check Authenticity
        <http://www.exchangedefender.com/verify.asp?id=l4FIaBX8016705&from=amy@harborcomputerservices.net>

        
        
        




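As an added illustration (not from any of the posters and not ISA Server code), here is a constructed Python model of the two points made in the thread: rules are read top-down and the first rule whose elements all match decides, and a protocol definition is more than a port number because it also carries the primary connection direction. The rule names, network names and the "authenticated-only allow rule denies anonymous traffic" behaviour are modelled on what Amy and Jim describe; everything else (class and function names, the sample policy) is an assumption made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of first-match firewall policy evaluation.
# Added example modelled on the behaviour described in the thread: rules are
# read top-down, a protocol definition includes the primary connection
# direction, and an allow rule that requires authentication denies anonymous
# traffic that otherwise matches it. This is not ISA Server's engine.


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str   # "TCP" or "UDP"
    port: int
    direction: str   # primary connection direction: "outbound" or "inbound"


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str                                 # "allow" or "deny"
    protocols: Optional[Tuple[Protocol, ...]]   # None = all outbound traffic
    sources: frozenset
    destinations: frozenset
    users: str                                  # "all" or "authenticated"


@dataclass(frozen=True)
class Connection:
    transport: str
    port: int
    direction: str
    source: str
    destination: str
    user: Optional[str]   # None = anonymous, i.e. no authentication presented


def traffic_matches(rule: Rule, conn: Connection) -> bool:
    """Protocol element of a rule: transport, port AND direction must agree."""
    if rule.protocols is None:
        return conn.direction == "outbound"
    return any(p.transport == conn.transport and p.port == conn.port
               and p.direction == conn.direction for p in rule.protocols)


def evaluate(policy: List[Rule], conn: Connection) -> Tuple[str, str]:
    """Walk the policy in order; the first rule whose elements match decides."""
    for rule in sorted(policy, key=lambda r: r.order):
        if (conn.source not in rule.sources
                or conn.destination not in rule.destinations
                or not traffic_matches(rule, conn)):
            continue  # this rule does not apply; move on down to the next one
        if rule.users == "authenticated" and conn.user is None:
            # Every other element matched but the connection is anonymous,
            # so this rule is the one that denies it and is named in the log.
            return "deny", rule.name
        return rule.action, rule.name
    return "deny", "Default rule"


def build_policy(app_direction: str) -> List[Rule]:
    """Constructed two-rule policy: the custom app rule, then the SBS rule."""
    app_proto = Protocol("TCP 57017", "TCP", 57017, app_direction)
    return [
        Rule(1, "Custom app TCP 57017", "allow", (app_proto,),
             frozenset({"Local Host"}), frozenset({"External"}), "all"),
        Rule(2, "SBS Internet Access Rule", "allow", None,
             frozenset({"Internal", "Local Host"}), frozenset({"External"}),
             "authenticated"),
    ]


# Constructed connection attempt: the app on the SBS/ISA box going outbound.
APP_CONN = Connection("TCP", 57017, "outbound", "Local Host", "External", user=None)


def compare_definitions() -> dict:
    """Same connection against the custom rule with an inbound vs outbound protocol."""
    return {direction: evaluate(build_policy(direction), APP_CONN)
            for direction in ("inbound", "outbound")}


if __name__ == "__main__":
    for direction, (action, rule) in compare_definitions().items():
        print(f"protocol defined as {direction:8}: {action} by '{rule}'")
```

Running it shows the symptom from the logs: with the protocol defined in the wrong direction, rule 1 never applies, the connection falls through to the SBS Internet Access Rule, and that rule is the one quoted in the denial; with the direction corrected, rule 1 allows it before the SBS rule is ever consulted.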
