[isalist] Re: 0x800733f5 error & order of policies issue

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 16 May 2007 12:54:32 -0400

"Outbound"

On 5/16/07, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

 Which direction is the protocol defined for?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 ------------------------------
*From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
*On Behalf Of *Danny
*Sent:* Wednesday, May 16, 2007 9:35 AM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* [isalist] Re: 0x800733f5 error & order of policies issue

No mention of HTTPS. Just TCP 57017. The parameters, as in the properties
of the policy? As simple as can be:

Order = 1
Action = Allow
Protocols = TCP 57017
From = Local Host
To = External (for testing purposes, otherwise would be destination
Internet IP)
Users = All Users (default)
Schedule = Any time (default)
Content Types = default



On 5/16/07, Amy Babinchak < amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>  https 57017? Are you serious? If so, that developer should be fired.
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Steve Moffat
> *Sent:* Tuesday, May 15, 2007 5:29 PM
> *To:* ISA Mailing List
> *Subject:* [isalist] Re: 0x800733f5 error & order of policies issue
>
>
>
> Add an https tunnel for that port and try it…….
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Danny
> *Sent:* Tuesday, May 15, 2007 5:42 PM
> *To:* ISA Mailing List
> *Subject:* [isalist] Re: 0x800733f5 error & order of policies issue
>
>
>
> Thanks, Amy. I have created an all outbound rule to the destination IP
> address and only see the connections to TCP 57017 denied by the last rule
> (SBS Internet Access). Unfortunately I am being challenged by:
>
> * The software developer insists the software must run on the server;
> which happens to be SBS 2003 Prem.
> * The software developer (at this point) will not go beyond stating that
> TCP 57017 is the only necessary network traffic to be permitted
> * The software is key to this business and there really aren't many
> alternatives
> * The software runs on the SBS server which is also the ISA server
> (which should still be possible to figure out)
> * ISA monitoring is not providing me any more detail other than the
> denied TCP 57017 connection; although I will run another test
> * The software does not have any network settings or pseudo /
> non-compatible CERN Web proxy settings
> * The all Outbound rule you suggested did not work; although I will run
> another test
> * The software worked before the ISA firewall was installed because they
> simply had NAT router without true firewall functionality
>
> Cheers,
>
> ...D
>
>  On 5/15/07, *Amy Babinchak* <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Danny,
>
>
>
> The order of your policies is not being ignored. ISA will read them top
> down. Since you're hitting the SBS Internet Access rule this means that the
> traffic does not apply to the rule that you have created. When that's the
> case, ISA moves on down and checks the next rule. Finally it reaches the SBS
> Internet Access Rule and since there's no authentication it is denied.
>
>
>
> So, as I said before, the rule isn't configured correctly. You need to
> find out what that app wants and then configure your rule accordingly or
> take my suggestion and set up a rule allowing all outbound to that specific
> IP address.
>
>
>
> Amy
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Danny
> *Sent:* Tuesday, May 15, 2007 1:07 PM
>
>
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: 0x800733f5 error & order of policies issue
>
>
>
> Jim,
>
> I appreciate your educational tidbits, but when you are dealing with
> humans and software sometimes assumptions are inevitable. In fact, it is
> clear that you are not immune to making assumptions.
>
> 1) By stating the obvious that "Assumptions get you nowhere", you assume
> that assuming is my favorite activity and always gets me positive results
> 2) By providing a WSUS and AU 101, you assume that I did not understand
> the difference between a WSUS client and an Internet-based Automatic Update
> client, did not read the KB's, was not the one who installed WSUS, and have
> no clue
> 3) By challenging my knowledge of who Amy is, you assume that I had no
> idea who Amy is and didn't care. First of all, where did I not show respect
> to Amy? Secondly, do you want all ISA list posts to begin with "Yes, I know
> who Amy is, so um don't ask me"?
>
> Anyway, yes, I did bring up some Microsoft pain points and I will
> respond to any further responses offline. As you know this list has been
> very flexible with OT posts, so my addition is nothing to call home about.
>
> Re: cutting off the thread, I would say 70% of the reply content is
> redundant and has no value in the conversation. The archives should be
> stored by threaded conversation, but I will respond in the format you
> request.
>
> I will analyze the ISAINFO output, but for future reference, can you
> please direct me to documentation that will explain why the order of policies
> is being ignored OR why I would not see all denied traffic in the ISA 2004
> SP2 monitoring default state (Log record type = Firewall or Web Proxy; Log
> time = Live; Connection Status = live)?
>
> Thanks,
>
> ...D
>
>
> On 5/15/07, *Jim Harrison* <Jim@xxxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Assumptions get you nowhere.
> You brought up the plethora of pain-points - expect someone to answer
> them.
> WSUS and the Internet-based updates process work very differently,
> because the WSUS server determines for the client what is required and
> what is not.  Amy has a clue (several, actually); this is a rare
> commodity in the SBS community and you should feel free to take
> advantage of it when it appears.
>
> Also, please stop cutting off the thread.  It makes archive searches
> very nearly meaningless.
>
> Regarding the "custom app", the log snips you provide clearly indicate
> that your rule is not being applied, since the denying rule is quoted as
> "SBS Internet Access Rule".
> The best way to express your ISA policies is to use ISAInfo.
> You can respond offline if you like.
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>
> On Behalf Of Danny
> Sent: Tuesday, May 15, 2007 7:53 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: 0x800733f5 error & order of policies issue
>
>
> On 5/15/07, Amy Babinchak < amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>         Your rule must not be configured correctly. What does your
> custom rule look like? The only reason that the SBS Internet Access Rule
> would deny anything outbound is if the app isn't authenticating. It's
> not uncommon. My bet is that the app doesn't only require that specific
> TCP high port but a range of them. I'd base the rule on the IP address
> it's trying to reach instead.
>
>
> The policy is: Custom Protocol TCP 57017 Outbound, from Local Host, to
> External, All Users.
>
>
> Warning the following section is OT:
>
>
>         Yes, the SVCHOST issue is a nuisance. The screeching is loud on
> the mailing lists. It took me a while to figure out what everyone was
> complaining about then I realized that I use WSUS everywhere.  Implement
> WSUS you'll be much happier.
>
> You imply that WSUS clients are immune to this? Most of our affected
> systems are part of WSUS installs. My understanding is the Automatic
> Update service (aka part of svchost.exe) scans the same way a non-WSUS
> client does, therefore they are both affected.
>
>
> Sorry for bringing this OT item into the conversation, but the last two
> months in particular have been difficult to support Microsoft
> environments when dealing with DNS RPC mgmt vulnerability, ISA 2004 SP3
> install woes, a publicly unavailable (two hours MS PSS phone call) KB
> for restoring the ability to publish Outlook forms to the Organizational
> Forms Library in Exchange, and this AU/svchost issue - but looks like
> there is a follow-up:
> http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx
>
> Anyway, can we focus on what I am doing wrong with this ISA issue, that
> would be much appreciated.
>
>
> ...D
>
>
>
> --
> CPDE - Certified Petroleum Distribution Engineer
> CCBC - Certified Canadian Beer Consumer

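The first-match evaluation Amy describes (ISA reads the rules top down; traffic that matches none of the rules above it reaches the SBS Internet Access Rule, which denies an app that does not authenticate) and the protocol-direction question Thomas asks can be seen in a small policy simulator. This is an added example written for this page, not ISA code and not something any of the posters supplied. The rule names and the TCP 57017 / Local Host / External settings come from the thread; the shape of the SBS Internet Access Rule (applying to Local Host as well as Internal, restricted to authenticated users), the destination address 203.0.113.10 and the Python names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Simplified model of ISA 2004 firewall-policy evaluation as the thread
# describes it: rules are read top down and the first rule whose protocol
# (including its direction), source, destination and user set all match
# decides the outcome. A rule whose user set requires authentication denies
# anonymous traffic that otherwise matches it, and the final default rule
# denies everything. Illustration only: schedules, content types and
# network relationships are left out.

APP_SERVER = "203.0.113.10"              # assumed destination address (documentation range)
NETWORKS = {"External": {APP_SERVER}}    # assumed: the app server sits in the External network


@dataclass(frozen=True)
class Protocol:
    transport: str   # "TCP" or "UDP"
    port: int
    direction: str   # "Outbound" or "Inbound", as set on the protocol definition


@dataclass
class Rule:
    name: str
    action: str                                 # "Allow" or "Deny"
    protocols: Optional[Set[Protocol]] = None   # None = "All Outbound Traffic"
    src: Set[str] = field(default_factory=lambda: {"Any"})
    dst: Set[str] = field(default_factory=lambda: {"Any"})
    users: str = "All Users"                    # or "All Authenticated Users"


@dataclass(frozen=True)
class Connection:
    transport: str
    port: int
    direction: str
    src: str             # network the connection comes from, e.g. "Local Host"
    dst: str             # network name or IP address it is going to
    authenticated: bool  # did the client present credentials (Firewall/Web Proxy client)


def _net_match(allowed: Set[str], actual: str) -> bool:
    # A destination given as an address matches a rule naming the network it belongs to.
    return any(name == "Any" or actual == name or actual in NETWORKS.get(name, set())
               for name in allowed)


def _proto_match(rule: Rule, c: Connection) -> bool:
    if rule.protocols is None:
        return c.direction == "Outbound"
    return any(p.transport == c.transport and p.port == c.port
               and p.direction == c.direction for p in rule.protocols)


def evaluate(policy: List[Rule], c: Connection) -> Tuple[str, str]:
    """Walk the policy top down; return (result, name of the deciding rule)."""
    for rule in policy:
        if not (_proto_match(rule, c) and _net_match(rule.src, c.src)
                and _net_match(rule.dst, c.dst)):
            continue
        if rule.users != "All Users" and not c.authenticated:
            # Protocol and networks match, but the rule only applies to
            # authenticated users; the log attributes the denial to this rule.
            return ("Denied", rule.name)
        return (rule.action, rule.name)
    return ("Denied", "Default rule")


def build_policy(custom_direction: str, allow_all_to_server: bool = False) -> List[Rule]:
    """Danny's custom rule on top, optionally Amy's all-outbound rule, then the SBS rule."""
    policy = [Rule("Allow TCP 57017", "Allow",
                   protocols={Protocol("TCP", 57017, custom_direction)},
                   src={"Local Host"}, dst={"External"})]
    if allow_all_to_server:
        policy.append(Rule("Allow all outbound to app server", "Allow",
                           protocols=None, src={"Local Host"}, dst={APP_SERVER}))
    # Assumed shape of the SBS rule: covers Local Host too, authenticated users only.
    policy.append(Rule("SBS Internet Access Rule", "Allow", protocols=None,
                       src={"Internal", "Local Host"}, dst={"External"},
                       users="All Authenticated Users"))
    return policy


def app_connection(port: int = 57017, dst: str = "External") -> Connection:
    # The app runs on the ISA box itself and has no proxy settings, so it is
    # a Local Host connection with no credentials attached.
    return Connection("TCP", port, "Outbound", "Local Host", dst, authenticated=False)


if __name__ == "__main__":
    cases = [
        ("protocol defined Outbound", build_policy("Outbound"), app_connection()),
        ("protocol defined Inbound", build_policy("Inbound"), app_connection()),
        ("app also opens TCP 57018", build_policy("Outbound"), app_connection(57018)),
        ("all-outbound rule to server IP", build_policy("Inbound", True),
         app_connection(57018, APP_SERVER)),
    ]
    for label, policy, conn in cases:
        print(f"{label:32s} -> {evaluate(policy, conn)}")
```

Only the first case reaches the custom rule; a protocol defined in the wrong direction, or a second port the app opens, falls straight through to the SBS Internet Access Rule, which is exactly what a log line reading "denied by SBS Internet Access Rule" means. The last case is Amy's workaround: a rule for all outbound traffic to the one destination address matches regardless of port or protocol definition.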