"Outbound"

On 5/16/07, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

Which direction is the protocol defined for?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

------------------------------

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Wednesday, May 16, 2007 9:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: 0x800733f5 error & order of policies issue

No mention of HTTPS. Just TCP 57017.

The parameters, as in the properties of the policy? As simple as can be:

Order = 1
Action = Allow
Protocols = TCP 57017
From = Local Host
To = External (for testing purposes, otherwise would be destination Internet IP)
Users = All Users (default)
Schedule = Any time (default)
Content Types = default

On 5/16/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> https 57017? Are you serious? If so, that developer should be fired.
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> Sent: Tuesday, May 15, 2007 5:29 PM
> To: ISA Mailing List
> Subject: [isalist] Re: 0x800733f5 error & order of policies issue
>
> Add an https tunnel for that port and try it...
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> Sent: Tuesday, May 15, 2007 5:42 PM
> To: ISA Mailing List
> Subject: [isalist] Re: 0x800733f5 error & order of policies issue
>
> Thanks, Amy. I have created an all outbound rule to the destination IP
> address and only see the connections to TCP 57017 denied by the last rule
> (SBS Internet Access). Unfortunately I am being challenged by:
>
> * The software developer insists the software must run on the server,
>   which happens to be SBS 2003 Prem.
> * The software developer (at this point) will not go beyond stating that
>   TCP 57017 is the only necessary network traffic to be permitted
> * The software is key to this business and there really aren't many
>   alternatives
> * The software runs on the SBS server which is also the ISA server
>   (which should still be possible to figure out)
> * ISA monitoring is not providing me any more detail other than the
>   denied TCP 57017 connection; although I will run another test
> * The software does not have any network settings or pseudo /
>   non-compatible CERN Web proxy settings
> * The all Outbound rule you suggested did not work; although I will run
>   another test
> * The software worked before the ISA firewall was installed because they
>   simply had a NAT router without true firewall functionality
>
> Cheers,
>
> ...D
>
> On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Danny,
>
> The order of your policies is not being ignored. ISA will read them top
> down. Since you're hitting the SBS Internet Access rule this means that the
> traffic does not apply to the rule that you have created. When that's the
> case, ISA moves on down and checks the next rule. Finally it reaches the SBS
> Internet Access Rule and since there's no authentication it is denied.
>
> So, as I said before, the rule isn't configured correctly. You need to
> find out what that app wants and then configure your rule accordingly, or
> take my suggestion and set up a rule allowing all outbound to that specific
> IP address.
>
> Amy
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> Sent: Tuesday, May 15, 2007 1:07 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: 0x800733f5 error & order of policies issue
>
> Jim,
>
> I appreciate your educational tidbits, but when you are dealing with
> humans and software sometimes assumptions are inevitable. In fact, it is
> clear that you are not immune to making assumptions.
>
> 1) By stating the obvious that "Assumptions get you nowhere", you assume
>    that assuming is my favorite activity and always gets me positive results
> 2) By providing a WSUS and AU 101, you assume that I did not understand
>    the difference between a WSUS client and an Internet-based Automatic Update
>    client, did not read the KBs, was not the one who installed WSUS, and have
>    no clue
> 3) By challenging my knowledge of who Amy is, you assume that I had no
>    idea who Amy is and didn't care. First of all, where did I not show respect
>    to Amy? Secondly, do you want all ISA list posts to begin with "Yes, I know
>    who Amy is, so um don't ask me"?
>
> Anyway, yes, I did bring up some Microsoft pain points and I will
> respond to any further responses offline. As you know this list has been
> very flexible with OT posts, so my addition is nothing to call home about.
>
> Re: cutting off the thread, I would say 70% of the reply content is
> redundant and has no value in the conversation. The archives should be
> stored by threaded conversation, but I will respond in the format you
> request.
>
> I will analyze the ISAINFO output, but for future reference, can you
> please direct me to documentation that will explain why the order of policies
> is being ignored OR why I would not see all denied traffic in the ISA 2004
> SP2 monitoring default state (Log record type = Firewall or Web Proxy & Log
> time = Live, Connection Status = Live)?
>
> Thanks,
>
> ...D
>
> On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
> Assumptions get you nowhere.
> You brought up the plethora of pain-points - expect someone to answer
> them.
> WSUS and the Internet-based updates process work very differently,
> because the WSUS server determines for the client what is required and
> what is not. Amy has a clue (several, actually); this is a rare
> commodity in the SBS community and you should feel free to take
> advantage of it when it appears.
>
> Also, please stop cutting off the thread. It makes archive searches
> very nearly meaningless.
>
> Regarding the "custom app", the log snips you provide clearly indicate
> that your rule is not being applied, since the denying rule is quoted as
> "SBS Internet Access Rule".
> The best way to express your ISA policies is to use ISAInfo.
> You can respond offline if you like.
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Danny
> Sent: Tuesday, May 15, 2007 7:53 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: 0x800733f5 error & order of policies issue
>
> On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > Your rule must not be configured correctly. What does your
> > custom rule look like? The only reason that the SBS Internet Access Rule
> > would deny anything outbound is if the app isn't authenticating. It's
> > not uncommon. My bet is that the app doesn't only require that specific
> > TCP high port but a range of them. I'd base the rule on the IP address
> > it's trying to reach instead.
>
> The policy is: Custom Protocol TCP 57017 Outbound, from Local Host, to
> External, All Users.
>
> Warning: the following section is OT.
>
> > Yes, the SVCHOST issue is a nuisance. The screeching is loud on
> > the mailing lists. It took me a while to figure out what everyone was
> > complaining about, then I realized that I use WSUS everywhere. Implement
> > WSUS and you'll be much happier.
>
> You imply that WSUS clients are immune to this? Most of our affected
> systems are part of WSUS installs. My understanding is the Automatic
> Update service (aka part of svchost.exe) scans the same way a non-WSUS
> client does, therefore they are both affected.
>
> Sorry for bringing this OT item into the conversation, but the last two
> months in particular have been difficult to support Microsoft
> environments when dealing with the DNS RPC mgmt vulnerability, ISA 2004 SP3
> install woes, a publicly unavailable (two-hour MS PSS phone call) KB
> for restoring the ability to publish Outlook forms to the Organizational
> Forms Library in Exchange, and this AU/svchost issue - but it looks like
> there is a follow-up:
> http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx
>
> Anyway, can we focus on what I am doing wrong with this ISA issue? That
> would be much appreciated.
>
> ...D
>
> --
> CPDE - Certified Petroleum Distribution Engineer
> CCBC - Certified Canadian Beer Consumer
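Added example, not from the list thread: a small Python model of the top-down, first-match evaluation Amy describes, including the direction set on the protocol definition that Dr. Shinder asks about. The Rule, Protocol and Connection shapes, the network names and the "authenticated users only" handling of the SBS Internet Access Rule are constructed for this illustration, not ISA's own API or policy.

```python
from dataclasses import dataclass

@dataclass
class Protocol:
    transport: str   # "TCP" or "UDP"
    ports: range     # port range on the protocol definition
    direction: str   # direction on the protocol definition: "Outbound" or "Inbound"

@dataclass
class Rule:
    name: str
    action: str           # "Allow" or "Deny"
    protocols: list       # empty = "All outbound traffic"
    src: set              # source network names, e.g. {"Local Host"}
    dst: set              # destination network names, e.g. {"External"}
    requires_auth: bool = False   # rule applies to authenticated users only

@dataclass
class Connection:
    transport: str
    dst_port: int
    src: str
    dst: str
    authenticated: bool = False

def rule_matches(rule: Rule, conn: Connection) -> bool:
    # Networks, transport, port AND the protocol's defined direction must all line up.
    if conn.src not in rule.src or conn.dst not in rule.dst:
        return False
    if not rule.protocols:          # "All outbound traffic"
        return True
    return any(p.transport == conn.transport and conn.dst_port in p.ports
               and p.direction == "Outbound" for p in rule.protocols)

def evaluate(policy: list, conn: Connection) -> tuple:
    # Top-down, first match; an allow rule that needs credentials the client
    # never sent is logged as a deny by that rule, as the thread describes.
    for rule in policy:
        if rule_matches(rule, conn):
            if rule.action == "Allow" and rule.requires_auth and not conn.authenticated:
                return rule.name, "Deny"
            return rule.name, rule.action
    return "Default rule", "Deny"

def build_policy(custom_direction: str) -> list:
    # Constructed two-rule policy: rule 1 is the custom TCP 57017 rule, the last
    # rule stands in for the SBS Internet Access Rule (authenticated users only).
    custom = Protocol("TCP", range(57017, 57018), custom_direction)
    return [Rule("Custom TCP 57017", "Allow", [custom], {"Local Host"}, {"External"}),
            Rule("SBS Internet Access Rule", "Allow", [], {"Local Host", "Internal"},
                 {"External"}, requires_auth=True)]
```

With the protocol defined Outbound the app's connection is allowed by rule 1; defined Inbound, or if the app uses a port outside 57017 as Amy suspects, it falls through and is denied by the SBS Internet Access Rule, which is exactly the log line Danny sees.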