Assumptions get you nowhere. You brought up the plethora of pain-points - expect someone to answer them.

WSUS and the Internet-based updates process works very differently, because the WSUS server determines for the client what is required and what is not.

Amy has a clue (several, actually); this is a rare commodity in the SBS community and you should feel free to take advantage of it when it appears.

Also, please stop cutting off the thread. It makes archive searches very nearly meaningless.

Regarding the "custom app", the log snips you provide clearly indicate that your rule is not being applied, since the denying rule is quoted as "SBS Internet Access Rule". The best way to express your ISA policies is to use ISAInfo. You can respond offline if you like.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Tuesday, May 15, 2007 7:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: 0x800733f5 error & order of polices issue

On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Your rule must not be configured correctly. What does your custom rule look like? The only reason that the SBS Internet Access Rule would deny anything outbound is if the app isn't authenticating. It's not uncommon. My bet is that the app doesn't only require that specific TCP high port but a range of them. I'd base the rule on the IP address it's trying to reach instead.

The policy is: Custom Protocol TCP 57017 Outbound, from Local Host, to External, All Users.

> Warning, the following section is OT: Yes, the SVCHOST issue is a nuisance. The screeching is loud on the mailing lists. It took me a while to figure out what everyone was complaining about, then I realized that I use WSUS everywhere. Implement WSUS; you'll be much happier.

You imply that WSUS clients are immune to this? Most of our affected systems are part of WSUS installs. My understanding is the Automatic Update service (aka part of svchost.exe) scans the same way a non-WSUS client does, therefore they are both affected.

Sorry for bringing this OT item into the conversation, but the last two months in particular have been difficult to support Microsoft environments when dealing with DNS RPC mgmt vulnerability, ISA 2004 SP3 install woes, a publicly unavailable (two hours MS PSS phone call) KB for restoring the ability to publish Outlook forms to the Organizational Forms Library in Exchange, and this AU/svchost issue - but looks like there is a follow-up: http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx

Anyway, can we focus on what I am doing wrong with this ISA issue, that would be much appreciated.

...D