Have you tried adding an https tunnel for that? Have you tried an all out rule for it, just for log monitoring to see what is different if it's successful?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Tuesday, May 15, 2007 2:07 PM
To: ISA Mailing List
Subject: [isalist] Re: 0x800733f5 error & order of polices issue

Jim,

I appreciate your educational tidbits, but when you are dealing with humans and software sometimes assumptions are inevitable. In fact, it is clear that you are not immune to making assumptions.

1) By stating the obvious that "Assumptions get you nowhere", you assume that assuming is my favorite activity and always gets me positive results.

2) By providing a WSUS and AU 101, you assume that I did not understand the difference between a WSUS client and an Internet-based Automatic Update client, did not read the KB's, was not the one who installed WSUS, and have no clue.

3) By challenging my knowledge of who Amy is, you assume that I had no idea who Amy is and didn't care. First of all, where did I not show respect to Amy? Secondly, do you want all ISA list posts to begin with "Yes, I know who Amy is, so um don't ask me"?

Anyway, yes, I did bring up some Microsoft pain points and I will respond to any further responses offline. As you know this list has been very flexible with OT posts, so my addition is nothing to call home about.

Re: cutting off the thread, I would say 70% of the reply content is redundant and has no value in the conversation. The archives should be stored by threaded conversation, but I will respond in the format you request.

I will analyze the ISAINFO output, but for future reference, can you please direct me to documentation that will explain why the order of policies is being ignored OR why I would not see all denied traffic in the ISA 2004 SP2 monitoring default state (Log record type = Firewall or Web Proxy & Log time = LiveConnection Status = live)?
Thanks,

...D

On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

Assumptions get you nowhere.

You brought up the plethora of pain-points - expect someone to answer them. WSUS and the Internet-based updates process work very differently, because the WSUS server determines for the client what is required and what is not.

Amy has a clue (several, actually); this is a rare commodity in the SBS community and you should feel free to take advantage of it when it appears.

Also, please stop cutting off the thread. It makes archive searches very nearly meaningless.

Regarding the "custom app", the log snips you provide clearly indicate that your rule is not being applied, since the denying rule is quoted as "SBS Internet Access Rule". The best way to express your ISA policies is to use ISAInfo.

You can respond offline if you like.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
Sent: Tuesday, May 15, 2007 7:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: 0x800733f5 error & order of polices issue

On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Your rule must not be configured correctly. What does your custom rule look like? The only reason that the SBS Internet Access Rule would deny anything outbound is if the app isn't authenticating. It's not uncommon. My bet is that the app doesn't only require that specific TCP high port but a range of them. I'd base the rule on the IP address it's trying to reach instead.

The policy is: Custom Protocol TCP 57017 Outbound, from Local Host, to External, All Users.

Warning the following section is OT:

Yes, the SVCHOST issue is a nuisance. The screeching is loud on the mailing lists. It took me a while to figure out what everyone was complaining about then I realized that I use WSUS everywhere. Implement WSUS; you'll be much happier.
You imply that WSUS clients are immune to this? Most of our affected systems are part of WSUS installs. My understanding is the Automatic Update service (aka part of svchost.exe) scans the same way a non-WSUS client does, therefore they are both affected.

Sorry for bringing this OT item into the conversation, but the last two months in particular have been difficult to support Microsoft environments when dealing with DNS RPC mgmt vulnerability, ISA 2004 SP3 install woes, a publicly unavailable (two hours MS PSS phone call) KB for restoring the ability to publish Outlook forms to the Organizational Forms Library in Exchange, and this AU/svchost issue - but looks like there is a follow-up:

http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx

Anyway, can we focus on what I am doing wrong with this ISA issue, that would be much appreciated.

...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer