RE: Firewall dropping packets from some machines

  • From: "Kenny Mann" <Kennymann@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 Feb 2005 09:03:56 -0600

So I found the problem (which illustrates that I didn't know as much as
I thought I did of ISA 2000).
The problem was the ports I was using (for example, SSH 22 TCP Outbound)
were not listed in the protocol definitions.
I merely assumed (ok, lesson learned there -- being in the support field
for a while I should have known better) that having a protocol rule of
'all IP traffic' allowed would just work. I was wrong (or else I have my
firewall misconfigured).
For some reason I also found a few dupes (such as FTP) -- so I cleaned
those out as well.
I thought I would post to the list and let everyone know what my issue
was, in case someone else runs across this.

Have a great day and thanks for the help!

Kenny


-----Original Message-----
From: Kenny Mann 
Sent: Tuesday, January 25, 2005 8:24 AM
To: '[ISAserver.org Discussion List]'
Subject: RE: [isalist] RE: Firewall dropping packets from some machines


Indeed.
Actually here's the history.
About two and a half years ago, I got hired here -- knowing barely the
basics of server stuff, networking etc. About a month after I'm hired,
I'm told "Hey, we're getting this server, it does our mail and firewall
and stuff. Watch the guy install it and ask questions.... You're going
to be taking care of it." Since then I've been learning and fighting
mgmt to do things "the right way" from what I learn from this mailing
list and stuff I've read from book stores. Originally we had ISA,
Exchange, Symantec (+ Exchange filter), and ISS all on a single machine
for 50 people. It eventually started getting hiccups so we ended up
doing a move to another server and doing stuff significantly better.

Originally the guy who installed it didn't seem to care about all IP i/o
and thought I was overly paranoid about too many things... While he did
point out it was foolish of me to have my name everywhere in creation
instead of placing it in domain admin (or administrators or something
equivalent instead -- or heck, even just staying user and using the
administrator account).

Since then I've been going through and going "ughhh no, that's just
bad... I think" So, I do appreciate your words of wisdom. Thinking about
it now, I should probably run netstat and do some serious limiting about
what's going on here.

After spending some time yesterday going through everything and getting
a full mental map of how things are versus how they (ideally) should
be... I've got a ton of work to do.

I'll say again, I really do appreciate your advice.

Kenny

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: Monday, January 24, 2005 2:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Firewall dropping packets from some machines


http://www.ISAserver.org

Hi Kenny....don't take this the wrong way.
 
What do you mean all ip access in and out...for what
protocols???....that's just stupid, exchange should be published and
only allow the protocols from it that it needs...ie smtp out and ftp for
GFI. Very very bad security.

________________________________

From: Kenny Mann [mailto:Kennymann@xxxxxxxxxxx] 
Sent: Monday, January 24, 2005 4:17 PM
To: ISA Mailing List
Subject: [isalist] RE: Firewall dropping packets from some machines


http://www.ISAserver.org

Sorry, I should clarify further.
Exchange has all ip access in and out.
Back when I first started working here, I foolishly added myself to
everywhere in creation as an admin. I've recently learned the error in
my ways and am plugging the bugs. I'm still going through the services
and telling it to launch as its own account (for example: gfi_updater
account because we use Firefox and my boss says he wants to track where
everyone goes, thusly we need to force a proxy).
 
ISA firewall client is installed on all machines except, of course, the
non-Windows PCs (Linux and QNX 4.25). These PCs are having issues as
well (but I think that's because I've set the firewall to ask for
authentication from anon users). This particular issue is a "You usually
use HTTPS over port 443, you were trying on port 80 which isn't
allowed..."  -- my trying to use rsync. I thought that giving this IP
block unrestricted IP access would fix this, but apparently not. I
should research the ladder of ISA and see where in the ladder what
happens.
 
I have some money... I'm going to buy an ISA book... I don't know enough
as I should... While I'm not a beginner in this field, I believe I have
much to learn... I'm the first and only admin here... so a whole lot of
"oops, what was I thinking?!"  are cropping up about now as I'm going
over these things.
 
I think, over time, the error in my ways (adding myself in many 'o
places ) is biting me and is causing permission weirdness. I say this
because when I deny access over SSH Putty says it can't communicate or
something of the equivalent. However what I'm seeing is it connect and
then disconnect. Remote desktop does this as well.
 
Hmm.
 
Kenny

        -----Original Message-----
        From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
        Sent: Monday, January 24, 2005 1:58 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Firewall dropping packets from some
machines
        
        
        http://www.ISAserver.org
        
        A couple of things.... Exchange has godly
rights...why??...should be published...and an ftp rule to allow updates
from GFI only.
         
        Is the firewall client installed on the workstations, if not how
is ISA to know who is using these protocols. 
         
        If I was you...and I'm not....:), give the authorized users dhcp
reservations and create an address set for then within ISA for the
protocols you want to allow them.
         
        S
         
         

________________________________

        From: Kenny Mann [mailto:Kennymann@xxxxxxxxxxx] 
        Sent: Monday, January 24, 2005 3:49 PM
        To: ISA Mailing List
        Subject: [isalist] RE: Firewall dropping packets from some
machines
        
        
        http://www.ISAserver.org
        
        Sorry, I neglected to give hardware/OS specs.
        ISA 2000 - dedicated mode w/ Windows Server 2003.
        Machine is a Compaq ProLiant ML330 with 2GB of memory.
         
        Kenny

                -----Original Message-----
                From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
                Sent: Monday, January 24, 2005 1:17 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: Firewall dropping packets from
some machines
                
                
                http://www.ISAserver.org
                
                Which version of ISA??
                 
                S

________________________________

                From: Kenny Mann [mailto:Kennymann@xxxxxxxxxxx] 
                Sent: Monday, January 24, 2005 12:30 PM
                To: ISA Mailing List
                Subject: [isalist] Firewall dropping packets from some
machines
                
                
                http://www.ISAserver.org
                
                I'm having some issues that are difficult to pin down
what is going on.
                I currently use SSH to get out of my network here (work)
to get into my box at home.
                I use Putty.
                It's not only SSH that has this problem, but it's enough
to relate to right now...
                For a while, life was good and it all worked hunky dory
(sp?).
                Then out of nowhere (gasp?) it stopped. More than
likely I tweaked a setting, added a patch, or did something stupid and
didn't notice it.
                 
                Here is where the fun part comes in.
                If I create a Client Address Set and create a protocol
rule to allow full outbound access to whatever I want, it works as if by
magic.
                However, if I create a protocol rule and allow certain
users (such as myself) full outbound access, it does not work.
                When I say it doesn't work, instead of blocking my
packets directly, it just drops them.
                What happens is Putty tries to connect, makes the first
connection, then ISA blocks it.
                Many other programs are running into the same issues.
                I really don't like adding tons of Client Address Set
for this because it just sounds wrong and insecure -- and difficult
(DHCP -- except for our mail server and ISA server).
                 
                Has anyone run into this before?
                I've paid to have someone come out here and spend an
hour trying to figure out what the heck is going on, but he couldn't
figure it out and needed more time.
                At the time it was only SSH and remote desktop, which I
was able to deal without at the time and live with the CAS method. Now
it seems, other things aren't working that I didn't notice.
                I got MailEssentials for Exchange and it says it fails
to update (yes, it's on the mail server -- which should have godly
rights -- and still doesn't work).
                 
                Yes, in the previous paragraph I say the Client
Address Set method doesn't work for that computer and yet in the passage
before that one, I say it works. I should say that it's picky about the
machines it wants to work on.
                 
                I have looked at my logs and it shows nothing.
                 
                I'm halfway tempted to reinstall ISA Server just
because this is a little too weird to be a config problem... Thoughts?
                 
                Kenny
                ------------------------------------------------------
                List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
                ------------------------------------------------------
                Other Internet Software Marketing Sites:
                World of Windows Networking:
http://www.windowsnetworking.com
                Leading Network Software Directory:
http://www.serverfiles.com
                No.1 Exchange Server Resource Site:
http://www.msexchange.org
                Windows Security Resource Site:
http://www.windowsecurity.com/
                Network Security Library: http://www.secinf.net/
                Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
                ------------------------------------------------------
                You are currently subscribed to this ISAserver.org
Discussion List as: isalist@xxxxxxxxxx
                To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                Report abuse to listadmin@xxxxxxxxxxxxx