[isalist] Re: 0x800733f5 error & order of polices issue

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 16 May 2007 12:53:50 -0400

App is on the server and the app is making the connection from the server.

On 5/16/07, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:

 It is the server itself making the connection and not an internal client?

t

----- Original Message -----
*From:* Danny <nocmonkey@xxxxxxxxx>
*To:* isalist@xxxxxxxxxxxxx
*Sent:* Wednesday, May 16, 2007 7:25 AM
*Subject:* [isalist] Re: 0x800733f5 error & order of polices issue

Local Host.

On 5/15/07, D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR <
DPietruszka@xxxxxx> wrote:
>
>  What did your rule say in the FROM tab, "internal or local host"?
>
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx < isalist-bounce@xxxxxxxxxxxxx>
> To: isalist@xxxxxxxxxxxxx < isalist@xxxxxxxxxxxxx>
> Sent: Tue May 15 16:41:56 2007
> Subject: [isalist] Re: 0x800733f5 error & order of polices issue
>
> Thanks, Amy. I have created an all outbound rule to the destination IP
> address and only see the connections to TCP 57017 denied by the last rule
> (SBS Internet Access). Unfortunately I am being challenged by:
>
> * The software developer insists the software must run on the server;
> which happens to be SBS 2003 Prem.
> * The software developer (at this point) will not go beyond stating that
> TCP 57017 is the only necessary network traffic to be permitted
> * The software is key to this business and there really aren't many
> alternatives
> * The software runs on the SBS server which is also the ISA server
> (which should still be possible to figure out)
> * ISA monitoring is not providing me any more detail other than the
> denied TCP 57017 connection; although I will run another test
> * The software does not have any network settings or pseudo /
> non-compatible CERN Web proxy settings
> * The all Outbound rule you suggested did not work; although I will run
> another test
> * The software worked before the ISA firewall was installed because they
> simply had a NAT router without true firewall functionality
>
> Cheers,
>
> ...D
>
>
>
>
> On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>         Danny,
>
>
>
>         The order of your policies is not being ignored. ISA will read
> them top down. Since you're hitting the SBS Internet Access rule this means
> that the traffic does not apply to the rule that you have created. When
> that's the case, ISA moves on down and checks the next rule. Finally it reaches
> the SBS Internet Access Rule and since there's no authentication it is
> denied.
>
>
>
>         So, as I said before, the rule isn't configured correctly. You
> need to find out what that app wants and then configure your rule
> accordingly or take my suggestion and set up a rule allowing all outbound to
> that specific IP address.
>
>
>
>         Amy
>
>
>
>         From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
>         Sent: Tuesday, May 15, 2007 1:07 PM
>
>         To: isalist@xxxxxxxxxxxxx
>         Subject: [isalist] Re: 0x800733f5 error & order of polices issue
>
>
>
>         Jim,
>
>         I appreciate your educational tidbits, but when you are dealing
> with humans and software sometimes assumptions are inevitable. In fact, it
> is clear that you are not immune to making assumptions.
>
>         1) By stating the obvious that "Assumptions get you nowhere",
> you assume that assuming is my favorite activity and always gets me positive
> results
>         2) By providing a WSUS and AU 101, you assume that I did not
> understand the difference between a WSUS client and an Internet-based
> Automatic Update client, did not read the KB's, was not the one who
> installed WSUS, and have no clue
>         3) By challenging my knowledge of who Amy is, you assume that I
> had no idea who Amy is and didn't care. First of all, where did I not show
> respect to Amy? Secondly, do you want all ISA list posts to begin with "Yes,
> I know who Amy is, so um don't ask me"?
>
>         Anyway, yes, I did bring up some Microsoft pain points and I
> will respond to any further responses offline. As you know this list has
> been very flexible with OT posts, so my addition is nothing to call home
> about.
>
>         Re: cutting off the thread, I would say 70% of the reply content
> is redundant and has no value in the conversation. The archives should be
> stored by threaded conversation, but I will respond in the format you
> request.
>
>         I will analyze the ISAINFO output, but for future reference, can
> you please direct me to documentation that will explain why the order of
> policies is being ignored OR why I would not see all denied traffic in the
> ISA 2004 SP2 monitoring default state (Log record type = Firewall or Web
> Proxy & Log time = LiveConnection Status = live)?
>
>         Thanks,
>
>         ...D
>
>
>         On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
>
>                 Assumptions get you nowhere.
>                 You brought up the plethora of pain-points - expect
> someone to answer
>                 them.
>                 WSUS and the Internet-based updates process works very
> differently,
>                 because the WSUS server determines for the client what
> is required and
>                 what is not.  Amy has a clue (several, actually); this
> is a rare
>                 commodity in the SBS community and you should feel free
> to take
>                 advantage of it when it appears.
>
>                 Also, please stop cutting off the thread.  It makes
> archive searches
>                 very nearly meaningless.
>
>                 Regarding the "custom app", the log snips you provide
> clearly indicate
>                 that your rule is not being applied, since the denying
> rule is quoted as
>                 "SBS Internet Access Rule".
>                 The best way to express your ISA policies is to use
> ISAInfo.
>                 You can respond offline if you like.
>
>                 Jim
>
>                 -----Original Message-----
>                 From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>                 On Behalf Of Danny
>                 Sent: Tuesday, May 15, 2007 7:53 AM
>                 To: isalist@xxxxxxxxxxxxx
>                 Subject: [isalist] Re: 0x800733f5 error & order of
> polices issue
>
>
>                 On 5/15/07, Amy Babinchak <
> amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>                         Your rule must not be configured correctly. What
> does your
>                 custom rule look like? The only reason that the SBS
> Internet Access Rule
>                 would deny anything outbound is if the app isn't
> authenticating. It's
>                 not uncommon. My bet is that the app doesn't only
> require that specific
>                 TCP high port but a range of them. I'd base the rule on
> the IP address
>                 it's trying to reach instead.
>
>
>                 The policy is: Custom Protocol TCP 57017 Outbound, from
> Local Host, to
>                 External, All Users.
>
>
>                 Warning the following section is OT:
>
>
>                         Yes, the SVCHOST issue is a nuisance. The
> screeching is loud on
>                 the mailing lists. It took me a while to figure out what
> everyone was
>                 complaining about then I realized that I use WSUS
> everywhere.  Implement
>                 WSUS you'll be much happier.
>
>                 You imply that WSUS clients are immune to this? Most of
> our affected
>                 systems are part of WSUS installs. My understanding is
> the Automatic
>                 Update service (aka part of svchost.exe) scans the same
> way a non-WSUS
>                 client does, therefore they are both affected.
>
>
>                 Sorry for bringing this OT item into the conversation,
> but the last two
>                 months in particular have been difficult to support
> Microsoft
>                 environments when dealing with DNS RPC mgmt
> vulnerability, ISA 2004 SP3
>                 install woes, a publicly unavailable (two hours MS PSS
> phone call) KB
>                 for restoring the ability to publish Outlook forms to
> the Organizational
>                 Forms Library in Exchange, and this AU/svchost issue -
> but looks like
>                 there is a follow-up:
>                 http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx
>
>                 Anyway, can we focus on what I am doing wrong with this
> ISA issue, that
>                 would be much appreciated.
>
>
>                 ...D
>
>
>
>
>
>
>         --
>         CPDE - Certified Petroleum Distribution Engineer
>         CCBC - Certified Canadian Beer Consumer
>
>
>
>
>
>
> --
> CPDE - Certified Petroleum Distribution Engineer
> CCBC - Certified Canadian Beer Consumer
>
>


--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer




--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
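
Added example (not part of the original thread, and not ISA Server code): a simplified first-match model of the top-down rule evaluation described above, reporting which rule element sends server-originated traffic on to the SBS Internet Access Rule. The rule fields, the 203.0.113.10 address, port 57018 and the assumption that the SBS rule covers Local Host are constructed for illustration.

```python
# Simplified first-match model of the rule evaluation described in the thread.
# Not ISA Server code; rule elements and sample values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset              # "From" networks
    ports: frozenset = frozenset()  # TCP ports; empty means any
    dests: frozenset = frozenset()  # destination IPs; empty means any External
    needs_auth: bool = False        # rule applies to authenticated users only

def evaluate(rules, conn):
    """Walk rules top down; return (deciding rule, verdict, skipped), where
    skipped lists (rule name, element that did not match)."""
    skipped = []
    for r in rules:
        if conn["src"] not in r.sources:
            skipped.append((r.name, "From"))
        elif r.ports and conn["port"] not in r.ports:
            skipped.append((r.name, "Protocol"))
        elif r.dests and conn["dst"] not in r.dests:
            skipped.append((r.name, "To"))
        elif r.needs_auth and not conn.get("user"):
            # As described in the thread: the request carries no credentials,
            # so the authenticated rule denies it.
            return r.name, "deny", skipped
        else:
            return r.name, "allow", skipped
    return "Default rule", "deny", skipped  # final deny-all rule

# Assumption: the SBS rule applies to Internal and Local Host sources.
SBS = Rule("SBS Internet Access Rule", frozenset({"Internal", "Local Host"}),
           needs_auth=True)
APP_IP = "203.0.113.10"  # constructed placeholder for the application's server

def policy(custom):
    return [custom, SBS]  # custom rule sits above the SBS rule

# Rule as posted: TCP 57017 outbound, From Local Host, All Users.
as_posted = Rule("Custom TCP 57017", frozenset({"Local Host"}), frozenset({57017}))
# Same rule with From set to Internal instead of Local Host.
from_internal = Rule("Custom TCP 57017", frozenset({"Internal"}), frozenset({57017}))
# The alternative suggested in the thread: all outbound to one IP address.
by_ip = Rule("All outbound to app IP", frozenset({"Local Host"}),
             dests=frozenset({APP_IP}))

server_57017 = {"src": "Local Host", "port": 57017, "dst": APP_IP}
server_other = {"src": "Local Host", "port": 57018, "dst": APP_IP}  # constructed
```

In this model, a deny attributed to the SBS Internet Access Rule means every rule above it was skipped, and the `skipped` list names the element to check first on each of them.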
