Hi Stuart,

Thanks! The point is that the vendor is responsible for knowing the protocols their application uses. If they don't know, then you need to demand a refund. If they don't understand their application, think of the security issues related to that. "Ahhh, well you know, it uses ports XXX and XXX and XXX, we think...are we secure? Sure, yea, it's secure. Why wouldn't it be secure?" Know what I mean?

Security through obscurity has some value, but a vendor not understanding how their network-enabled application works is not the type of obscurity that confers any level of security.

So, what you need to know:

Inbound primary connections
Inbound secondary connections
Outbound primary connections
Outbound secondary connections

Connections defined by:

Source IP and port number
Destination IP and port number

Without this information, you can make an avocation of the ISA firewall Web Proxy and firewall logs and your favorite packet sniffer. Make sure your company charges the vendor for your time as you figure out how *their* application works.

/end rant :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Stuart Pittwood [mailto:SPittwood@xxxxxxxxxxxxxxxxx]
Sent: Friday, June 13, 2003 9:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all

http://www.ISAserver.org

Excellent use of clipart Tom,

I have all the ports published for inbound access and all the appropriate ports in protocol rules for outbound access. There are no packet filters applied for specified protocols (although packet filtering is enabled). Although there is a publishing rule for the inbound UDP 5162, the Packet filter log files tell me it's being blocked.
This mess has been left to me by our software vendor who couldn't get it working either & although it's not urgent (doesn't go live till October) I'd like to get it working soon coz it's driving me nuts (or more so than normal).

Any input you could offer is greatly appreciated.

Thanks
Stu

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: 13 June 2003 15:09
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all

http://www.ISAserver.org

Hi Stu,

Before going any farther on this, check out:

www.tacteam.net/openport.htm

Get it?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Stuart Pittwood [mailto:SPittwood@xxxxxxxxxxxxxxxxx]
Sent: Friday, June 13, 2003 8:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all

http://www.ISAserver.org

I'm having trouble with our webspeed application so I was going to open everything up between those two boxes.

I need to talk from the web server in the DMZ to the box on the internal lan on:

UDP 5162
TCP 3055
TCP 3056
TCP 3057

From the box on the internal lan to the web server on the DMZ:

UDP 1-65535
TCP 2202 - 2206

What I was planning to do is open up all communication between those servers, get the app working, see what is talking to what then close everything else.

Thanks
Stu

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 13 June 2003 14:11
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all

http://www.ISAserver.org

That's a bad security model.
What are you trying to pass between them?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

http://www.ISAserver.org

This is probably a simple question but how do I allow all traffic to flow between a server on the internal lan and a server on the DMZ?
_________________________
Stuart Pittwood, CCNA, MCSE
IT Technician
Amery-Parkes Solicitors

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
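
Added example, not part of the original thread: one way to turn firewall log records into the source/destination table the top reply asks for, including the blocked UDP 5162 attempts. The log layout, host addresses and function names are assumptions made for illustration and are not ISA Server's own log format.

```python
from collections import defaultdict

# Constructed sample records (not real ISA Server output). Assumed layout, one line per
# connection attempt with the source as initiator: time proto src sport dst dport action
SAMPLE_LOG = """\
09:01:02 TCP 192.0.2.10 1045 10.0.0.20 3055 ALLOWED
09:01:03 TCP 192.0.2.10 1046 10.0.0.20 3056 ALLOWED
09:01:03 UDP 192.0.2.10 1047 10.0.0.20 5162 BLOCKED
09:01:04 UDP 192.0.2.10 1048 10.0.0.20 5162 BLOCKED
09:01:05 TCP 10.0.0.20 2301 192.0.2.10 2202 ALLOWED
09:01:06 TCP 10.0.0.20 2302 192.0.2.10 2202 ALLOWED
09:01:07 UDP 10.0.0.20 5162 192.0.2.10 4410 ALLOWED
09:01:08 TCP 10.0.0.99 3000 192.0.2.10 80 ALLOWED
not a log record
"""

def summarize_flows(log_text, dmz_host, internal_host):
    """Group attempts between the two hosts by direction, protocol and destination port."""
    flows = defaultdict(lambda: {"ALLOWED": 0, "BLOCKED": 0, "src_ports": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines instead of guessing at fields
        _, proto, src, sport, dst, dport, action = parts
        if (src, dst) == (dmz_host, internal_host):
            direction = "dmz->internal"
        elif (src, dst) == (internal_host, dmz_host):
            direction = "internal->dmz"
        else:
            continue  # traffic involving other hosts is out of scope
        if action not in ("ALLOWED", "BLOCKED") or not (sport.isdigit() and dport.isdigit()):
            continue
        entry = flows[(direction, proto, int(dport))]
        entry[action] += 1
        entry["src_ports"].add(int(sport))
    return dict(flows)

def rule_candidates(flows):
    """One row per observed flow: direction, protocol, source port, destination port, status."""
    rows = []
    for (direction, proto, dport), e in sorted(flows.items()):
        # A single observed source port may still be ephemeral; confirm with more traffic.
        src = "varies" if len(e["src_ports"]) > 1 else str(next(iter(e["src_ports"])))
        status = "blocked" if e["BLOCKED"] else "passing"
        rows.append((direction, proto, src, dport, status))
    return rows

if __name__ == "__main__":
    for row in rule_candidates(summarize_flows(SAMPLE_LOG, "192.0.2.10", "10.0.0.20")):
        print(*row)
```

Each output row maps to one narrowly scoped rule to review, which replaces the "open everything, then close it" step with rules built from observed traffic.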