Re: Firewall Client Question

  • From: "David Dellanno" <ddellanno@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 31 Jul 2002 10:49:32 -0400

Hi Jim,
    
    This is a big request. It is a third-party application our company is
developing. The workstation is a developer's box that requires at least 2
NICs in the PC. In short, my goal is to switch our current Access Policy
for outbound settings (Anonymous/All ports allowed) to (Authentication/All
ports allowed). This change will cause the developer's application to fail.
Below is a description from the Developer's standpoint. Please let me know
if you have any questions.
 
Application requirements:

1.      Peer-to-peer LAN-only advertisement, discovery, and communication.
        Requires:

        *       binding all UDP ports and TCP ports in this section to a
                single specified IP address even on a multihomed system
        *       bind UDP port 1900, set multicast TTL and interface and join
                multicast group - needed for advertisement
        *       bind arbitrary UDP port (port '0' passed into bind to allow
                stack to choose), set multicast TTL and interface and join
                multicast group - needed for discovery
        *       bind configurable TCP port, typically 8180, used to accept
                and service communication from the same machine or other
                machines on the LAN
        *       bind arbitrary TCP port, used to connect to port 8180 on the
                same machine or other machines on the LAN

2.      Connect unbound TCP port to port 80 on an arbitrary CDDB server on
        the internet.
3.      We do not have any need or desire to publish any services - no ports
        need to be bound to be let in through the proxy.

Current scenarios attempted to make this work with ISA in authenticated mode
(Dave check the term for this):

*       If the machine running the application is not running the firewall
        client, or is running the firewall client but with an entry to disable
        it for this application, then all local LAN requirements of the
        application (1) work, but CDDB communication out (2) fails - the
        connection to the outside server succeeds and then is immediately
        dropped and any reads give error 10054 (socket reset).
*       If the machine running the application is running the firewall client
        and without an entry to disable it for this app, then CDDB
        communication (2) works, but all multicast binding in (1) fails.
        Specifically, setting the multicast TTL and interface socket options
        fails with error 10022 (invalid parameter).
*       If the application code is modified to ignore the return code from
        setting the socket options, or if the proxy option LocalBindUdpPorts
        is set up for 0 and 1900, then the multicast sockets will appear to
        bind, advertisement/discovery via UDP multicast appears to work, but
        the TCP communication to other machines on the LAN or even the same
        machine fails with error 10038 (operation performed on non-socket).
*       Entering even the full range of UDP and TCP ports
        (LocalBindUdpPorts=0-65535 and LocalBindTcpPorts=0-65535) behaved the
        same as above.
*       We still have no solution under which the communication needed in (1)
        and (2) both work.

        -----Original Message-----
        From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
        Sent: Saturday, July 27, 2002 1:35 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] Re: Firewall Client Question

        http://www.ISAserver.org

        It's very probable that the FW client could be interfering if it's
        running on that workstation.
        Have him disable it and then test his app to see if anything changes.
        If things improve, then you'll need to enter his application into the
        Client Configuration, Firewall Clients, Application Settings with
        "Disable=1".
        After you do that, then force a refresh at his workstation and all
        should be well.

        Jim Harrison
        MCP(NT4, W2K), A+, Network+, PCG
        http://isaserver.org/authors/harrison/
        Read the books!
        

                ----- Original Message -----
                From: David Dellanno <mailto:ddellanno@xxxxxxxxxxxxxxx>
                To: [ISAserver.org Discussion List]
                <mailto:isalist@xxxxxxxxxxxxx>
                Sent: Friday, July 26, 2002 2:34 PM
                Subject: [isalist] Firewall Client Question

                http://www.ISAserver.org

                Hi Jim,
                    It has been a very long time since I asked a question.
                There is a developer with two NICs on his workstation, and he
                is trying to perform a multicast function on one of the NICs,
                but it looks like the Firewall Client is giving him issues
                performing such a task. Would the Firewall Client conflict
                with a workstation with two NICs?

                Dave
                ------------------------------------------------------
                You are currently subscribed to this ISAserver.org Discussion
List as: jim@xxxxxxxxxxxx
                To unsubscribe send a blank email to
$subst('Email.Unsub') 

        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion List
as: ddellanno@xxxxxxxxxxxxxxx
        To unsubscribe send a blank email to
$subst('Email.Unsub') 
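Added example, not code from the thread or from the developer's application: the multicast advertisement/discovery socket setup from requirement (1) above, written with Python's socket module, whose calls map directly onto the Winsock bind/setsockopt sequence the developer describes. Every step records its errno rather than being ignored (the third scenario shows that swallowing the setsockopt failures only moves the error to a later, more confusing point), and by default the first failure stops the sequence. The group address 239.255.255.250 and the loopback interface address are assumptions; the page names only port 1900.

```python
import socket
from dataclasses import dataclass, field
from typing import Dict, Optional

SSDP_GROUP = "239.255.255.250"  # assumed group; the thread only names port 1900
SSDP_PORT = 1900


@dataclass
class MulticastSetupResult:
    steps: Dict[str, int] = field(default_factory=dict)  # step name -> 0 or errno
    sock: Optional[socket.socket] = None

    @property
    def failed_step(self) -> Optional[str]:
        # First step whose errno is non-zero, in execution order.
        return next((n for n, e in self.steps.items() if e != 0), None)


def open_multicast_socket(local_ip: str, port: int = SSDP_PORT,
                          group: str = SSDP_GROUP, ttl: int = 1,
                          ignore_errors: bool = False) -> MulticastSetupResult:
    """Bind a UDP socket to ONE specified local address (the multihomed-host
    requirement), then set multicast TTL, multicast interface and join the
    group. port=1900 is the advertisement socket, port=0 the discovery socket."""
    res = MulticastSetupResult()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Outgoing multicast must leave via local_ip, not whichever NIC the
    # routing table picks, so IP_MULTICAST_IF is set to that same address.
    mreq = socket.inet_aton(group) + socket.inet_aton(local_ip)
    steps = [
        ("bind", lambda: s.bind((local_ip, port))),
        ("ttl", lambda: s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)),
        ("if", lambda: s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF,
                                    socket.inet_aton(local_ip))),
        ("join", lambda: s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)),
    ]
    for name, op in steps:
        try:
            op()
            res.steps[name] = 0
        except OSError as exc:
            res.steps[name] = exc.errno  # on Windows this is the 100xx WSA code
            if not ignore_errors:
                s.close()  # stop here: a half-configured socket is worse than none
                return res
    res.sock = s
    return res
```

With an address the host does not own, the result names "bind" as the failing step and no later option is attempted; with ignore_errors=True all four steps are recorded, which is how the 10022 errors in the thread would be catalogued per socket before deciding whether the Firewall Client is the cause.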