[isalist] Re: Question and confesion.

  • From: D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR <DPietruszka@xxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Feb 2010 09:05:42 -0500

OK got it. Will do some captures first with the craplication running.
Thanks again

I will do my best to have this failing :)

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, February 03, 2010 8:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question and confesion.

My script only gives you the GUIDs for the protocols.
You still have to use that information in the script provided in MSKB 917936.
..and this functionality requires that BOTH ends of the crapplication 
connection participate in TCP keep-alives.
IOW, you'll need to get network captures to verify this behavior.

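What "verify this behavior in a capture" amounts to, as an added example that is not part of the thread and not the Microsoft script from KB 917936: walk the TCP segments of one connection, recognise keep-alive probes (an ACK-only segment carrying 0 or 1 bytes whose sequence number is one below the sender's next sequence number, per RFC 1122 4.2.3.6), pair each probe with the peer's answering ACK, and compare the longest quiet gap with the firewall's idle timeout. The segments below are a constructed sample on the thread's port 7778, not a real capture; the host addresses, timings and the idle timeout values are assumptions. The same logic can be fed from a real capture by exporting the TCP fields from your packet analyser into the Segment records.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    ts: float          # capture timestamp in seconds
    src: str           # "host:port" of the sender
    dst: str           # "host:port" of the receiver
    seq: int           # TCP sequence number
    ack: int           # TCP acknowledgement number
    flags: str         # subset of "SAFPR"
    payload_len: int   # bytes of TCP payload


def is_keepalive_probe(seg: Segment, snd_nxt: int) -> bool:
    # RFC 1122 4.2.3.6 style probe: pure ACK, 0 or 1 bytes of data, and a
    # sequence number one below the sender's snd.nxt so the peer must ACK it.
    # A 1-byte probe is indistinguishable from a 1-byte retransmission; that
    # ambiguity is accepted here.
    return ("A" in seg.flags and not set("SFR") & set(seg.flags)
            and seg.payload_len <= 1 and seg.seq == snd_nxt - 1)


def analyze(segments: List[Segment], idle_timeout_s: float) -> Dict:
    """Per-host keep-alive accounting for one TCP connection."""
    snd_nxt: Dict[str, int] = {}        # sender -> next sequence number to send
    pending: Dict[str, float] = {}      # prober -> timestamp of unanswered probe
    hosts: Dict[str, Dict[str, int]] = {}
    last_ts, max_gap = None, 0.0
    for seg in sorted(segments, key=lambda s: s.ts):
        if last_ts is not None:
            max_gap = max(max_gap, seg.ts - last_ts)
        last_ts = seg.ts
        for h in (seg.src, seg.dst):
            hosts.setdefault(h, {"probes_sent": 0, "probes_answered": 0,
                                 "probes_replied": 0})
        # 1. Any ACK from the peer covering the prober's snd.nxt answers the probe.
        if (seg.dst in pending and "A" in seg.flags
                and seg.ack == snd_nxt.get(seg.dst)):
            hosts[seg.dst]["probes_answered"] += 1
            hosts[seg.src]["probes_replied"] += 1
            del pending[seg.dst]
        # 2. Is this segment itself a keep-alive probe?
        nxt = snd_nxt.get(seg.src)
        if nxt is not None and is_keepalive_probe(seg, nxt):
            hosts[seg.src]["probes_sent"] += 1
            pending[seg.src] = seg.ts
            continue                    # a probe does not advance snd.nxt
        # 3. Ordinary segment: advance the sender's snd.nxt (SYN/FIN use a number).
        consumed = seg.payload_len + (1 if set("SF") & set(seg.flags) else 0)
        snd_nxt[seg.src] = seg.seq + consumed
    return {
        "hosts": hosts,
        "max_idle_gap_s": max_gap,
        "unanswered_probes": len(pending),
        # A stateful firewall drops the session if nothing crosses it for
        # idle_timeout_s; probes count as traffic only if they actually flow.
        "survives_idle_timeout": max_gap < idle_timeout_s,
        # Jim's requirement: both ends must take part, i.e. each end is seen
        # answering at least one probe aimed at it.
        "both_ends_respond": all(h["probes_replied"] > 0 for h in hosts.values()),
    }


def build_sample_capture() -> List[Segment]:
    """Constructed sample (not a real capture): a short request/response on
    port 7778, then a quiet session held open by keep-alives from both ends."""
    C, S = "10.0.0.5:50112", "203.0.113.10:7778"   # assumed addresses
    ci, si = 1000, 5000                            # initial sequence numbers
    return [
        Segment(0.00, C, S, ci, 0, "S", 0),
        Segment(0.01, S, C, si, ci + 1, "SA", 0),
        Segment(0.02, C, S, ci + 1, si + 1, "A", 0),
        Segment(1.00, C, S, ci + 1, si + 1, "PA", 40),         # request
        Segment(1.05, S, C, si + 1, ci + 41, "PA", 200),       # response
        Segment(1.06, C, S, ci + 41, si + 201, "A", 0),
        # user leaves for coffee; client stack probes every 120 s
        Segment(121.06, C, S, ci + 40, si + 201, "A", 0),      # probe: snd.nxt - 1
        Segment(121.10, S, C, si + 201, ci + 41, "A", 0),      # server answers
        Segment(241.06, C, S, ci + 40, si + 201, "A", 0),
        Segment(241.10, S, C, si + 201, ci + 41, "A", 0),
        # server probes in the other direction, client answers
        Segment(300.00, S, C, si + 200, ci + 41, "A", 0),
        Segment(300.04, C, S, ci + 41, si + 201, "A", 0),
    ]


if __name__ == "__main__":
    for timeout in (60.0, 180.0):
        print(timeout, analyze(build_sample_capture(), timeout))
```

With an assumed 180 s idle timeout the 120 s probe cadence keeps the session alive and both hosts are seen replying; with a 60 s timeout the same capture shows the session would be dropped before the first probe, which is the case to look for when the vendor's only suggestion is "make the timeout four hours".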
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of 
D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR [DPietruszka@xxxxxx]
Sent: Wednesday, February 03, 2010 5:49 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question and confesion.
Thanks, I will start with your script to see what happen

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, February 03, 2010 8:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question and confesion.

It may be possible for this to happen, but not the way the 1d10t'5 think.
Some time ago, we added a change to the firewall engine that allows 
per-protocol TCP keep-alives.
The net effect is that IF the client/server pair can participate in TCP 
keep-alives, ISA will keep their session open.
http://support.microsoft.com/kb/917936 is your reference. You'll have to use a 
script to discover the UUID for your protocol (provided below) and replace the 
one used in the script.

This is the right way to handle long-lived, quiet connections; NOT "keeping a 
port open".
This way, the firewall can verify that each end is still there and if not, 
close the connection as it should.

This is the script to discover protocol GUIDs. Save it as "protocolguids.js" 
and run it as cscript protocolguids.js.

// Connect to the ISA/TMG administration COM object and get this server's array.
var oFpc = new ActiveXObject( "FPC.Root" );
var oArray = oFpc.GetContainingArray();
// Protocol definitions live under the array's rule elements.
var cProtocols = oArray.RuleElements.ProtocolDefinitions;
var oProtocol = null;
// FPC collections are 1-based; print "Name == {GUID}" for each protocol.
for( var inx = 1; inx <= cProtocols.Count; inx++ )
{
    oProtocol = cProtocols.Item( inx );
    WScript.Echo( oProtocol.Name + " == " + oProtocol.Guid );
}

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of 
D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR [DPietruszka@xxxxxx]
Sent: Wednesday, February 03, 2010 4:38 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question and confesion.
Yeah, I understand, and to be honest, before going into all the security 
concerns I was looking for a "NO, THAT CAN'T BE DONE WITH ISA"; that way I 
would pass the problem back to them again.
The application was done with (I have mentioned this crappy thing thousands of 
times here) JINITIATOR, a ridiculous forms builder from Oracle, compatible 
with nothing but Oracle DBs, and it doesn't respect any minimum standard of 
this world. The problem is, in our business (transportation vessels) there are 
a lot of websites built on Jinitiator apps.

Going back to the port being kept open for a long time, is there a way to do it 
(I'm not talking about exactly 4 hours, but a longer than usual amount of 
time)? I couldn't find anything on my own. If this is possible, then I will 
discuss the security concerns with my boss and it is going to be his call.

Thanks

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, February 03, 2010 7:23 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question and confesion.

4 hours?!? On what basis does this particular individual offer this sage (or 
terragon) advice?
wattamaroon...
Let them reconnect. If the application itself needed that much time, it can be 
built to send "heartbeats", like any other application that expects a long 
idle time (EAS clients, ferinstance).

Asking to "leave a port permanently open" is asking for a DoS.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of 
D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR [DPietruszka@xxxxxx]
Sent: Tuesday, February 02, 2010 11:22 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Question and confesion.
OK, first the confession:
I'm migrating to TMG (well, not by my own decision, but.....)

Now the question, which is not related to that migration.
Our users need to use an application that goes over the internet on port 7778 
(the number is not really important, but..). The problem is, my users work on 
this application and then decide to take a coffee in the kitchen, leaving the 
app open. Since it is an internet connection, the connection just gets 
disconnected for inactivity; then the user comes back, clicks on some option of 
the app and receives an error, because the application doesn't have the 
capability to reconnect.
What the provider suggests is to increase the timeout for that particular port 
to 4 hours. My question is: is there a way to do that on ISA (still 2006)?

Thanks

Regards
Diego R. Pietruszka
