[isapros] Re: Server Publishing Rule

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 9 Jan 2007 14:14:05 -0500

I have to admit that I do like wizards. After having installed so many
SBS servers in a streak for a while there it was a rude awakening to
have to install a Windows 2003 new domain. My brain kept saying, "Are we
there yet? If you use the wizard we'd have been done 2 hours ago." That
part of my brain has a pretty annoying whine too. :-)

 

But I'm sure the ISA BPA is just my lack of memory. Brain is full so
things fall out of it now and then.

 

Amy Babinchak

Harbor Computer Services

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, January 09, 2007 1:37 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

It never worked on ISA 2000.

If you tried and (could only have) failed, you weren't paying attention
to the error messages that said "not here, you don't..."

 

Yasilly, the wizard disease seems to be claiming another victim...

:-)

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Tuesday, January 09, 2007 10:30 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

Maybe I need to take a fresh look at it. I didn't find it helpful but
it's been a long time, maybe ISA 2000 long. Can't really remember.

 

Amy Babinchak

Harbor Computer Services

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, January 09, 2007 12:20 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

Why in the world would you (of all people) make such a distinction?

Use ISABPA on any ISA 2004+ deployment - it's written to assist with ISA
troubleshooting regardless of the environment.

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Tuesday, January 09, 2007 9:13 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

OK, I'll run it. I don't usually bother with BPA on SBS boxes.

 

Amy Babinchak

Harbor Computer Services

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, January 09, 2007 9:41 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

Nope; ISABPA includes a neato toy called ISABPAPack.

It will gather the most common data required for ISA behavioral
analysis.

Its use is covered in the docs that come with the package.

 

"isabpapack +repro" is the command line used to start the process.

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Tuesday, January 09, 2007 5:43 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

They are firewall clients. I'll see about gathering the data for you. By
repro data you mean the captures?

 

Amy Babinchak

Harbor Computer Services

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, January 09, 2007 12:11 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

If internal clients are using ISA to reach the internal app, then your
problem isn't in the rule, but the client configuration.

Internal access of server publishing is necessarily SecureNET or FWC
clients only.

 

Got ISABPAPack +repro data?

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Monday, January 08, 2007 8:21 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

I would agree; however, when WalMart says you'll use this app if you want
to sell us product, then you use the app.

 

The nature of the fail doesn't show in ISA. If I have a range of ports
in my server publishing rule, then Internal clients attempting to access
the app server can't get there. ISA doesn't show any fails or denied.
NetMon running on the SBS server shows a successful packet to the app
server but the response from the app server is stack error 1250. If I
have a single port (tcp 1521) in the server publishing rule then
internal clients can get to the app server just fine.

 

Since the server publishing rule only applies from External to the app
server, why is this affecting internal workstation access to the app
server?

 

Amy Babinchak

 

 

 

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, January 08, 2007 10:56 PM
To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Server Publishing Rule

 

Amy,

 

Any time a vendor tells you they need "all inbound ports", it's time to
shitcan that application and bitch-slap the vendor back to their
Commodore Vic-20.

 

That said:

Q1 - what is the port range you are defining?

Q2 - what is the nature of "fails"?

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of Amy Babinchak
Sent: Mon 1/8/2007 4:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Server Publishing Rule

I have published an internal server on port 1521. Works fine. However,
the vendor (an EDI application) says they need access over all inbound
ports. If I create a range published to this server, then Internal
access to the server fails.

Why?

Amy Babinchak
Harbor Computer Services

   

All mail to and from this domain is GFI-scanned.
