Re: SBSServer processes Port 80 blocked

From: Fred Blum (h.f.blum_at_marketconnectnospam.nl)
Date: 12/02/04


Date: Thu, 2 Dec 2004 09:18:01 +0100


Your explanation is in line with my understanding of how ISA works. I can't
check McAfee Auto Update architects service account settings (I'm sure it
was administrator member of the Backoffice Internet users group, proxy
settings and auth provided for the AutoUpdate client) as we replaced it
with Sophos. This works fine with the proxy settings provided.

McAfee autoupdate client used HTTP port 80 to download the latest update
information and data files. This showed up as blocked outbound on port 80 in
my logs. Only creating the allow packet rule made it work. The developed
sync app has the same problem (proxy settings and auth provided in Vbasic
code), sending flat txt via xml works but binary data sent via xml port 80
and reassembled at the other site not. Probably McAfee used the same method.
This sync app is scheduled in task scheduler and provided with the
administrator auth. Is this normal protection behaviour to block?

On the server connecting to this newsgroup on port 119 is also not allowed
for the administrator logged on locally. He is in the BackOffice internet
users group allow all protocols rule. The only difference with a workstation
is the firewall client.

I'm trying to understand the basic underlying principle of what is normally
allowed on the server and what is not.

TIA,

Fred

"Eugene Tan" <insights-[dropthis]@post1.com> wrote in message
news:%23DcCv8$1EHA.1260@TK2MSFTNGP12.phx.gbl...
> hi Fred,
>
> At first, I didn't understand the situation in your original post.
> Now, I think I've got the issue...
>
> In SBS2000, the default settings define a rule which permits only members
> of SBS Internet Users access to the Internet. This means not all users
> have access to the Internet, just those you permit. If you create user
> accts using the SBS wizard, you can choose the Internet users template
> which will make the user account a member of SBS IU. If you use ADUC to
> create a user account, the default is DomainUser which doesn't have any
> access to the Internet.
>
> Now, if you login at the server as administrator, no doubt you can surf
> the Internet. What process is running McAfee etc which doesn't have
> access? You probably need another rule or modify the existing rule to
> provide access by either another user account or group, or by IP addr
> (Client address set).
>
> As for the apps issue, Steve is right, XML is today all plain text, no
> binary involved. However, your apps may be doing a FTP or something
> like that, perhaps over port 80. In this case, you need to create an
> allow outbound rule. You don't have to provide an IP destination but
> it is better as this would limit the permission to just this IP addr.
>
> Hope this helps,
> Eugene Tan
>
> ===========================
> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> news:OuxX9B41EHA.304@TK2MSFTNGP11.phx.gbl...
>>
>> I had the problem in the past that processes running on the SBS server
>> could not connect outbound on port 80 and would show up in the log as
>> Blocked.
>> According to Marina everything running on the server would be allowed
>> outbound port 80 and it was my ISA configuration.
>> For example McAfee Autoupdate would not connect (even with option use
>> explorer proxy settings or manually entered proxy configuration) or
>> programs connecting to the internet for a software update.
>>
>> Marina has reinstalled ISA and configured it out of the box. I still have
>> this problem now with our application using XML to sync with a provider's
>> SQL database. Normal XML flat txt data uploads work fine but in case of
>> binary data (product pictures) uploaded via xml port 80, will be blocked
>> and only an allow rule with destination IP address will make it work. The
>> program is set to use and authenticate with the proxy, but it seems that
>> tunneling is detected by ISA and blocked by default. This seems logical
>> as a leak and trojan protection.
>>
>> Is this the case? Are allow rules the only solution? This problem is
>> only at the SBS server itself. Workstations running Firewall client will
>> work fine. (moving it to a workstation is not an option due to 24h sync)
>>
>> TIA,
>>
>> Fred