Re: How to configure ISA 2004 to use secondary connection for rexe





"Phillip Windell" wrote:

"S.Stops" <SStops@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:32757B88-CF79-4590-ADDA-E73FAFB5E7F6@xxxxxxxxxxxxxxxx
I need to configure an ISA Server 2004 (SBS 2003 R2) to support a program
that is using rexec to call a server. The server then initiates two secondary
connections back to the client. The problem is that there is NAT between the
two networks.

Firewall Client is available and I generated a custom protocol allowing
outbound TCP connection on Port 512 and secondary incoming on all ports from
1 to 65535 (for testing purposes).

The theory is sound but you have to be specific on that secondary port
range. Don't do 1-65535 because it is impossible,...never gonna
happen,...you can't have incoming on a port that is in use for something
else,...so don't try to tell ISA that it is OK to do so. If you do you may
end up with those secondary connections inadvertently slamming an SQL server
or Web Server or anything else that you may have published. Don't *begin* a
bad practice that you have to turn around and quit doing later.


Absolutely agree, and I started out with 1025 to 65535 because the secondary
ports are absolutely random in the high range, but as a type of last resort I
increased the range to cover all ports. There is actually a secondary
incoming connection coming in on port 113 (IDENT) which is immediately shut
down by the ISA Server.

Remember that the secondary connections are Inbound,...not Outbound like the
Primary connection.


I know and I implemented it that way.

The problem is that there is NAT between the two networks.

What does that mean? Of course there is NAT (or Proxying) at the ISA,...but
does this mean there is an Upstream NAT Firewall beyond the ISA?


No. I could actually have routing between the two networks and put an ISA in
between as a firewall; that's what I meant. So not only do I have the problem of
not knowing on which port the secondary connection will come in, I also have
to create the relationship somehow, as all incoming secondary connections will
use the external IP of the ISA instead of the actual client address.
To address this I use Firewall Client, as I am supposed to not need a
filter.

Yet my problem is not solved.

If so you have to repeat the same config on this firewall as well (as if the
ISA never existed). You have to be able to place a machine running the
Application behind the firewall (between it and the ISA) and have the client
machine succeed when using only that firewall,...then setup the ISA for the
same thing and run the Client behind it. Remember the ISA is a "client" of
the upstream firewall and as far as this other firewall is concerned the ISA
*is* the "client" that all this is happening from because it will have no
concept of what is behind the ISA.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
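The thread turns on two points: the rexec secondary (stderr) connection is inbound to the client on a port the client picks at random from the ephemeral range, and a firewall that lets a blanket 1-65535 inbound range through can land those connections on published services. The following Python script is an added illustration written for this page; it is not code from ISA Server, from Firewall Client or from either poster. It runs a toy rexec client and server over loopback (no real rexecd, and the user/password/command values are constructed placeholders) so you can watch the exchange, and it includes a small sanity check of the kind Phillip describes for a secondary port range against the ports you publish. The wire format (NUL-separated port, user, password, command; a NUL success byte from the server) follows the classic rexec protocol; everything else is assumed for the demonstration.

```python
"""Toy rexec exchange showing why the secondary connection is hard to NAT.

Example code written for this thread, not ISA Server or Firewall Client code.

  1. client -> server (primary, TCP/512):  "<stderr-port>\\0<user>\\0<pass>\\0<cmd>\\0"
  2. server -> client (secondary, inbound): connects back to <stderr-port>
  3. server -> client (primary):            "\\0" success byte, then command output

The client chooses <stderr-port> from the ephemeral range, so a firewall in
the path cannot know it in advance; it must learn it from the primary
connection (what Firewall Client / an application filter does) or open a range.
"""
import socket
import threading

EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535


def rexec_server(listen_sock, result):
    """Toy rexecd: accept one primary connection, then dial back for stderr."""
    conn, (client_ip, _) = listen_sock.accept()
    with conn:
        buf = b""
        while buf.count(b"\0") < 4:  # port, user, pass, command, each NUL-terminated
            chunk = conn.recv(4096)
            if not chunk:
                raise RuntimeError("primary connection closed early")
            buf += chunk
        port_s, user, password, command, _ = buf.split(b"\0", 4)
        stderr_port = int(port_s)
        result["server_saw_port"] = stderr_port
        # Secondary connection: the SERVER dials the CLIENT. Behind NAT, client_ip
        # would be the NAT's external address, not the real client address.
        with socket.create_connection((client_ip, stderr_port), timeout=5) as err:
            err.sendall(b"toy-rexecd: stderr channel connected\n")
        conn.sendall(b"\0")  # success byte, then stdout of the "command"
        conn.sendall(b"ran: " + command + b"\n")
        result["server_user"] = user.decode()


def rexec_exchange(host="127.0.0.1"):
    """Run the toy client against the toy server; return what each side saw."""
    result = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: OS picks a free port (stands in for TCP/512)
    srv.listen(1)
    srv.settimeout(5)
    t = threading.Thread(target=rexec_server, args=(srv, result), daemon=True)
    t.start()

    # Client listens for the inbound secondary (stderr) connection on an ephemeral port.
    err_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    err_listener.bind((host, 0))
    err_listener.listen(1)
    err_listener.settimeout(5)
    stderr_port = err_listener.getsockname()[1]
    result["client_chose_port"] = stderr_port

    with socket.create_connection(srv.getsockname(), timeout=5) as primary:
        # Constructed placeholder credentials; real rexec sends these in clear text.
        primary.sendall(b"%d\0user\0pass\0uptime\0" % stderr_port)
        err_conn, _ = err_listener.accept()  # the inbound secondary connection
        with err_conn:
            result["stderr_banner"] = err_conn.recv(4096).decode().strip()
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = primary.recv(4096)
            if not chunk:
                break
            reply += chunk
        result["ack_ok"] = reply[:1] == b"\0"
        result["stdout"] = reply[1:].decode().strip()
    t.join(5)
    err_listener.close()
    srv.close()
    return result


def port_range_is_sane(low, high, published_ports):
    """Sanity check for a secondary-connection range on a firewall rule:
    stay inside the ephemeral range and never overlap ports you publish inbound."""
    if low < EPHEMERAL_MIN or high > EPHEMERAL_MAX or low > high:
        return False
    return not any(low <= p <= high for p in published_ports)


if __name__ == "__main__":
    for key, value in rexec_exchange().items():
        print(f"{key}: {value}")
    # 1-65535 overlaps published listeners (constructed example: web and SQL ports).
    print("1-65535 sane?", port_range_is_sane(1, 65535, {80, 443, 1433}))
    print("1025-65535 sane?", port_range_is_sane(1025, 65535, {80, 443, 1433}))
```

Running it prints the port the client picked and the identical port the server dialed back to, which is exactly the value a NAT device in the middle has to discover by inspecting the primary connection. The range check reflects the advice in the thread: a 1025-65535 range passes only if nothing you publish inbound (web, SQL, RDP and so on) sits inside it; in the last line above 1433 does, so even that range is flagged.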

