Re: Denied Connection when rule allows



You need to create a custom protocol definition for TCP port 443 (used with
SSL-enabled web servers), with secondary connections on the ports to which
the Authorize.Net service sends packets (if those are fixed and known). Then
create an allow rule based on that custom protocol, and configure your test
workstations as SNAT clients (they should have the internal address of ISA
as their default gateway and all proxy settings in IE should be unchecked).

This will work if Authorize.Net always sends the packets back on the same
ports; if it uses some random, "dynamic" ports for return packets, you will
not be able to make this work without installing third-party software on your
ISA machine.

Virgil



<docjohnboy@xxxxxxxxx> wrote in message
news:1128021088.084566.82320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Our site has a payment system through Authorize.Net. We are trying to
> submit test payments on computers behind our ISA 2004 server. We have a
> rule to allow HTTPS traffic to the required addresses, and that part
> works fine (when client connects it is initiated and the log shows the
> rule).
>
> However, our problem comes in that Authorize.Net sends back some
> packets on ports that ISA deems "Unidentified IP Traffic." In the log
> it shows "denied connection" and does not state a rule.
>
> We have made an access rule to allow the incoming traffic from the
> Authorize.net IPs and destination ports we see in the log, and ISA
> still denies the connection. We also tried allowing "all outgoing
> connections" from the Authorize.net addresses to our internal network,
> but this also didn't help.
>
> Any suggestions would be greatly appreciated.
>
> Thank you,
> John
>
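To make the point of the reply concrete, here is an added model (not ISA code, and not from either poster) of how a stateful firewall evaluates a custom protocol definition with secondary connections. It tracks outbound primary connections on TCP 443 from internal SecureNAT-style clients, allows the return half of each, allows a server-initiated secondary connection only on the fixed ports listed in the definition and only after a primary exists, and logs everything else as a denied, unidentified connection. The addresses, port numbers and packet sequence are constructed; 203.0.113.10 stands in for an Authorize.Net address and 192.168.1.0/24 for the internal network.

```python
"""Stateful-filter model for a protocol definition with secondary connections.
Constructed example; the class names, addresses and ports are hypothetical
and stand in for ISA 2004 rule elements, not for its real object model."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

INTERNAL_PREFIX = "192.168.1."          # hypothetical internal network
REMOTE_SERVICE = frozenset({"203.0.113.10"})  # hypothetical service address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True when the packet tries to open a new connection


@dataclass(frozen=True)
class ProtocolDefinition:
    name: str
    primary_port: int                # outbound port the client connects to
    secondary_ports: FrozenSet[int]  # fixed ports the server may open back


@dataclass
class StatefulFilter:
    proto: ProtocolDefinition
    allowed_destinations: FrozenSet[str]
    # primaries keyed by (client ip, client port, server ip)
    primaries: Set[Tuple[str, int, str]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def has_primary_with(self, client: str, server: str) -> bool:
        return any(c == client and s == server for c, _, s in self.primaries)

    def decide(self, p: Packet) -> bool:
        # 1. New outbound primary: internal client -> allowed server, primary port.
        if (p.syn and self.is_internal(p.src) and p.dst in self.allowed_destinations
                and p.dport == self.proto.primary_port):
            self.primaries.add((p.src, p.sport, p.dst))
            self.log.append(f"allowed {p.src}:{p.sport}->{p.dst}:{p.dport} rule={self.proto.name}")
            return True
        # 2. Return traffic of a tracked primary (server port back to client port).
        if (not p.syn and p.sport == self.proto.primary_port
                and (p.dst, p.dport, p.src) in self.primaries):
            self.log.append(f"allowed {p.src}:{p.sport}->{p.dst}:{p.dport} rule={self.proto.name} (return)")
            return True
        # 3. Secondary connection: server opens a fixed, listed port to the client,
        #    permitted only while that client already has a primary to that server.
        if (p.syn and p.dport in self.proto.secondary_ports
                and self.has_primary_with(p.dst, p.src)):
            self.log.append(f"allowed {p.src}:{p.sport}->{p.dst}:{p.dport} rule={self.proto.name} (secondary)")
            return True
        # 4. Anything else matches no rule: the "Unidentified IP Traffic" case.
        self.log.append(f"denied {p.src}:{p.sport}->{p.dst}:{p.dport} (no rule)")
        return False


def simulate(packets: List[Packet], secondary_ports: FrozenSet[int]) -> List[bool]:
    """Run a packet sequence through a fresh filter; returns one decision per packet."""
    proto = ProtocolDefinition("HTTPS-with-callbacks", 443, secondary_ports)
    fw = StatefulFilter(proto, REMOTE_SERVICE)
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    fixed = frozenset({5000})  # hypothetical fixed callback port
    flow = [
        Packet("192.168.1.20", 40000, "203.0.113.10", 443, syn=True),
        Packet("203.0.113.10", 443, "192.168.1.20", 40000),
        Packet("203.0.113.10", 33000, "192.168.1.20", 5000, syn=True),   # fixed port: allowed
        Packet("203.0.113.10", 33001, "192.168.1.20", 51234, syn=True),  # dynamic port: denied
    ]
    print(simulate(flow, fixed))
```

The last packet is the failure mode the reply warns about: a callback on a port that is not in the definition is dropped even though the same peer's primary connection is tracked, which is why a definition of fixed secondary ports works only when the service really uses fixed ports.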




