Re: Open Ports 25 & 110 on ISA Clients
- From: "ZVR" <nospamever@xxxxxx>
- Date: Mon, 14 Nov 2005 15:44:03 -0500
"John" <john@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:udcZf7R6FHA.1148@xxxxxxxxxxxxxxxxxxxxxxx
> Hello Virgil
>
> After all my R&D today I figured out something, which I will mention
> later. Before that I want to tell you about the RULE that I assigned;
>
> In FireWall Policies, I created a new Allow Rule (Name = Allow)
> Protocols = All Outbound Traffic
> From = Internal + Localhost
> To = All Networks + External
You did not mention the users. For which users is this allowed? "All Users"
or some specific users/groups? Remember that if you restrict access through
users/groups, your clients need to authenticate somehow to the firewall, which is
done through the firewall clients. Anonymous rules, based on "All Users"
rather than specific users/groups, will work anyway.
> Now in the above setting I set TO as follows;
> TO = External (this is default that I have seen in all documents)
> nothing works and as soon as I add All Networks things start functioning.
Hmmm... this looks like a configuration problem. Did you choose the right
interface for the "Internal" network? More important, do you have the proper
network template in place? That is to say, how is your ISA configured - in a
"network edge" topology, "3-legged firewall", "back firewall" or what?
Last but not least you should have only one default gateway set - on ISA's
External interface.
> Also I want to know the basic or major difference between SECURE NAT Clients
> and FIREWALL Clients. Can you direct me to some site which will explain this
> difference.
I don't have a link at hand to give you but I'll try to explain it here.
Basically a firewall client is a machine running the ISA Firewall Client
software (often referred to as FWC). Only Windows clients can be "firewall
clients" because the FWC software only exists for Windows.
The way FWC works is by intercepting applications' calls to Winsock. Most of
the Windows applications these days have their network-related features
implemented as calls to the Winsock layer, which is a Windows API
(application programming interface) that handles the gory "networking"
details on the application's behalf. This is very similar to DirectX, for
example - when game developers write a game, they do not program the game
for this video card or that video card (or sound card for that matter).
Instead they use DirectX, they program the game for DirectX which is another
Windows API, and DirectX handles the details making sure the right video
driver is being used etc.
So basically the moment an application makes a call to Winsock for some
network-related functionality, the ISA FWC intercepts that call, and
redirects it to ISA along with some information about the original
client/application (like for example the name of the user which is running
that application). ISA allows or denies that connection based on the rules
in place.
Two things we can infer about firewall clients:
- First is that they do not have to have ISA in the routing path for all
this to work, as traffic intercepted by the FWC will be sent directly to ISA
anyway. On a basic network this is equivalent to saying that firewall
clients do not have to have the internal address of ISA as their default
gateway.
- Second, the FWC mechanism will only work for Winsock-based applications as
those are the only ones that can be "intercepted" by the FWC. There are
also, albeit rare these days, applications that rely on their own code to
initiate network connections, transfer data etc. Those applications cannot
be handled by the FWC software as they do not make Winsock calls.
On the contrary, SNAT clients are those clients that have ISA in the routing
path, and are not running the FWC software. By definition Linux/Unix/Apple
etc machines can only be SNAT clients as there is no FWC software for those.
Again, on a basic network having ISA in the routing path amounts to setting
the default gateway on the SNAT client(s) to point to the internal interface
of ISA.
Traffic originating from SNAT clients will therefore still be processed by
ISA at some point because it is 'routed' through ISA sooner or later,
according to the definition of a SNAT client. The problem with SNAT clients
though is that the traffic that arrives at ISA is actually the un-modified
traffic generated by the applications the users run, and for most
protocols/applications that traffic does not include authentication data
(i.e. user logins etc). So you cannot use rules based on users/groups with
SNAT traffic. You can however restrict SNAT rules based on client IP, that
works fine.
The last thing I'd like to add about SNAT clients/connections is that they
are usually perceived as having a little more impact on the ISA server
performance than firewall client connections, but the difference should not
be significant if you're running ISA on modern hardware - Pentium 4 class,
with as much RAM as you can afford :-)
To make this even more confusing :-), you can actually configure your
(Windows) workstations as a combination of firewall and SNAT clients, by
installing the firewall client on the client machines and also configuring
their default gateway so that ISA is in their routing path. This way the
Winsock traffic will be intercepted by the FWC and re-directed to ISA
whereas for applications/protocols that are not Winsock-based it will fall
back to SNAT.
This should keep you busy for a while :-)
Virgil
P.S. And, one last thing. If you're determined to allow all kind of traffic
through your ISA, for all your clients, you might as well remove it and
replace it with a simple NAT router (a hardware router, that is). ISA is not
intended to be an "Internet-connection sharing" device, but rather a
controlling factor in the inbound/outbound traffic flow.
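As an added illustration (not code from this post, and not ISA's own policy engine), a small Python model of the rule evaluation Virgil describes: a firewall-client connection carries the user's identity, so user/group rules can match it, while a SecureNAT connection arrives with no identity and can only be matched by anonymous ("All Users") or IP-based rules. The rule fields, host addresses and user names are constructed for the example.

```python
# Added model of FWC vs SecureNAT rule matching (not ISA's real engine).
# Addresses, user names and rule shapes below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_port: int
    user: Optional[str] = None  # FWC forwards the user running the app; SNAT traffic carries none


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    ports: tuple = ()      # destination ports; empty = All Outbound Traffic
    users: tuple = ()      # empty = "All Users" (anonymous rule)
    src_nets: tuple = ()   # source networks; empty = any source

    def matches(self, c: Connection) -> bool:
        if self.ports and c.dst_port not in self.ports:
            return False
        if self.src_nets and not any(ip_address(c.src_ip) in ip_network(n)
                                     for n in self.src_nets):
            return False
        if self.users:
            # Identity is known only when the FWC supplied it, so a
            # user-restricted rule can never match a SNAT connection.
            return c.user is not None and c.user in self.users
        return True


def evaluate(rules, conn: Connection) -> str:
    """Ordered evaluation, first match wins; the implicit last rule denies."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "deny"


# Constructed sample policy and connections (SMTP/POP3 as in the thread title)
MAIL_PORTS = (25, 110)
USER_RULE = [Rule("Mail for John", "allow", MAIL_PORTS, users=("DOMAIN\\john",))]
IP_RULE = [Rule("Mail for LAN", "allow", MAIL_PORTS, src_nets=("192.168.1.0/24",))]
ANON_RULE = [Rule("Allow", "allow")]  # All Outbound Traffic, All Users

FWC_JOHN = Connection("192.168.1.20", 25, user="DOMAIN\\john")  # via the FWC
SNAT_HOST = Connection("192.168.1.20", 25)                      # same PC, SNAT only

if __name__ == "__main__":
    for label, rules in (("user rule", USER_RULE), ("IP rule", IP_RULE), ("anonymous", ANON_RULE)):
        print(f"{label:10} FWC={evaluate(rules, FWC_JOHN)}  SNAT={evaluate(rules, SNAT_HOST)}")
```

The user-based rule silently falls through to the default deny for the SNAT connection, which is the behaviour to watch for when a rule "does nothing" for machines without the Firewall Client.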