Re: Controlling Outbound Ports

"Baboon" <baboon@xxxxxxxxxxxxxx> wrote in message
news:8B4945A2-610D-4F75-86A2-B25F3516B58E@xxxxxxxxxxxxxxxx

I can tell you that although I am in the habit of referring to our
"firewall", it's really just an ACL on our internet router and we have
public IP addresses on the internal network, so no NAT.

Yes, that would be the case. Actually, Cisco in their material even refers
to a Router as a Broadcast Firewall even when there are no ACLs. So if you
run ACLs, then it is a NAT-less Firewall to me :-)

This wouldn't happen to be U of I in Illinois would it?

I believe that means the connections are simply passing through to the
Internet routers. But you may be correct that the Web server at the other
end is behind a firewall, so the packets are probably being blocked
somewhere on the way out.

That could be, ...but I really don't think the Source Ports are the problem.

I misspoke slightly when I said XP machines only, as this also affects
Windows 2000 and 2003 as well. We have tried machines that are not part
of our organization from our network via VPN and we can recreate the
problem. So it's not a configuration problem. It's not a browser problem,
nor a Java or other application problem. *If I telnet to port 80 on the
web server from XP, the connection also fails.* By now it seems you should
be convinced that the lower port theory is at least a plausible one.

It isn't impossible, but *extremely* unlikely. The source ports are
considered "response traffic" to an already initiated connection. The
initial connection port (typically 80 for web sites) is what the Rule
Processing is based on and is what the whole thing of being "stateful" is
all about, and would apply to ACLs even if NAT wasn't used. Maybe the Router
you have running the ACLs has a flaw in its "statefulness" and is causing
the problem. You need to set up logging at that Router and see if it is
stopping anything. The Source Ports would never be the problem if a device
operates according to Standards, ...but if the Device has a flaw in its
OS, ...that's another story.

I think you are probably correct that a utility with the capability I'm
looking for doesn't exist. My role is only to help prove the lower port
theory; the Network people are working on solving the problem. Although I
don't expect help with that, if someone comes up with an idea, then great.

What exactly are these "problem" web sites? It would be nice to not work in
the dark. It would also be useful to know the IP range of the workstations
having the problem.

When (if) this gets solved, I'll definitely post back here to let folks
know.

Sounds good.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
