Re: Controlling Outbound Ports



No, not the Univ of Ill., but close. We are a major higher ed institution.

There is only one website that we know of that is causing us this problem,
and it's www.springerlink.com. I can't give out the IP address range of our
machines in a public forum such as this.

Being that we are so disjointed here in our IT department, I didn't know
that there is a proxy server on our network that can be used if desired. If
I use the proxy, I am able to connect to the web site from XP. I know
nothing about the platform of the proxy, but it is accessed by typing a URL
as such:
http://proxy.xxxxx.edu/login?url=http://www.springerlink.com/home/main.mpx

So we have a workaround, but nobody has solved the problem yet.

At this point, I am not asking for help (though it certainly is welcomed),
but I figure I have your interest so I'm just keeping you informed in that
case.

Thanks.

"Phillip Windell" wrote:


"Baboon" <baboon@xxxxxxxxxxxxxx> wrote in message
news:8B4945A2-610D-4F75-86A2-B25F3516B58E@xxxxxxxxxxxxxxxx

I can tell you that although I am in the habit of referring to our
"firewall", it's really just an ACL on our internet router and we have public
IP addresses on the internal network, so no NAT.

Yes that would be the case. Actually Cisco in their material even refers
to a Router as a Broadcast Firewall even when there are no ACLs. So if you
run ACLs, then it is a NAT-less Firewall to me :-)

This wouldn't happen to be U of I in Illinois would it?

I believe that means the connections are simply passing through to the
Internet routers. But you may be correct that the Web server at the other
end is behind a firewall, so the packets are probably being blocked
somewhere on the way out.

That could be,...but I really don't think the Source Ports are the problem.

I misspoke slightly when I said XP machines only, as this also affects
Windows 2000 and 2003 as well. We have tried machines that are not part of
our organization from our network via VPN and we can recreate the problem.
So it's not a configuration problem. It's not a browser problem, nor a Java
or other application problem. *If I telnet to port 80 on the web server
from XP, the connection also fails.* By now it seems you should be
convinced that the lower port theory is at least a plausible one.

It isn't impossible, but *extremely* unlikely. The source ports are
considered "response traffic" to an already initiated connection. The
initial connection port (typically 80 for web sites) is what the Rule
Processing is based on and is what the whole thing of being "stateful" is
all about, and would apply to ACLs even if NAT wasn't used. Maybe the Router
you have running the ACLs has a flaw in its "statefulness" and is causing
the problem. You need to set up logging at that Router and see if it is
stopping anything. The Source Ports would never be the problem if a device
operates according to Standards,...but if the Device has a flaw in its
OS,...that's another story.

I think you are probably correct that a utility with the capability I'm
looking for doesn't exist. My role is only to help prove the lower port
theory; the Network people are working on solving the problem. Although I
don't expect help with that, if someone comes up with an idea, then great.

What exactly are these "problem" web sites? It would be nice to not work in
the dark. It would also be useful to know the IP range of the workstations
having the problem.

When (if) this gets solved, I'll definitely post back here to let folks
know.

Sounds good.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
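A way to test the "lower port theory" directly, added here as an example and not something posted in the thread: bind the client socket to a chosen source port before connecting, then tabulate which source ports reach the service port. The loopback listener, the free-port picker and all function names are constructed for this example; on the real problem the probe would be pointed at the affected web server from an affected workstation, with the router logging Phillip suggests turned on so the two views can be compared line by line.

```python
"""Probe a TCP service from chosen local source ports (added example)."""
import socket
import threading


def connect_from_source_port(host, port, source_port, timeout=3.0):
    """Open a TCP connection to host:port with the local end pinned to source_port.

    Returns (True, source_port_actually_used) on success, or
    (False, error_text) if bind or connect fails.  Binding a source port
    below 1024 needs administrative privileges on most systems, so a
    permission error from bind() is a local condition, not a network block.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", source_port))   # pin the source port before connecting
        sock.connect((host, port))
        return True, sock.getsockname()[1]
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()


def probe_source_ports(host, port, source_ports, timeout=3.0):
    """Repeat the connection test once per source port.

    A device in the path that filtered on the client's source port would show
    up as a pattern here: some source ports connect, others time out or reset.
    """
    return {sp: connect_from_source_port(host, port, sp, timeout)
            for sp in source_ports}


def pick_free_ports(count):
    """Constructed helper: ask the OS for `count` currently unused local ports,
    so the demo does not collide with ports already in use on this machine."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_STREAM) for _ in range(count)]
    for s in socks:
        s.bind(("", 0))                # port 0 lets the OS choose a free one
    ports = [s.getsockname()[1] for s in socks]
    for s in socks:
        s.close()                      # never connected, so no TIME_WAIT
    return ports


def start_loopback_listener(expected_connections):
    """Constructed stand-in for the remote web server: a loopback listener that
    records the peer's source port for each accepted connection.

    Returns (listening_port, seen_source_ports, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(expected_connections)
    listener.settimeout(5.0)           # do not hang forever if a client never arrives
    seen = []

    def serve():
        try:
            for _ in range(expected_connections):
                conn, peer = listener.accept()
                seen.append(peer[1])   # peer = (address, source port)
                conn.close()
        except socket.timeout:
            pass
        finally:
            listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return listener.getsockname()[1], seen, thread


def demo(count=3):
    """Run the probe against the loopback stand-in.

    Returns (results, seen): results maps each requested source port to
    (ok, detail); seen lists the source ports the 'server' observed.  On a
    standards-conforming path every requested source port appears in seen.
    """
    source_ports = pick_free_ports(count)
    server_port, seen, thread = start_loopback_listener(count)
    results = probe_source_ports("127.0.0.1", server_port, source_ports)
    thread.join(timeout=5.0)
    return results, seen


if __name__ == "__main__":
    results, seen = demo()
    for sp, (ok, detail) in results.items():
        print(f"source port {sp}: {'connected' if ok else 'FAILED'} ({detail})")
    print("server saw source ports:", sorted(seen))
```

The loopback run is the baseline: every pinned source port connects and the listener sees exactly that port, which is what a stateful device tracking the full connection tuple should also allow. Run the same probe_source_ports call from an affected XP machine against the problem host on port 80 with a range of low and high source ports; a failure set that lines up with a specific source-port range, while the router log shows nothing dropped, points at the far side rather than the local ACL.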