Re: opening ISA Ports
From: Chad A. Gross [SBS MVP] (chad.gross_at_laytonflower.nospam.com)
Date: 03/19/05
- Next message: Linc: "Cannot print faxes"
- Previous message: JohnB: "With Forms Based Authentication turned on OWA just goes to a blank white screen."
- In reply to: DL: "Re: opening ISA Ports"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 18 Mar 2005 19:30:22 -0600
It is very possible that they need inbound access for this. We have a
client that is a bar & grill - and their restaurant POS system has built-in
credit card processing. The way the processing works is that the POS app
initiates an outbound connection to the front-end cc processing server.
That server dynamically forwards the processing request to another server
(based on processing load, etc.). The processing server that is assigned
the transaction then initiates a connection back to the POS system. Even
though the POS system initiated the outbound connection, since the return is
coming from a different server, it is not recognized as part of the
conversation initiated by the POS system, and ISA (or any stateful packet
inspecting firewall) blocks the traffic. Hence the need for allowing
inbound traffic . . .
--
Chad A. Gross - SBS MVP
SBS ROCKS!
www.msmvps.com/cgross
www.gosbs.org

DL wrote:
> I will try this.
>
> I am not trying to be secretive. I am waiting to hear back from
> support regarding specifics. It is a credit card application to put
> payments into. I understand why outbound is needed, no idea why
> inbound would be needed. I do not know how it is connecting but
> trying to find out some more details.
> thanks for the help so far. Much appreciated!
>
> "Phillip Windell" <@.> wrote in message
> news:u9lEew9KFHA.156@TK2MSFTNGP10.phx.gbl...
>> "DL" <DL@dl.com> wrote in message
>> news:WoCdnYAet9ifYaffRVn-tQ@speakeasy.net...
>>> They gave me a port range for outbound traffic of 2100-4000
>>> An inbound port of 8100
>>>
>>> A FQDN of xxx.xxx.net
>>
>> It's backwards. The Application must be the one initiating the
>> connection, connections are initiated on a single outbound port.
>>
>> Protocol Definitions used for client applications are always a
>> single port initial connections outbound, with inbound secondary
>> connections that are often random ports within a range.
>>
>> Definitions with initial connections inbound (still single port) with
>> ranges on the outbound side are for using in Publishing situations. For
>> example, compare the FTP Definition (client) with the FTP Server
>> Definition used for publishing an internal FTP Server to the outside.
>> The Client FTP begins with outbound, but the FTP Server begins with
>> inbound.
>>
>> Adjust the Definition to:
>>
>> Port: 8100
>> Type: TCP
>> Direction: Outbound
>>
>> Leave the Secondary Connection blank for now,...only add them later
>> if you are forced to. The ISA Firewall Service is aware of the
>> "statefulness" of packet traffic and may already be able to
>> dynamically handle the Secondary Connection with intervention. But
>> if it doesn't, then add the Secondary Connections.
>>
>> If it doesn't work after that, then you will have to stop being so
>> "secretive" and dump all the information we need to solve this out
>> on the table. I can't solve an unknown issue about an unknown
>> application that connects to an unknown outside source in an
>> unknown way for an unknown reason.
>>
>> --
>>
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
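
Added example, not part of the original thread and not ISA Server code: a toy TCP connection tracker showing why the callback from a different processing server is dropped, and how an inbound rule scoped to the processor's address range admits it. All IP addresses and the class and function names are constructed for illustration; ports 8100 and 2100 come from the figures quoted in the thread, outbound traffic is assumed to be allowed, and NAT is ignored.

```python
from ipaddress import ip_address, ip_network


class StatefulFilter:
    """Toy connection tracker (illustrative only, not ISA's implementation)."""

    def __init__(self, internal_net):
        self.internal = ip_network(internal_net)
        self.states = set()       # (internal ip, internal port, external ip, external port)
        self.inbound_rules = []   # (allowed source network, internal ip, port)

    def publish(self, src_net, dst_ip, dst_port):
        """Allow NEW inbound connections to dst_ip:dst_port from src_net only."""
        self.inbound_rules.append((ip_network(src_net), ip_address(dst_ip), dst_port))

    def handle(self, src, sport, dst, dport, syn=False):
        src, dst = ip_address(src), ip_address(dst)
        if src in self.internal:
            # Outbound: a SYN creates state (assumption: outbound is permitted).
            if syn:
                self.states.add((src, sport, dst, dport))
            return "ALLOW" if (src, sport, dst, dport) in self.states else "DROP"
        # Inbound reply on a tracked connection: the exact reversed tuple must match.
        if (dst, dport, src, sport) in self.states:
            return "ALLOW"
        # Inbound new connection: needs an explicit rule matching source and port.
        if syn and any(src in net and dst == ip and dport == port
                       for net, ip, port in self.inbound_rules):
            self.states.add((dst, dport, src, sport))
            return "ALLOW"
        return "DROP"


def demo():
    # Constructed addresses: POS terminal, front-end server, assigned processor.
    pos, front, proc = "192.168.16.10", "198.51.100.5", "203.0.113.77"
    fw = StatefulFilter("192.168.16.0/24")
    results = [
        fw.handle(pos, 50000, front, 2100, syn=True),  # POS opens connection to front end
        fw.handle(front, 2100, pos, 50000),            # reply from the same server
        fw.handle(proc, 40000, pos, 8100, syn=True),   # callback from a different server
    ]
    fw.publish("203.0.113.0/24", pos, 8100)            # inbound rule limited to the processor range
    results.append(fw.handle(proc, 40000, pos, 8100, syn=True))         # callback now matches
    results.append(fw.handle("192.0.2.9", 40000, pos, 8100, syn=True))  # unrelated source
    return results


if __name__ == "__main__":
    print(demo())
```

The third packet is dropped because its source address and ports match no tracked tuple; restricting the inbound rule to the processor's published address range keeps port 8100 closed to every other source.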