RE: SBS Premium/ISA --- what are we missing?



Hi Ginger,

Thanks for posting in our newsgroup.

From your description, I know that you opened external 1433 and DVR port
connections on ISA 2004 but they drop all the time. If I am off-base,
please don't hesitate to let me know.

Based on my experience, the rule for visiting external port 1433 and DVR
may not be correctly created. Please try the following steps.

Step 1: Create two protocols for port 1443 and DVR.

1. Open the ISA management console; navigate to Firewall Policy.

2. Click Toolbox on the right and click Protocols.

3. Click New->Protocol.

4. Enter the name and click Next.

5. Click New and input the following.

Type: TCP (or UDP)
Port: 1443
Direction: Outbound

6. Click Next 2 times and click Apply.

7. Do the same steps with Port DVR.

Step 2: Create a rule to allow internal users to visit outbound port 1443 and
DVR.

1. Open the ISA management console; navigate to Firewall Policy

2. Right click Firewall Policy and click New->Access Rule, enter a
descriptive name for this rule and click Next.

3. Click Allow and then click Next.

4. Change the "Apply this rule to" option from All IP traffic to Selected
protocols, and check the "Out Bound 1443" and "Outbound DVR", then click
Next.

5. Select Access Rules Source: Internal.

6. Select Access Rules Destination: External.

7. Select User Sets: All Users.

8. Click Next and Finish.

Then move this rule to the top and click Apply to save the settings. How
will things go?

Step 3: Please check ISA connection limit time:

Please open the ISA Server management console, navigate to Configuration->
General-> Define Connection Limits-> Connection Limit, and then uncheck the
"Limit the number of connections" option.

After that, please restart the ISA firewall service.

For more information, please refer to:

How to permit non-Microsoft programs to connect to the Internet through
Internet Security and Acceleration Server 2004
http://support.microsoft.com/?id=837831

Note: You must ensure the Firewall client is installed and enabled on all
the workstations.

Step 4: Please also install the ISA 2004 SP2 to see if the problem can be
resolved:

Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard
Edition Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=88350ABA-D09E-44B5-8002-96590ABFA148&displaylang=en

If the problem still exists, please kindly help me collect the following
information for further research:

1. Please help to gather the ISA Info:

1) Download the file from the following URL:

http://www.isatools.org/isainfo/ISAInfo.zip

2) Extract all files to a folder on ISA server.

3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.

4) Please send these files to me.

2. Please also help to gather the ISA logs:

1) Schedule a down time.

2) Open ISA 2004 management console.

3) Expand the server node and highlight 'Monitoring'.

4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.

5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

9) Click 'Apply' to save changes and update the configuration.

10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.

11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to be deleted, that's normal.) You may back them up first and then
delete them.

12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

13) Reproduce the problem, stop the service, and then send the resulting
W3C files to me for analysis.

14) Please also let me know the IP address of the testing clients so that I
can filter the data.

Please send the information to v-robeli@xxxxxxxxxxxxx with subject:
38637356-SBS Premium/ISA --- what are we missing.

I am looking forward to hearing from you.

If you need further assistance, please don't hesitate to let me know.

Sincerely,

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: "Ginger Estherskip" <gingerestherskip@xxxxxxxxxxxx>
<Subject: SBS Premium/ISA --- what are we missing?
<Date: Thu, 5 Apr 2007 17:23:49 -0400
<
<We're having a lot of trouble with the ISA2004 in SBS Premium. With SBS
<2000 (and ISA 2000), our outside connections were rock-solid and we had
<little trouble... now we have trouble with an external SQL server and an
<external DVR that we access.
<
<So, with ISA 2000, we didn't need to "open" the outgoing ports since they
<were already available if you had WinProxy installed. (ISA Firewall
<Client).
<
<So we installed the ISA Firewall Client for ISA 2004 on all the desktops,
<and it works OK for external FTP, and we do get the external 1433 and DVR
<port connections, but they drop all the time --- the connections are very,
<very spotty. Why would this be? Our internet connection has not changed
<and we have an awesome connection to the internet that is not spotty at all.
<Setting up outside the firewall allows the connections to work with no
<trouble at all... so it's gotta be something with our configuration.
<
<I tried setting access rules for outgoing traffic for those ports (and I
<looked in the logs and those rules do fire), but it seems like those
<wouldn't be necessary --- but adding the rules didn't help the issue.
<
<Any advice? I'm ready to throw the box out the window right now :) ...Also,
<it was a fresh install on a new server, the server tests out just fine, and
<I did re-run the internet connection wizard on SBS in case something was
<awry there...
<
<
<
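
The following is an added example, not part of the original posts: one way to filter the W3C-format firewall log files gathered above by test client IP and destination port, and to measure how long each connection stayed open. The sample lines, the field names (date, time, source, destination, action, rule), the action strings and the tab delimiter are constructed assumptions; a real log's own #Fields line determines the names to use.

```python
from datetime import datetime

# Constructed sample, not real ISA output. Addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample, not real ISA output",
    "#Fields: date\ttime\tsource\tdestination\taction\trule",
    "2007-04-06\t09:00:01\t192.168.16.20:1045\t198.51.100.7:1433\tInitiated Connection\tOutbound 1433",
    "2007-04-06\t09:00:10\t192.168.16.31:1100\t203.0.113.9:21\tInitiated Connection\tFTP",
    "2007-04-06\t09:02:01\t192.168.16.20:1045\t198.51.100.7:1433\tClosed Connection\tOutbound 1433",
    "2007-04-06\t09:02:05\t192.168.16.20:1046\t198.51.100.7:1433\tInitiated Connection\tOutbound 1433",
    "2007-04-06\t09:02:35\t192.168.16.20:1046\t198.51.100.7:1433\tClosed Connection\tOutbound 1433",
    "2007-04-06\t09:05",  # truncated line, skipped by the parser
])

def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # drop truncated or malformed rows
                rows.append(dict(zip(fields, values)))
    return rows

def connection_lifetimes(rows, client_ip, dest_port):
    """Pair Initiated/Closed rows per endpoint pair; return (source, seconds) tuples."""
    opened, lifetimes = {}, []
    for row in rows:
        src_ip = row["source"].rpartition(":")[0]
        port = row["destination"].rpartition(":")[2]
        if src_ip != client_ip or port != str(dest_port):
            continue
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["source"], row["destination"])
        if row["action"] == "Initiated Connection":
            opened[key] = stamp
        elif row["action"] == "Closed Connection" and key in opened:
            delta = stamp - opened.pop(key)
            lifetimes.append((row["source"], int(delta.total_seconds())))
    return lifetimes

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for source, seconds in connection_lifetimes(rows, "192.168.16.20", 1433):
        print(source, "closed after", seconds, "s")
```

Consistently short lifetimes for one client and port, alongside the rule name logged on the close rows, narrow down whether the firewall or the remote end is ending the sessions.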
