Re: Allow Wimba Live Classroom via ISA 2004 on SBS 2003



On Fri, 22 Feb 2008 10:48:19 -0500, "Jim G" <Jim @ home.net> wrote:

> Wimba Live Classroom tech support tells me it uses:
> * For TCP, and alternate HTTP: 5998, 443 and port 5190
> * For UDP: port 5998, 33434, 5190, and 16384
>
> Now if I can figure out how to create a protocol/filter and add it to a
> Rule, I'll be in business. 443 should already be forwarded.

We need to create:
1) a destination network object (Wimba Live Classroom)
2) a custom protocol
3) an access rule

First let's create a computer object as the destination and call it
Wimba Live Classroom:

In the MS ISA Server 2004 console click Firewall Policy.
In the right pane you have three tabs. Click on Toolbox.
Click on Network Objects.
Click New. Computer
Name: Wimba Live Classroom (or a name of your choice)
Computer IP Address: 208.185.32.145
Click Apply -- (good practice to do so for every step you take).
Now you should see this object under Network Objects, Computers.

Second, let's create the Wimba custom protocol
Click Toolbox, Protocols
Click New
Name, Protocol
Name: Wimba Protocol

Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 5998 To: 5998. Click OK
Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 443 To: 443. Click OK
Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 5190 To: 5190. Click OK
Click New

Protocol Type: UDP
Direction: Outbound
Port Range From: 5998 To: 5998. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 33434 To: 33434. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 5190 To: 5190. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 16384 To: 16384.

Click Next
Do you want to use secondary connections: No
Click Finish
Click Apply

Now you should see under Protocols, User-Defined:
Wimba Protocol
(Right-click for future editing if something needs to be changed)

Third, we need the access rule
Let's create an access rule from Internal (the SBS internal network)
and Local Host (the SBS box) to the network object Wimba Live
Classroom:

Click on the Tasks tab (still within Firewall Policy).
Create New Access Rule
Access rule name: Wimba Access Rule (or a name of your choice)
Allow
This rule applies to: Selected protocols
Add: User-Defined, Wimba Protocol
Click Close (Note you could also edit the protocol here)
Click Next
This rule applies to traffic originating from the sources ...
Add: Internal, Local Host (btw, Local Host is not necessary)
This rule applies to traffic sent to these destinations
Click Add, Computers, Wimba Live Classroom
Click Close
Click Next
This rule applies to requests from the following user sets
Leave it for the time being with All Users
Click Finish
Make sure the Action is Allow
Click Apply

You can move the rule up and down by right-clicking (Move Down, Move
Up)

Leave the SBS Publishing Rules above.
Rules are evaluated from top to bottom. If you place it under the Last
Default rule, nothing will happen as the Last Default rule will deny all
traffic.

Make sure there is no blocking rule above / before the Wimba Access
Rule.

As an interesting note (at least I think so): By right-clicking a rule
you can temporarily disable it, which I do now in order to test the Wimba
Access Rule.

I need to disable my SecureNAT rule (custom rule, not default)

Test
From my SecureNAT client I can't access anything but the Wimba site
Passed the Setup Wizard (but I don't have the audio equipment)
Managed to log in with a user name of my choice. Name:, not Username /
Password

For troubleshooting:
You can edit the UDP values and allow direction Send Receive (or the
other way round)
You can add the Web Proxy Filter.

You could create a Wimba User in the Toolbox and edit the Wimba Access
rule. Add the Wimba User, remove All Users ... you get the idea.

Just a last comment
What I really like about ISA Server is the approach taken with defined
self-contained objects and then you play around with it as with Lego
bricks.

> I'm on the fence whether to get a Tom Shinder book,

Not a bad idea. Tom Shinder has written excellent books on ISA Server.
The first I read was back in 2001.

> or ditch ISA and get a
> firewall appliance, although I realize I'd still have to configure/learn the
> firewall appliance.

There are ISA Server appliances ...:-)
http://www.celestix.com/products/isa/index.htm

jas
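
Added example, not part of the original post and not ISA Server code: a small Python model of the top-to-bottom rule evaluation described above, checking that every port in the Wimba Protocol is still allowed for a given rule order. The Internal range, the client address and the blocking rule are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "Wimba Protocol" as defined in the post: (transport, port), all Outbound.
WIMBA_PROTOCOL = frozenset({("tcp", 5998), ("tcp", 443), ("tcp", 5190),
                            ("udp", 5998), ("udp", 33434), ("udp", 5190),
                            ("udp", 16384)})
WIMBA_HOST = ipaddress.ip_network("208.185.32.145/32")  # computer object from the post
INTERNAL = ipaddress.ip_network("192.168.16.0/24")      # assumed Internal network range
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    protocols: Optional[frozenset] = None  # None means all outbound traffic
    enabled: bool = True                   # False models a rule disabled by right-click

    def matches(self, src, dst, proto, port):
        return (self.enabled
                and ipaddress.ip_address(src) in self.source
                and ipaddress.ip_address(dst) in self.dest
                and (self.protocols is None or (proto, port) in self.protocols))


def evaluate(policy, src, dst, proto, port):
    """Top-to-bottom evaluation: the first enabled matching rule decides."""
    for rule in policy:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name
    return "deny", "Last Default rule"     # nothing matched: final deny


def blocked_wimba_ports(policy, client="192.168.16.20"):  # constructed client address
    """Wimba (transport, port) pairs the policy would not allow for this client."""
    return sorted(p for p in WIMBA_PROTOCOL
                  if evaluate(policy, client, "208.185.32.145", *p)[0] != "allow")


WIMBA = Rule("Wimba Access Rule", "allow", INTERNAL, WIMBA_HOST, WIMBA_PROTOCOL)
BLOCK = Rule("Block all outbound (hypothetical)", "deny", INTERNAL, ANYWHERE)

if __name__ == "__main__":
    print(blocked_wimba_ports([WIMBA, BLOCK]))   # Wimba rule above the deny
    print(blocked_wimba_ports([BLOCK, WIMBA]))   # Wimba rule below the deny
```

An empty list means the rule order lets all seven protocol entries through to 208.185.32.145 only; traffic to any other destination still falls to the deny rules.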

