Re: Allow Wimba Live Classroom via ISA 2004 on SBS 2003
- From: "Steve Foster [SBS MVP]" <steve.foster@xxxxxxxxxxxxx>
- Date: Tue, 26 Feb 2008 06:59:28 -0800
Jon-Alfred Smith wrote:
On Fri, 22 Feb 2008 10:48:19 -0500, "Jim G" <Jim @ home.net> wrote:
Wimba Live Classroom tech support tells me it uses:
* For TCP, and alternate HTTP: 5998, 443 and port 5190
* For UDP: port 5998, 33434, 5190, and 16384
Now if I can figure out how to create a protocol/filter and add it to a
Rule, I'll be in business. 443 should already be forwarded.
We need to create:
1) a destination network object (Wimba Live Classroom)
2) a custom protocol
3) an access rule
If the default SBS ISA ruleset is in place, and the Wimba client application is capable of offering up proxy credentials (which sounds like the case), no, we don't. All that is required in this scenario is the protocol definition, and then the standard "SBS Internet Access" rule will apply.
If either the default SBS ISA ruleset is not in use, or the application is not secure-proxy-capable, *then* you'll need an access rule as well as the protocol definition. Whether you restrict the rule to a single destination set depends on whether this is the only Wimba classroom location that needs to be accessed.
First let's create a computer object as the destination and call it
Wimba Live Classroom:
In the MS ISA Server 2004 console click Firewall Policy.
In the right pane you have three tabs. Click on Toolbox.
Click on Network Objects.
Click New. Computer
Personally, if I'm creating destination sets, I prefer to use set objects rather than individual ones (i.e. I'd use a Computer Set, rather than a Computer). I just really wish ISA let you put Computer items into Computer Sets if you wanted to, rather than them being completely unrelatable.
Name: Wimba Live Classroom (or a name of your choice)
Computer IP Address: 208.185.32.145
Click Apply -- (good practice to do so for every step you take).
If you're referring to the "big" Apply, I completely disagree. The whole point of the "big" Apply is that you can work up a set of changes to the overall ISA policy, building all the elements required and the rules that use them, without disturbing the current policy. When you've completed all the work, *then* you make the new policy effective with the "big" Apply.
Second, let's create the Wimba custom protocol
Click Toolbox, Protocols
Click New
Name, Protocol
Name: Wimba Protocol
Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 5998 To: 5998. Click OK
Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 443 To: 443. Click OK
Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 5190 To: 5190. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
UDP has no concept of "Outbound". The UDP equivalent to this would be "Send Receive". Whether that's actually the correct choice is unclear from the incomplete information Jim has.
Port Range From: 5998 To: 5998. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 33434 To: 33434. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 5190 To: 5190. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 16384 To: 16384.
Click Next
Do you want to use secondary connections: No
Well, some of those port ranges above should likely be under Secondary Connections, rather than Primary. The only entries under Primary should be those used to _initiate_ connections, not all the possible port/direction combinations the protocol will ever use.
Secondary connections are like "+1" on a guest invite - they only get to go to the party if they're with the nominated (Primary) guest. If they show up on their own, they're refused entry (or exit).
Third, we need the access rule
Let's create an access rule from Internal (the SBS internal network)
and Local Host (the SBS box) to the network object Wimba Live
Classroom:
Why would you include the SBS/ISA box itself in the rule? That would only be appropriate if the Wimba classroom software is installed on the SBS/ISA box.
Click on the Tasks tab (still within Firewall Policy).
Create New Access Rule
Access rule name: Wimba Access Rule (or a name of your choice)
Allow
This rule applies to: Selected protocols
Add: User-Defined, Wimba Protocol
Click Close (Note you could also edit the protocol here)
Click Next
This rule applies to traffic originating from the sources ...
Add: Internal, Local Host (btw, Local Host is not necessary)
See comment above. I would *never* add LocalHost to rules intended to deal with internal client access. It's usually better to keep rules for SBS/ISA itself separate from those for its clients.
I'm on the fence whether to get a Tom Shinder book,
Not a bad idea. Tom Shinder has written excellent books on ISA Server.
The first I read was back in 2001.
The big problem with Tom is that he doesn't believe SBS should exist with ISA on it.
--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
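
Added example, not part of the original post and not ISA Server code: a simplified Python model of the primary/secondary connection distinction raised in the reply above, run over constructed traffic. The thread does not say which Wimba ports initiate connections, so treating TCP 5998 as the only primary is an assumption, and the class, function and client address are hypothetical.

```python
from dataclasses import dataclass, field

# Port lists come from the thread; which one is primary is an ASSUMPTION.
PRIMARY = {("tcp", 5998)}
SECONDARY = {("tcp", 443), ("tcp", 5190), ("udp", 5998),
             ("udp", 33434), ("udp", 5190), ("udp", 16384)}


@dataclass
class ProtocolDefinition:
    """Hypothetical model of a protocol with primary and secondary ports."""
    primary: set
    secondary: set
    sessions: set = field(default_factory=set)  # (client, server) with a live primary

    def evaluate(self, client, server, proto, port):
        """Return 'allow-primary', 'allow-secondary' or 'deny' for one flow."""
        key = (proto, port)
        if key in self.primary:
            self.sessions.add((client, server))
            return "allow-primary"
        if key in self.secondary and (client, server) in self.sessions:
            return "allow-secondary"
        return "deny"

    def close_primary(self, client, server):
        """Primary connection ended: its secondaries lose their sponsor."""
        self.sessions.discard((client, server))


def replay(definition, flows):
    """Run constructed flows through the definition, returning each verdict."""
    return [definition.evaluate(*f) for f in flows]


# Constructed sample traffic (client addresses are made up; server is from the post).
CLIENT, SERVER = "192.168.16.20", "208.185.32.145"
FLOWS = [
    (CLIENT, SERVER, "udp", 16384),          # secondary arriving on its own
    (CLIENT, SERVER, "tcp", 5998),           # primary initiates the session
    (CLIENT, SERVER, "udp", 16384),          # same secondary, now accompanied
    ("192.168.16.99", SERVER, "udp", 5190),  # other client, no primary
    (CLIENT, SERVER, "tcp", 25),             # not in the definition at all
]

if __name__ == "__main__":
    wimba = ProtocolDefinition(set(PRIMARY), set(SECONDARY))
    for flow, verdict in zip(FLOWS, replay(wimba, FLOWS)):
        print(flow, "->", verdict)
```

Putting every port under the primary set instead, as in the quoted steps, makes the first flow return `allow-primary`: each listed port then opens on its own rather than only alongside an established session.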