We have an ISA 2004 Firewall which we are having some trouble allowing a connection coming through. We are trying to allow a connection from an external set of IPs which are already defined as a network.
We set up a protocol for "tcp outbound" which is tcp outbound over port 1081.
When running a log query, we get:
Log type: Firewall service Status: A connection was abortively closed after one of the peers sent a RST segment. Rule: Rulewecreated Source: Network we created ( xxx.xxx.xxx.xxx) Destination: Local Host ( xxxxxxx:1081) Protocol: tcp outbound
Basically we have a client machine that is home to a piece of software that relays to a database on a server behind our firewall. We need packets to be passed from the external network, through the firewall and to the client machine. We also need the packets to go back out the network.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
We have an ISA 2004 Firewall which we are having some trouble allowing a connection coming through. We are trying to allow a connection from an external set of IPs which are already defined as a network.
Incorrect. They cannot be set as a "network". They must be set as an Address Object such as an Address Set, an Address Range, or a Subnet Object.
We set up a protocol for "tcp outbound" which is tcp outbound over port 1081.
Wrong direction and the wrong approach.
Basically we have a client machine that is home to a piece of software that relays to a database on a server behind our firewall. We need packets to be passed from the external network, through the firewall and to the client machine. We also need the packets to go back out the network.
You are taking the wrong approach. This must either be done with a Server Publishing Rule (aka Non-Web Server Publishing Rule) or it must be done using a Remote Access VPN.
Unfortunately, after creating a publishing rule, setting the external IPs to an address set, and allowing traffic across "tcp" inbound port 1081, I am still getting the same error message.
Closed Connection Log type: Firewall service Status: A connection was abortively closed after one of the peers sent a RST segment. Rule: SSSSSS Source: External ( xxxxxxx) Destination: Local Host ( xxxxxxxx) Protocol: tcp
From the Google searches I have done, many users are experiencing this problem when attempting RDP connections. This is not our case.
There is no way to know with this small amount of information that you have done it correctly or not. This is much more complex to perform than the information you are giving us.
This is not an RDP connection, and has nothing to do with RDP.
To clarify what you are (should be) doing:
You are:
1. Publishing a Database Server that sits on the LAN and communicates using TCP-1081-Inbound.
2. The Source (From) within the Publishing Rule will be an Address Set or an Address Range or a Subnet Object that represents the IP Address(es) that the user would appear to be coming from. This is most likely not the actual IP# of the user's machine, but it is not impossible in some situations.
3. The Listener of the Rule will Listen for connections on either External or the specific IP# chosen on the External Nic of the ISA.
4. The Database Server must be operating as a SecureNAT Client of the ISA. If it is not operating as a SecureNAT Client of the ISA then the Publishing Rule must be set to "Show as coming from the ISA" rather than "Show as coming from the original client".
5. The Publishing Rule must be a Server Publishing Rule and not any other type.
It will fail if...
A. If the Database server uses more than, or other than, TCP-1081 at any time, then it may fail.
B. If the Database Server has any IP restrictions built into it that don't consider and allow all the IP#s the user would possibly be coming from, it may fail.
C. If the ISA is running as a Single-Nic Caching Server then none of this is even possible and the ISA would not even be involved in the process.
D. If there is a Back-to-Back DMZ with the ISA as the inner firewall and some other firewall as the outer firewall, then it will fail if the Publishing process is not repeated on the outer firewall with it "treating" the ISA as if the ISA was the Database Server.
E. If any of the above Steps 1-5 are done incorrectly, it will fail.
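As an added illustration (not code from this thread or from ISA), here is a small Python triage script for log-query entries of the shape pasted above. It flags the three symptoms the thread turns on: an RST abort, a Destination of "Local Host" (the connection ended on the ISA itself rather than being forwarded to the published server), and an "outbound" protocol where a Server Publishing Rule needs an inbound one. The two sample entries, their addresses and the two-space field separator are constructed assumptions.

```python
import re

# Field names as they appear in the ISA 2004 log query output quoted in the thread.
FIELDS = ("Log type", "Status", "Rule", "Source", "Destination", "Protocol")
_ALT = "|".join(re.escape(f) for f in FIELDS)
# "Field: value" pairs; a value runs until the next known field name or end of line.
FIELD_RE = re.compile(r"(%s):\s*(.*?)(?=\s+(?:%s):|$)" % (_ALT, _ALT))

# Constructed sample entries (not real log data); 203.0.113.x / 192.0.2.x / 10.x are placeholders.
SAMPLE_LOG = """\
Log type: Firewall service  Status: A connection was abortively closed after one of the peers sent a RST segment.  Rule: Rulewecreated  Source: Network we created (203.0.113.10)  Destination: Local Host (192.0.2.1:1081)  Protocol: tcp outbound
Log type: Firewall service  Status: Closed Connection  Rule: DB-Publish  Source: External (203.0.113.10)  Destination: Internal (10.0.0.5:1081)  Protocol: tcp
"""


def parse_entry(line):
    """Turn one 'Field: value  Field: value' line into a dict keyed by field name."""
    return {name: value.strip() for name, value in FIELD_RE.findall(line)}


def triage(entry):
    """Return the symptoms this entry shows; an empty list means nothing suspicious."""
    findings = []
    if "RST segment" in entry.get("Status", ""):
        # One side reset the connection instead of closing it normally.
        findings.append("rst_abort")
    if entry.get("Destination", "").startswith("Local Host"):
        # Traffic terminated on the ISA box itself, not on the published server.
        findings.append("terminated_on_isa")
    if "outbound" in entry.get("Protocol", "").lower():
        # Server publishing needs an inbound protocol definition, not an outbound one.
        findings.append("outbound_protocol")
    return findings


def triage_log(text):
    """Triage every non-empty line; returns [(rule name, findings), ...]."""
    results = []
    for line in text.splitlines():
        if line.strip():
            entry = parse_entry(line)
            results.append((entry.get("Rule"), triage(entry)))
    return results


if __name__ == "__main__":
    for rule, findings in triage_log(SAMPLE_LOG):
        print(rule, "->", ", ".join(findings) or "ok")
```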
Thanks again for all of your help. I got it figured out. I was publishing the proxy server vs. the machine that the database is being hosted on. Once I created a publishing rule for that, the packets came right on through.