Welcome to ISAserver.org
Cannot open port to the outside?
Cannot open port to the outside? - 2.Jan.2003 9:28:00 PM
ivanv
Posts: 29
Joined: 18.Dec.2002
Status: offline
Hi everyone,
I hope you all had great holiday parties!
Well, I'm having some trouble configuring ISA Server to accept incoming traffic on port 9820. The strange thing is that it was working ok before.
I don't know for sure, but it appears this behavior started after I hooked ISA Server to Active Directory.
Well, I have two IP packet filters:
- Incoming: Allow on local port 9820, any remote port.
- Outgoing: Allow on remote port 9820, dynamic local port.
One would think that is enough, but it isn't.
Can anyone help me?
Thanks in advance!
- Ivan V.
RE: Cannot open port to the outside? - 2.Jan.2003 9:55:00 PM
ivanv
Posts: 29
Joined: 18.Dec.2002
Status: offline
It's a service running on the ISA Server machine, but now that you mention it, I also use that machine as a gateway to access that port on the machines inside the LAN. That already works (not considering the inability to access from outside the LAN).
Oh, and in case you're wondering, the service is a software called Remote Administrator.
Regards, Ivan V.
RE: Cannot open port to the outside? - 2.Jan.2003 11:05:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Ivan,
you can't publish a service more than once on the *same* external IP address. You need to have as many external IPs as the number of times you want to publish that service.
Can you tell us something more about that Remote Administrator service? The problem is that if you have installed it on ISA server too and it can't be bound to a specific IP address, you are in trouble!
HTH, Stefaan
RE: Cannot open port to the outside? - 2.Jan.2003 11:17:00 PM
ivanv
Posts: 29
Joined: 18.Dec.2002
Status: offline
Hi Stefaan,
Thanks for your help.
I don't know what you mean by publishing a service more than once... Could you explain a bit more?
Remote Administrator is a service that allows you to remotely connect to a PC and work on it as if you were sitting right in front of it. Kind of like Terminal Services, I believe. You can go to www.radmin.com for more info.
And yes, it can indeed use a custom port. In fact, its default port is 4899, but I'm using 9820.
Regards, Ivan V.
RE: Cannot open port to the outside? - 3.Jan.2003 12:13:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Ivan,
when you create a server publishing rule you have to select the internal IP address, the external IP address and the used protocol definition (service). A server publishing rule will start up a listener for that particular service (i.e. TCP port 9820) on the defined external IP address and dynamically create a packet filter to open the listener for external connections. When a request comes in, the request will be forwarded to the defined internal IP address for the same service (protocol / port number).
Now, when you try to create a second publishing rule for the same service and external IP address but for another internal IP address, ISA will not be able to start up that listener and create the packet filter for it because that service is already running on that external IP address. So, the second publishing rule will fail! To solve that issue, you need to assign either an extra external IP address to the ISA external interface and use this new external IP address in the second publishing rule, or use another protocol definition (i.e. change the used port for that service).
It should be clear that if you install the Remote Admin service on ISA itself, and you can't bind the application to a particular IP address, that application will occupy that service (i.e. TCP port 9820) on *all* available IP addresses, regardless of interface adapter. Therefore, you would no longer be able to use the same service in a server publishing rule.
I hope this clears up some things about server publishing rules.
HTH, Stefaan
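
Added example, not part of the original thread and not ISA Server tooling: a pre-check for the port contention described in the post above, run over `netstat -an` output before server publishing rules are created. The sample output, the 192.0.2.x and 10.0.0.x addresses, the planned rules and the function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output from a multi-homed firewall.
# Assumed addressing: 192.0.2.10 = external interface, 10.0.0.1 = internal interface.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:9820           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:8080          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:110         0.0.0.0:0              LISTENING
  TCP    10.0.0.1:1745          10.0.0.25:1032         ESTABLISHED
"""

# Constructed planned rules: (external_ip, tcp_port, internal_ip).
PLANNED_RULES = [
    ("192.0.2.10", 9820, "10.0.0.5"),  # port held by a wildcard bind on the firewall
    ("192.0.2.10", 110, "10.0.0.8"),   # port already listening on this external IP
    ("192.0.2.10", 25, "10.0.0.6"),    # free: first rule for this IP and port
    ("192.0.2.10", 25, "10.0.0.7"),    # same external IP and port, second time
    ("192.0.2.11", 25, "10.0.0.7"),    # free: a different external IP
]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s*$")

def parse_listeners(netstat_text):
    """Return {(local_ip, port)} for every TCP socket in LISTENING state."""
    listeners = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.add((match.group(1), int(match.group(2))))
    return listeners

def check_publishing_rules(planned, listeners):
    """Return {rule: reason} for each planned rule whose listener cannot start."""
    problems = {}
    claimed = set(listeners)  # address/port pairs that are already taken
    for rule in planned:
        external_ip, port, _internal_ip = rule
        if ("0.0.0.0", port) in listeners:
            # A service bound to all addresses holds the port on every interface.
            problems[rule] = "wildcard bind holds this port on all addresses"
        elif (external_ip, port) in claimed:
            problems[rule] = "external address and port already taken"
        else:
            claimed.add((external_ip, port))  # this rule gets the listener
    return problems

if __name__ == "__main__":
    found = check_publishing_rules(PLANNED_RULES, parse_listeners(SAMPLE_NETSTAT))
    for rule, reason in found.items():
        print(rule, "->", reason)
```
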
RE: Cannot open port to the outside? - 4.Jan.2003 1:14:00 AM
ivanv
Posts: 29
Joined: 18.Dec.2002
Status: offline
Hmmmm... very strange... it's working again.
But I don't know what I did to make it work!
First I added publishing rules (for ports 9820 & 110), then I deleted them.
Then, I added a packet filter to allow all traffic of every kind from every source. Didn't work. So I modified the external IP of the filter from "default" to the actual IP address of the Internet connection.
Voilà! It works!
So I delete that rule, and modify the other two (for ports 9820 and 110) to bind them to that IP address. It still works.
Just for fun, I select again the "default" external address for the filters... And it works! So, basically, I'm right where I started, but the thing works... I'm going mad.
RE: Cannot open port to the outside? - 4.Jan.2003 2:28:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Ivan,
I have the feeling you are mixing up different things. So, let's try to tackle the problem systematically.
First of all you should double check your basic ISA configuration. Use Jim's article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html as a baseline.
Next, you should tell us where the services you want to publish run. Is this on an internal host or is it on ISA server itself or is it on both? This is very important to know because if they run on internal hosts you have to use server publishing and *not* packet filters. On the other hand, if they run on ISA it might be necessary to use packet filters *unless* you can bind the service on the ISA internal IP address (preferred method). Moreover, you should be aware of a possible port contention problem. That is what I was talking about in my previous post.
So, here are the basic questions to better understand your configuration:
1) where is the POP3 (TCP port 110) service you want to publish running? Do you want to publish more than one POP3 service?
2) where is the RemoteAdmin (TCP port 9820) service you want to publish running? Do you want to publish more than one RemoteAdmin service?
HTH, Stefaan
RE: Cannot open port to the outside? - 4.Jan.2003 6:59:00 PM
ivanv
Posts: 29
Joined: 18.Dec.2002
Status: offline
Hi,
I checked the article you point out and carried out all the steps described there.
Now, the services are running in ISA Server itself. The POP3 service all it does is to forward traffic to another host (since ISA can't do that on its own, AFAIK).
The Remote Admin is installed on several machines inside the network, but the one that is installed in ISA Server acts as a gateway to access the internal hosts, so I don't have to access them directly (I think I couldn't even if I wanted to).
In regard to binding this service to a specific interface, it can't be done. The service automatically binds itself to all available interfaces.
Regards, Ivan V.
RE: Cannot open port to the outside? - 4.Jan.2003 8:12:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Ivan,
the gateway function (connect through option - I've just read the manual) of RemoteAdmin is a very nice feature and it is indeed much simpler to use that feature instead of publishing each individual host that runs the RemoteAdmin server.
Because RemoteAdmin is installed on ISA server itself and you can't bind it to the ISA internal interface, you have no other option than using a packet filter to allow access to it from the outside. The properties of the RemoteAdmin packet filter should read as:
- Filter Mode: Allow
- Filter Type: Custom
- Protocol: TCP
- Direction: Inbound
- Local Port: 9820
- Remote Port: Any Port
- Local Computer Filter Applies to Computer: default IP address on the external interface
- Remote Computer Filter Applies to Network: All Remote Computers
This should work without any problem if the external interface has a fixed IP address. Is that your case?
Concerning the POP3 service, it is not clear to me what you want to achieve. What do you mean exactly with "The POP3 service all it does is to forward traffic to another host"?
HTH, Stefaan