Firewall Client and RPC
Firewall Client and RPC - 11.May2005 6:20:00 PM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
Tom,
me again!
My network guys have put a hardware FW between ISA and the LAN FW clients. Whenever we load apps like Yahoo Messenger and ICQ from the FW clients, our network guy sees random high number port connections between the client and the ISA box. If I turn off the FW client, the apps go straight to the Internet and the logs show that they don't use any high number ports.
Three questions:
1. does the fw client use RPC - perhaps to run the autoconfig script?
2. Why do I not see the RPC connections in the logs of the ISA box even though my network guy does? Is this because of the fact that the RPC comms are at too low a level?
lastly
3. Is there anything I can do to stop the FW client using RPC?
Thanks
RE: Firewall Client and RPC - 11.May2005 7:59:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
The Firewall Client functions "similar" to RPC - the client tells the ISA Server, I need to make a connection to %ExternalServer% on port 5900, for example. ISA tells the client - connect to me on port 27000 for future data transmission with %ExternalServer%.
There is no way to restrict the firewall client port range as we do with RPC.
RE: Firewall Client and RPC - 11.May2005 10:16:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by big_dazza: Tom,
me again!
My network guys have put a hardware FW between ISA and the LAN FW clients. Whenever we load apps like Yahoo Messenger and ICQ from the FW clients, our network guy sees random high number port connections between the client and the ISA box. If I turn off the FW client, the apps go straight to the Internet and the logs show that they don't use any high number ports.
Three questions:
1. does the fw client use RPC - perhaps to run the autoconfig script?
2. Why do I not see the RPC connections in the logs of the ISA box even though my network guy does? Is this because of the fact that the RPC comms are at too low a level?
lastly
3. Is there anything I can do to stop the FW client using RPC?
Thanks
Hi BD,
Ha! Your network guys are a trip. Sounds like a Three Stooges movie: they have no idea what the protocols are that they're working with, they have no idea why they're placing a "hardware" firewall where they're placing it, and I have to wonder if they even understand what firewalls do and how they work.
Man, I do *not* envy you having to work with those guys.
Thanks! Tom
RE: Firewall Client and RPC - 11.May2005 11:28:00 PM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
ClintD,
is this documented anywhere?
RE: Firewall Client and RPC - 12.May2005 12:26:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Not anywhere that I could find quickly - you can take a network capture of it and use Ethereal to view it - Ethereal knows how to break apart the packets (unlike MS' Network Monitor) so you can understand what's going on.
RE: Firewall Client and RPC - 12.May2005 10:06:00 AM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
Any theories as to why it does this? If it wants to connect to %externalserver% on port 5000, why doesn't it talk to ISA on port 5000, or at least via 1745?
Also, any ideas why I don't see this going on in the ISA monitoring?
Thanks for your help BTW
RE: Firewall Client and RPC - 12.May2005 10:42:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
In order to prevent the firewall service from being unable to respond adequately to FWC requests on TCP 1745, it just switches communication over to an ephemeral port for data transfer - it's very similar to passive mode FTP.
As for monitoring, it just shows up as the protocol "un-wrapped" from the FWC control/data channel - I wish there was some indicator, like parentheses, brackets, etc., to indicate the traffic is FWC originated, but unfortunately not.
RE: Firewall Client and RPC - 12.May2005 12:16:00 PM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
Thanks a lot. If you know of a way we can restrict these high number ports to (at least) a specified range please let me know.
Thanks for your help
RE: Firewall Client and RPC - 13.May2005 5:21:00 PM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
ClintD
I still can't see this "un-wrapped" log entry. Where do I look, when, etc.
Can you post an example?
Thanks
RE: Firewall Client and RPC - 14.May2005 12:23:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It will just show up as the protocol that is being used - edit the filter to monitor live and filter based on the client IP address and you should see the traffic.
RE: Firewall Client and RPC - 16.May2005 6:21:00 PM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
ClintD
thanks for your response again, but I still just can't see this traffic. Perhaps I am just being a dunce! I would be reeeeeally grateful if you could log this activity on your ISA box, copy just the one record showing this discussion to your clipboard and paste it on a post here.
Perhaps it's in my logs but I'm missing it
Sorry to be a (useless) pain!
RE: Firewall Client and RPC - 16.May2005 7:20:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You're not going to see this in the ISA console - you'll need to take network captures to see the Firewall Client mechanism at work. By the time it shows up in the Logging function, it's just normal traffic. [ May 16, 2005, 07:21 PM: Message edited by: ClintD ]
RE: Firewall Client and RPC - 17.May2005 9:13:00 AM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
Ah! I see. Thanks.
RE: Firewall Client and RPC - 20.May2005 7:08:00 AM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
ClintD
you said in an earlier reply to this post that the ephemeral ports are used "In order to prevent the firewall service from not being able to respond adequately for FWC requests on TCP 1745". But WP clients all use port 8080/80 and that seems OK. Could there be a different reason why MS chose to have ephemeral port usage with FW clients?
Thanks
RE: Firewall Client and RPC - 21.May2005 8:21:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I'm sure there could be, but I don't know of any for certain. Typically WinSock apps open up a lot more ports than Web Proxy clients do, and in addition, secondary connections - again, FTP is a great example.
Not to be too blunt, but does it really matter? This is how the Firewall Client works - you could get on the Microsoft ISA server newsgroups and ask one of the developers why they designed it this way, but it is how I've described it - your call with PSS (where I used to work) just confirmed what I already told you. [ May 21, 2005, 08:23 PM: Message edited by: ClintD ]
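Added example, not from the thread and not Microsoft's code: the exchange ClintD describes in his 12 May and 21 May replies (the client opens the TCP 1745 control channel, ISA then tells it to connect back on an ephemeral port for the data, much like passive FTP) leaves a recognisable pair of flows in the logs of a firewall sitting between the clients and the ISA box, which is exactly where big_dazza's network team is seeing the "random high ports". The script below correlates constructed flow records of that shape: a high-port connection to ISA is attributed to the Firewall Client when the same client opened TCP 1745 shortly before it, and to RPC when it was preceded by a TCP 135 endpoint-mapper connection instead, which is the check that answers the original "is this RPC?" question. The ISA address, the record format and every flow are constructed for the example.

```python
"""Correlate flow records from a firewall between LAN clients and ISA to
explain Firewall Client high-port connections. Added example, not part of the
forum thread; the record format, addresses and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

ISA_IP = "10.0.0.1"            # constructed address of the ISA internal interface
FWC_CONTROL_PORT = 1745        # Firewall Client control channel (TCP 1745, from the thread)
RPC_EPM_PORT = 135             # MS-RPC endpoint mapper: real RPC clients talk to this first
WEB_PROXY_PORTS = {80, 8080}   # Web Proxy client ports mentioned in the thread
CORRELATION_WINDOW = timedelta(seconds=30)

# Constructed flow records: time src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
2005-05-11T18:20:01 192.168.1.20 3021 10.0.0.1 1745
2005-05-11T18:20:02 192.168.1.20 3022 10.0.0.1 27000
2005-05-11T18:20:05 192.168.1.20 3023 10.0.0.1 31876
2005-05-11T18:20:30 192.168.1.21 1105 10.0.0.1 135
2005-05-11T18:20:31 192.168.1.21 1106 10.0.0.1 49155
2005-05-11T18:21:10 192.168.1.22 2001 10.0.0.1 8080
2005-05-11T18:25:00 192.168.1.23 4000 10.0.0.1 40000
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append({"time": datetime.fromisoformat(ts), "src": src,
                      "sport": int(sport), "dst": dst, "dport": int(dport)})
    return flows


def classify_flows(flows, isa_ip=ISA_IP, window=CORRELATION_WINDOW):
    """Label each flow to the ISA box.

    A high-port flow is attributed to the Firewall Client only when the same
    client opened the TCP 1745 control channel within `window` before it; a
    high-port flow preceded by TCP 135 is RPC (dynamic endpoint). Anything
    else on a high port is left as unexplained for a human to look at.
    """
    last_control = {}   # client ip -> time of its most recent TCP 1745 flow
    last_epm = {}       # client ip -> time of its most recent TCP 135 flow
    labels = []
    for f in sorted(flows, key=lambda r: r["time"]):
        if f["dst"] != isa_ip:
            label = "other"
        elif f["dport"] == FWC_CONTROL_PORT:
            last_control[f["src"]] = f["time"]
            label = "fwc-control"
        elif f["dport"] == RPC_EPM_PORT:
            last_epm[f["src"]] = f["time"]
            label = "rpc-endpoint-mapper"
        elif f["dport"] in WEB_PROXY_PORTS:
            label = "web-proxy"
        elif f["dport"] > 1024:
            ctl = last_control.get(f["src"])
            epm = last_epm.get(f["src"])
            if ctl is not None and f["time"] - ctl <= window:
                label = "fwc-data"
            elif epm is not None and f["time"] - epm <= window:
                label = "rpc-dynamic"
            else:
                label = "unexplained-high-port"
        else:
            label = "other"
        labels.append((f["src"], f["sport"], f["dport"], label))
    return labels


def summarize(labels):
    """Count flows per label, the one-line answer for the security admins."""
    counts = defaultdict(int)
    for *_, label in labels:
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    result = classify_flows(parse_flows(SAMPLE_FLOWS))
    for src, sport, dport, label in result:
        print(f"{src}:{sport} -> {ISA_IP}:{dport}  {label}")
    print(summarize(result))
```

The 30-second window is a heuristic: a client that keeps its TCP 1745 session open for a long time and negotiates further data channels later would need connection state (SYN/FIN tracking) rather than a time window. As ClintD points out, this correlation has to be run on the intermediate firewall's records or on a capture, because ISA's own log only shows the un-wrapped protocol.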
RE: Firewall Client and RPC - 24.May2005 9:09:00 AM
big_dazza
Posts: 449
Joined: 24.Apr.2003
Status: offline
I know. You're preaching to the converted. I'm having issues with our sec admin guys accepting all of this, and I want to be armed to the teeth when making points, that's all.