Now, when I have firewall clients, I can connect and do all the stuff configured at protocol definition, like Surf, ftp Icq, mirc and so on...
But I thought when I try some other protocols/program, like Direct connect or ftp at other ports it doesnt work at all.

I have made a some allow things to test this out, but didnt work. This is what I made.

At Protocol rules: Allow all trafics to all dest.
At Site and contant rules: Allow all to all dest.
At Ip packet filter: Allow all from Default external IP adress to any dest.

It seems that my clients using SecureNAT even when I installed FW client.

What have I made wrong?
Please tell if you want more info.

(Do I have my clients in the same NT domain as the ISA?)

/Jimmy

------------------
5 computer network (4 win9x, 1 win2k), HPNA 1mb network, cable modem.

===================================
don't forget to do security tests
---------------------------------

http://www.vulnerabilities.org/analysis.html
http://www.sdesign.com:8080/cgi-bin/fwtest.cgi
http://scan.sygatetech.com/
http://www.dslreports.com/scan
http://www.dslreports.com/secureme (I love this one)

I though that, if I install FW client I didnt have to def. protocols for every single program.

As you can see I have done the same rules as you did, HJB417.

Let me get this straight though, for CS. You can't get it to run even with a firewall client installed?

This is my access policy: http://www.skidmore.edu/~h_blackw/Access%20Policy.jpg

It pretty much gives clients access to all ports and allows them to go to any destination.

------------------
5 computer network (4 win9x, 1 win2k), HPNA 1mb network, cable modem.

===================================
don't forget to do security tests
---------------------------------

http://www.vulnerabilities.org/analysis.html
http://www.sdesign.com:8080/cgi-bin/fwtest.cgi
http://scan.sygatetech.com/
http://www.dslreports.com/scan
http://www.dslreports.com/secureme (I love this one)

I will post my rules when I get home. But Im pretty sure that its simular to yours.

I wonder if its something that refuses my FW client to authent to the ISA?

can anybody send me the protocol definitions, because the link does not work.

maybe has somebody a working link?

thanks for help

[QUOTE]Originally posted by HJB417:

I used the SecureNAT when I first tried ISA and I got my games (CS and Tribes2) working by creating protocol definitions as specified by [URL=http://www.pirnie.org/isaserver/app-ports.shtml]

List Maintained by: Jaime Pirnie
Last Updated: 4/1/2001 @ 11:46 Am PST

Tribes 2
Tribes 2 Patch Server

Primary Connection (1)
Port Number Protocol Type Direction Info
15101 TCP Outbound Patch Server Port


Tribes 2 Authentication Server

Primary Connection (2)
Port Number Protocol Type Direction Info
15104 TCP Outbound Sierra Master Server


Tribes 2 Master ServerList Server

Primary Connection (3)
Port Number Protocol Type Direction Info
15204 TCP Outbound Authentication Server

Secondary Connections (3) Port Number Protocol Type Direction Info
15206 TCP Outbound Authentication Server
15800 TCP Outbound Account Services

Tribes 2 Game/IRC Servers
Primary Connection (4) Port Number Protocol Type Direction Info
28000 UDP Send Receive Tribes2 Master Serv./Game Port

Secondary Connections (4) Port Number Protocol Type Direction Info
27999 UDP Send Receive Tribes2 Master Server
28001-29000 UDP Send Receive GameServer Ports
Special Notes:
Firewall Proxy Client Required: No
*** NOTE: These protocol definitions are not final and they are still under investigation. These are the ports that I have found on my own and are not from the Tribes2 folks. This seems to work for me but I've noticed that it will use different ports at different times of the day. As I get information I will update the data here.
When you get to the "Join" tab and it says "No Servers Found.." just be patient and wait. The servers will come in after a while. If after 3-5 minutes nothing happens try clicking "Refresh List" then wait another 2-3 minutes. If nothing happens then you must have something set up wrong. Check all your ports with those listed above.
You must make four separate protocol definitions for this to work properly.
Some servers will use a primary port other than 28000. This is common when there are more than one server running on a single machine. If you wish to play on a server that uses a different port like 28000, you need to make a new protocol definition just like what is described above using 28000 as the primary connection port number (4) instead of the default 28000.

DirectPlay
Primary Connection
Port Number Protocol Type Direction
47624 TCP Outbound

Secondary Connection
Port Range Protocol Type Direction
2300-2400 UDP Send Receive
2300-2400 TCP Inbound
2300-2400 TCP Outbound
Special Notes:
Firewall Proxy Client Required: Yes
Most Microsoft games use DirectPlay
You must also go to the Firewall Client properties on the ISA Server
Select "Application Settings" tab
You need to make three new entries on this tab:
<exename> RemoteBindUdpPorts 2300-2400
<exename> ServerBindTcpPorts 2300-2400
<exename> KillOldSession 1
where <exename> is the name of the game executable that you are running. You can find this by looking in task manager and looking for the exe name while the game is running. You must do this for each and every DirectPlay game that you want to run through the ISA Server.

You can not host a game inside of the ISA Server. You can only connect to a hosted game on the outside of it.
This has not been tested on The Internet Gaming Zone (Lobby Launch). However if you turn on all rules, it will work. I just dont know what additional ports need to be opened for that. If someone know what they are please let me know.

MSN Messenger (All Features)
Primary Connection
Port Number Protocol Type Direction Info
1863 TCP Outbound Main Chat Port

Secondary Connection
Port Range Protocol Type Direction Info
6891-6900 TCP Inbound File Transfer Ports (Sending)
6891-6900 TCP Outbound File Transfer Ports (Receiving)
Special Notes:
Firewall Proxy Client Required: Yes
You must also go to the Firewall Client properties on the ISA Server:
Select "Application Settings" tab
You need to make one new entry on this tab:
App: msmsgs
Key: NameResolutionForLocalHost
Value: P
This step is just as important as the port numbers for file transfers to work. What this does it this: When MSN Messenger asks the computer it is running on "What is the IP address of this computer?" the system will give it the inside IP. Then when you try to send files to people, the remote client tries to connect to the IP of your inside network. Now we all know that this can never happen. So what you need to do is "fake out" MSN Messenger when it asks for the IP of the local computer. When you have this NameResolutionForLocalHost set, the Firewall Proxy client will give it the IP address of the external interface on the ISA server instead. Now when you try to send files to someone, they get the IP of the ISA server and since you have the secondary ports set up, it forwards the request to your MSN Messenger client and everything just works. :-) Dont forget to have your Firewall client update its settings after you do this so it gets the new information.

To get the Phone dial capabilities to work in MSN Messenger, just make a rule and in that rule include the pre-made protocol definitions for Net2Phone. When you get your rule made, this feature will now work like a charm!

Microsoft Game Voice
Special Notes:
Firewall Proxy Client Required: Yes
Microsoft Game Voice uses Direct Play for communication. Follow the instructions for DirectPlay to get the MS Game Voice to work through ISA Server.
You can not host a MS Game Voice session behind ISA Server

Half-Life
HalfLife Game Server Ports

Primary Connection (1)
Port Number Protocol Type Direction Info
27015 UDP Send Receive Main HalfLife Port

Secondary Connections (1)
Port Range Protocol Type Direction Info
27015-27050 UDP Receive Other HalfLife Game Ports
7002 TCP Outbound Won Authentication Port

HalfLife Server List Port
Primary Connection (2) Port Number Protocol Type Direction Info
27010 UDP Send Receive ServerList Server Port
Special Notes:
Firewall Proxy Client Required: Yes
You must make two separate protocol definitions for this to work properly.
Some servers will use a primary port other than 27015. This is common when there are more than one server running on a single machine. If you wish to play on a server that uses a different port like 27016, you need to make a new protocol definition just like what is described above using 27016 as the primary connection port number (1) instead of the default 27015.

EverQuest
EverQuest Patch Server

Primary Connection (1)
Port Number Protocol Type Direction
7000 TCP Outbound


EverQuest Login/Chat Server

Primary Connection (2)
Port Number Protocol Type Direction
5999 UDP Send Receive

Secondary Connection (2) Port Number Protocol Type Direction
5998 UDP Send Receive

EverQuest World Servers
Primary Connection (3) Port Number Protocol Type Direction
9000 UDP Send Receive

Secondary Connection (3) Port Range Protocol Type Direction
1025-65535 UDP Send Receive
Special Notes:
Firewall Proxy Client Required: Yes
You must make three separate protocol definitions for this to work properly.
I'm not too sure about the range of ports for the secondary (3). This should work, however I would to be more exact on what ports are used here so we don't have to have such a large port range. If anyone knows exactly what ports to use here please let me know.

Starseige Tribes
Starseige Tribes Game Server Ports

Primary Connection (1)
Port Number Protocol Type Direction
28000 UDP Send Receive
Primary Connection (2)

28001 UDP Send Receive
Primary Connection (3)

28002 UDP Send Receive
Primary Connection (4)

28003 UDP Send Receive
Primary Connection (5)

28004 UDP Send Receive
Primary Connection (6)

28005 UDP Send Receive
Primary Connection (7)

28006 UDP Send Receive
Primary Connection (8)

28007 UDP Send Receive
Primary Connection (9)

28008 UDP Send Receive
Special Notes:
Firewall Proxy Client Required: Yes
You must make nine separate protocol definitions for this to work properly.
Some servers will use a primary port other than 28000-28008. This is common when there are more than one server running on a single machine. If you wish to play on a server that uses a different port like 28000-28008, you need to make a new protocol definition just like what is described above using the new port number (28009 for instance) as the primary connection port number instead of 28000-28008.

Internet Gaming Zone
Primary Connection
Port Number Protocol Type Direction
6667 TCP Outbound

Secondary Connection
Port Range Protocol Type Direction
28800-29000 TCP Outbound
Special Notes:
Firewall Proxy Client Required: Yes
This has only been tested using the basic free games that are available on the Zone (chess, checkers, etc).
This may not work when using games like Age of Empires and other DirectPlay games. More ports are needed. I don't know what other ports I need to open to get these DirectPlay games to Lobby Launch from the Internet Gaming Zone. If anyone knows, please let me know.
Some Internet Gaming Zone lobbies will not work with this configuration. The reason for this is that the port numbers for most of the different game lobbies use different port numbers. These port numbers change every time the Zone servers are rebooted so finding the port number of a certain lobby may only work for a short amount of time (until the Zone servers are rebooted). If you want to play on a lobby that doesn't work with the rules above, just make a rule called "All" and allow all IP traffic. You can then turn this on and off as you want to play the game. This is only a workaround and not what I would call a good solution.

Ultima Online
Ultima Online Patch Servers
Primary Connection (1)
Port Number Protocol Type Direction Info
8888 TCP Outbound Main Patch Server Port

Secondary Connections (1)
Port Range Protocol Type Direction Info
9999 TCP Outbound Secondary Patch Server Port


Ultima Online Login/Game Servers

Primary Connection (2)
Port Number Protocol Type Direction Info
7775 TCP Outbound Main Login Server Port

Secondary Connections (2)
Port Range Protocol Type Direction Info
7776-7777 TCP Outbound Secondary Login Server Ports
5001-5010 TCP Outbound Main GameServer Ports
Special Notes:
Firewall Proxy Client Required: Yes
You need to make two separate protocol definitions for this to work. Both are listed above. Make sure that you add both protocols to your rule when you define it.

GameSpy 3D
GameSpy 3D Registration Server
Primary Connection (1)
Port Number Protocol Type Direction
25635 UDP Send Receive


GameSpy Master Server

Primary Connection (2)
Port Number Protocol Type Direction
28900 TCP Outbound
Special Notes:
Firewall Proxy Client Required: No
You need to make two separate protocol definitions for this to work. Both are listed above. Make sure that you add both protocols to your rule when you define it.

Only ports I opened are UDP ports 6112.

I couldn't find anymore info on Blizzards website.

Any help is appreciated! Thanks!

------------------
5 computer network (1 win9x, 4 win2k), HPNA 1mb network, cable modem.

===================================
don't forget to do security tests
---------------------------------

http://www.vulnerabilities.org/analysis.html
http://www.sdesign.com:8080/cgi-bin/fwtest.cgi
http://scan.sygatetech.com/
http://www.dslreports.com/scan
http://www.dslreports.com/secureme (I love this one)

----------