IM going out through ISA
IM going out through ISA - 11.Dec.2002 12:36:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
I am experiencing an issue with IM. We are beta testing intranet IM communications. Here is the setup. Both internal and external clients can log in and see each other. External users can send messages to internal users successfully. Internal users can send to each other successfully. The problem is that internal users cannot send messages to external users, even though they are visible to each other as "on-line". We have Exchange 2k SP3 behind ISA SP1. E-mail flows fine. OWA works well and all websites are available with no problems. Any ideas? I am going to also post in www.msexchange.org. Feel free to contact me with any other questions.
Thanks,
Mike
RE: IM going out through ISA - 11.Dec.2002 7:45:00 PM
Guest
I had the same problem. I could detect presence but not send messages. I resolved it by setting up a packet filter allowing in and outbound packets for dynamic ports. (Presence is detected on port 80 but messages are sent from and to dynamic ports).
...BUT! My server is sitting right on the internet! Is this a BIG security risk or just a small one????
RE: IM going out through ISA - 11.Dec.2002 8:29:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
Is the ISA directly on the Internet? or the Exchange box? If ISA, that is OK. If Exchange, that is a BIG NO-NO.
Thanks,
Mike
RE: IM going out through ISA - 12.Dec.2002 1:16:00 AM
Guest
Well both actually. ISA and Exchange installed on one machine.
ISA is in firewall mode and I basically am using packet filtering to control access. Everything is shut except port 80 (IIS patched + exchange sp3) and the dynamic ports. (A port scan shows as much).
But can someone slip in through a port above 1024 and cause mischief? What service would be most susceptible in this fashion? IM via IIS?
I can conceptually understand the services on lower open ports being vulnerable but don't quite understand the mechanism for escalating privileges via unprivileged ports.
RE: IM going out through ISA - 12.Dec.2002 1:24:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jackrabbit,
Many trojans install on high ports and can take advantage of static packet filters. However, I'm not sure how you created a packet filter to allow all high ports outbound. Did you create one from source ALL to remote Dynamic? If so, you're not fully utilizing the security that packet filtering offers.
What protocols does the IM'er use? Does it accept connections on TCP 80? Are there any secondary connections?
Thanks! Tom
RE: IM going out through ISA - 12.Dec.2002 3:46:00 AM
Guest
In the packet filter I created two filters on the ISA server. The first allows port 80 in and out. The second allows:
TCP, in both directions, local ports: dynamic, remote ports: all
Apparently the windows messenger through exchange uses RVP protocol (which as far as I can tell is fancy HTML/XML).
After the initial connection through port 80 the client and server seem to establish a connection from 10237 to 1078 (or whatever random high ports) and the actual text messages pass through here.
hmmm... could I maybe try to set the server up as a firewall client and allow HTTP traffic to pass instead of using packet filters???
RE: IM going out through ISA - 12.Dec.2002 12:45:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
After some investigation last night and this morning, I have more information. I tried configuring the internal MSN client as a FW client, no luck. I ran netmon on the mail server and I found that the mail server could not make the connection back to the external client. I double checked the logs on both the Ex2k box and ISA. There are no errors. ISA does show the External client coming in but does not show Ex2k replying. As the Exchange box knows where the remote client is, this seems to be an ISA issue. ISA seems to be losing the NAT for the IM clients that are external. Internal clients never see the ISA. Any thoughts?
Thanks,
Mike
RE: IM going out through ISA - 12.Dec.2002 2:14:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
I created a VPN connection and logged in. I was still unable to send a message to the external client (who is VPN connected, can see resources and connect to the IM service). Any ideas? I will try to temporarily connect the Ex2k server directly to the Internet as the final determination of whether ISA is the actual problem.
Thanks,
Mike
RE: IM going out through ISA - 12.Dec.2002 4:11:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
OK, but the issue is that internal IM clients can authenticate, log on and communicate internally with no problem. External IM clients can authenticate and log on with no problems. External can also send a message to internal with no problem. As soon as an internal tries to either respond or send an IM message to an external client, the message fails. The external client does not receive the message and an error occurs on the internal client that says "The message could not be sent to all recipients". I tried the fix from MS (Q281610) to no avail. I am just trying to track down the failure.
Thanks,
Mike
RE: IM going out through ISA - 12.Dec.2002 6:15:00 PM
Guest
Yes. That's all very interesting.
But the important thing to determine here is whether an Exchange server that serves only IM clients on the internet can be protected with packet filters exclusively.
RE: IM going out through ISA - 12.Dec.2002 11:34:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
Dr. Shinder & rabbit, After putting the Ex2k box directly, the same issue happened. This is definitely an Exchange problem. Apparently, Exchange is losing the credentials on the external login as the event viewer has the "16387" error. I think the problem is the way Exchange is trying to communicate back to the remote client. This is definitely not an ISA issue (so ISA is doing exactly as it is supposed to do). I thought that ISA was the culprit as there are no other issues with the Ex2K server. I will see what else I can find out.
Thanks for the help
Mike
RE: IM going out through ISA - 13.Dec.2002 5:14:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
Finally got the connections, etc. to work. I found a document buried at Microsoft that detailed polling and ports. There was a configuration issue on Exchange, ISA & the external clients. Go to http://www.decossas.com/impoll.htm to see the document. Basically though, ISA did work as it was supposed to on the security side of the IM configuration. If anyone has any questions, feel free to e-mail me as I have a lot of documentation on IM services now.
Thanks to everyone that helped with this problem & especially to Dr. Shinder for having this valuable resource available for us.
Thanks,
Mike
RE: IM going out through ISA - 13.Dec.2002 7:54:00 PM
Guest
Thanks for the link! Very helpful.
Based on that it seems hard to make server publishing rules.
Assuming that the RVP protocol can pass as HTTP, then web publishing on port 80 would be a start. But the reverse connections from the high ports still have to happen. Maybe that could be accomplished by making the server a proxy or firewall client....
RE: IM going out through ISA - 14.Dec.2002 3:15:00 AM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
Actually, on my configuration, the server is only a SecureNAT client. No proxy or FW client. The internal DNS forwards unknown domains to an Internet DNS server. I did have to open the file transfer ports (6891-6900 outbound) as well as the dynamic inbound and outbound range. I think the biggest thing is the registry edit on the Exchange box. Don't forget the mods to the client registry. I will test that portion out on another external client probably next week and post the results here. Let me know if you need any other info on the IM stuff.
Thanks,
Mike
RE: IM going out through ISA - 16.Dec.2002 9:14:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by kb5oze: Finally got the connections, etc. to work. I found a document buried at Microsoft that detailed polling and ports. There was a configuration issue on Exchange, ISA & the external clients. Go to http://www.decossas.com/impoll.htm to see the document. Basically though, ISA did work as it was supposed to on the security side of the IM configuration. If anyone has any questions, feel free to e-mail me as I have a lot of documentation on IM services now.
Thanks to everyone that helped with this problem & especially to Dr. Shinder for having this valuable resource available for us.
Thanks,
Mike
Hi Mike,
Thanks! Great stuff.
Tom
RE: IM going out through ISA - 16.Dec.2002 9:19:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by kb5oze: Actually, on my configuration, the server is only a SecureNAT client. No proxy or FW client. The internal DNS forwards unknown domains to an Internet DNS server. I did have to open the file transfer ports (6891-6900 outbound) as well as the dynamic inbound and outbound range. I think the biggest thing is the registry edit on the Exchange box. Don't forget the mods to the client registry. I will test that portion out on another external client probably next week and post the results here. Let me know if you need any other info on the IM stuff.
Thanks,
Mike
Hi Mike,
So you did this:
Create ten protocol definitions, each with a primary connection on one of the ports in the 6891 to 6900 range, TCP outbound, and then create a protocol rule that includes these ten protocol definitions
then, you did:
Create a protocol definition with a specific TCP port outbound (which one?) and then 1024-65534 inbound for secondary connections?
Thanks! Tom
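An added illustration, written for this page rather than taken from the thread or from ISA Server, of the distinction Tom draws in his two posts above: a static packet filter of the "local dynamic, remote all" kind admits any inbound packet to a high port, while a protocol definition with a primary outbound connection and secondary inbound connections only admits high-port traffic from a peer that already has a primary session. The port numbers (1863, 10237, 1078, the 1024-65534 secondary range) come from the thread; the IP addresses are constructed sample values, and the stateful rule is a simplified model, since real ISA secondary-connection tracking is per session rather than per peer address as assumed here.

```python
# Toy model, not ISA Server code: contrast a stateless packet filter with a
# stateful "primary + secondary connection" rule on the same packet sequence.
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)
DYNAMIC_PORTS = range(1024, 65535)   # 1024-65534, the range quoted in the thread


@dataclass(frozen=True)
class Packet:
    """A TCP packet seen at the firewall's external interface."""
    direction: str    # "in": Internet -> local host, "out": local host -> Internet
    remote_ip: str
    remote_port: int
    local_port: int


class StaticFilter:
    """Stateless filter: each packet is judged on its ports alone, so an
    unsolicited inbound packet to a high port is indistinguishable from the
    reply leg of a legitimate session."""

    def __init__(self, local_ports, remote_ports):
        self.local_ports = local_ports
        self.remote_ports = remote_ports

    def allows(self, pkt):
        return pkt.local_port in self.local_ports and pkt.remote_port in self.remote_ports


class PrimarySecondaryRule:
    """Stateful rule (simplified, assumption: tracked per peer address):
    inbound packets to the secondary range are accepted only from a peer
    that has already opened the primary outbound connection."""

    def __init__(self, primary_port, secondary_ports):
        self.primary_port = primary_port
        self.secondary_ports = secondary_ports
        self.peers = set()   # remote IPs with an established primary connection

    def allows(self, pkt):
        if pkt.direction == "out" and pkt.remote_port == self.primary_port:
            self.peers.add(pkt.remote_ip)     # primary connection opened
            return True
        if pkt.direction == "in" and pkt.local_port in self.secondary_ports:
            return pkt.remote_ip in self.peers
        return False


# Constructed sample traffic (TEST-NET addresses); ports follow the thread.
SAMPLE_TRAFFIC = [
    Packet("in", "203.0.113.9", 4444, 10237),    # unsolicited probe of a high port
    Packet("out", "198.51.100.7", 1863, 3051),   # IM server opens its primary connection
    Packet("in", "198.51.100.7", 1078, 10237),   # that peer's secondary connection back
    Packet("in", "203.0.113.9", 1078, 10237),    # same port, but from a stranger
]


def compare(packets):
    """Run one packet sequence through both policies; fresh state each call."""
    static = StaticFilter(DYNAMIC_PORTS, ALL_PORTS)              # Jackrabbit's filter
    stateful = PrimarySecondaryRule(1863, DYNAMIC_PORTS)         # Tom's protocol definition
    return [(p, static.allows(p), stateful.allows(p)) for p in packets]


def decisions(packets=SAMPLE_TRAFFIC):
    """Return (static_decisions, stateful_decisions) for the sequence."""
    results = compare(packets)
    return [s for _, s, _ in results], [f for _, _, f in results]


def unsolicited_accepts(packets=SAMPLE_TRAFFIC):
    """Inbound packets the static filter accepted but the stateful rule did not:
    exactly the high-port exposure Tom warns about."""
    return sum(1 for p, s, f in compare(packets) if p.direction == "in" and s and not f)


if __name__ == "__main__":
    for p, s, f in compare(SAMPLE_TRAFFIC):
        print(f"{p.direction:3} {p.remote_ip}:{p.remote_port} -> :{p.local_port}"
              f"  static={'allow' if s else 'drop'}  stateful={'allow' if f else 'drop'}")
    print("unsolicited high-port accepts under the static filter:", unsolicited_accepts())
```

Run as a script, it lists each sample packet with both verdicts: the static filter passes all four, including the two probes from 203.0.113.9, while the stateful rule passes only the primary connection and the secondary connection from the peer that opened it.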
RE: IM going out through ISA - 17.Dec.2002 12:02:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
Hi Tom, The port is 1863 outbound with the secondary ports at the other 2. I still have more research to do as I still have a lot of test configurations in the mix and I want to make sure that they are not having any effect. As I go through them I will post the results here. Thanks for the great site!
Thanks,
Mike
RE: IM going out through ISA - 17.Dec.2002 12:15:00 PM
kb5oze
Posts: 20
Joined: 18.Apr.2002
From: New Orleans, La
Status: offline
Hi Tom, Just for the heck of it, I spent a little time removing the test configurations. The inside clients MUST be FW clients for the IM to work. I still don't understand how IM is communicating. The Exchange server doesn't care if it is a FW client or not as long as it is a SecureNAT client. This is kind of odd. Any ideas about this? Also, the external clients can get in regardless of the configuration of the interior clients.
Thanks,
Mike