Protocols work under SNAT, but not under FWC

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Protocols work under SNAT, but not under FWC Page: [1]
Protocols work under SNAT, but not under FWC - 6.Nov.2002 2:15:00 PM
IStewart
Posts: 22
Joined: 7.Oct.2002
Hi all,

I'm having a bit of trouble figuring this out, so I thought I'd check with everyone here, who, through their posts and tutorials, has already answered a lot of my questions.

We run a single ISA server, which is part of our domain, and publish a few websites and email servers through it (a mix of web publishing and server publishing), and initially set everyone as a secure NAT client, just to make the rollout easier, as we are a mix of 2000/98 machines. Now, I'd like to move to the firewall client, which will streamline authentication to the Web Proxy client, which I'd like to require authorization for (and thus keep track of users' Internet access).

My trouble is this. We've configured a few extra protocol rules so that specific destination sets (defined by IP, currently) can access a few things outside the Allow Internet Access rule, such as Terminal Services or POP3. When the client is a secure NAT client, everything works fine. But if you install the firewall client, you're still able to get the basic internet access rules, but none of the extra protocols are working. Right click and disable the FWC, and you can use the extra protocols again.

I'm not sure if this is related, but just to be complete -- VPN is activated on the ISA server.

Thanks in advance,
Ian
Post #: 1
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 6:44:00 PM
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Ian,

This situation indicates to me that the DNS configuration on the ISA Server is incorrect. Also, if VPN connections break your Internet connections for internal network clients, that indicates your ISA Server is also a DC.

HTH,
Tom

(in reply to IStewart)
Post #: 2
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 7:12:00 PM
IStewart
Posts: 22
Joined: 7.Oct.2002
Hi Tom,

Thanks for the reply. I read your book by the way -- very well done.

ISA is not a DC, although it is a member of the domain. ISA has two cards, one internal, one external. The internal card resolves DNS queries on our internal DNS servers. Those internal DNS servers are configured to resolve anything they don't have by means of forwarders, to external DNS servers provided by our ISP. Looking at the cache on our internal DNS servers, I'm pretty confident all DNS requests are being resolved on our internal servers.

Just for redundancy, ISA also has external DNS servers configured on its external card. In network connections /advanced options, the internal connection is given priority over the external connection.

As to the VPN, it's only allowed for Domain Admins, of which all 3 of us are in the building, and aren't using VPN during the day.

Anywhere else you suggest I look?

(in reply to IStewart)
Post #: 3
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 7:15:00 PM
IStewart
Posts: 22
Joined: 7.Oct.2002
Just to add a few details:

ISA is in Firewall Mode.

Clients are configured with all 3: SNAT, FWC, and Web Proxy.

Latest service pack and hotfixes applied.

(in reply to IStewart)
Post #: 4
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 7:17:00 PM
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi IW,

I would check the Protocol Rules and make sure the users have permissions to use the Protocols. Also, check the Firewall service log and check the error codes on the client requests. Make sure you also log Rule#1 and Rule#2 in the log files.

Thanks for the compliments on the book! [Big Grin]

Tom

(in reply to IStewart)
Post #: 5
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 7:40:00 PM
IStewart
Posts: 22
Joined: 7.Oct.2002
Ok. Log files!

Test: POP3 email.

Protocol: Allow SMTP, POP3
Client Set: IW-Stewart (my PC's static IP)

Unsuccessful attempt with FWC on:

10.200.#.# istewart msimn.exe:3:5.0 N 2002-11-06 18:40:07 fwsrv 0FW-ISA - - 64.8.50.43 110 - - - 110 TCP Connect - - - 0 - IS-IStewart Ports Allow rule 8 89

Successful attempt with FWC disabled:


(in reply to IStewart)
Post #: 6
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 7:44:00 PM
IStewart
Posts: 22
Joined: 7.Oct.2002
Successful with FWC Disabled:

10.200.#.# - - N 2002-11-06 18:47:56 fwsrv 0FW-ISA - - 64.8.50.43 110 130 - - 110 TCP Connect - - - 0 - IS-IStewart Ports Allow rule 37 246


(in reply to IStewart)
Post #: 7
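An added parser (not from the thread or from ISA Server) for the two firewall-service records posted above, to show what the log actually distinguishes: both requests matched the same rule with result code 0, but the Firewall Client attempt never accumulated time or bytes, which suggests the connection was accepted by ISA and then went nowhere rather than being refused by a rule. The field order is assumed from the ISA Server 2000 W3C firewall log format; the two lines are the thread's, and multi-word values are re-joined because the forum collapsed the log's tab separators to spaces.

```python
import re

# Field order assumed from the ISA Server 2000 firewall-service W3C log format.
# The first 16 fields never contain spaces; the remainder is matched by pattern
# because "TCP Connect" and the rule names arrive as several space-separated words.
HEAD_FIELDS = ["c_ip", "c_username", "c_agent", "sc_authenticated", "date", "time",
               "s_svcname", "s_computername", "cs_referred", "r_host", "r_ip",
               "r_port", "time_taken", "sc_bytes", "cs_bytes", "cs_protocol"]
TAIL_PATTERN = re.compile(
    r"^(?P<s_operation>.+?) (?P<cs_uri>\S+) (?P<cs_mime_type>\S+) "
    r"(?P<s_object_source>\S+) (?P<sc_status>\d+) (?P<s_cache_info>\S+) "
    r"(?P<rules>.+) (?P<sessionid>\d+) (?P<connectionid>\d+)$")

# The two records as posted in the thread (source address masked as in the post).
FWC_ATTEMPT = ("10.200.#.# istewart msimn.exe:3:5.0 N 2002-11-06 18:40:07 fwsrv 0FW-ISA "
               "- - 64.8.50.43 110 - - - 110 TCP Connect - - - 0 - "
               "IS-IStewart Ports Allow rule 8 89")
SNAT_ATTEMPT = ("10.200.#.# - - N 2002-11-06 18:47:56 fwsrv 0FW-ISA "
                "- - 64.8.50.43 110 130 - - 110 TCP Connect - - - 0 - "
                "IS-IStewart Ports Allow rule 37 246")


def parse_fwsrv_line(line):
    """Return the record as a dict; raise ValueError if the line does not fit the format."""
    tokens = line.split(maxsplit=len(HEAD_FIELDS))
    if len(tokens) != len(HEAD_FIELDS) + 1:
        raise ValueError("too few fields: %r" % line)
    match = TAIL_PATTERN.match(tokens[-1])
    if match is None:
        raise ValueError("unrecognised trailing fields: %r" % tokens[-1])
    record = dict(zip(HEAD_FIELDS, tokens))  # zip stops after the 16 head fields
    record.update(match.groupdict())
    return record


def client_type(record):
    """Only the Firewall Client reports the user and application name to ISA."""
    if record["c_username"] == "-" and record["c_agent"] == "-":
        return "SecureNAT"
    return "Firewall Client"


def triage(record):
    """Assumption: sc_status 0 is success; anything else is the error code Tom asks about."""
    if record["sc_status"] != "0":
        return "denied or failed (code %s)" % record["sc_status"]
    if (record["time_taken"], record["sc_bytes"], record["cs_bytes"]) == ("-", "-", "-"):
        return "allowed by rule, but no data flowed"  # accepted by ISA, never completed
    return "allowed, traffic flowed"


if __name__ == "__main__":
    for line in (FWC_ATTEMPT, SNAT_ATTEMPT):
        rec = parse_fwsrv_line(line)
        print(client_type(rec), "->", rec["r_ip"], rec["r_port"], "|", rec["rules"], "|", triage(rec))
```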
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 10:42:00 PM
IStewart
Posts: 22
Joined: 7.Oct.2002
Hi All

I've managed to solve it.

Here's an interesting fact:

If your ISA external interface is multihomed, secure NAT traffic will always go out the default IP of the ISA server. Meanwhile, Firewall Client traffic will attempt to use the least-used IP.

This can really confuse you if you have a back-to-back firewall configuration, and are very restrictive about what protocols are allowed from what IPs.

Good luck!
Ian

(in reply to IStewart)
Post #: 8
RE: Protocols work under SNAT, but not under FWC - 6.Nov.2002 10:58:00 PM
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Ian,

hmm... that's not what Tom has sorted out! Check out http://www.isaserver.org/tutorials/You_Cannot_Control_the_Source_IP_Address_on_the_External_Interface_of_the_ISA_Server.html

HTH,
Stefaan

(in reply to IStewart)
Post #: 9
