Welcome to ISAserver.org


Publishing Symantec AV Corp to DMZ

Publishing Symantec AV Corp to DMZ - 28.Mar.2008 1:24:39 PM
BlakeD

 

Posts: 22
Joined: 8.Mar.2004
From: Okmulgee, OK
Status: offline
I have several servers in a DMZ located off an ISA 2004 server.  I also have a Symantec AV / Control Center server internally that manages all my client machines.  I want to be able to publish (I'm assuming this is a publish action, not a simple access one like I originally thought) the Symantec Control Center to the DMZ machines so they can get their updates, report issues, etc....

I have seen the article from Steve Moffat at www.isaserver.bm.  I have previously used this to allow the ISA server to have SAV installed (but have since removed SAV from the server based on a blog post from Tom).

I have an access rule set up allowing the 7 protocols listed on Steve's article from & to my DMZ test server and my internal SAV server.  It's no joy.  I'm seeing Intel PDS Service (TCP 2967) and Symantec Msgsys (TCP 38293) traffic from my test server bound for my internal server, but it is being denied by the default rule.

Can one of you shed light on how to allow an SAV 10.x client in a DMZ access through ISA to an internal SAV server?

Thanks!
--Blake
Post #: 1
RE: Publishing Symantec AV Corp to DMZ - 28.Mar.2008 1:33:23 PM
Jason Jones

 

Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Not you again!

What network relationship do you have between the DMZ and the LAN?

If it is a route relationship, there is no value in using publishing rules unless there is an application filter that you can enable via server publishing. Therefore you may just as well use access rules.

Some of the filters (like RPC) still kick in even with access rules, but many of the others only come into play when publishing...

If you are using an access rule, I see no reason why the rules shouldn't be the same as for SAV on ISA (which you got working) just with a different source (the DMZ host). With access rules, the protocols will need to be defined as "outbound"; with server publishing they will need to be defined as "inbound".

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to BlakeD)
Post #: 2
RE: Publishing Symantec AV Corp to DMZ - 28.Mar.2008 5:33:11 PM
BlakeD

 

Posts: 22
Joined: 8.Mar.2004
From: Okmulgee, OK
Status: offline
Okay, the rule is set up as an access rule.  It's allowing the Intel PDS Service (defined as 2967 TCP-Out & 2967 UDP-Send) along with the other 6 protocols.  It is allowing these protocols both FROM and TO my internal SAV and my test DMZ server (explicit computer objects in ISA identified by IP).  The rule is enabled; the action is allow; it is open to all users; 24x7 schedule, and is allowing all content types.

When I attempt to move the test server's computer object into an assigned group in the Symantec System Center, I get traffic identified in the ISA monitoring tab.  I am monitoring with filters of "Log Time = Live", "Client IP = (my Internal SAV Server)", and "Destination IP = (My DMZ Test Server)".  I see three packets - They are from my Internal server to my test server, and are identified as the Intel PDS Service protocol.  They are being denied via the Default Rule.

Okay, I'm confused as to why this is failing....

---Blake

**** MODERATORS - Can you move this to the Access Policy forum, since this is not a publishing issue?   Thanks! ****

< Message edited by BlakeD -- 28.Mar.2008 7:33:05 PM >

(in reply to Jason Jones)
Post #: 3
