Welcome to ISAserver.org
SecureNAT client and packet filtering
SecureNAT client and packet filtering - 29.Aug.2003 6:28:00 PM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Hi,
My customer has a problem. They use ISA server as a simple firewall. No publishing, no inbound access, no caching. ISA server stands in between the internet and the LAN. Local users (SecureNAT clients) browse the internet, check mail etc. No DNS server is installed in the local network - they use an external one. Everything worked fine until they decided to enable packet filtering. If packet filtering is enabled, it is impossible to browse the web from internal computers, but it is possible to use any other protocol. I've checked the configuration and didn't find anything strange. Everything is done according to Tom's book or articles on your site. It seems that something goes wrong with DNS, but I cannot find what exactly. I have no experience in using ISA in such an environment (I mean for such a simple task). All my installations are used only for internal Web server publishing. So, I can't identify the problem. I saw some similar posts on this forum, but still can't find where else to look. The configuration is classic, the interfaces are configured according to all recommendations, the protocol rule and site&content rule allow all protocols and all traffic, and the LAT and client address set are correct. But if the packet filter is enabled it is impossible to browse the Web. They told me that sometimes a few computers can browse the Web with packet filtering enabled, but only a few computers, without any explanation. Sometimes one, sometimes another one can browse, but generally no one can browse with packet filtering. Strange.
RE: SecureNAT client and packet filtering - 1.Sep.2003 10:49:00 AM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Thank you Stefaan for the reply.
Configuration:

1. ISA server with 3 interfaces:
   214.19.123.112 - external
   172.16.0.254 - internal No 1 (LAN 1)
   192.168.0.254 - internal No 2 (LAN 2)

2. ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : company01
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter 192.168.0.254:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 S Desktop Adapter
        Physical Address. . . . . . . . . : 00-02-B3-A3-62-DF
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.254
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter 172.16.0.254:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) 82559 Fast Ethernet LAN on Motherboard
        Physical Address. . . . . . . . . : 00-D0-B7-56-D8-01
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.16.0.254
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter 214.19.123.112:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100+ Management Adapter
        Physical Address. . . . . . . . . : 00-02-B3-0A-DD-F5
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 214.19.123.112
        Subnet Mask . . . . . . . . . . . : 255.255.255.192
        Default Gateway . . . . . . . . . : 214.19.123.65
        DNS Servers . . . . . . . . . . . : 214.19.0.1
        NetBIOS over Tcpip. . . . . . . . : Disabled

3. route print

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    214.19.123.65  214.19.123.112       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.0.0    255.255.255.0     172.16.0.254    172.16.0.254       1
     172.16.0.254  255.255.255.255        127.0.0.1       127.0.0.1       1
   172.16.255.255  255.255.255.255     172.16.0.254    172.16.0.254       1
      192.168.0.0    255.255.255.0    192.168.0.254   192.168.0.254       1
    192.168.0.254  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.0.255  255.255.255.255    192.168.0.254   192.168.0.254       1
    214.19.123.64  255.255.255.192   214.19.123.112  214.19.123.112       1
   214.19.123.112  255.255.255.255        127.0.0.1       127.0.0.1       1
   214.19.123.255  255.255.255.255   214.19.123.112  214.19.123.112       1
        224.0.0.0        224.0.0.0     172.16.0.254    172.16.0.254       1
        224.0.0.0        224.0.0.0    192.168.0.254   192.168.0.254       1
        224.0.0.0        224.0.0.0   214.19.123.112  214.19.123.112       1
  255.255.255.255  255.255.255.255    192.168.0.254   192.168.0.254       1
Default Gateway:     214.19.123.65
===========================================================================
Persistent Routes:
  None

4. LAT

172.16.0.0 - 172.16.0.255
192.168.0.0 - 192.168.0.255

[ September 01, 2003, 07:58 PM: Message edited by: JohnS ]
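The interface layout posted above is the first thing Stefaan checks, and it is the kind of check worth automating when you inherit a multihomed ISA box. The script below is an added example and is not code from the thread or from ISA Server: it parses `ipconfig /all` text (the sample is a transcription of JohnS's adapters, non-IP fields dropped) and flags anything that departs from the layout the thread treats as correct, namely one default gateway and the DNS server list on the external NIC only. The function names are my own.

```python
"""Parse `ipconfig /all` output from a multihomed ISA box and check the NIC layout.

Added example, not from the thread or from ISA Server. The sample text is a
transcription of the adapter settings JohnS posted; the checks encode the
layout the thread treats as correct: one default gateway, on the external
NIC, and DNS servers listed only on that NIC. Function names are my own.
"""
import re

# Constructed from the thread's ipconfig /all post (non-IP fields omitted).
IPCONFIG_SAMPLE = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : company01
        IP Routing Enabled. . . . . . . . : Yes

Ethernet adapter 192.168.0.254:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.254
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

Ethernet adapter 172.16.0.254:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.16.0.254
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

Ethernet adapter 214.19.123.112:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 214.19.123.112
        Subnet Mask . . . . . . . . . . . : 255.255.255.192
        Default Gateway . . . . . . . . . : 214.19.123.65
        DNS Servers . . . . . . . . . . . : 214.19.0.1
"""

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):\s*$")
# "Field name . . . . : value"; the dotted leader is of variable length.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}} from ipconfig /all output.

    Multi-valued fields (DNS Servers) continue on following lines that carry
    only a value, so such lines are appended to the last field seen.
    """
    adapters = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1).strip(), {})
            last_field = None
            continue
        if current is None or not line.strip():
            continue  # global header, or blank separator
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            current.setdefault(last_field, [])
            if value:
                current[last_field].append(value)
        elif last_field:
            current[last_field].append(line.strip())  # e.g. a second DNS server
    return adapters


def check_isa_interfaces(adapters, external):
    """Return findings (empty list = layout matches the one the thread approves).

    The rules: the external NIC carries the only default gateway and the DNS
    server list; internal NICs carry neither.
    """
    if external not in adapters:
        return [f"external adapter {external!r} not found"]
    findings = []
    for name, fields in adapters.items():
        gws = fields.get("Default Gateway", [])
        dns = fields.get("DNS Servers", [])
        if name == external:
            if not gws:
                findings.append(f"{name}: external NIC has no default gateway")
            if not dns:
                findings.append(f"{name}: external NIC lists no DNS servers, so ISA itself cannot resolve names")
        else:
            if gws:
                findings.append(f"{name}: internal NIC must not carry a default gateway ({', '.join(gws)})")
            if dns:
                findings.append(f"{name}: internal NIC lists DNS servers ({', '.join(dns)}); this layout keeps them on the external NIC only")
    return findings


if __name__ == "__main__":
    result = check_isa_interfaces(parse_ipconfig(IPCONFIG_SAMPLE), "214.19.123.112")
    print("OK" if not result else "\n".join(result))
```

Paste real `ipconfig /all` output into `IPCONFIG_SAMPLE` (or read it from a file) and pass the external adapter's name; a second default gateway on an internal NIC, the classic multihomed mistake, comes back as a finding.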
RE: SecureNAT client and packet filtering - 1.Sep.2003 8:00:00 PM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Sorry, I've just edited the previous message. Incorrect 'route print' was posted.
RE: SecureNAT client and packet filtering - 1.Sep.2003 8:53:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi John,
OK, your interface settings, routing and LAT seem to be correct. You said that the internal clients are configured as SecureNAT clients. Because SecureNAT clients must be able to resolve external FQDNs on their own, I assume the DNS settings on the clients contain 214.19.0.1, your ISP/external DNS server. So, may I assume you can resolve external FQDNs on the SecureNAT clients with IP packet filtering enabled?
If the internal clients try to browse the web, do you configure them as Web Proxy clients too, or do you use the HTTP Redirector to send the SecureNAT web requests to the Web Proxy service on ISA? If the clients are configured as Web Proxy clients too, then for those requests ISA performs the DNS resolving on behalf of the client. Therefore ISA must be able to resolve external FQDNs. Check whether the default DNS packet filters are enabled. You should have two DNS packet filters, one for UDP port 53 outbound and one for TCP port 53 outbound. Of course, don't forget to enable IP packet filtering too.
HTH, Stefaan
RE: SecureNAT client and packet filtering - 1.Sep.2003 9:51:00 PM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Hi Stefaan,
Yes, the SecureNAT clients are configured to use the external DNS server 214.19.0.1. They can resolve external FQDNs when IP packet filtering is disabled. If packet filtering is enabled they can't browse. But at the same time they can check their email without problems. It means that mail clients can resolve the POP3 or SMTP servers (mail servers are configured as 'mail.domain.com', 'pop3.domain.com' etc.).
I have two DNS filters, for UDP and TCP port 53. The HTTP Redirector service is enabled also.
I noticed one more thing today. Web browsing works (with packet filtering) if the SecureNAT clients are configured as proxy clients with an external proxy server (the ISP's proxy server). Without packet filtering everything works fine with or without any external proxy server defined.
It seems that something is missing in the ISA configuration, but I still can't find what.
RE: SecureNAT client and packet filtering - 1.Sep.2003 10:07:00 PM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Stefaan,
Thanks for your help. I think we've just found the problem. Your direction was right.
I asked them to check the HTTP Redirector and to choose 'Send to requested Web Server' instead of 'Redirect to local Web Proxy service'. And it works now! My customer doesn't use the cache on ISA. It seems that this setting confused the SecureNAT clients when they were redirected to the local Web Proxy service. I still don't understand why, but now it (I mean HTTP browsing) works with packet filtering enabled.
I'll check the configuration more carefully tomorrow.
Thank you very much indeed.
RE: SecureNAT client and packet filtering - 1.Sep.2003 11:07:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi John,
some questions to better understand your setup:
1) in which mode is ISA server installed: firewall or integrated mode?
2) from a SecureNAT client, can you nslookup external FQDNs with IP packet filtering enabled?
3) from ISA server itself, can you nslookup external FQDNs with IP packet filtering enabled?
4) what protocol and site&content rules do you have in place?
5) are you obliged to use your ISP's proxy server?
Keep in mind that when you set the HTTP Redirector to 'Send to requested Web Server' you are completely bypassing the Web Proxy service on ISA *and* all site&content rules. Check out my article http://www.isaserver.org/tutorials/The_Mystery_of_the_HTTP_Redirector_and_SiteContent_Rules.html for more info.
HTH, Stefaan
RE: SecureNAT client and packet filtering - 2.Sep.2003 1:17:00 PM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Hi Stefaan,
1) in which mode is ISA server installed: firewall or integrated mode?
Firewall mode.
2) from a SecureNAT client, can you nslookup external FQDN's with IP packet filtering enabled?
From a SecureNAT client I can nslookup external FQDNs with IP packet filtering enabled.
3) from ISA server itself, can you nslookup external FQDN's with IP packet filtering enabled?
Oh! No, I can't. And I can't browse from ISA server itself. With packet filtering disabled I can nslookup and browse.
4) what protocol and site&content rules have you in place?
Protocol rules:
RULE1
  Action: Allow
  Protocol: All IP traffic
  Applies to: Client Sets: CLIENT1; CLIENT2 (both internal subnetworks)
  Schedule: Always
  Content: All IP traffic
  Destinations: All

Site & Content rules:
SITERULE1
  Action: Allow
  Applies to: Client Sets: CLIENT1; CLIENT2 (both internal subnetworks)
  Schedule: Always
  HTTP Content: All content groups
  Destinations: All external destinations
5) are you obliged to use your ISP proxy server?
No.
I've checked out your article. Interesting and useful. Thanks for URL. I've never paid serious attention to HTTP Redirector before.
RE: SecureNAT client and packet filtering - 2.Sep.2003 7:44:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi John,
OK, let's begin...
1) That means you have the Firewall service and the Web Proxy service running, but the latter without the caching feature. Right?
2) Very good!
3) Aha... that's a problem to be solved first! You should have two DNS IP packet filters, one for UDP port 53 outbound and one for TCP port 53 outbound. To use IE on ISA itself, make IE a Web Proxy client by entering ISA_Internal_IP_address:8080 in the proxy settings. Keep in mind that ISA resolves DNS names on behalf of the Web Proxy client. Therefore you should first fix the DNS resolving problem.
4) Aha... you are *not* using anonymous rules. That's very good! BUT, if you do that and do *not* configure the clients as Web Proxy clients, then the HTTP Redirector will kick in. However, if the HTTP Redirector is set to 'Redirect to local Web Proxy service', then all authentication information is lost. Therefore the implemented site&content rule will fail. You can check that in the ISA log files. To correct that problem, either allow anonymous requests (all requests), or disable the HTTP Redirector, or make the clients Web Proxy clients too. The latter is of course the recommended configuration.
HTH, Stefaan
[ September 02, 2003, 07:55 PM: Message edited by: spouseele ]
RE: SecureNAT client and packet filtering - 2.Sep.2003 8:19:00 PM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Hi Stefaan,
1. Yes, I have Firewall service and Web Proxy service without caching feature.
2. I have two DNS packet filters - one for UDP port 53 outbound and one for TCP port 53 outbound. But I still can't use IE on ISA, even if I use it as a Web Proxy client, entering ISA_internal_IP_address:8080 in the proxy settings. I can't browse, as ISA can't resolve DNS names when 'Redirect to local Proxy service' is enabled.
3. What do you mean by "anonymous rules"?
I can't make the clients Web Proxy clients too. The clients use different external proxies for different tasks from time to time, so it's impossible to configure their browsers to use ISA as the proxy server.
4. By the way, if I try to make the clients Web Proxy clients, my browser shows:
"Technical Information (for support personnel)
Background: This error indicates that the gateway could not find the IP address of the Web site you are trying to access.
ISA Server: company01
Via: "
It's driving me crazy. I feel that something is incorrect with DNS on ISA, but I still can't find what.
[ September 02, 2003, 08:50 PM: Message edited by: JohnS ]
RE: SecureNAT client and packet filtering - 2.Sep.2003 9:05:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi John,
let's first fix the DNS problem. The DNS IP packet filters should read as follows:
DNS Lookup (UDP):
  IP Protocol: UDP
  Direction: Send receive
  Local Ports: All ports
  Remote Port: Fixed port
  Remote Port number: 53
  Local computer: Default IP addresses on the external interface
  Remote computer: All remote computers

DNS Lookup (TCP):
  IP Protocol: TCP
  Direction: Outbound
  Local Ports: All ports
  Remote Port: Fixed port
  Remote Port number: 53
  Local computer: Default IP addresses on the external interface
  Remote computer: All remote computers

BTW --- an anonymous rule is a rule with "any request" in the Applies To tab.
HTH, Stefaan
RE: SecureNAT client and packet filtering - 3.Sep.2003 8:55:00 AM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Hi Stefaan,
Exactly. Believe me, I already have these two DNS packet filters.
I'm starting to think that there is something wrong with the operating system or ISA server itself. Looks strange. Packet filtering (with the DNS filters enabled) kills DNS lookup on ISA.
[ September 03, 2003, 09:02 AM: Message edited by: JohnS ]
RE: SecureNAT client and packet filtering - 3.Sep.2003 9:27:00 AM
JohnS
Posts: 71
Joined: 10.Aug.2001
Status: offline
Stefaan,
Problem solved!
But I still do not understand what was wrong.
What did I do? I rechecked all packet filters. Everything was OK (as I mentioned before) except one filter. I found an additional DNS lookup filter like this:
DNS Lookup (UDP):
  IP Protocol: UDP
  Direction: Send
  Local Ports: All ports
  Remote Port: Fixed port
  Remote Port number: 53
  Local computer: Default IP addresses on the external interface
  Remote computer: All remote computers
So, they had three DNS lookup filters: one for TCP and two for UDP, one 'Send and receive' (the default ISA filter) and an additional one with 'Send' only. And nothing more.
I deleted this filter. The situation remained the same. Then I disabled all filters and enabled them all. Nothing. Finally we restarted ISA. And what do you think? It works perfectly now!
By the way, ISA was restarted a few times during these days. So, maybe something was wrong with the DNS filter and disabling-enabling-restart helped? I don't know.
Thank you very much indeed, Stefaan. I now understand better how ISA works and ... solved the problem.
Have a good day!
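Stefaan's filter definitions and the stray 'Send'-only UDP filter JohnS found both hinge on how ISA's static packet filters treat direction for the box's own traffic. The model below is an added example, not code from the thread or from ISA Server: it replays a DNS query from ISA's external interface (addresses from the posted configuration) through a small filter engine in which a UDP 'Send receive' filter admits a datagram and its reply, 'Send' admits only the outgoing datagram, and a TCP 'Outbound' filter admits a connection the box opens plus its return segments. Class and function names are my own; SecureNAT client traffic goes through the Firewall service's protocol rules (which the thread shows working) and is not modelled.

```python
"""Model of ISA Server 2000 static IP packet filters for the box's own DNS traffic.

Added example, not code from the thread or from ISA Server. It models the
direction semantics the last posts turn on: a UDP filter set to 'Send receive'
admits an outgoing datagram and the reply to it, 'Send' admits only the
outgoing datagram, and a TCP 'outbound' filter admits a connection the box
opens and its return segments. Addresses come from the posted configuration;
class and function names are my own.
"""
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IP = "214.19.123.112"   # ISA external interface (from the thread)
ISP_DNS = "214.19.0.1"           # ISP DNS server (from the thread)


@dataclass(frozen=True)
class Packet:
    proto: str        # "UDP" or "TCP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PacketFilter:
    """One static filter as entered in the ISA console.

    direction: TCP -> 'inbound' | 'outbound' | 'both'
               UDP -> 'send' | 'receive' | 'both' | 'send receive'
               ('receive send', for inbound-initiated exchanges, is not needed here)
    local_ports / remote_port: None means 'All ports'
    remote_computer: None means 'All remote computers'
    """
    name: str
    proto: str
    direction: str
    remote_port: Optional[int]
    local_ports: Optional[int] = None
    local_computer: str = EXTERNAL_IP
    remote_computer: Optional[str] = None


class FilterEngine:
    def __init__(self, filters):
        self.filters = list(filters)
        # (local_ip, local_port, remote_ip, remote_port) of packets we let out,
        # so 'send receive' and TCP 'outbound' can recognise their replies.
        self.sent = set()

    @staticmethod
    def _endpoints(pkt, outbound):
        if outbound:
            return pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
        return pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port

    def _matches(self, f, pkt, outbound):
        local_ip, local_port, remote_ip, remote_port = self._endpoints(pkt, outbound)
        return (f.proto == pkt.proto
                and f.local_computer == local_ip
                and f.remote_computer in (None, remote_ip)
                and f.local_ports in (None, local_port)
                and f.remote_port in (None, remote_port))

    def allows(self, pkt, outbound):
        """Decide one packet crossing the external interface; False = dropped."""
        key = self._endpoints(pkt, outbound)
        for f in self.filters:
            if not self._matches(f, pkt, outbound):
                continue
            if outbound and f.direction in ("outbound", "send", "both", "send receive"):
                self.sent.add(key)
                return True
            if not outbound and f.direction in ("inbound", "receive", "both"):
                return True
            if not outbound and f.direction in ("outbound", "send receive") and key in self.sent:
                return True   # a reply to something this box sent
        return False


def dns_lookup_roundtrip(engine, proto, local_port=1030):
    """Return (query_allowed, reply_allowed) for one lookup from ISA to the ISP DNS."""
    query = Packet(proto, EXTERNAL_IP, local_port, ISP_DNS, 53)
    reply = Packet(proto, ISP_DNS, 53, EXTERNAL_IP, local_port)
    return engine.allows(query, outbound=True), engine.allows(reply, outbound=False)


# The two default filters Stefaan lists.
DEFAULT_DNS_FILTERS = [
    PacketFilter("DNS Lookup (UDP)", "UDP", "send receive", remote_port=53),
    PacketFilter("DNS Lookup (TCP)", "TCP", "outbound", remote_port=53),
]
# The extra filter JohnS found.
SEND_ONLY_DNS_FILTER = [PacketFilter("DNS Lookup (UDP) extra", "UDP", "send", remote_port=53)]

if __name__ == "__main__":
    for label, filters in (("defaults", DEFAULT_DNS_FILTERS),
                           ("send-only UDP filter alone", SEND_ONLY_DNS_FILTER),
                           ("send-only plus defaults", SEND_ONLY_DNS_FILTER + DEFAULT_DNS_FILTERS)):
        print(label, "UDP:", dns_lookup_roundtrip(FilterEngine(filters), "UDP"))
```

With only the 'Send' filter the query leaves but the answer is dropped, which is exactly a resolver that times out on ISA while SecureNAT clients (whose DNS does not pass through these static filters) keep working. With the extra filter alongside the two defaults the reply still gets in, which agrees with JohnS's observation that deleting it changed nothing; the thread ends without establishing why a restart was needed, and this model does not claim to.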