Welcome to ISAserver.org
SecureNat Acts Different in 2004?
SecureNat Acts Different in 2004? - 7.Feb.2004 1:44:00 AM
chad.brown
Posts: 22
Joined: 26.Nov.2003
Status: offline
I asked the question in quotes below on the ISA 2000 boards a couple of days ago with no helpful responses. However, today I began testing ISA 2004 and I noticed my problem went away. Why would this happen? Also, does anyone know of a fix in ISA 2000? Question below:
"I have Cisco 7960 IP phones failing to communicate with an offsite Call Manager. In an attempt to find out what was happening I installed a 7960 emulator on my PC. The funny thing was, everything worked. However, I noticed that it only worked because I had the firewall client enabled. As soon as I disabled the firewall client on my PC, communication failed. Since there is no firewall client for the 7960 I am left wondering what the fix is.
What I did do was create a packet filter opening up everything between my phones and the external Call Manager IP address. Also, I had an "allow all out" protocol rule in place. Still no success.
Any ideas?
BTW - I took one of the 7960's home for testing and everything worked great through my home Linksys firewall." [ February 07, 2004, 01:50 AM: Message edited by: chad.brown ]
RE: SecureNat Acts Different in 2004? - 9.Feb.2004 4:40:00 PM
trebligb
Posts: 94
Joined: 13.Feb.2002
Status: offline
That lack of support for IP phones is a massive problem and will stop a lot of potential deployments. A major request that keeps coming up for us anymore is IP-based phones and phone systems.
How about two way video conferencing between PCs across ISA 2004? This did not work in 2000.
RE: SecureNat Acts Different in 2004? - 9.Feb.2004 7:20:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,
It depends on the protocols used. The H.323 filter is there, but the H.323 gatekeeper isn't there right now. The gatekeeper along with the filter enabled voice/video without the firewall client.
Most IP phones use SIP, so a SIP filter/gateway is required. I hope they are working on this one, because VoIP is only going to get more popular.
thanks! Tom
RE: SecureNat Acts Different in 2004? - 14.Mar.2004 7:05:00 PM
amarshall
Posts: 1
Joined: 14.Mar.2004
From: Philadelphia PA USA
Status: offline
I've spent hours head-banging with this one. If you use Cisco CallManager and vanilla 7940/60 etc. phones, it seems you can't use them through the ISA server. This is because Skinny selects a random UDP port for inbound & outbound audio packets. You can, with some tweaking and port allocation, get call setup to work, but without audio (so not much use there then).
*However* if you use W2K/XP as a client and VPN tunnel into the ISA server, so you get a tunneled inside network IP address, you *can* install Cisco IP SoftPhone 1.3(3) and get it to work exactly as a 7940/60. The downside of this is that you need your client VPN PC to be up & connected to use the phone; however, in most cases that isn't a problem. The upside is that a softphone license and a Clarisys i750H handset is cheaper than a 79x0 anyway and works just as well. The softphone (bizarre though it may seem) also allows you to specify the audio I/O UDP port, so I'm guessing you could make it work with a non-VPN client too, but I haven't tested this yet. I'm also guessing that with a spare NIC card in the client PC, a crossover cable and an IP ROUTE command you could connect a physical 7960 to the tunnel (have to admit I haven't thought this through completely, but it may be worth exploring).
Happy to share the config if anyone is interested
Andrew
RE: SecureNat Acts Different in 2004? - 14.Mar.2004 9:36:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,
So the WinXP client is on the Internal network and VPNs into where?
thanks! Tom
RE: SecureNat Acts Different in 2004? - 19.Mar.2004 6:24:00 AM
TNovak523
Posts: 8
Joined: 26.Feb.2004
From: Warren
Status: offline
Wouldn't ISA 2004 fix this problem? If the phones were on a fixed range of IP addresses, couldn't an all-open filter be set up to support that range of IP addresses? I realize on ISA 2k that was pretty difficult if you wanted authentication on outbound traffic, but ISA 2k4 has those great "All users" groups.
I'm hoping this is the case, 'cause I have an AS/400 that has to communicate using SFTP and ISA 2k just won't work in that situation (no firewall client available) unless you set up a port redirector with the firewall client installed on it, and that only works when the secure channel is initiated on the ISA 2k side.
RE: SecureNat Acts Different in 2004? - 19.Mar.2004 4:52:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi T,
The problem is that SIP applications embed the client IP address in the application layer header in most cases. Because of that, you need the firewall to be app-aware so that it can change the app layer headers, like it does with FTP.
There are also other issues related to connection management. That's why you really need a SIP ALG (application layer gateway [proxy]).
HTH, Tom
RE: SecureNat Acts Different in 2004? - 28.Mar.2004 9:18:00 PM
Guest
SIP/(other VoIP protocols) hardphones cannot be used with ISA 2000 in a useful way. Softphones on computers with the firewall client may work. With ISA 2004, SIP support is a little bit better and hardphones may run behind it. But it is necessary that the phones support STUN and that a STUN server is available. That is true for all the above scenarios. The next severe problem is that ISA does not support QoS/traffic shaping/prioritization, however you call it. I strongly discourage you from deploying VoIP phones without a mechanism to enforce QoS in a commercial environment unless you can guarantee that there is always an abundance of up- and downstream bandwidth.
RE: SecureNat Acts Different in 2004? - 29.Mar.2004 2:22:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chriz,
This is GREAT! I was not aware of the STUN technology.
Is the STUN server installed on the Internal network, or on the ISA firewall, or on a DMZ segment?
Thanks! Tom
RE: SecureNat Acts Different in 2004? - 29.Mar.2004 3:12:00 PM
Guest
The STUN server has to be on the external network, which would be the Internet in most cases. There are public STUN servers out there, and most SIP providers have one. It is also possible to use a far-end NAT traversal product, like Free World Dialup does.
Drawbacks:
- Does not work with ISA 2000 as long as you are not using the firewall client
- Inbound calling seems to be unreliable at times and needs further testing
- Without QoS/traffic shaping, VoIP in commercial environments is a dangerous gamble
- Windows Messenger does not support STUN
Alternatives:
- Co-deploy a near-end NAT traversal product, like the www.brekeke.com OnDO SIP Server, on the ISA Server
- Drawbacks: still no QoS, potentially dangerous/insecure
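The two posts above (the requirement that the phones support STUN and that a STUN server be reachable, and the point that the server must sit on the external network) come down to one small exchange: the phone sends a Binding Request out through the NAT, and the server replies with the source address and port it saw, which is the public mapping the phone should then advertise in its SIP/SDP instead of its private address. The following is an added example, not code from the thread or from any product named in it. It uses the RFC 5389 header layout (magic cookie plus 96-bit transaction ID, which is wire-compatible with the RFC 3489 servers of the period) and handles both MAPPED-ADDRESS and XOR-MAPPED-ADDRESS. No network is touched: the server's reply is constructed inline so the parsing and validation logic can be checked offline; the addresses and ports are made up.

```python
"""STUN Binding exchange as a NATed phone performs it to learn its public
address.  Offline: the server reply is constructed, not received."""
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, attribute length (none), magic cookie, 96-bit transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int, xor: bool = True) -> bytes:
    """Construct what a STUN server would send back: a Binding Response carrying the
    source address it observed.  Exists only to fabricate offline test input."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        attr_type = XOR_MAPPED_ADDRESS
        value = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    else:
        attr_type = MAPPED_ADDRESS
        value = struct.pack("!BBHI", 0, 0x01, port, addr)
    attr = struct.pack("!HH", attr_type, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, expected_txid: bytes):
    """Return (public_ip, public_port) from a Binding Response, or raise ValueError.
    The message type, cookie, transaction ID and length are checked before any
    attribute is believed, so an unrelated or forged datagram arriving on the
    phone's UDP socket is rejected instead of being accepted as our mapping."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE or data[8:20] != expected_txid:
        raise ValueError("not the response to our request")
    if len(data) != 20 + length:
        raise ValueError("length field does not match datagram")
    pos = 20
    while pos + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        pos += 4 + ((attr_len + 3) & ~3)          # attribute values are padded to 4 bytes
        if attr_type in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(value) == 8:
            _, family, port, addr = struct.unpack("!BBHI", value)
            if family != 0x01:                    # IPv4 only in this example
                continue
            if attr_type == XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no mapped address in response")


def response_is_valid(data: bytes, expected_txid: bytes) -> bool:
    """Convenience wrapper: does this datagram parse as the answer to our request?"""
    try:
        parse_binding_response(data, expected_txid)
        return True
    except ValueError:
        return False


def behind_nat(local_ip: str, local_port: int, public_ip: str, public_port: int) -> bool:
    """True when the address the server saw differs from the socket's own address,
    i.e. a NAT sits between the phone and the STUN server."""
    return (local_ip, local_port) != (public_ip, public_port)


if __name__ == "__main__":
    txid = bytes(range(12))                       # real clients use random bytes
    request = build_binding_request(txid)
    # Constructed reply: the NAT mapped 192.168.1.50:16384 to 203.0.113.7:40000.
    reply = build_binding_response(txid, "203.0.113.7", 40000)
    public_ip, public_port = parse_binding_response(reply, txid)
    print(len(request), public_ip, public_port,
          behind_nat("192.168.1.50", 16384, public_ip, public_port))
```

Two caveats follow directly from the exchange. First, the server has to be outside the NAT, exactly as stated above: a STUN server on the Internal network would only ever see the private address and report nothing useful. Second, learning the mapping does not by itself guarantee that inbound RTP will be admitted; that depends on the NAT's behaviour for unsolicited inbound packets, which is why the post above reports inbound calling as unreliable. Whoever operates the firewall still has to see the outbound STUN and SIP traffic as an explicit, auditable allow rather than a side effect of an "all open" outbound rule.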
RE: SecureNat Acts Different in 2004? - 30.Mar.2004 10:25:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chriz,
Putting an insecure server product on the firewall itself doesn't seem very compelling.
It's a real shame that the VoIP market is so fragmented, and that none of the VoIP vendors appreciate the fact that organizations need to run restrictive firewalls to secure both inbound and outbound access. They assume that even large companies run "all open" outbound NAT routers or something similar.
Thanks! Tom
RE: SecureNat Acts Different in 2004? - 30.Mar.2004 12:03:00 PM
Guest
Well, I think the ones with the biggest problems are the medium and small businesses. The big companies can afford the gear necessary to make VoIP work, even with restrictive firewalls. But the medium and small ones do not, and I think they are the ones that will buy most ISA Server copies. As I already said, NAT traversal is only one of two stumbling blocks; the other one is QoS.
RE: SecureNat Acts Different in 2004? - 30.Mar.2004 6:33:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chriz,
I'm really hoping that a third party will see the great benefits for dev'ing apps for both of the features.
Thanks! Tom
RE: SecureNat Acts Different in 2004? - 30.Mar.2004 9:40:00 PM
Guest
Well, I am reasonably confident that there will be a SIP application filter, despite the fact that there were not many third-party SIP application filters. But regarding QoS ... I do not have many hopes regarding that. Maybe MS will be pressured to implement it at a later stage by Linux-based firewall appliances. I have tested a wireless access point (70€/80$) that was running Linux, and it had (of course basic) QoS capabilities.
RE: SecureNat Acts Different in 2004? - 31.Mar.2004 10:45:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chriz,
It'll be interesting to see what third parties step up to the plate to fill in these gaps. I think that ISA 2004 will have a lot higher profile than 2000, so I think there will be a better chance.
Thanks! Tom
RE: SecureNat Acts Different in 2004? - 14.Apr.2004 1:51:00 PM
Guest
I want to know where you got the Cisco 7960 emulator to download. I don't have a real phone with me to check. Please let me know.
quote: Originally posted by chad.brown: I asked the question in quotes below on the ISA 2000 boards a couple of days ago with no helpful responses. However, today I began testing ISA 2004 and I noticed my problem went away. Why would this happen? Also, does anyone know of a fix in ISA 2000? Question below:
"I have Cisco 7960 IP phones failing to communicate with an offsite Call Manager. In an attempt to find out what was happening I installed a 7960 emulator on my PC. The funny thing was, everything worked. However, I noticed that it only worked because I had the firewall client enabled. As soon as I disabled the firewall client on my PC, communication failed. Since there is no firewall client for the 7960 I am left wondering what the fix is.
What I did do was create a packet filter opening up everything between my phones and the external Call Manager IP address. Also, I had an "allow all out" protocol rule in place. Still no success.
Any ideas?
BTW - I took one of the 7960's home for testing and everything worked great through my home Linksys firewall."
RE: SecureNat Acts Different in 2004? - 15.Apr.2004 9:41:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by Andrew Marshall: I've spent hours head-banging with this one. If you use Cisco CallManager and vanilla 7940/60 etc. phones, it seems you can't use them through the ISA server. This is because Skinny selects a random UDP port for inbound & outbound audio packets. You can, with some tweaking and port allocation, get call setup to work, but without audio (so not much use there then).
*However* if you use W2K/XP as a client and VPN tunnel into the ISA server, so you get a tunneled inside network IP address, you *can* install Cisco IP SoftPhone 1.3(3) and get it to work exactly as a 7940/60. The downside of this is that you need your client VPN PC to be up & connected to use the phone; however, in most cases that isn't a problem. The upside is that a softphone license and a Clarisys i750H handset is cheaper than a 79x0 anyway and works just as well. The softphone (bizarre though it may seem) also allows you to specify the audio I/O UDP port, so I'm guessing you could make it work with a non-VPN client too, but I haven't tested this yet. I'm also guessing that with a spare NIC card in the client PC, a crossover cable and an IP ROUTE command you could connect a physical 7960 to the tunnel (have to admit I haven't thought this through completely, but it may be worth exploring).
Happy to share the config if anyone is interested
Andrew
Hi Andrew,
Very interesting!
Where are you VPN'ing to? A DMZ that has the call manager?
Thanks! Tom