Welcome to ISAserver.org

SecureNat and Firewall - complete mistery, not working

SecureNat and Firewall - complete mistery, not working - 14.Oct.2004 10:15:00 PM   
grama

 

Posts: 34
Joined: 10.Jun.2001
From: Sofia,BG
Status: offline
Dear all,

We have a very strange problem. All our SecureNat clients cannot access anything through the ISA Server.

ISA installed in Integrated mode (Firewall/Cache). Proxy works perfect.
SecureNat clients have ISA as a gateway. DNS works perfectly (but it goes through other Internet connection).
I create a protocol rule to allow for example port 25 from LAN Computer IPs to Internet. Then when I telnet from one of the LAN Computers to www.somehost.com port:25 nothing happens.
Strange is there is some delay and almost connect then I got back to prompt without connecting.
In Firewall Logs on ISA I see error 13301 which is request denied, no matter that I've configured protocol rule to allow this tcp port 25 connection for the specific computer.

Everything is configured as it should be : LAT, IP Routing, Packet Filtering ,etc.

Any ideas how to diagnose more ?
I am very desperate and think about re-installation of the whole server "[Smile]"

Regards.
Post #: 1
RE: SecureNat and Firewall - complete mistery, not working - 14.Oct.2004 11:12:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi grama,

what are the values of the fields Rule#1 (protocol) and Rule#2 (site&content)?

Keep in mind that a SecureNAT client can not authenticate by user/group to an ISA server.

HTH,
Stefaan

(in reply to grama)
Post #: 2
RE: SecureNat and Firewall - complete mistery, not working - 15.Oct.2004 12:57:00 PM   
grama

 

Posts: 34
Joined: 10.Jun.2001
From: Sofia,BG
Status: offline
I know for securenat clients, that's why the rule is for computer IP not User.
Strange, but in firewall logs
in the specified row
rule1 and rule2 is empty - nothing written there, on the row i just see the IPs, port 25, and error 13301 [Smile] ) and some other not important stuff like session id,etc.
It's complete mystery for me [Wink] I thought I knew a lot for ISA [Smile] this server worked few months ago, but at some time it stopped. Now some friends asked me to help them [Smile] ) And see my surprise when I saw this problem [Wink] I am sure there is solution, but can't find it now.

(in reply to grama)
Post #: 3
RE: SecureNat and Firewall - complete mistery, not working - 15.Oct.2004 7:52:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi grama,

if ISA denies the request with sc-status=13301 then something is wrong with your rule set. I suggest you create an all open protocol (any request, all IP traffic, always) and site&content (any request, any destination, any content, always) rule to check out if it works then.

HTH,
Stefaan

(in reply to grama)
Post #: 4
RE: SecureNat and Firewall - complete mistery, not working - 18.Oct.2004 4:27:00 PM   
grama

 

Posts: 34
Joined: 10.Jun.2001
From: Sofia,BG
Status: offline
So you were right [Smile]
The rules in Site and content rules are per-user based, that's why the applications are not working. If i make these rules IP based everything works.
But i really want to make these applications work User-based. So far i know i have to use MS Firewall Client and some how put the application name there so that i can make all connections from this application go to ISA with username/pass. I tried testing with ftp.exe but i couldn't make it. Any help ? [Wink] Suggestions.

(in reply to grama)
Post #: 5
RE: SecureNat and Firewall - complete mistery, not working - 18.Oct.2004 8:12:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi grama,

yes, for non-Web based protocols you have to install the Firewall client on the internal workstations if you want user/group based access control. However, you don't need to add applications to the firewall configuration files. By default nearly all applications should work without any configuration change.

What did you see in the Firewall log when you tested with the standard Microsoft commandline FTP client? Please, if you post some excerpts from the log file, make sure you have enabled the logging of all fields and that the log format was set to ISA format.

HTH,
Stefaan

(in reply to grama)
Post #: 6
RE: SecureNat and Firewall - complete mistery, not working - 18.Oct.2004 9:03:00 PM   
grama

 

Posts: 34
Joined: 10.Jun.2001
From: Sofia,BG
Status: offline
192.168.1.35, -, -, N, 10/18/2004, 21:57:10, fwsrv, XX-XX-FW-01, -, -, 182.17.122.92, 21, -, 0, 0, 21, TCP, Connect, -, -, -, 13301, 0, -, -, 66, 296

This is what I get (IP of FTP is changed) in the logs. Seems firewall client doesn't authenticate the user for that kind of application (ftp from command prompt). I think it doesn't authenticate for any application at all [Smile]
Firewall client is enabled and operational. The only problem is I can't see its icon on the tray (because it's hidden by policy). So I can't be sure if it has the 'green arrow' or not. But I suspect it doesn't have the green arrow, judging by firewall logs [Smile]

I can't remember if firewall client worked at all (2 years ago when we configured the whole system). Only few months ago we started using per-user authentication. Before it was per-IP.

ISA has all fixes up to date, SP1,FP1,SP2, etc.
[Smile] Windows 2003 Server.

Workstation is also SecureNat and has proxy configured. Proxy works of course, securenat by IP too works [Smile]

(in reply to grama)
Post #: 7
RE: SecureNat and Firewall - complete mistery, not working - 18.Oct.2004 10:22:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi grama,

because the field c-agent is not filled in, the request seems not to be sent as a Firewall client request. So, it sounds that the Firewall client is not well installed or can not talk to the ISA server.

I suggest you repair the Firewall client from the ISA Firewall client share and you do not hide the Firewall client icon in the system tray. Also, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;284523 .

HTH,
Stefaan

[ October 18, 2004, 10:27 PM: Message edited by: spouseele ]

(in reply to grama)
Post #: 8
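
The check described in the two posts above (a 13301 denial whose c-agent field is empty did not arrive as a Firewall client request), written out as an added example that is not part of the original thread. The field order is an assumption based on the ISA-format firewall log layout (the thread names only c-agent, sc-status, Rule#1 and Rule#2); the "Y" value for sc-authenticated, the verdict labels and the second sample row are constructed for illustration.

```python
import csv
from io import StringIO

# Assumed ISA-format firewall log field order (27 fields, matching the posted row).
FIELDS = [
    "c-ip", "cs-username", "c-agent", "sc-authenticated", "date", "time",
    "s-svcname", "s-computername", "cs-referred", "r-host", "r-ip", "r-port",
    "time-taken", "cs-bytes", "sc-bytes", "cs-protocol", "cs-transport",
    "s-operation", "cs-uri", "cs-mime-type", "s-object-source", "sc-status",
    "s-cache-info", "rule#1", "rule#2", "sessionid", "connectionid",
]
DENIED = "13301"  # "request denied", as stated in the thread

SAMPLE = [
    # Row posted in the thread (destination IP already changed by the poster).
    "192.168.1.35, -, -, N, 10/18/2004, 21:57:10, fwsrv, XX-XX-FW-01, -, -, "
    "182.17.122.92, 21, -, 0, 0, 21, TCP, Connect, -, -, -, 13301, 0, -, -, 66, 296",
    # Constructed row: same request carrying a client agent and user name.
    "192.168.1.36, EXAMPLE\\alice, ftp.exe:3:5.0, Y, 10/18/2004, 22:01:03, fwsrv, "
    "XX-XX-FW-01, -, -, 182.17.122.92, 21, -, 0, 0, 21, TCP, Connect, -, -, -, "
    "13301, 0, -, -, 67, 301",
]

def parse_line(line):
    """Split one log row into a dict keyed by field name; '-' becomes None."""
    values = next(csv.reader(StringIO(line), skipinitialspace=True))
    values = [v.strip() for v in values]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return {k: (None if v == "-" else v) for k, v in zip(FIELDS, values)}

def triage(rec):
    """Classify a row the way the thread reasons about it."""
    if rec["sc-status"] != DENIED:
        return "not-denied"
    if rec["c-agent"] is None:
        # No client agent: treated as SecureNAT, so user/group rules cannot match.
        return "denied-securenat"
    if rec["cs-username"] is None or rec["sc-authenticated"] != "Y":
        return "denied-fwc-unauthenticated"
    return "denied-by-rule"  # client identified the user; review the rule set

def summarize(lines):
    """Return (client IP, destination port, verdict) for each row."""
    recs = [parse_line(l) for l in lines]
    return [(r["c-ip"], r["r-port"], triage(r)) for r in recs]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row)
```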
RE: SecureNat and Firewall - complete mistery, not working - 19.Oct.2004 12:49:00 PM   
grama

 

Posts: 34
Joined: 10.Jun.2001
From: Sofia,BG
Status: offline
thank you.
and by the way i think what went wrong [Smile] )
our firewall on computers was installed long time ago with group policy [Smile] getting the msi source from the isa when we installed it. Later we did some updates (of course:) on the ISA (FP,SP2, patches) and probably they also fix things in the firewall client installation located in ISA directory.
So we haven't updated our MSI group policy since then and installation for the firewall client (which is from another folder).
So probably that's why it doesn't work now. I will check it out and post result [Smile]
Thanks again.

(in reply to grama)
Post #: 9
RE: SecureNat and Firewall - complete mistery, not working - 19.Oct.2004 9:22:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi grama,

OK, keep us informed!

Thanks,
Stefaan

(in reply to grama)
Post #: 10
RE: SecureNat and Firewall - complete mistery, not working - 20.Oct.2004 1:03:00 AM   
grama

 

Posts: 34
Joined: 10.Jun.2001
From: Sofia,BG
Status: offline
Sometimes the answer is in front of you but you have to look little aside to get it [Smile]

Somebody stopped the Autodiscovery on the ISA and also deleted the DHCP and DNS records for WPAD [Smile] Somebody i am gonna ...*** [Smile] )

So basically when Firewall Client was in "Autodiscovery Mode" it couldn't find ISA Server, and because we have hidden the tray icon from users (it is hidden for everyone actually) that's why i couldn't see the error message on the tray. I found this error when reinstalled the icon on the tray, then played little and found the WPAD and Autodiscover were not configured.

I started the Autodiscovery on ISA, configured DHCP/DNS WPAD entries and all works like a charm [Smile]

Well thanks very much to you Stefaan. I think if you have not replied to my problem i wouldn't be digging in the right directions so much and finding the real problem [Smile] ))

(in reply to grama)
Post #: 11
RE: SecureNat and Firewall - complete mistery, not working - 20.Oct.2004 10:00:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi grama,

very glad to hear you got it working and thanks for the follow up! [Smile]

Stefaan

(in reply to grama)
Post #: 12