Welcome to ISAserver.org


Symantec Antivirus access rule

Symantec Antivirus access rule - 10.Apr.2007 4:57:33 PM   
JeffVandervoort

 

ISA 2004 SP2 which is also a WS2003R2 VPN server.
Symantec Antivirus 10.x and FWC 2004 SP1 on Win XP SP2 VPN Clients.

VPN works well in general, but I'm trying to construct a "Symantec Antivirus Inbound" access rule so these clients can report status on the SAV Server. I have created a "Symantec Antivirus Outbound" access rule that seems to work.

When my Inbound rule allows "All Outbound Traffic", it also works. When I change Protocols to my "Symantec Antivirus Inbound" custom protocol, clients go "offline" in SSC and are ultimately purged. Clients continue to receive virus and config updates either way...they just don't report to SSC unless I allow "All Outbound Traffic", which I'd prefer not to do.

When using my custom protocol definition, FW logs show connections denied from varying source ports to 38293 UDP on the SAV Server. But it shows the Protocol as being "Symantec Antivirus Outbound" and Rule as being "Default Rule".

Referring to this article--

http://entkb.symantec.com/security/output/n2005033011582148.html

--my current Symantec Antivirus Inbound protocol definition is as follows:
  • 1024-4999 TCP Inbound
  • 2967 TCP Inbound
  • 38293 UDP Receive Send

I realize there is a duplication with port 2967; the Symantec KB article implies that this is the only port that is needed, but I've tried it with and without 1024-4999 with the same results. When I find the right answer I'll clean up the definition!

Symantec Antivirus Outbound protocol definition is:
  • 2967 TCP Outbound
  • 38293 UDP Send

Note that the SAV clients are using LiveUpdate from an internal LU server, not Virus Definition Transport (VDT). When VDT is enabled, I don't have the problem...something in the VDT process keeps the client alive in SSC. The problem only occurs when clients use LiveUpdate.