Tandem behind ISA
Tandem behind ISA - 9.Mar.2001 12:43:00 AM   
giannis
Posts: 5
Joined: 8.Mar.2001
From: seattle, washington, usa
Hi, I've got an unusual situation here... We have a high-end server application running on a chain of Tandem Non-Stop Himalaya servers behind an ISA Server. The application is designed to initiate connections to remote hosts through a specific TCP port. The remote hosts send replies back to the application through a range of 1000 TCP ports. All the ports are in the high port range. For some reason these secondary reply connections are not happening. If I move the Tandem outside the firewall it works great. I have opened up all the appropriate ports to no avail. I can see that the initial outgoing communication is happening. It's the replies that get blocked. I suspect it has something to do with SecureNAT and the fact that the application is running on a non-Windows system. I need some help. I'm sure somebody out there has put non-Windows stuff behind ISA....
Post #: 1
RE: Tandem behind ISA - 9.Mar.2001 1:55:00 AM   
jmunyan
Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
I think you need to create an additional protocol definition for this application. If all communications are initiated from the Tandem, then configure the protocol accordingly and put the secondary as the incoming connections in the high port range you are expecting. If you have an all-out protocol rule, don't forget to go back in and check the new protocol definition you have created so that it is read into the default rule.

John


(in reply to giannis)
Post #: 2
RE: Tandem behind ISA - 9.Mar.2001 2:32:00 AM   
giannis
Posts: 5
Joined: 8.Mar.2001
From: seattle, washington, usa
That's what I have done, but it does not work. Something about the Tandem.... I now discovered that I can ping public hosts from the Tandem but cannot trace-route anything beyond the ISA. Weird... Tracert of course works fine from Windows machines (SecureNAT or firewall clients). Tandem tech support says tracer packets are being sent. ISA is set as the gateway on the Tandem. Tracers to the gateway work fine from the Tandem. I'm stumped!

(in reply to giannis)
Post #: 3
RE: Tandem behind ISA - 9.Mar.2001 9:14:00 AM   
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Giannis,

I think John is on the mark here. You need to create the appropriate Protocol Definitions and Protocol Rules. However, it is strange that tracert works on the Windows SecureNAT clients, but not the non-MS SecureNAT client. Sounds like one for PSS.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to giannis)
Post #: 4
RE: Tandem behind ISA - 10.Mar.2001 12:28:00 AM   
giannis
Posts: 5
Joined: 8.Mar.2001
From: seattle, washington, usa
Tom, I agree. What's got me stumped, however, is that the appropriate protocol defs and access rules have been created. I know which ports the application is using, so no problem there... It's got to be something about the Tandem TCP/IP stack???

(in reply to giannis)
Post #: 5
RE: Tandem behind ISA - 10.Mar.2001 8:02:00 PM   
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Giannis,

I agree. When you find the answer, please let us know! This is a very interesting problem and I would really like to know the solution too.

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to giannis)
Post #: 6
RE: Tandem behind ISA - 10.Mar.2001 10:07:00 PM   
giannis
Posts: 5
Joined: 8.Mar.2001
From: seattle, washington, usa
Well, I've been looking at the packet filter logs and I am seeing some packets coming back from the remote host that the Tandem application is communicating with, but none are blocked (I temporarily logged blocked and non-blocked packets. Huge log file!). So here is what I'm hypothesizing:

The server process in the Tandem captures the private, non-routable IP of its local interface. It successfully initiates communication with the remote host outside the firewall. In that communication, that captured, non-routable IP is probably delivered, indicating where to send the replies....

That explains why I can see that initial connection happening but nothing after that. Of course I will be contacting the application developers, but if that is the case, what are my options besides asking for an application hotfix? I cannot think of anything I can do on the ISA server to make this work. Static mapping, static route... none of that would work, right?

When I change the IP address of the Tandem interface to a legal public one and stop/start the process, it works fine. That tells me that it must be capturing its IP every time it starts. So here is what I'm going to try next:

Disconnect the Tandem from the LAN, change its IP to the same as the ISA external, restart the process, change its IP back to the private one, reconnect it to the private LAN, publish a server on ISA on that private IP.

[This message has been edited by giannis (edited 10 March 2001).]

(in reply to giannis)
Post #: 7
RE: Tandem behind ISA - 11.Mar.2001 6:16:00 PM   
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Giannis,

That would explain it. Although I would be interested in the traffic on the external interface on the ISA Server, to see what it's sending out using NetMon. You might be able to see the IP address in the data section if the decode for it will work.

Perhaps another option would be to put the server on a DMZ segment. Then you can use public IP addresses. The drawback is that you are limited in terms of how you configure the client restrictions.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to giannis)
Post #: 8
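An added diagnostic, not from the thread: a small Python script that models the NetMon check Tom describes, scanning captured payloads leaving the ISA external interface for the Tandem's private address, either as dotted-decimal text or as four raw bytes in network order. The addresses and sample payloads below are constructed for illustration and are not from the original posts.

```python
import re
import socket

# Constructed sample "capture" as seen on the ISA external interface after
# SecureNAT: (source, destination, TCP payload). The Tandem's private address
# 192.168.1.50 and the public addresses are assumed for illustration only.
TANDEM_PRIVATE_IP = "192.168.1.50"
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.7", b"HELLO REPLY-TO 192.168.1.50:40001\r\n"),
    ("203.0.113.10", "198.51.100.7",
     b"\x01\x02" + socket.inet_aton("192.168.1.50") + b"\x9c\x41"),
    ("203.0.113.10", "198.51.100.7", b"DATA without any address inside\r\n"),
]


def find_leaked_address(payload: bytes, private_ip: str) -> list:
    """Return (encoding, offset) pairs where private_ip occurs inside payload.

    Matches dotted-decimal ASCII (bounded so 192.168.1.5 does not match inside
    192.168.1.50) and the raw 4-byte form a binary protocol would carry."""
    hits = []
    ascii_pattern = rb"(?<!\d)" + re.escape(private_ip.encode("ascii")) + rb"(?!\d)"
    for m in re.finditer(ascii_pattern, payload):
        hits.append(("ascii", m.start()))
    raw = socket.inet_aton(private_ip)
    start = 0
    while (pos := payload.find(raw, start)) != -1:
        hits.append(("raw", pos))
        start = pos + 1
    return hits


def scan_capture(packets, private_ip: str) -> list:
    """Report every packet whose data section carries the internal address.

    A hit means the application told its peer to reply to a non-routable
    address: NAT rewrote the IP header, not the payload."""
    report = []
    for idx, (src, dst, payload) in enumerate(packets):
        hits = find_leaked_address(payload, private_ip)
        if hits:
            report.append((idx, src, dst, hits))
    return report


if __name__ == "__main__":
    for idx, src, dst, hits in scan_capture(SAMPLE_PACKETS, TANDEM_PRIVATE_IP):
        print(f"packet {idx} {src}->{dst}: private address in payload at {hits}")
```

Packets 0 and 1 are flagged; packet 2 is clean, which is the difference between an application that can sit behind SecureNAT and one that needs a public address or a protocol-aware fix.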
