Welcome to ISAserver.org
Trouble with one app downloading images
Trouble with one app downloading images - 1.Nov.2008 10:39:34 AM
steamngn
Posts: 18
Joined: 6.Aug.2008
Status: offline
Hi all,

I am having trouble with the following setup: ISA 2006 on Win2003SP2 configured as back end firewall with two NICs. External NIC is connected to Cisco PIX 501 hard firewall at this point. ISA server is joined to internal domain, and configured to allow full internet access.

We have one application that our clients run in which, when the user selects an item number within the app, the image for that item is downloaded from a remote site. For some reason ISA is not letting the images come through. If I connect a client to the PIX firewall it works fine. I am at a loss as to what is doing this! Can someone shed some light on why only this one app is being blocked?

If I monitor the client, it shows a connection initiated to the remote IP address, but nothing comes back. Could this be some sort of routing issue? I have tried clients with and without the firewall client installed, no difference...

Help!
Andy
_____________________________
There is never enough time to write code correctly; there is always enough time for a hotfix...
RE: Trouble with one app downloading images - 4.Nov.2008 9:28:37 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Don't know anything about the App. Your tagline may say it all.
_____________________________
Phillip Windell www.wandtv.com
RE: Trouble with one app downloading images - 5.Nov.2008 12:39:34 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
1. Create a New Protocol. Name it the same as the App if you want.
2. Set the port range of the protocol to "80 - 80".
3. Make sure the HTTP Application filter is not associated with the protocol.
4. Create an Access Rule with these specs:
   Name: <whatever>
   From: <Computer Set containing the IP#(s) of the machine(s) running this App>
   This means you may want the machines to have statically assigned addresses so they won't change.
   To: <Computer Set containing the IP#s of what the App connects to>
   Users: Most likely will need "All Users", but you can try specific users if the Firewall Client is installed
   Protocol: The Protocol you created above
5. Position this rule above any other HTTP Rules that are on the List.

There may be situations where some kind of accompanying Deny Rule has to be created, but I can't remember the details,..however I don't think this is one of those situations. But if this is one of those situations then someone who knows needs to respond because I don't know.
_____________________________
Phillip Windell www.wandtv.com
RE: Trouble with one app downloading images - 5.Nov.2008 12:42:21 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:
and they are working towards reconfiguring the app to use different ports.

Don't forget to send them a copy of your tagline :-)
_____________________________
Phillip Windell www.wandtv.com
RE: Trouble with one app downloading images - 5.Nov.2008 1:29:48 PM
steamngn
Posts: 18
Joined: 6.Aug.2008
Status: offline
quote:
Don't forget to send them a copy of your tagline :-)

HAAAAAHahahahahaha... Oh yes, I will be sure to send that off directly! Ok, now back to work....

The app works like this: when a client machine requests an updated database, the app will go out on Ports 80, 443, 9000 and 9001 in order to authenticate and connect to the correct database server(s). This part is ok. Now, according to the vendor, the downloads come down on port 80 in a protocol other than http. Ok, we just covered that. I made a new protocol with a range 80-80 outbound and a secondary connection 80-80 inbound, no filters, and created an allow rule between my pc IP and external in order to test this out. Now I download the database and see no killed connections during the process, so I believe we're close.

For the last part of this puzzle, when a client PC opens this database app and then opens an item, that item zoom then requests a download from a different web server, from internal to this site via port 80. This connection is initiated, but nothing ever comes down and it doesn't close properly. I am wondering if we need to add ports 9000/9001 and 443 to this rule in the same manner?

Andy
_____________________________
There is never enough time to write code correctly; there is always enough time for a hotfix...
RE: Trouble with one app downloading images - 5.Nov.2008 1:59:53 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:
ports 9000/9001 and 443 to this rule in the same manner?

I would add them to the same Protocol I described previously,..then you only have one protocol in the Rule to deal with. Then delete the ones you created previously (assuming you did create some). I also think you need to again make sure that no HTTP Application Filters are associated with it.
_____________________________
Phillip Windell www.wandtv.com
RE: Trouble with one app downloading images - 5.Nov.2008 2:56:41 PM
steamngn
Posts: 18
Joined: 6.Aug.2008
Status: offline
Ah Phil.... The games continue...

Ok, here is the current config. I have one protocol named db, ports 1-65535 outbound with secondary 80-9001 inbound. None of the filters are checked for this protocol. I have 3 IP range sets that cover the ranges of computer server we need to connect to. I then made this rule:

<allow>
<from> internal
<to> ranges 1-2-3
<protocol> db
<users> all
<content type> all

NOW what I am getting is this: during the download there are 3 GET calls made to download the appropriate files. I am now getting 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED errors during what I think is the second file download. This would be the file that has the image location links, and perhaps our issue all along (If the link is goofy, then the image can't download!)! So now the question is, why the sync issues? I do not have the connections getting killed anymore, so our rule is definitely on the right track...

Andy
_____________________________
There is never enough time to write code correctly; there is always enough time for a hotfix...
RE: Trouble with one app downloading images - 5.Nov.2008 4:23:16 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:
Ok, here is the current config. I have one protocol named db, ports 1-65535 outbound with secondary 80-9001 inbound.

No no. There are no secondary connections,..everything is primary.

Protocol Specs:
Name: "DB"
Primary Connections:
1. 80 to 80
2. 443 to 443
3. 9000 to 9001
Secondary Connections: [None]
Direction: Outbound (always outbound)
Type: TCP (at least I assume it is TCP)
Application Filters: [None]
_____________________________
Phillip Windell www.wandtv.com
RE: Trouble with one app downloading images - 5.Nov.2008 4:55:38 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:
Now this configuration has cut down the number of SYN_PACKET errors by half; but I am still getting some, and the images are still not coming in. Could it be that we need to allow UDP as well here?

Don't know. Maybe the vendor can shed more light on it.

quote:
I can email you an error log if that would help...

Those just make me dizzy to read. If your ISA is fully patched your Log Filter Tool should have "One Of" as a Condition choice. Choose:

Filter by: Client IP
Condition: One Of
Value: <IP of Client>, <IP of destination>

Then there should be the Default lines of:

Log Record Type | Equals | Firewall or Web Proxy
Log Time | Live
Action | Not Equal | Connection Status

Just leave those as they are. This should let you see all traffic leaving the Client and all traffic trying to return from the Destination.
_____________________________
Phillip Windell www.wandtv.com
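
Added example (not part of the thread and not ISA Server code): the log filter from the last post, applied in Python to constructed records so the view can be split into traffic leaving the client and traffic returning from the destination. The field names, addresses, action strings and record layout are assumptions for illustration; only the result code 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED comes from the thread.

```python
from collections import defaultdict

NOT_SYN = "0xc0040017"  # FWX_E_TCP_NOT_SYN_PACKET_DROPPED, as quoted in the thread

# Constructed records; field names and addresses are illustrative assumptions,
# not the real ISA Server log schema.
SAMPLE_LOG = [
    {"client_ip": "10.0.0.25", "dest_ip": "203.0.113.10", "port": 80, "action": "Initiated Connection", "result": "0x0"},
    {"client_ip": "10.0.0.25", "dest_ip": "203.0.113.10", "port": 80, "action": "Connection Status", "result": "0x0"},
    {"client_ip": "203.0.113.10", "dest_ip": "10.0.0.25", "port": 1187, "action": "Denied Connection", "result": NOT_SYN},
    {"client_ip": "10.0.0.25", "dest_ip": "203.0.113.20", "port": 443, "action": "Initiated Connection", "result": "0x0"},
    {"client_ip": "10.0.0.25", "dest_ip": "203.0.113.20", "port": 443, "action": "Closed Connection", "result": "0x0"},
    {"client_ip": "10.0.0.77", "dest_ip": "203.0.113.10", "port": 80, "action": "Initiated Connection", "result": "0x0"},
    {"client_ip": "203.0.113.10", "dest_ip": "10.0.0.25", "port": 1187, "action": "Denied Connection", "result": NOT_SYN},
]

def one_of_filter(records, ips):
    """Client IP 'One Of' ips, and Action 'Not Equal' Connection Status."""
    wanted = set(ips)
    return [r for r in records
            if r["client_ip"] in wanted and r["action"] != "Connection Status"]

def split_directions(records, client, destination):
    """Return (leaving_client, returning_from_destination) from the filtered view.

    Assumption taken from the post: filtering Client IP on both addresses shows
    both directions, so returning packets carry the remote address in that field.
    """
    view = one_of_filter(records, [client, destination])
    leaving = [r for r in view
               if r["client_ip"] == client and r["dest_ip"] == destination]
    returning = [r for r in view
                 if r["client_ip"] == destination and r["dest_ip"] == client]
    return leaving, returning

def dropped_return_traffic(records, client, destination):
    """Count result codes on denied packets returning from the destination."""
    _, returning = split_directions(records, client, destination)
    counts = defaultdict(int)
    for r in returning:
        if r["action"] == "Denied Connection":
            counts[r["result"]] += 1
    return dict(counts)
```

On the sample data, `dropped_return_traffic(SAMPLE_LOG, "10.0.0.25", "203.0.113.10")` reports two denied return packets with the non-SYN result code against one initiated outbound connection, the same pattern the thread describes as "initiated, but nothing ever comes down".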