Welcome to ISAserver.org
UDP rule for ISA server
UDP rule for ISA server - 23.Oct.2004 10:46:00 AM
Guest
Good morning,
First of all, let me say that my ISA server expertise is low, but I do have knowledge about firewalls in general.
We have a customer using the ISA Server who wishes to run our software. The connection between the client and the server fails when he tries to set up UDP ports. Normally, communication looks like this:
* Client is on a LAN protected by Firewall, the Server is on the internet.
* Client sends UDP packet towards Server. Source port is dynamic between 1-65535 (example: 3240). Destination port is within an interval (default 52000-52999, example: 52845).
* Firewall allows outbound packet and saves the state dynamically.
* Portal receives the packet and sends a reply. Source port for this UDP packet is 52845, Destination Port is 3240.
* Firewall compares the inbound packet with its list of states, finds a match with the earlier outbound packet, and allows it through.
* Client receives it, everyone is happy.
In firewall-1 and similar you set up a dynamic state rule and you have no problem. NAT is also not a problem with our product.
The problem is that the customer can't get it to work with the ISA server's Firewall client. From reading miscellaneous articles, I've come to the conclusion that I might set up an IP packet filter, but those do not support a range of ports - setting up 1000 packet filters is not something I can tell the customer to do.
Does anyone have an idea if there are other ways to do this with the ISA server? The client also has MS Proxy 2.0, but I doubt that can be of any use to us.
Regards, Rolf Larsson
RE: UDP rule for ISA server - 23.Oct.2004 2:05:00 PM
spouseele
Hi Rolf,
first of all, creating IP Packet filters won't help you to give outbound access to internal clients. You must create protocol and site&content rules.
According to your description of the used protocol, the primary connection isn't on a fixed UDP port number. Therefore you can't create a new protocol definition because you can only define a port range in secondary connections.
One way to workaround the problem is: - make sure the client runs the Firewall client. - make sure you have a protocol rule allowing all IP traffic for that client.
HTH, Stefaan
RE: UDP rule for ISA server - 25.Oct.2004 8:35:00 AM
Guest
Hi,
the connection is previously initiated as a web request on one specific port (TCP/80) - would this suffice for the initial request?
RE: UDP rule for ISA server - 28.Oct.2004 5:41:00 PM
Guest
Of course that works as it allows all IP traffic. Obviously, I can't recommend a customer to put their machines on the internet without a firewall...
So, back to my original question: Using the firewall client, how do I get a UDP bidirectional data stream working, where the source port is completely random and the destination port is within an interval of 1000 ports? Before the UDP data starts, a TCP web request is sent to the same machine. Could this be used to somehow allow the traffic through?
After looking around, it seems that the ISA server cannot utilize Dynamic States the way that most other firewalls do. Is this correct?
-- Rolf
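Added example (not from any post in this thread and not ISA Server's own code): a small Python model of the two behaviours being discussed. The first is the "dynamic state rule" Rolf describes in the opening post, where any outbound UDP datagram creates a state entry and only the mirror-image reply is let back in. The second is a loose model of the primary/secondary-connection idea from Stefaan's reply, applied to Rolf's last question: outbound UDP to the 52000-52999 range is permitted only after the same client has opened a TCP connection to port 80 on the same server. The class, its method names, and the 10.0.0.5 / 203.0.113.10 addresses are constructed for illustration; this is not a statement of how ISA Server implements protocol definitions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool   # True: LAN client -> internet; False: internet -> LAN


class StatefulFilter:
    """Toy stateful packet filter (constructed for this example).

    dynamic_udp=True : any outbound UDP is allowed and creates state
                       (the "dynamic state rule" of FireWall-1 and similar).
    dynamic_udp=False: outbound UDP is allowed only as a secondary connection,
                       i.e. after the same client opened a TCP connection to
                       primary_port on the same server, and only to a
                       destination port inside secondary_range.
    Inbound packets are never admitted by a rule, only by matching the
    mirror image of a recorded outbound state entry.
    """

    def __init__(self, dynamic_udp=False, primary_port=80,
                 secondary_range=(52000, 52999)):
        self.dynamic_udp = dynamic_udp
        self.primary_port = primary_port
        self.secondary_range = secondary_range
        self.states = set()        # (proto, src, sport, dst, dport) of allowed outbound
        self.expectations = set()  # (client, server) pairs with an open primary connection

    def _outbound(self, p):
        if p.proto == "tcp" and p.dport == self.primary_port:
            # Primary connection: allow it and arm the secondary rule.
            self.expectations.add((p.src, p.dst))
            allowed = True
        elif p.proto == "udp":
            lo, hi = self.secondary_range
            allowed = self.dynamic_udp or (
                (p.src, p.dst) in self.expectations and lo <= p.dport <= hi)
        else:
            allowed = False
        if allowed:
            self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return allowed

    def _inbound(self, p):
        # A reply is accepted only if it is the exact mirror of a recorded
        # outbound entry: the server's (src, sport) must equal the recorded
        # (dst, dport) and the client's (dst, dport) the recorded (src, sport).
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.states

    def filter(self, p):
        ok = self._outbound(p) if p.outbound else self._inbound(p)
        return "allow" if ok else "drop"


def run_thread_scenario(dynamic_udp):
    """Replay the exchange from the first post; return the decisions in order."""
    client, server = "10.0.0.5", "203.0.113.10"   # constructed addresses
    fw = StatefulFilter(dynamic_udp=dynamic_udp)
    flow = [
        Packet("udp", client, 3240, server, 52845, True),    # UDP before any web request
        Packet("tcp", client, 41000, server, 80, True),      # the preceding web request
        Packet("udp", client, 3240, server, 52845, True),    # client -> server UDP
        Packet("udp", server, 52845, client, 3240, False),   # matching reply
        Packet("udp", server, 52845, client, 3241, False),   # unsolicited inbound
        Packet("udp", client, 3240, server, 53000, True),    # outside the 1000-port range
    ]
    return [fw.filter(p) for p in flow]


if __name__ == "__main__":
    print("dynamic state rule:    ", run_thread_scenario(dynamic_udp=True))
    print("secondary-connection:  ", run_thread_scenario(dynamic_udp=False))
```

The point to check in either mode is the inbound side: the 1000-port range is only ever consulted for the client's outbound datagram, and the reply is admitted solely because its 5-tuple mirrors a recorded entry. A server packet to a port the client never used is dropped, so opening the range outbound does not turn into 1000 inbound holes, which is what the "allow all IP traffic" workaround would give up.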