User defined protocols
User defined protocols - 12.Feb.2004 12:49:00 AM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
If I define a protocol it is available in server publishing rules but not in access rules. Is there some trick to making a user defined protocol show up when you are defining access rules?
Post #: 1
RE: User defined protocols - 12.Feb.2004 8:38:00 AM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
Aren't only outbound protocols available in access rules and inbound protocols in server publishing?

(in reply to Persing)
Post #: 2
RE: User defined protocols - 12.Feb.2004 9:53:00 AM   
zhangmeibo

 

Posts: 87
Joined: 11.Feb.2004
From: China
Status: offline
Aren't only outbound protocols available in access rules and inbound protocols in server publishing?

Yes, I have the same problem.

(in reply to Persing)
Post #: 3
RE: User defined protocols - 12.Feb.2004 12:46:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Meibo,

Yes.

HTH,
Tom

(in reply to Persing)
Post #: 4
RE: User defined protocols - 12.Feb.2004 5:05:00 PM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
OK. I suppose that inbound and outbound all depends on where you are. In ISA2000 I understood that inbound meant from the external interface and outbound meant from the internal interface. Now it looks like outbound is based on the "from" interface, except in publishing where inbound is based on the "from" interface, except for HTTP (web publishing) which is outbound? My head hurts. Is there some written rule or explanation of inbound / outbound, send / receive, to / from, and why web publishing rules don't seem to conform?

(in reply to Persing)
Post #: 5
RE: User defined protocols - 12.Feb.2004 8:36:00 PM   
Linke Loe

 

Posts: 57
Joined: 1.Oct.2003
From: Utrecht, Netherlands
Status: offline
It's all the same. You mustn't see inbound/outbound as which interface the traffic comes from. Inbound traffic is originated outside your network and outbound traffic comes from within your network.

When you try to reach a server on your LAN from the internet, you are generating inbound traffic. You use server publishing in this case. So in server publishing rules you can only use inbound protocol definitions.

When you want to reach an external website from within your LAN, you are generating outbound traffic. You control outbound traffic by using access rules, so in access rules, you can only use outbound protocol definitions.

Web publishing is nothing more than publishing an HTTP, or HTTPS-server. Here you will also only use the inbound HTTP and HTTPS protocol definitions.

(in reply to Persing)
Post #: 6
RE: User defined protocols - 12.Feb.2004 11:14:00 PM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
Thanks Linke Loe,
OK so far. That IS the way I was thinking, but if you publish OWA or a web site, bring up the rule and double click on HTTP, edit. They both show outbound! What's with that??

Now with ISA2000 if I wanted to block a range of addresses incoming, known spammers for instance, I could define a protocol rule for Port 25 inbound, put the address range of the spammers in it, and keep them out altogether. And I could turn off logging once I was sure the filter was working so I could look for other things in the log.

In ISA2004 I can only select outbound protocols. Even if I define a custom protocol it only shows up on the access rule list if it is outbound. How do I stop these guys now?

(in reply to Persing)
Post #: 7
RE: User defined protocols - 13.Feb.2004 9:25:00 AM   
zhangmeibo

 

Posts: 87
Joined: 11.Feb.2004
From: China
Status: offline
Hi Montana,

You can put these guys in a computer set, and in your OWA server publishing policy, in properties, in the "From" sheet, under "Exceptions", click "Add" and add the computer set.

[Smile]

(in reply to Persing)
Post #: 8
RE: User defined protocols - 13.Feb.2004 3:23:00 PM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
Hi Linke Loe,
I did that but I can't tell if it's working or not. If you set an exception list in a publishing rule and one of the addresses on the exception list attempts access, is that logged or just ignored? I have logging for the rule enabled.

In any event, that approach may prevent unauthorized access, but it does not solve my problem. My log is flooded with attempted accesses from certain IP ranges and they show up as unidentified IP traffic. In ISA2000 I could stop them cold with a packet filter. I want to do the same thing with ISA2004, but can't seem to find a way. It is very difficult to diagnose a specific problem when there is a high volume of error messages clouding the situation. There has got to be a way.

(in reply to Persing)
Post #: 9
RE: User defined protocols - 13.Feb.2004 9:40:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hey Pete,

New firewall rule
add ports
on the task panel VERY small you will see 'new' and 'edit'

click on new. Had to make one for the time server ( 123 udp/tcp )

Kind regards,
Lex Penrose.

(in reply to Persing)
Post #: 10
RE: User defined protocols - 14.Feb.2004 12:09:00 AM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
Thanks for your interest Lex,
I am aware of how to create additional protocol definitions, but you can only see outgoing protocols in access rules, so it would be no use to create an incoming SMTP protocol. There already is an outgoing definition for SMTP. The only problem when I try to use it is that no matter how I set up the To: and From:, it does not block the spammers. They don't get through to my SMTP server; they just show up in the log as hundreds of entries with SMTP or Unidentified Traffic in the description. It is as though ISA2004 throws them out before the rules are processed against them. In the log entry where you would usually see the rule that was processed against this transaction it is blank. In ISA2000 a packet filter with the incoming port number and originating address will kill this kind of stuff.

(in reply to Persing)
Post #: 11
RE: User defined protocols - 14.Feb.2004 1:32:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pete,

For Publishing Rules you use Inbound protocol definition, for ARs, you use Outbound definitions.

HTH,
Tom

(in reply to Persing)
Post #: 12
RE: User defined protocols - 14.Feb.2004 6:47:00 PM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
That's what I have done Tom. But as I mentioned in my previous post it doesn't seem to work. The packet filters in ISA2000 sure do the job, but this appears to be a situation where some built-in feature in ISA catches this stuff and denies access without any rule being involved. This is why I wanted a list of status codes, because I thought maybe that would shed some light on this. In the configurations that you have seen, do you get a lot of denied "unidentified traffic" and other denied identified (ie, SMTP, etc) traffic with no rule identified and zeros for a lot of the fields?

(in reply to Persing)
Post #: 13
RE: User defined protocols - 15.Feb.2004 4:51:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Pete,

"it does not block the spammers. They don't get through to my SMTP server" that's strange.

Let me try to catch your problem :

You have spammers on the internet with specific IPs. Let's say we have an Exchange server with IP 127.54.5.5 (it's internal, but let's say it was an external IP address somewhere on the internet) and that IP is spamming your SMTP servers with mail.
Now you want to be able to put a filter in ISA 2004 that blocks 127.54.5.5 IP access to port 25 on your SMTP server, by setting an exception in your ALLOW rule to port 25 (in order to allow the rest of the world to access your firewall).

The problem you are having is that you don't see 127.54.5.5 IP trying to connect to your published SMTP server on the ISA 2004 box , but you see 'unidentified IP' ?
By being unidentified , the IP 127.54.5.5 can't be blocked , so the spamming Exchange server with ip address 127.54.5.5 can access your published SMTP server because there is an allow rule on your ISA server with exceptions that it doesn't apply to ( because ISA thinks it doesn't have IP 127.54.5.5 )

If that's your problem then I understand it
[Smile]

Have you tried the following :

Make a same kind of rule for an internal server that is in an exception rule ( just like you would exclude 127.54.5.5 ). Would it 'identify' your server then ? and would it block the connection ?

let us know

Kind regards,
Lex Penrose

(in reply to Persing)
Post #: 14
RE: User defined protocols - 15.Feb.2004 6:30:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Montana Pete:
That's what I have done Tom. But as I mentioned in my previous post it doesn't seem to work. The packet filters in ISA2000 sure do the job, but this appears to be a situation where some built-in feature in ISA catches this stuff and denies access without any rule being involved. This is why I wanted a list of status codes, because I thought maybe that would shed some light on this. In the configurations that you have seen, do you get a lot of denied "unidentified traffic" and other denied identified (ie, SMTP, etc) traffic with no rule identified and zeros for a lot of the fields?

Hi Pete,

I guess an exception to this would be when services are running on the firewall itself. In that circumstance, you would use an outbound protocol from External to Local Host.

HTH,
Tom

(in reply to Persing)
Post #: 15
RE: User defined protocols - 16.Feb.2004 12:12:00 AM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
Hi Lex,
You were doing great up to this point.

", so the spamming Exchange server with ip address 127.54.5.5 can access your published SMTP server because there is an allow rule on your ISA server with exceptions that it doesn't apply to ( because ISA thinks it doesn't have IP 127.54.5.5 )"

The spamming server CANNOT access my server, therefore the exception rule never gets an opportunity to block him. There is no actual damage done or mail received. It's just that my logs get full of all this traffic labeled SMTP and labeled "unidentified" and I have to dig my way around all this chaff to analyze other activities. Most of this stuff is labeled source external, destination local host, so I would expect ISA to direct it (port 25, right) to the Exchange server, but it doesn't.

Today I saved my configuration, uninstalled ISA2004 and reinstalled from the February Technet CD so it would be a different source in case my download was bad. With just a bare bones system I published exchange server, fired it up, and here comes all the trash again. I am surprised everyone doesn't see this stuff.

(in reply to Persing)
Post #: 16
RE: User defined protocols - 16.Feb.2004 7:35:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Pete ,

I am discerning the same problem here.
Too much 'unidentified IP traffic' is blocked by the default rule (deny all).

I'll run a packet analyzer to see which packets are 'unidentified' [Smile]
I'll let you know if I can find anything

Kind regards,
Lex Penrose

(in reply to Persing)
Post #: 17
RE: User defined protocols - 17.Feb.2004 2:25:00 PM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
Thanks Lex,
I am glad someone else sees it. Most of my questionable traffic has no rule identified at all. It looks like this:
FIREWALL, 2/16/2004, 12:23:08, TCP, 65.103.98.194:44300, 12.32.44.41:25, 65.103.98.194, External, Local Host, Denied, 0xc0040017, -, SMTP, -,
Sure wish we had a list of error codes so we could tell a little bit more about what's going on.

(in reply to Persing)
Post #: 18
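The log line quoted above is the kind of entry the thread is trying to separate from real problems. As an added triage example (not code from the forum or from ISA Server), the script below parses entries in that layout, keeps only "Denied" entries that name no rule, and counts them by source IP, destination port, application protocol and status code. Field positions are inferred from the single sample line on the page (an assumption, not a documented schema); the extra lines, the rule name "SMTP Publishing" and the "0x0" status are constructed.

```python
from collections import Counter

# Field names assumed from the single ISA 2004 firewall log line quoted in the thread.
FIELDS = ["server", "date", "time", "protocol", "source", "destination",
          "original_client", "source_network", "dest_network", "action",
          "status", "rule", "app_protocol", "extra"]

# Constructed sample: the first line is the one quoted in the thread, the rest are made up
# (documentation IP ranges, invented rule name and status) to exercise the filter.
SAMPLE_LOG = """\
FIREWALL, 2/16/2004, 12:23:08, TCP, 65.103.98.194:44300, 12.32.44.41:25, 65.103.98.194, External, Local Host, Denied, 0xc0040017, -, SMTP, -,
FIREWALL, 2/16/2004, 12:23:09, TCP, 65.103.98.194:44301, 12.32.44.41:25, 65.103.98.194, External, Local Host, Denied, 0xc0040017, -, SMTP, -,
FIREWALL, 2/16/2004, 12:23:10, TCP, 198.51.100.7:2048, 12.32.44.41:25, 198.51.100.7, External, Local Host, Allowed, 0x0, SMTP Publishing, SMTP, -,
FIREWALL, 2/16/2004, 12:23:11, TCP, 203.0.113.9:3333, 12.32.44.41:445, 203.0.113.9, External, Local Host, Denied, 0xc0040017, -, Unidentified IP Traffic, -,
"""

def parse_entries(text):
    """Split comma-separated log lines into dicts; skip blank or short (malformed) lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts and parts[-1] == "":
            parts.pop()  # the trailing comma yields an empty last field
        if len(parts) < len(FIELDS):
            continue  # do not guess at a line with missing fields
        entries.append(dict(zip(FIELDS, parts[:len(FIELDS)])))
    return entries

def denied_without_rule(entries):
    """Denied entries with no rule named: the 'chaff' the thread complains about."""
    return [e for e in entries if e["action"] == "Denied" and e["rule"] == "-"]

def noise_summary(entries):
    """Count rule-less denials by (source IP, destination port, app protocol, status code)."""
    counts = Counter()
    for e in denied_without_rule(entries):
        src_ip = e["source"].rsplit(":", 1)[0]
        dst_port = e["destination"].rsplit(":", 1)[-1]
        counts[(src_ip, dst_port, e["app_protocol"], e["status"])] += 1
    return counts

def top_sources(entries, n=5):
    """Source IPs generating the most rule-less denials, for a candidate block list."""
    ips = Counter(e["source"].rsplit(":", 1)[0] for e in denied_without_rule(entries))
    return ips.most_common(n)

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for key, count in noise_summary(parsed).most_common():
        print(count, key)
    print("top sources:", top_sources(parsed))
```

Once the noisy sources are ranked this way, the remaining entries that do name a rule are the ones worth reading when diagnosing a specific problem.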
RE: User defined protocols - 17.Feb.2004 5:47:00 PM   
Persing

 

Posts: 40
Joined: 31.Jan.2004
Status: offline
Ran more tests this morning. It is obvious that the bulk of these "denied" entries in the firewall log are associated with successful transactions. I am getting denied entries for both SMTP and HTTP activity that encountered no problems whatever. I had a user access a predefined list of sites (fox news, cnn, etc) while I examined the log file, and "access denied" entries with no rule identified popped up all over. The user said she had no error messages or difficulty. I am beginning to think that the logging facility is badly hosed up. I know this is a beta, but logging is a very critical part of examining this product, and it is difficult for me to believe that Microsoft would release it to public beta with a broken logging facility. I will be interested to see what your conclusions are.

(in reply to Persing)
Post #: 19
RE: User defined protocols - 19.Feb.2004 10:08:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Pete ,

Ok Microsoft says the following :
===========
I don't have a list of error codes but I can tell you that unidentified IP
traffic is traffic that we don't have a protocol defined for. That is why it
is "Unidentified"; it does not necessarily imply that there is anything
wrong with it.

Barclay Neira [MS]
============

Well, looks like Msft hasn't finished implementing their error codes yet (lol [Big Grin])

anyway , I asked a guy from microsoft if he could get a list of errorcodes. I can't find any reason not to give them to the public. So maybe we'll be lucky [Smile]
He also had a look at the unidentified IP traffic and will ask the local ISA guru for some more info on this issue.

The strange thing is that while analyzing the unidentified IP traffic , I couldn't find any unidentified IP traffic in our sniffer ( Sniffer Pro ) It was 100% http/https traffic , yet ISA sees half of these packets as unidentified and thus blocks them as a default rule.

btw: Our problem is easily reproducible by setting your proxy on in ISA and sending a client to windowsupdate.microsoft.com
When clicking scan my computer (https module) the ISA will see unidentified traffic.

It will all be alright [Smile]

Kind regards,
Lex Penrose

(in reply to Persing)
Post #: 20