Why does my ISA Server still browse even though there is a packet filter denying it
Why does my ISA Server still browse even though there is... - 21.Jun.2004 11:53:00 PM
soldier
Posts: 13
Joined: 21.Jun.2004
Hi all,
I have been playing with ISA Server for a while; though I am no expert, I have managed to get it to work. I am using an ADSL modem (one of those with a web interface) with a dynamic address. ISA Server is set up as a firewall.
What I would like to do is tighten up my ISA Server. I did a port scan to see how well it's sealed and, much to my surprise, there were a lot of ports open, to mention a few: port 80 in (though IIS is not installed), 1024, 1025 etc. etc. That, and the fact that the server always replies to a ping even after I configured it to ignore ICMP in.
After various attempts, I am still not able to close up the server's open ports, or to open a few others. What am I doing wrong? Do I need to install the firewall client on the server to seal it up? I really would like to increase the server's security.
Thankx
RE: Why does my ISA Server still browse even though ther... - 23.Jun.2004 2:15:00 PM
soldier
Posts: 13
Joined: 21.Jun.2004
Hi Stefaan
I am using www.grc.com's Shields UP program to run a port scan on my ISA Server. I have tried their port scanning software quite a few times. They also offer a simple explanation of who uses what ports.
Cheers Soldier
RE: Why does my ISA Server still browse even though ther... - 27.Jun.2004 10:33:00 PM
soldier
Posts: 13
Joined: 21.Jun.2004
Hi All
I finally worked out what was the matter with my ISA Server: I had added my external IP to my LAT addresses. That's why, no matter what I did, the same ports were open; I had added my external IP as part of my internal addresses.
I do, however, have another issue to sort out. I am trying to get ISA Server to browse the internet, and I am trying to do this without adding the proxy info or using the firewall client. I followed the instructions to create packet filters to allow the ISA Server to browse, but this doesn't seem to work for me. My server refuses to browse; in addition, I can't get any local services on the ISA Server to work. Any ideas? I tried adding the firewall client on the ISA Server, but that didn't change anything.
My clients work great, no issues there. They run using the firewall client, I
Cheers Soldier
RE: Why does my ISA Server still browse even though ther... - 27.Jun.2004 11:25:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Soldier,
good to hear that the problem is solved. Always keep in mind that the LAT should only contain your internal IP address ranges; nothing more, nothing less.
To give applications running on ISA itself outbound access, you have to create IP packet filters. There is one exception to this general rule: you can configure IE on ISA itself as a Web Proxy client by using ISA_internal_IP port:8080 as proxy settings. In any case, do NOT install the Firewall client on ISA. It is an unsupported configuration.
What are the details of the IP packet filter created?
BTW --- ISA Server is supposed to be a firewall, not a general purpose workstation or server. Therefore, it is bad security practice to use ISA Server for something other than a firewall.
HTH, Stefaan
RE: Why does my ISA Server still browse even though ther... - 28.Jun.2004 12:45:00 PM
soldier
Posts: 13
Joined: 21.Jun.2004
Hi Stefaan
I think I have solved my packet filter problem. After quite a few tests I worked out that, for the ISA Server to browse the internet (without using the LAN proxy settings), I needed to configure an incoming packet filter as well as an outgoing filter for the required. As soon as I did that, the server was able to browse.
I know that it's bad practice to use the server for something other than a firewall. My question is: I have to create server publishing rules to get the clients' apps to work, therefore opening the firewall. That's roughly the same as creating packet filters and getting the ISA Server to do the work. The difference is that I didn't open the ports in server publishing. I also have a dynamic IP address, so all those server publishing rules are wasted once the IP address changes, unless there is some auto update. So what's safer, server publishing rules or ISA packet filters?
Thankx Soldier
RE: Why does my ISA Server still browse even though ther... - 28.Jun.2004 8:22:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Soldier,
that's weird! One outbound IP packet filter should be enough. What are the details of the IP packet filter? The protocol should be TCP, the remote port 80 and the local port all or dynamic.
HTH, Stefaan
RE: Why does my ISA Server still browse even though ther... - 28.Jun.2004 10:55:00 PM
soldier
Posts: 13
Joined: 21.Jun.2004
Hi Stefaan, that's exactly how my outbound TCP port 80 request is; however, I also had to set up an inbound TCP port 80 filter with the local port set to 80 and the remote port all. Not only did it work for HTTP, but also for another program once I set up this incoming and outgoing flow.
Could you also tell me why my port 80 is seen as open from the internet if I am not publishing anything? All the other ports are stealth, except 80. Another question: what's better, getting the ISA Server to run internet programs like eMule, or opening ports for the clients?
Thankx Soldier
RE: Why does my ISA Server still browse even though ther... - 29.Jun.2004 12:10:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Soldier,
that's definitely *not* normal and indicates to me that something is wrong with your ISA configuration. To help you find it out, please post the following info unmodified:
- ipconfig /all on ISA
- netstat -r on ISA
- content of the LAT on ISA
HTH, Stefaan
RE: Why does my ISA Server still browse even though ther... - 29.Jun.2004 5:12:00 PM
soldier
Posts: 13
Joined: 21.Jun.2004
Hi Stefaan
Here is the information you requested, and here's hoping some hacker doesn't use it to his advantage (:-).
NetStat -r
Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 24 5a 01 8c ...... 3Com EtherLink PCI (Microsoft's Packet Sche )
0x3 ...00 10 5a 29 8c 7d ...... 3Com EtherLink PCI (Microsoft's Packet Sche )
0x2000005 ...00 30 0a 10 83 0b ...... Pirelli ADSL USB Modem
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     82.84.209.76   82.84.209.76       1
      82.84.209.0    255.255.255.0     82.84.209.76   82.84.209.76       1
     82.84.209.76  255.255.255.255        127.0.0.1      127.0.0.1       1
   82.255.255.255  255.255.255.255     82.84.209.76   82.84.209.76       1
      100.100.0.0    255.255.255.0      100.100.0.1    100.100.0.1       1
      100.100.0.1  255.255.255.255        127.0.0.1      127.0.0.1       1
  100.255.255.255  255.255.255.255      100.100.0.1    100.100.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1    192.168.0.1       1
      192.168.0.1  255.255.255.255        127.0.0.1      127.0.0.1       1
    192.168.0.255  255.255.255.255      192.168.0.1    192.168.0.1       1
        224.0.0.0        224.0.0.0     82.84.209.76   82.84.209.76       1
        224.0.0.0        224.0.0.0      100.100.0.1    100.100.0.1       1
        224.0.0.0        224.0.0.0      192.168.0.1    192.168.0.1       1
  255.255.255.255  255.255.255.255      192.168.0.1    192.168.0.1       1
Default Gateway:      82.84.209.76
===========================================================================
Persistent Routes:
  None
Ipconfig /all
Windows 2000 IP Configuration
  Host Name . . . . . . . . . . . . : conflict
  Primary DNS Suffix  . . . . . . . :
  Node Type . . . . . . . . . . . . : Broadcast
  IP Routing Enabled. . . . . . . . : Yes
  WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter ADSL:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Pirelli ADSL USB Modem
  Physical Address. . . . . . . . . : 00-30-0A-10-83-0B
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IP Address. . . . . . . . . . . . : 82.84.209.76
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 82.84.209.76
  DHCP Server . . . . . . . . . . . : 10.0.0.2
  DNS Servers . . . . . . . . . . . : 10.0.0.2
  Lease Obtained. . . . . . . . . . : Tuesday, June 29, 2004 1:54:47 PM
  Lease Expires . . . . . . . . . . : Wednesday, June 30, 2004 1:54:47 AM
Ethernet adapter Local Area Connection 1 192.168.0.1:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX) #2
  Physical Address. . . . . . . . . : 00-A0-24-5A-01-8C
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 192.168.0.1
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . :
Ethernet adapter Local Area Connection 2 100.100.0.1:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX) #3
  Physical Address. . . . . . . . . : 00-10-5A-29-8C-7D
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 100.100.0.1
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . :
NETWORK ADDRESS TABLE: (LAT)
  IP: 192.168.0.0  MASK: 192.168.0.255
  IP: 100.100.0.1  MASK: 100.100.0.255
Cheers Soldier
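One practical check that follows from Stefaan's rule (the LAT holds internal ranges only) and from the mistake Soldier describes (the external IP ending up in the LAT), added here as an example and not code from the thread or from ISA Server itself: a small Python script that takes the interface addresses and LAT ranges posted above and flags any LAT range that contains the external address, matches no internal interface subnet, or lies outside RFC 1918 space. The interface names, the "ADSL is external" label and the RFC 1918 heuristic are the script's own assumptions.

```python
import ipaddress

# Constructed from the ipconfig /all and LAT output posted in the thread.
INTERFACES = {
    "ADSL": ("82.84.209.76", "255.255.255.0"),  # assumed to be the external side
    "Local Area Connection 1": ("192.168.0.1", "255.255.255.0"),
    "Local Area Connection 2": ("100.100.0.1", "255.255.255.0"),
}
EXTERNAL = "ADSL"
# LAT entries as (first, last) address ranges, as shown in the thread.
LAT = [("192.168.0.0", "192.168.0.255"), ("100.100.0.1", "100.100.0.255")]

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lat_findings(interfaces, external, lat):
    """Return a list of problem strings; an empty list means the LAT looks sane."""
    findings = []
    ext_ip = ipaddress.ip_address(interfaces[external][0])
    internal_nets = {
        name: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for name, (ip, mask) in interfaces.items() if name != external
    }
    for first, last in lat:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        rng = f"{first}-{last}"
        if lo > hi:
            findings.append(f"{rng}: reversed range")
            continue
        # The mistake from the thread: with the external IP inside the LAT,
        # ISA treats the Internet side as internal and the filters never bite.
        if lo <= ext_ip <= hi:
            findings.append(f"{rng}: contains external IP {ext_ip}")
        # Each LAT range should sit inside one internal interface's subnet.
        if not any(lo in net and hi in net for net in internal_nets.values()):
            findings.append(f"{rng}: matches no internal interface subnet")
        # Heuristic added here, not a rule from the thread: internal ranges are
        # normally RFC 1918 space, so anything else deserves a second look.
        if not any(lo in net and hi in net for net in RFC1918):
            findings.append(f"{rng}: not RFC 1918 private space")
    return findings


if __name__ == "__main__":
    for line in lat_findings(INTERFACES, EXTERNAL, LAT) or ["LAT looks sane"]:
        print(line)
```

On the posted configuration the only finding is the 100.100.0.x range falling outside RFC 1918 space; adding the external 82.84.209.x range back into the LAT reproduces the original problem as two findings.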
RE: Why does my ISA Server still browse even though ther... - 29.Jun.2004 10:27:00 PM
soldier
Posts: 13
Joined: 21.Jun.2004
Hi Stefaan
Yes, I use an ADSL modem as my external interface. One thing I have to explain about this modem is that it does not operate like a normal ADSL modem via DUN. You get connected by going to the http://x.x.x.x address of the modem and connecting from within its software. Therefore I did not set it up with DUN, because I don't have an actual dial-up connection but an HTTP interface instead.
Cheers Soldier