epolicy orchestrator denied
epolicy orchestrator denied - 6.Nov.2006 4:13:02 PM
mderosia
Posts: 9
Joined: 9.Sep.2004
From: Grand Rapids, MI.
Hello, I am having issues that I cannot resolve. I am unable to get any of our ISA servers to communicate with McAfee ePolicy Orchestrator. When I log the communication, I get this in the log (below). There is one rule to allow all networks to communicate with all networks for all users and it will not communicate. I have created a rule to allow local host to communicate with "ePO server" for all traffic with no help. I am completely stumped. Any thoughts?

Original Client IP: 0.0.0.0
Client Agent: Mozilla/4.0 (compatible; SPIPE/3.0; Windows)
Authenticated Client: No
Service: Proxy
Server Name: 044ISA
Transport: TCP
Source Port: 0
Processing Time: 1
Bytes Sent: 2246
Bytes Received: 16729
HTTP Status Code: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Cache Information: 0x0
Error Information: 0x200
Log Record Type: Web Proxy Filter
Log Time: 10/18/2006 11:05
Destination IP: 10.1.0.164
Destination Port: 80
Action: Denied Connection
Client IP: 10.44.0.24
Client Username: Anonymous
HTTP Method: POST
URL: /spipe/pkg?AgentGuid={8B1716B1-B671-468E-AC70-06066E88FDAD}&Source=Agent_3.0.0
RE: epolicy orchestrator denied - 9.Nov.2006 5:24:18 AM
Andy_UK
Posts: 80
Joined: 12.May.2006
From: Suffolk, UK
Hi,

In order to get my ISA Server and VPN Clients updating through EPO I had to create the following rule:

From: VPN Clients and Local Host
To: EPO Server

You have to create a Protocol with the following:

Primary Connections:
Port 445 TCP Inbound
Port 8090-8091 TCP Inbound
Port 90-91 TCP Inbound

Secondary Connections:
Port 445 TCP Outbound
Port 8090-8091 TCP Outbound
Port 90-91 TCP Outbound
Port 88 UDP Receive Send
Port 88 UDP Send Receive

With this set, my VPN Clients update happily, as does the ISA itself, although the ISA does go into the no contact group in EPO.

Hope this helps,
Andy
RE: epolicy orchestrator denied - 25.Jan.2007 10:24:27 AM
vuilverwerking
Posts: 26
Joined: 29.Dec.2006
Hi, I had this problem with ISA 2004 and ePo 3.5. HTTP Compression Filter on the ISA 2004 Server is causing the problem. Disable it and try again. I'm now running on ISA 2006 and ePo 3.6.1 and no problem anymore.
RE: epolicy orchestrator denied - 25.Jan.2007 10:29:18 AM
mderosia
I will check that and repost. I have been logging on to the server and updating manually from the box as a workaround. It does update from the correct repository so I know ePO is getting denied when trying to enforce an update. I will be upgrading to ePO 3.6 sometime in the next two weeks as well.

Thanks for the post,
mderosia
RE: epolicy orchestrator denied - 1.Feb.2007 10:17:06 AM
mhicks
Posts: 3
Joined: 1.Feb.2007
I am experiencing this issue too and hopefully someone can give me some help. The dat files of the AV product update fine, but I am getting errors when the agent tries to communicate with ePO Server. This is what shows up in the ISA firewall log:

Rule: Vircon
Destination IP: My ePO IP
Destination port: 80
Action: Denied Connection
Client IP: MY ISA IP
Client Username: Anonymous
Source Network:
HTTP Method: POST
URL: /spipe/pkg?AgentGuid=(E38......14c)&source=Agent_3.0.0
Original Client IP: 0.0.0.0
HTTP Status Code: 12202 The ISA Server denied the specific Uniform Resource Locator(URL)

But, I have a rule to allow ISA to communicate with my ePO server, and that is the rule that is generating this error!! I am so confused. Here is the rule:

Name: Vircon
Action: Allow
Protocols: All Outbound Traffic
From: Local Host
To: Vircon
Condition: All Users

I have the other rule that Andy suggested right above this one, and no traffic even hits that rule. I appreciate your help.
RE: epolicy orchestrator denied - 12.Feb.2007 4:35:56 PM
mderosia
I have still had no luck trying to get this to work. I have created the protocol with the correct ports. I have a rule that allows all traffic from local host to ePO server both ways for all users. When I go to the ISA server and right click McAfee and select update now, it works every time. When I go to the ePO server and select agent wakeup call, it does not go through. Logging is showing that it is getting blocked but not enough information to tell me why. It may be easier to just log on to the ISA server and select update now every day. If I do not do that, it will not update at all.
RE: epolicy orchestrator denied - 12.Feb.2007 4:49:46 PM
mhicks
By the way, I got mine to work. I had to uncheck "Require all users to authenticate." And now it works fine.

ISA Server Management, click on Configuration -> Networks.
Right click on Internal, and open "Properties".
Open the Web Proxy tab.
Click Authentication.
Uncheck "Require all users to authenticate."

Hope this helps.
RE: epolicy orchestrator denied - 13.Feb.2007 10:14:01 AM
mhicks
With this checked, all users will be required to authenticate to a proxy. So every machine will be required to sign on to the proxy. Windows boxes should be able to pass logon credentials seamlessly via NTLM, but if you have a machine that isn't logged on to the domain, or a non-Windows OS, then a user will have to enter some form of authentication, even if you have the rule say "all users." With that box checked, ISA will treat ALL USERS as an actual authenticated user, and should deny anonymous requests. But if you have your rule base set up correctly, then you shouldn't have to worry about anonymous requests. So if anything, you gain the ability to allow certain machines access to the proxy, and not require the machine to log on.

Mike
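An added example, not part of any post in this thread: a small Python parser for the flattened ISA log record quoted in the first post, which tags a denied record with the checks the posters suggested. The function names, the tag strings and the mapping from log fields to checks are assumptions made for illustration; the sample is the first post's record, shortened.

```python
import re

# Field labels taken from the ISA log record quoted in the first post.
FIELDS = ["Original Client IP", "Client Agent", "Authenticated Client", "Service",
          "Server Name", "Transport", "Source Port", "Processing Time",
          "Bytes Sent", "Bytes Received", "HTTP Status Code", "Cache Information",
          "Error Information", "Log Record Type", "Log Time", "Destination IP",
          "Destination Port", "Action", "Client IP", "Client Username",
          "HTTP Method", "URL"]
# Longest label first; the lookbehind stops "(URL)" inside the status text
# from being read as the URL label.
LABEL = re.compile(r"(?<![(\w])(" + "|".join(
    re.escape(f) for f in sorted(FIELDS, key=len, reverse=True)) + r")\b:?\s*")

def parse_record(text):
    """Split a flattened 'Label value Label value ...' record into a dict."""
    hits = list(LABEL.finditer(text))
    rec = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        rec[m.group(1)] = text[m.end():end].strip()
    return rec

def triage(rec):
    """Tag a denied record with checks raised in the thread (assumed mapping)."""
    tags = []
    if not rec.get("Action", "").startswith("Denied"):
        return tags
    status = rec.get("HTTP Status Code", "").split(" ")[0]
    agent = "SPIPE" in rec.get("Client Agent", "") or rec.get("URL", "").startswith("/spipe/")
    if agent:
        tags.append("epo-agent-traffic")
    if status == "12202" and rec.get("Client Username") == "Anonymous":
        # mhicks: "Require all users to authenticate" on the Web Proxy tab
        tags.append("check-require-all-users-to-authenticate")
        if agent:
            # mderosia: agent policy that uses the proxy with credentials
            tags.append("or-set-proxy-credentials-in-agent-policy")
    if status == "12202" and rec.get("Log Record Type") == "Web Proxy Filter":
        # vuilverwerking: HTTP Compression Filter on ISA 2004
        tags.append("check-http-compression-filter")
    return tags

# Sample: the record from the first post, shortened.
SAMPLE = ("Client Agent Mozilla/4.0 (compatible; SPIPE/3.0; Windows) Authenticated Client No "
          "HTTP Status Code 12202 The ISA Server denied the specified Uniform Resource "
          "Locator (URL). Log Record Type Web Proxy Filter Destination Port 80 "
          "Action Denied Connection Client IP 10.44.0.24 Client Username Anonymous HTTP Method "
          "POST URL /spipe/pkg?AgentGuid={8B1716B1-B671-468E-AC70-06066E88FDAD}&Source=Agent_3.0.0")
```

Calling `triage(parse_record(SAMPLE))` returns the tags in the order the checks are evaluated; a record whose Action does not start with "Denied" returns an empty list.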
RE: epolicy orchestrator denied - 13.Feb.2007 10:20:21 AM
mderosia
Excellent, thanks mhicks. I will do some more research on what you just posted to make sure it will work in my environment. I found another workaround that I am testing too. It is to create an ePO agent policy for the ISA server and set it to use the proxy with the credentials that I enter into the properties. Just another workaround that may work. Thanks again.