help needed configuring FWC for app

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> help needed configuring FWC for app Page: [1]
help needed configuring FWC for app - 4.Oct.2002 8:26:00 PM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
We have a horrible, but crucial, application that our staff needs in order to be able to interface with a UNIX server. We previously had the UNIX server behind the firewall, and thus the application could connect directly to the server. However, a portion of the web catalog service would not work within the firewall no matter what we tried. So we decided to move the server outside.

Now... this application uses TCP Port 5100 for everything. When you start the program, it connects to the server, and if everything is ok, it asks for a username and password. When you type this stuff in, it sends it to the server. Now the mess begins. This application must download 4 or 5 .dat and .zip files that contain preferences. It creates a NEW connection for each download, but the connection is always to the remote server's TCP port 5100. These additional connections wait, and I believe eventually close, but the initial connection remains open, and the user does their work over this connection. These clients are FWC. So, I added a protocol definition allowing TCP 5100 Outbound, and added it to a protocol rule that any staff member can use. I have verified the FWC is using the protocol rule by looking in the FW log.

Now, what happens is, I open the program, it makes the initial connection, and I get the prompt for the username. I enter this, and it begins the login process. I notice it opens a second port to 5100 remote, and I see the progress bar that you should see when it begins to download the preference files; however, the progress bar stays at 0%, and the program sits there like that. You have to kill the program to exit. I look in the firewall logs, and nothing out of the ordinary shows up. It shows the right program, the right remote host, the right protocol, CONNECT is the operation, and 0 and 20000 are the statuses that you see (0 is completed successfully and 20000 is terminated normally), and it is using the appropriate rule.

So I tried adding some custom application configurations to the firewall mspclnt.ini:

[wf020000]
NameResolution=L
RemoteBindTcpPorts=5100
Persistent=1

And that didn't seem to have any effect. Playing around, at the moment it looks like this:

ControlChannel=wsp.tcp
NameResolutionForLocalHost=L
KillOldSession=0
NameResolution=L
RemoteBindTcpPorts=5100
Persistent=1

Still no difference.

If I go to a workstation outside the firewall, it works fine. Of course.

I did look in the packet filter logs, and I do see entries that are coming from the IP of this UNIX server; they are ICMP 3 (port unreachable) packets. Obviously I'm sure that has something to do with it; however, they are being sent to the IPs of the DNS service running on my ISA server (I had to put external DNS on the same server as ISA because of budget constraints).

I've found that setting the workstation as a S-NAT client works, but I don't want to go that route unless there's a dire need.

Anyone have any ideas?
Post #: 1
RE: help needed configuring FWC for app - 4.Oct.2002 9:28:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

Does it work when you create an All Open Protocol Rule can connect to it using the Firewall client?

Does the Server need to create secondary connections inbound?

Thanks!

Tom

(in reply to whisperedlies)
Post #: 2
RE: help needed configuring FWC for app - 4.Oct.2002 10:10:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

maybe you can post an excerpt of the firewall and packet filter log from the same time frame. Just be sure you have enabled on ISA the logging of all fields, otherwise it is hard to read them.

HTH,
Stefaan

(in reply to whisperedlies)
Post #: 3
RE: help needed configuring FWC for app - 4.Oct.2002 11:09:00 PM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
Hi Tom,

No difference with an allow all rule [Frown]

I don't believe it requires secondary connections. I've tested this on a PC that isn't behind the firewall, and all it does is just create additional connections to the same port on the remote server for each file it downloads. So I'm thinking the protocol definition I have created for this port should be the one used every time.

Hi Stefaan,

Here's an excerpt from the firewall log. I've noticed that I'm not seeing an entry for the blocked ICMP 3,3 in the packet log, like I said I was seeing before, so perhaps that was not linked to this problem like I thought.
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2 sessionid connectionid
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:11 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52206
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:11 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52206
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:16 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52207
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:16 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52207
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:19 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52208
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:19 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52208
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:40 fwsrv DUDLEY - - xxx.xxx.123.172 5100 20641 152 14147 5100 TCP Connect - - - 20001 - Allow Basic Client Protocols Allow rule 3503 52208
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:40 fwsrv DUDLEY - - xxx.xxx.123.172 5100 24109 140 130 5100 TCP Connect - - - 20001 - Allow Basic Client Protocols Allow rule 3503 52207
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:40 fwsrv DUDLEY - - xxx.xxx.123.172 5100 28766 478 14414 5100 TCP Connect - - - 20001 - Allow Basic Client Protocols Allow rule 3503 52206

I did use Ethereal to capture a session from between my workstation and the ISA server, and from the ISA server to the UNIX box. Things look normal on the internal segment, and mostly normal on the external, but on the external segment I noticed a problem. It looks like shortly after the second connection is established, the ISA server starts to send ICMP 3,4 (destination unreachable, fragmentation needed) back to the UNIX server, and in that ICMP packet, ISA refers to my client PC by its internal IP, which doesn't sound good at all to me.

ARGH!
Mike

[ October 04, 2002, 11:11 PM: Message edited by: Mike G. ]

(in reply to whisperedlies)
Post #: 4
RE: help needed configuring FWC for app - 4.Oct.2002 11:14:00 PM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
Heh, I just noticed that in the excerpt I posted, the connection status is 20001 rather than 20000 like it had been. Will it not end?

(in reply to whisperedlies)
Post #: 5
RE: help needed configuring FWC for app - 5.Oct.2002 12:04:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

from what I can see in the firewall log, there seems to be no problem with the protocol rules. The only thing is that the connections are abnormally terminated (connection status is 20001 rather than 20000). The cause is probably a RST sent from one of the connected parties.

Aha... I had forgotten you have some experience with Ethereal. That's good, very good in this situation, because you will have to find out the real reason for those ICMPs. With Ethereal, you should be able to determine which packet is the cause of the ICMP message. I think that a detailed analysis of the Ethereal trace will be necessary.

HTH,
Stefaan

(in reply to whisperedlies)
Post #: 6
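Reading a firewall-service log like the one Mike posted is easier when a script pairs each connection's Connect line with the line written when it closes and reports the final status, which is exactly the point Stefaan makes about 20000 versus 20001. The Python below is an added example written for this thread, not code from the forum or from ISA Server. It parses the excerpt posted above (the original log is tab-delimited, but the forum flattened the tabs to spaces, so the parser handles both shapes) and lists the connections that did not end normally; the status meanings are the ones stated in the thread.

```python
"""Parse ISA Server 2000 firewall-service log lines and flag connections whose
final sc-status is not a normal termination.  Added example for this thread."""

# Sample input: the excerpt posted in the thread (masked address kept as posted).
SAMPLE_LOG = """\
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2 sessionid connectionid
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:11 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52206
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:11 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52206
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:16 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52207
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:16 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52207
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:19 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52208
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:19 fwsrv DUDLEY - - xxx.xxx.123.172 5100 - - - 5100 TCP Connect - - - 0 - Allow Basic Client Protocols Allow rule 3503 52208
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:40 fwsrv DUDLEY - - xxx.xxx.123.172 5100 20641 152 14147 5100 TCP Connect - - - 20001 - Allow Basic Client Protocols Allow rule 3503 52208
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:40 fwsrv DUDLEY - - xxx.xxx.123.172 5100 24109 140 130 5100 TCP Connect - - - 20001 - Allow Basic Client Protocols Allow rule 3503 52207
192.168.0.33 m.grabski wf020000.exe:3:5.0 Y 2002-10-04 20:50:40 fwsrv DUDLEY - - xxx.xxx.123.172 5100 28766 478 14414 5100 TCP Connect - - - 20001 - Allow Basic Client Protocols Allow rule 3503 52206
"""

# Status meanings as given in the thread (20001: Stefaan's reading is a RST).
STATUS_NAMES = {"0": "completed successfully",
                "20000": "terminated normally",
                "20001": "terminated abnormally"}


def split_fields(header, line):
    """Return {field: value} for one log line.

    ISA writes tab-separated fields.  The excerpt in the thread was pasted with
    tabs collapsed to spaces, so the rule names ('Allow Basic Client Protocols',
    'Allow rule') span several tokens.  Try a tab split first; if that does not
    give the right field count, parse positionally: every field before rule#1
    and after rule#2 is a single token, and the tokens in between are the two
    rule names, kept joined because a space split cannot tell where one ends.
    """
    parts = line.split("\t")
    if len(parts) == len(header):
        return dict(zip(header, parts))
    tokens = line.split()
    i_rule1 = header.index("rule#1")
    n_tail = len(header) - header.index("rule#2") - 1   # fields after rule#2
    rec = dict(zip(header[:i_rule1], tokens[:i_rule1]))
    rec["rule#1"] = " ".join(tokens[i_rule1:len(tokens) - n_tail])
    rec["rule#2"] = None        # not separable in a space-flattened line
    rec.update(zip(header[len(header) - n_tail:], tokens[len(tokens) - n_tail:]))
    return rec


def parse_log(text):
    """Parse W3C-style log text; the '#Fields:' directive names the columns."""
    header, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            header = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or header is None:
            continue
        records.append(split_fields(header, line))
    return records


def connection_outcomes(records):
    """connectionid -> last line seen for it.  ISA logs a line with sc-status 0
    when the connection is set up and another with the final status at close,
    so the last line per connectionid is its outcome."""
    last = {}
    for rec in records:
        last[rec["connectionid"]] = rec
    return last


def abnormal_connections(records):
    """Connections whose last status is neither 'set up' nor 'terminated normally'."""
    return {cid: rec for cid, rec in connection_outcomes(records).items()
            if rec["sc-status"] not in ("0", "20000")}


def report(text):
    """One human-readable line per abnormally ended connection."""
    lines = []
    for cid, rec in sorted(abnormal_connections(parse_log(text)).items()):
        st = rec["sc-status"]
        lines.append("conn %s: %s -> %s:%s %s, status %s (%s), time-taken %s, "
                     "cs-bytes %s, sc-bytes %s"
                     % (cid, rec["c-ip"], rec["r-ip"], rec["r-port"],
                        rec["cs-transport"], st, STATUS_NAMES.get(st, "unknown"),
                        rec["time-taken"], rec["cs-bytes"], rec["sc-bytes"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the posted excerpt, all three connections (52206, 52207, 52208) come out with status 20001, each after a few tens of seconds and a few hundred bytes sent by the client, which is the pattern of a download that never got going rather than one that finished.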
RE: help needed configuring FWC for app - 5.Oct.2002 5:17:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Does the application work if you create an all open rule and use the Firewall client?

(in reply to whisperedlies)
Post #: 7
RE: help needed configuring FWC for app - 7.Oct.2002 5:26:00 PM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
Hi Thomas,

No, that has no effect.

Hi Stefaan,

Over the weekend, I created a test ISA server from scratch again. Windows 2000 Server SP3, ISA 2000 Standard, Integrated Mode, no SP1. I created one protocol definition, TCP Port 5100 outbound, added it to a basic client set that all clients can and will use. I added one windows 2000 Pro client, installed the FWC, and it worked beautifully. It was nearly an out-of-the-box ISA configuration. The only differences in ISA on this new set up as opposed to the problematic one was this: No SP1, No IP routing configured, no additional IPs bound to external adapter, I did not configure any application settings for FWC, and I had established no server publishing or web publishing rules.

I did another Ethereal session today, and it's still doing this one thing: it creates another connection to this remote server and begins transferring data, and a variable number of packets gets through until ISA starts sending ICMP 3,4 to the remote server, and in these ICMP packets it keeps referring to my internal client's internal IP address and port, which is probably why a few minutes later I see an entry in the packet log saying it blocked the ICMP destination host/port unreachable from the remote server. I'm wondering if this problem is akin to the FTP problem I'm having where I couldn't upload from an external host. But, then again, this client program works just fine on S-NAT clients; the FTP problem involved S-NAT clients.

One thing I noticed is ISA has been creating the connections to the external hosts on the additional IPs bound to the external interface, rather than using the default IP. I guess I don't see a problem with that, but I'm wondering if that's normal.

Mike

[ October 07, 2002, 05:32 PM: Message edited by: Mike G. ]

(in reply to whisperedlies)
Post #: 8
RE: help needed configuring FWC for app - 8.Oct.2002 6:17:00 AM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
Hey Guys,

Problem solved. I had IP Routing enabled, and this was causing this problem, as well as a slew of others. Lesson here, I guess, is never underestimate the power of a checkbox.

Mike

(in reply to whisperedlies)
Post #: 9
RE: help needed configuring FWC for app - 8.Oct.2002 10:00:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

good to hear you got it working! [Smile]

To me it sounds very weird and I think it is somehow related to the known FTP bug when you have multiple external IPs bound. Moreover, a quote from Tom's article http://www.isaserver.org/pages/article.asp?id=994
quote:
One thing I have noticed is that when you have a VPN Server installed on the ISA Server, some strange things can happen with the source IP address for outbound requests. Sometimes a secondary IP address on the external interface of the ISA Server will show up as the source address for internal network client outbound requests. Why? Your guess is as good as mine. But I've only noticed this on ISA/VPN Servers with multiple addresses bound to the external interface. I have not seen this happen on ISA Servers that are not VPN servers.
I have found also a strange behaviour with the H.323 RAS protocol when ISA is also used as VPN gateway.

Have you reported the problem to Microsoft? Hopefully they will fix that in the near future. [Big Grin]

Thanks for the follow up,
Stefaan

[ October 08, 2002, 10:00 PM: Message edited by: spouseele ]

(in reply to whisperedlies)
Post #: 10
RE: help needed configuring FWC for app - 8.Oct.2002 10:23:00 PM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
Wow, that's it right there.

I do have the ISA server enabled as a VPN server, and indeed there are multiple IPs bound externally, and those are the symptoms ISA exhibited.

I'm going to go back on the test server and enable VPN and see what happens. Very interesting, I will send this along to MS.

Another thing, I was concerned about turning off IP routing because of some features it offers to SNAT clients, such as the ability to PING (you never appreciate the ability to PING until you lose the privilege). But even with IP Routing turned off, I can still PING from SNAT clients. I was sort of shocked because something needs to route packets from clients within the LAT out onto the internet, and if ISA has it disabled, it should not be possible. Am I correct, or do I have this misconstrued somehow? In fact, pretty much all the problems I was having with our firewall disappeared when I turned this feature off, with no loss of any sort of service. In that respect that makes this option a "Make ISA's External TCP/IP Communications Quirky" rather than "Enable IP Routing".

Am I understanding something wrong, or am I just going insane?

Mike

(in reply to whisperedlies)
Post #: 11
RE: help needed configuring FWC for app - 9.Oct.2002 9:10:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

so, it seems that the IP routing flag in ISA does more than the IP routing flag in RRAS. [Big Grin]

According to http://support.microsoft.com/default.aspx?scid=KB;EN-US;q279347&ID=KB;EN-US;q279347 it also enables the kernel-mode data pump for SNAT clients, but only for secondary connections (i.e. FTP). It is also known that disabling IP routing solves the FTP issue as mentioned in the FAQ http://www.isaserver.org/pages/larticle.asp?type=FAQ&id=11 . That I can understand because they are directly related to each other.

However, it is rather strange that ISA IP routing can also break simple outbound access when RRAS is enabled and you have multiple external IPs, even for firewall clients. Hmm... very weird!

So, the conclusion seems to be: always disable IP routing in ISA. If you want outbound ping and PPTP, then enable RRAS. Have you already tested that PPTP passthrough still works in this configuration?

Thanks,
Stefaan

(in reply to whisperedlies)
Post #: 12
RE: help needed configuring FWC for app - 9.Oct.2002 11:31:00 PM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
Hi Stefaan,

I'm beginning to understand what's going on in this situation. I guess I was under the impression, however, that ISA's routing ability superseded RRAS's. Is this situation as "simple" as a conflict between the two routing services, if they're both enabled at the same time? PPTP is working just fine under this configuration. Since I turned off IP Routing in ISA, I can't find one thing wrong with our firewall configuration (so far), when before, there were a number of mysterious and random problems. Looks like one service or the other, when both were enabled, were randomly changing the external source IP. Very interesting.

Mike

(in reply to whisperedlies)
Post #: 13
