Kevin - I am meaning to nail down the ports that the RPA wants to dedicate too. Sofar, with default packet filtering set I haven't lost any functionality with chaining to as_agent, all traffic gets through. I have the secondary route set as direct to internet and there's a noticable performance drop when the rpa is bypassed. I'm not sure how crucial the nettgain2k is for good performance on the 360 yet, but the general consensus in the user groups has been to run rpa.

I'll be hammering on it some more later tonight.

Open up a bidirectionl filter for all local ports with port 9876 on the HPA IP Address. Not sure if the HPA IP address is a single host or not. You can right click and select Setup on the RPA icon to get the correct remote IP address.

I still haven't got the Mission Control filter settings yet.

Tom - Will disabling the IP Routing result in the external interface having a more "stealth" appearance to external scans? Any downside to disabling IP Routing?

- Kevin

------------------
/*
Kevin Westby
email@kevinwestby.com
http://www.kevinwestby.com
*/

All local UDP ports, Send receive, All remote ports on host 192.168.255.252.

Not sure I understand that one.....but it's keeping my MC status icon in the green.

Do you know if it's possible to use Protocol Rules for inbound traffic? The only other alternative to the above packet filter rule might be a protocol rule that sets up the primary port and then some secondary ports.

I can't locate any files which look like NetGain2K files....do you know specifically which ones constitute NetGain (I had thought that that's what the RPA was)?

- Kevin

------------------
/*
Kevin Westby
email@kevinwestby.com
http://www.kevinwestby.com
*/

Prior to my upgrade I used the RJ45 on the 180 and experienced a similar behavior (as well as with the 360). You basically need to open up some ports (see above) to allow the Mission Control application to communicate.

Bottom line: Mission Control will not work with a default ISA configuration, you will need to "open up" the necessary protocols/ports. But that's to be expected :-).

- Kevin

------------------
/*
Kevin Westby
email@kevinwestby.com
http://www.kevinwestby.com
*/

quote:

---

Originally posted by bjames:
Latest attempts have been driving me nuts. I spent the weekend getting real intimate with rmisa.exe <G>.
Previously, I've had great success publishing the web server with multiple sites and host headers working. Now, I can't get the listener going without crashing the isa control and the scheduled caching service. Maddening? You bet. I put off the web sites for now - all IIS services are stopped except SMTP outbound so I can send email out from some winsock apps that don't have the option of providing authentication to starband's smtp server.
Tom - I saw something about a problem with IP Pooling. Might I be another victim of this?
And on packet filtering - I have it enabled now along with ID and IP routing. However, my exernal IP is included in the LAT. I doubt it should be there, but before this point I've been seeing a firewall error that it couldn't route to the external address, so I threw it in there with the internal address range. Well, now no more error, but not reporting port scans either.

Kevin - I am meaning to nail down the ports that the RPA wants to dedicate too. Sofar, with default packet filtering set I haven't lost any functionality with chaining to as_agent, all traffic gets through. I have the secondary route set as direct to internet and there's a noticable performance drop when the rpa is bypassed. I'm not sure how crucial the nettgain2k is for good performance on the 360 yet, but the general consensus in the user groups has been to run rpa.

I'll be hammering on it some more later tonight.

---

Hi Bill,

And it seemed to be working so well!

Not good to put the exteranl interface in the LAT. That makes the exteranl interfaces a trusted network, and spoofers can have a heyday with that configuration. When you put the exteranl interface in the LAT, you essentially have no more external network.

I assume that there is *no* packet filtering when the external interface is in the LAT, because the packet filters only apply to the exteranl interface, which is defined by the LAT!

Not sure why your sevices are crashing. Could be the DHCP procoess and address reassignment?

Sounds like you're having fun, though

Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!

quote:

---

Originally posted by kwestby:
Bill - I think I have the RPA ports down now...at least according to the tackbar icon.

Open up a bidirectionl filter for all local ports with port 9876 on the HPA IP Address. Not sure if the HPA IP address is a single host or not. You can right click and select Setup on the RPA icon to get the correct remote IP address.

I still haven't got the Mission Control filter settings yet.

Tom - Will disabling the IP Routing result in the external interface having a more "stealth" appearance to external scans? Any downside to disabling IP Routing?

- Kevin

---

Hi Kevin,

What do you see on your port scans? You should see only ports that you've opened for packet filters, publishing rules, and dynamic packets filters (which will only accept data from the server that an outbound request was made to).

HTH,
Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!

quote:

---

Originally posted by tshinder:
Hi Bill,

And it seemed to be working so well!

---

How I wish. I knew I was in trouble when all the deliberate port scans I initiated on myself generated nothing in the alerts. But putting the external IP into the LAT and having that cure the 14120 error I have been seeing endlessly in my sleep was a little unsettling. I'm more convinced than ever now that the IP pooling is thwarting me here.

Here's a list of the current listens right now:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1720 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3007 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3008 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3013 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9877 0.0.0.0:0 LISTENING
TCP 0.0.0.0:12643 0.0.0.0:0 LISTENING
TCP 0.0.0.0:12670 0.0.0.0:0 LISTENING
TCP 0.0.0.0:12671 0.0.0.0:0 LISTENING
TCP 0.0.0.0:12675 0.0.0.0:0 LISTENING
TCP 0.0.0.0:12882 0.0.0.0:0 LISTENING

Now would this be a conflict between the Win2k routing table and the LAT? I'm at a loss here.

Fighting on though..
- Bill James

Back to basic ISA config though..
Ever look at something so many times you don't even see what it is anymore?
My LAT blues were cased by my LAT being wrong. Took a look at the win2k routing table and then it was obvious. Fixed that.
I can enable packet filtering now and it's blocking as it should be. Blocking everything - even the allow filters I have enabled. I am getting an error for Packet filtering now (11003) -

Microsoft ISA Server Control failed. The
failure occurred during Reading packet filters
because the configuration property
LocalHostIPAddress of key
SOFTWARE\Microsoft\Fpc\Arrays\{F237530C-5DA7-
4E92-82D2-35A144A7FC17}\ArrayPolicy\Proxy-
Packet-Filters\{291DD86A-E5EA-4C93-B975-
2E97546F5768} is not valid.
The error description is: An invalid argument was
supplied.

Fun. I'll check that one after at least another cup of coffee.

Let me know how it goes.

I've recently started dropping my ip address for some reason and it isn't re-establishing :-(. Gonna go check SBUsers to see if anyone else has similar issue.

------------------
/*
Kevin Westby
email@kevinwestby.com
http://www.kevinwestby.com
*/

I've been checking my site via grc.com. It immediately detects an open port 139. After that the more complete port scan shows multiple ports open 21, 23, 25, 79....etc. Doing a fport /p shows a few of those ports, but not all....may be something on the grc.com site. But I'm still looking for a way to verify the state of my external interface. Any ideas?

------------------
/*
Kevin Westby
email@kevinwestby.com
http://www.kevinwestby.com
*/

Now as for your port 139, that's the netbios over TCP/IP. You need to goto your tcp settings for the external nic and disable it on the tcp/ip advanced properties tab. Unbind client for MS networks too while you're at it. Those are the some of the first things that I axe during any server setup.

Still no 360.. grrr.
- Bill

The only way I can get a new lease is by rebooting or shutting of all of the ISA services and doing an IPCONFIG /renew.

I did not have this trouble with the 180 and I have not tried the USB interface on the 360. I would really like to find a fix. None of those listed in the many posts on this seem to work.

-ck