Make the Firewall Client Ignore Telnet

Make the Firewall Client Ignore Telnet - 16.Dec.2005 7:10:26 PM   
sixdoubleo

 

Posts: 7
Joined: 16.Dec.2005
Status: offline
As the subject suggests, I would like the Firewall Client to ignore Telnet altogether.  Not BLOCK it, but ignore it and just let it fall through the IP stack where my network's routing will handle it.

I was thinking add telnet application Disable=1 but it doesn't seem to do the trick.

Any ideas?
Post #: 1
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 7:32:30 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sixdoubleo,

what are you really trying to accomplish? What problems do you have with Telnet?

HTH,
Stefaan

(in reply to sixdoubleo)
Post #: 2
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 7:37:34 PM   
sixdoubleo

 

Posts: 7
Joined: 16.Dec.2005
Status: offline
Many of our users use a mainframe TN3270 connection to an external host.  Our TN3270 sessions are absolutely mission critical.  I don't want them passing through the ISA...in case I had to reboot it or something.

I want these connections to "fall-out" of the FWC and pass through our PIX firewall. 

I know I can accomplish this by adding the external TN3270 host to our Internal network set.  (This used to be called the "LAT" in previous versions).  However, then I am getting in the business of adding external systems to our LAT, and thus losing the ability to have the ISA control, say, an FTP session to this host.

So in a nutshell, TN3270 is mission critical.  I don't want it relying on the ISA. 

(in reply to spouseele)
Post #: 3
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 7:50:51 PM   
sixdoubleo

 

Posts: 7
Joined: 16.Dec.2005
Status: offline
Also....we have about 700 TN3270 sessions.  I don't need to control or monitor these, so there really isn't any reason to run them through the ISA.  They will just present an unnecessary load on the ISA that we don't need.  That way the ISA can be more or less dedicated to doing web proxying, and controlling access to the more "premium" services, such as IM, ftp, etc.

If I have 700 telnet sessions on the ISA and I need to reboot or restart the firewall service, that's a lot of unhappy people.

(in reply to sixdoubleo)
Post #: 4
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 7:54:31 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sixdoubleo,

I don't agree that a PIX would run more stable than an ISA server, but if you want to exclude an application from being handled by the Firewall client you need to create an entry with the application name without the extension (.exe) and specify Disable=1. Keep in mind that you won't be able to authenticate the traffic from that application anymore.

HTH,
Stefaan

(in reply to sixdoubleo)
Post #: 5
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 7:58:12 PM   
sixdoubleo

 

Posts: 7
Joined: 16.Dec.2005
Status: offline
Thank you.  I don't want to get into an argument about whether ISA or PIX is more stable.  We all have different needs and configurations that might render one solution a better fit than another.  But for whatever the reason, there are times when I want to tell the FWC to ignore an application...even if for sheer troubleshooting needs.

So how do I verify on my client that these settings are taking effect?  I see there is the common.ini and application.ini however they don't seem to reflect any changes....even after a reboot and using the Test button in the FWC.  Does the firewall service need to be restarted to make central FWC settings take effect?


(in reply to spouseele)
Post #: 6
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 8:32:32 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sixdoubleo,

first of all you need to determine the application name on the client. Use Task Manager for that.
Next, create the entry on the ISA server.
Once that is done, open IE and get http://wpad/wspad.dat . That's the configuration file the client will get from the ISA server and check if you see the entry you created. At last, refresh the Firewall client config (detect now).

With the FWCtool command=PrintServerConfig ( http://www.microsoft.com/downloads/details.aspx?familyid=f20f6267-273d-4870-b1e8-799b261b4786&displaylang=en ) you can see what is actually loaded in memory by the Firewall client.

HTH,
Stefaan

(in reply to sixdoubleo)
Post #: 7
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 10:30:09 PM   
sixdoubleo

 

Posts: 7
Joined: 16.Dec.2005
Status: offline
quote:

ORIGINAL: spouseele

Hi sixdoubleo,

first of all you need to determine the application name on the client. Use Task Manager for that.
Next, create the entry on the ISA server.
Once that is done, open IE and get http://wpad/wspad.dat . That's the configuration file the client will get from the ISA server and check if you see the entry you created. At last, refresh the Firewall client config (detect now).

With the FWCtool command=PrintServerConfig ( http://www.microsoft.com/downloads/details.aspx?familyid=f20f6267-273d-4870-b1e8-799b261b4786&displaylang=en ) you can see what is actually loaded in memory by the Firewall client.

HTH,
Stefaan


Thanks for the detailed instructions!  One question, though.  Where do I do the http://wpad/wspad.dat ?  I do this on the ISA server and I get page cannot be displayed.   I am not running automatic discovery.


< Message edited by sixdoubleo -- 16.Dec.2005 10:32:40 PM >

(in reply to spouseele)
Post #: 8
RE: Make the Firewall Client Ignore Telnet - 16.Dec.2005 11:11:45 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi sixdoubleo,

quote:

Where do I do the http://wpad/wspad.dat ?  I do this on the ISA server and I get page cannot be displayed.   I am not running automatic discovery.
You do that on a client. If you don't have a DNS wpad entry then use the FQDN of the ISA internal interface instead of wpad. That should work equally well.

HTH,
Stefaan

(in reply to sixdoubleo)
Post #: 9
RE: Make the Firewall Client Ignore Telnet - 17.Dec.2005 12:05:29 AM   
sixdoubleo

 

Posts: 7
Joined: 16.Dec.2005
Status: offline
quote:

ORIGINAL: spouseele

Hi sixdoubleo,

quote:

Where do I do the http://wpad/wspad.dat ?  I do this on the ISA server and I get page cannot be displayed.   I am not running automatic discovery.
You do that on a client. If you don't have a DNS wpad entry then use the FQDN of the ISA internal interface instead of wpad. That should work equally well.

HTH,
Stefaan


Hmm...that doesn't work either.  http://ISA01/wspad.dat gives the same "page cannot be displayed" error.  I wonder if something within the ISA's Firewall Client setup is misconfigured.  Is there a service or something which published the FWC settings?

Edit:  Never mind.  I needed to specify http://ISA01:8080/wspad.dat. Got it....


< Message edited by sixdoubleo -- 17.Dec.2005 12:07:51 AM >

(in reply to spouseele)
Post #: 10
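
An added example, not part of the thread or of ISA Server's tooling: once the configuration file is reachable at http://ISA01:8080/wspad.dat as worked out above, this Python check reports whether an application entry carries Disable=1, taking the image name as Task Manager shows it. It assumes the file is INI-style with one [section] per application; the sample text and the image name tn3270emu.exe are constructed for illustration.

```python
import urllib.request


def fetch_wspad(host, port=8080):
    """Download wspad.dat from the ISA internal interface, as a client browser would."""
    url = f"http://{host}:{port}/wspad.dat"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("latin-1")


def parse_sections(text):
    """Tolerant INI parse returning {section_lower: {key_lower: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def fwc_status(text, image_name):
    """Return 'ignored', 'handled' or 'no-entry' for a Task Manager image name."""
    app = image_name.strip().lower()
    if app.endswith(".exe"):
        app = app[:-4]  # the entry is named without the .exe extension
    entry = parse_sections(text).get(app)
    if entry is None:
        return "no-entry"
    return "ignored" if entry.get("disable") == "1" else "handled"


# Constructed sample, assumed layout; tn3270emu is a hypothetical application name.
SAMPLE = """\
[Common]
Port=1745
[tn3270emu]
Disable=1
[ftp]
Disable=0
"""

if __name__ == "__main__":
    for name in ("TN3270EMU.EXE", "ftp.exe", "telnet.exe"):
        print(name, "->", fwc_status(SAMPLE, name))
```

Against a live server, pass the result of fetch_wspad("ISA01") in place of SAMPLE; a "no-entry" result means the central setting has not reached the published file yet.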
RE: Make the Firewall Client Ignore Telnet - 17.Dec.2005 12:16:29 AM   
sixdoubleo

 

Posts: 7
Joined: 16.Dec.2005
Status: offline
Stefaan,

Thanks a LOT for your help. 

I now have an exception for Attachmate Extra and the firewall client is ignoring Attachmate Extra.  I prefer this MUCH better to the way I was doing this before....which was to include the TN3270 server in our LAT. 

You've been a great help.  I appreciate you taking the time to help me.  Hope you have a good weekend.

Dave 

(in reply to sixdoubleo)
Post #: 11
RE: Make the Firewall Client Ignore Telnet - 17.Dec.2005 1:32:41 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dave,

glad to hear you have it working and thanks for the follow up!

Stefaan

(in reply to sixdoubleo)
Post #: 12
