
Welcome to ISAserver.org


Denied Connection

Denied Connection - 2.Jul.2007 11:34:26 AM   
drewj2k

 

Posts: 7
Joined: 2.Jul.2007
Status: offline
Hi, I am new, so sorry if I do not explain my problem very well.

I have set up a rule so an application can access the update website via port 7000 or 80 (neither works; it starts to work on port 80, then crashes).

The rule I set up is as follows:

Action = allow
Protocol = Outbound tcp port 7000
From = Internal
To = External
Condition = All Users

But when I try to update the program through this port it fails, and the ISA query says Denied Connection from the machine I was using to the IP address of the update server, and the rule that denied it is the one I created.

If I use port 80, it denies the connection through the SBS Internet Access Rule.

Any ideas why it will not allow me to connect to this update server through client machines on the network?

It works fine on the server itself.

The program used to work on an old machine, but that machine got formatted and given to a new user, and a new machine has been given to the old user, which uses the program that needs updating, and for some strange reason it does not work anymore. I tried recreating the rule and adding the external IP address. I cannot figure out why it does not work when it worked before on a different machine.

(ping and tracert fail from the command line to the IP of the update server)

Thanks a lot!!

Drew

< Message edited by drewj2k -- 2.Jul.2007 11:38:05 AM >
Post #: 1
RE: Denied Connection - 2.Jul.2007 11:44:00 AM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
If you trust the site and its content...  Have you tried a wildcard whitelisting for the site it is trying to access?  You can do a couple of things:

1.  Install the firewall client (try this first)

2.  Create a rule and place it on top of your custom rule sets for testing:

Approved Sites > All Outbound > Internal to "Approved Sites" (use custom url set) > All users and see if this works. 

(in reply to drewj2k)
Post #: 2
RE: Denied Connection - 2.Jul.2007 12:10:28 PM   
drewj2k

 

Posts: 7
Joined: 2.Jul.2007
Status: offline
Thanks for your reply. I created the rule as you suggested, but no luck. I tried pinging the URL or IP from a local machine and it is still getting denied.

:(

(in reply to jmilito)
Post #: 3
RE: Denied Connection - 2.Jul.2007 12:45:52 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Are you able to ping any external sites?  Just wondering if you have ping disabled.  Have you tried a manual update of your application or just the ping?  Anything showing up in the logs when a manual update is attempted from your test workstation?

(in reply to drewj2k)
Post #: 4
RE: Denied Connection - 2.Jul.2007 2:04:59 PM   
drewj2k

 

Posts: 7
Joined: 2.Jul.2007
Status: offline
Thanks again for your reply. For some reason I cannot ping other external websites (how do I turn it on?). Manual update fails on the program; the firewall says in the report denied access, but the rule is set to allow, so I am confused.

:(

(in reply to jmilito)
Post #: 5
RE: Denied Connection - 2.Jul.2007 4:30:49 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Hmm...  Does this application use http through 7000?  Out of curiosity what is it?

Anyway, if you are using http 7000, here is an example of how I have configured my AV updates:

Action = Allow
Protocols = FTP, HTTP, HTTPS
From = Internal AV Server
To = Internal, Approved Sites

In the approved sites I have the following url set:

http://somecompany.av.com:8801/*

Since my clients connect to the AV through http/s I allowed

Action = Allow
Protocols = HTTP, HTTPS
From = Internal
To = Internal AV Server Update Url http://internal.av.local:8801/*



If this does not work then perhaps some others in the forum have some ideas.

(in reply to drewj2k)
Post #: 6
RE: Denied Connection - 2.Jul.2007 4:46:23 PM   
drewj2k

 

Posts: 7
Joined: 2.Jul.2007
Status: offline
It can use 7000 or 80; the default is 7000, and I can change it in the program's settings. It's called ShareScope, and it needs to update for its database to be up to date.

I tried adding all that stuff and it just will not seem to work. How do I activate ICMP for all local machines to ping out?

Thanks

(in reply to jmilito)
Post #: 7
RE: Denied Connection - 2.Jul.2007 4:57:31 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
ICMP settings are in the System Policies...  I wouldn't enable them for everybody though.

Assuming this is the software company (http://download.sharescope.co.uk/doc/User%20Guide.pdf) I found this info on ShareScope:


Update Failed
(Firewall Settings)
 
If you have a firewall you will need to alter your firewall settings.

ShareScope uses the following IP addresses:

85.159.80.16
& 85.159.84.7 (update.sharescope.co.uk)

212.227.21.63
& 217.146.97.201 (update2.sharescope.co.uk)
If you are unsure how to change this please call Support on 0845 045 0111 or 020 7549 1104.

(in reply to drewj2k)
Post #: 8
RE: Denied Connection - 2.Jul.2007 5:18:51 PM   
drewj2k

 

Posts: 7
Joined: 2.Jul.2007
Status: offline
I now have the rule set up like this:

Action = Allow
Protocols = FTP, HTTP, HTTPS, 7000 TCP Outbound,
From = Internal
To = External & 85.159.80.16 & 85.159.84.7 (update.sharescope.co.uk)

212.227.21.63
& 217.146.97.201 (update2.sharescope.co.uk)

And still no joy :( It's really frustrating. It's almost like the ISA firewall will not acknowledge my settings when I change them! I have tried restarting even though you do not need to in ISA 2004.

I tried ShareScope support and they do not have a clue!

It's the firewall that is denying it though, definitely.

(in reply to jmilito)
Post #: 9
RE: Denied Connection - 3.Jul.2007 1:04:24 AM   
mzakir

 

Posts: 151
Joined: 2.Apr.2007
Status: offline
Hi drewj2k,

Did you check in Monitoring (Logging) where it is getting blocked in the FW?

You will find your solution.



_____________________________

Malek Zakir
MCP,MCSA:Security,MCSA:Messaging,MCTS,CCNA,DCH

(in reply to drewj2k)
Post #: 10
RE: Denied Connection - 3.Jul.2007 4:09:00 AM   
drewj2k

 

Posts: 7
Joined: 2.Jul.2007
Status: offline
Yes, but all it says is denied connection and then the rule I created; that's why I do not understand?

(in reply to mzakir)
Post #: 11
RE: Denied Connection - 3.Jul.2007 5:29:49 AM   
drewj2k

 

Posts: 7
Joined: 2.Jul.2007
Status: offline
Sorry I am a newb.

ALL I HAD TO DO WAS MOVE THE RULE UP OMG HOW STUPID!!

Thanks for all your efforts to help though..

:D :)

(in reply to drewj2k)
Post #: 12
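
The fix reported in this post follows from ISA Server evaluating firewall policy rules from the top down and applying the first one that matches. The Python sketch below is an added example, not part of the thread: it models an ordered rule list, evaluates a connection against it, and flags rules that can never fire because a rule above them covers the same traffic. The deny rule and its name are hypothetical (the thread does not say which rule sat above the custom one), and the model matches only protocol, source and destination.

```python
from dataclasses import dataclass

ANY = frozenset({"*"})  # wildcard: matches every value

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocols: frozenset   # e.g. {"tcp/7000"}
    sources: frozenset     # network names
    dests: frozenset

def _covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    return outer == ANY or (inner != ANY and inner <= outer)

def _matches(upper, protocols, sources, dests):
    return (_covers(upper.protocols, protocols) and _covers(upper.sources, sources)
            and _covers(upper.dests, dests))

def evaluate(rules, proto, src, dst):
    """Return (action, rule name) of the first matching rule, top down."""
    for r in rules:
        if _matches(r, {proto}, {src}, {dst}):
            return r.action, r.name
    return "deny", "Default rule"  # nothing matched: the final deny-all applies

def shadowed(rules):
    """Return (lower, upper) pairs where `upper` sits above `lower` and matches
    all of its traffic, so `lower` can never be the first match."""
    out = []
    for i, low in enumerate(rules):
        for up in rules[:i]:
            if _matches(up, low.protocols, low.sources, low.dests):
                out.append((low.name, up.name))
                break
    return out

# Constructed policy. Only the port-7000 allow rule mirrors the thread.
update_rule = Rule("ShareScope update", "allow", frozenset({"tcp/7000"}),
                   frozenset({"Internal"}), frozenset({"External"}))
block_rule = Rule("Block outbound (hypothetical)", "deny", ANY,
                  frozenset({"Internal"}), frozenset({"External"}))
BEFORE = [block_rule, update_rule]   # custom rule below a broader rule
AFTER = [update_rule, block_rule]    # custom rule moved up

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(policy, "tcp/7000", "Internal", "External"),
              "shadowed:", shadowed(policy))
```

Running `shadowed()` over an exported rule list before troubleshooting an unexpected deny shows at a glance whether a new rule is reachable at its current position.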
RE: Denied Connection - 3.Jul.2007 6:02:17 AM   
mzakir

 

Posts: 151
Joined: 2.Apr.2007
Status: offline
What's your DNS configuration on the ISA box and the client side?

_____________________________

Malek Zakir
MCP,MCSA:Security,MCSA:Messaging,MCTS,CCNA,DCH

(in reply to drewj2k)
Post #: 13
RE: Denied Connection - 3.Jul.2007 6:53:40 AM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Wonderful... I am glad you got it! Thanks for the reply. Happy downloading.

(in reply to mzakir)
Post #: 14
