Only allowing 80/443

All Forums >> [ISA 2006 Firewall] >> Access Policies >> Only allowing 80/443 Page: [1]
Only allowing 80/443 - 21.Dec.2007 1:32:29 PM   
RichStevenson
Very new to ISA, coming off of BorderManager. I have ISA 2006 up and running with one rule to allow HTTP and HTTPS traffic out. But this rule also is allowing HTTP traffic out via other ports. My webmail, non MS, uses port 2095 and I expected that to be blocked but it let me through. Is this working as designed? I was expecting the above rule to allow ONLY 80/443 traffic outbound only.

Thanks,
Rich
Post #: 1
RE: Only allowing 80/443 - 21.Dec.2007 2:00:19 PM   
hrsanchez
Rich,

You can edit the HTTP protocol parameters and verify the port range is 80 TCP Outbound. But port 2095: is that your source port or your destination port?

Hector 

(in reply to RichStevenson)
Post #: 2
RE: Only allowing 80/443 - 21.Dec.2007 2:14:04 PM   
RichStevenson
Hector,

I checked both and HTTP is at 80 and HTTPS is at 443.

I'm accessing http://xxxxxx.com:2095 so it is my destination.

Thanks,
Rich

(in reply to hrsanchez)
Post #: 3
RE: Only allowing 80/443 - 21.Dec.2007 2:37:16 PM   
hrsanchez
OK, well, you could monitor what happens:
From the ISA console, open Monitoring -> Edit Filter -> Client IP Equals (your workstation's IP) -> Start; then try to access http://xxxxxx.com:2095 from your workstation and see which rule permits access to port 2095.

(in reply to RichStevenson)
Post #: 4
RE: Only allowing 80/443 - 21.Dec.2007 2:44:45 PM   
RichStevenson
OK, did that and it is the rule in question. Any other ideas?

(in reply to hrsanchez)
Post #: 5
RE: Only allowing 80/443 - 21.Dec.2007 3:16:55 PM   
hrsanchez
How is your firewall configured? How did you define the firewall interfaces?


(in reply to RichStevenson)
Post #: 6
RE: Only allowing 80/443 - 21.Dec.2007 3:29:25 PM   
RichStevenson
Well, we had an outside consultant come in and set the server up for us. The ISA is behind a Cisco firewall, so he configured it with one network card and told us, when creating an access rule, to select Internal for the From and To. You'll have to walk me through any info you need to know about how it was set up. I appreciate the help!

(in reply to hrsanchez)
Post #: 7
RE: Only allowing 80/443 - 22.Dec.2007 2:53:58 PM   
hrsanchez
Hi, Rich,

Well, when you install ISA Server with only one network card, it has limitations: you can only use it as a proxy for HTTP, HTTPS and FTP. You cannot use it as a firewall.

See:

http://support.microsoft.com/kb/838364/en-us

Hector

(in reply to RichStevenson)
Post #: 8
RE: Only allowing 80/443 - 22.Dec.2007 9:39:45 PM   
RichStevenson
Thanks Hector, but shouldn't the HTTP rule only allow port 80 traffic?

(in reply to hrsanchez)
Post #: 9
RE: Only allowing 80/443 - 23.Dec.2007 9:45:42 AM   
hrsanchez
In order to control the WAN traffic, you have to install two network cards in the ISA server, one connected to the Cisco and the other to your LAN switch. Then define the External interface as the network card connected to the Cisco, and the other will be the Internal interface.

See:
http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

On the external NIC you have to assign one IP and a default gateway address to the external network card that is connected to an upstream NAT router (the Cisco). On the internal NIC you have no default gateway assigned and have to configure your DNS settings to point to an internal DNS server which is also configured to resolve and forward requests to the Internet; then any packets being sent from the Internal network will traverse ISA's external network card, and ISA Server can control the traffic.
In the Internal Network properties, put the IP address ranges that are reachable from the network adapter that is bound to the Internal network object. The External network object represents the connection to the Internet and is considered to be all networks not associated with the Internal network or the protected network.
Then, for PCs in your internal network to access the Internet, you can use SecureNAT (PCs with their default GW set to the internal interface of ISA), the ISA Firewall Client, or configure the client as a Web Proxy client by configuring the proxy settings in IE to use the ISA server as its proxy.
If you want to authenticate client access you have to use the ISA Firewall Client.

Hector

(in reply to RichStevenson)
Post #: 10
RE: Only allowing 80/443 - 23.Dec.2007 4:30:51 PM   
RichStevenson
OK, I understand what you're saying and I'm going to pull the consultant back in to correct things. I originally had him set it up exactly the way you described, but after he did, he came back and said it couldn't be done that way.

But back to my original question. Are you saying that if I use ISA in a single NIC configuration, which I understand is just utilizing the proxy service, that it is working by design that the HTTP rule will allow traffic on other ports besides port 80? And by going to the two NIC config the rule will only allow port 80 traffic?

Thanks,

Rich

(in reply to hrsanchez)
Post #: 11
RE: Only allowing 80/443 - 23.Dec.2007 8:05:43 PM   
hrsanchez
That's right. When you have installed at least two NICs (one internal connected to the LAN and one external connected to the Cisco router), ISA Server will only allow port 80 traffic (or the ports that you want) from the Internal to the External network.

Hector

(in reply to RichStevenson)
Post #: 12
RE: Only allowing 80/443 - 24.Dec.2007 7:27:56 AM   
RichStevenson
Thank you very much for your help!
Happy Holidays!

Rich

(in reply to hrsanchez)
Post #: 13
RE: Only allowing 80/443 - 24.Dec.2007 2:45:29 PM   
hrsanchez
You are welcome! Happy holidays!

Hector 

(in reply to RichStevenson)
Post #: 14
RE: Only allowing 80/443 - 31.Dec.2007 11:58:28 AM   
RichStevenson
OK, decided to give this a go myself and I'm having the same problem with the HTTP rule. I've set the ISA up as an edge server with one NIC directly on the Internet as the External interface and the second NIC on the LAN as the Internal interface. The default Deny rule is in place and blocks all traffic. I then created an HTTP Allow rule for traffic coming from the Internal going to the External and it allows traffic on port 80 as expected. But it also allows traffic on other ports such as 81 and 2095.

So I'm back to my original problem with the HTTP rule allowing traffic out other ports besides port 80.

Thanks,

Rich

(in reply to RichStevenson)
Post #: 15
RE: Only allowing 80/443 - 21.Jan.2008 5:20:22 PM   
netuser
Hi Rich,

I was wondering if you were able to resolve this issue?
I have the exact same problem as you and am trying to find a solution.

I have blocked ports and they work when telnetting to the ports, but HTTP traffic still gets through.

(in reply to RichStevenson)
Post #: 16
RE: Only allowing 80/443 - 25.Jan.2008 1:06:42 PM   
RichStevenson
Yeah, I got it figured out, although I'm not happy with what I found. It seems that the rule behaves that way for the web proxy only. Meaning, as you and I have seen, that a user using a browser pointed to the ISA is not restricted to only port 80 traffic. If you want to have that rule restrict to just port 80 traffic, then you have to turn off the proxy setting in the browser and install the Firewall Client. With the client intercepting the requests, the rule blocks HTTP traffic on all ports except 80.
But now I just discovered a new problem with this solution. If you generate a report and look at the top websites, only IP addresses are shown, not the website domains. But if you use the proxy setting in the browser, the names are displayed in the reports. The reason appears to be that requests made from a browser set to use a proxy are completely handled by the ISA box, but the FWC resolves the names to their IPs and then sends the request off to the ISA box.

Rich

(in reply to netuser)
Post #: 17
RE: Only allowing 80/443 - 19.Feb.2008 9:30:52 AM   
hrsanchez
Hi, Rich,

Server policy does not limit the ports to which the Web proxy may forward requests, so if you only use the Web proxy client you cannot control WAN traffic.
http://msdn2.microsoft.com/en-us/library/ms812546.aspx

Hector

(in reply to RichStevenson)
Post #: 18
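The thread's finding is that an "allow HTTP" rule permits Web Proxy client requests to any destination port, while Firewall Client traffic is held to the protocol definition's port. The following is an added audit script, not code from the thread or from ISA Server: it scans constructed, simplified proxy log lines (the field layout and rule name are assumptions, not the real ISA log format) and reports every request the allow rule let through to a port outside 80/443, grouped by client type, so an admin can see which client types are escaping the intended restriction.

```python
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}
RULE_NAME = "Allow HTTP/HTTPS"   # assumed name of the rule under discussion

# Constructed sample lines: "client_ip | client_type | rule | action | url".
# Simplified layout for illustration only; it is not the ISA Server log format.
SAMPLE_LOG = """\
192.168.1.50 | Web Proxy | Allow HTTP/HTTPS | Allowed | http://webmail.example.com:2095/
192.168.1.50 | Web Proxy | Allow HTTP/HTTPS | Allowed | http://www.example.com/
192.168.1.50 | Web Proxy | Allow HTTP/HTTPS | Allowed | https://login.example.com/
192.168.1.51 | Firewall Client | Allow HTTP/HTTPS | Denied | http://webmail.example.com:2095/
192.168.1.51 | Firewall Client | Allow HTTP/HTTPS | Allowed | http://www.example.com:80/
192.168.1.52 | Web Proxy | Default rule | Denied | http://www.example.com:81/
"""


def destination_port(url):
    """Explicit port if present, otherwise the scheme's default (80/443)."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def parse_line(line):
    """Split one constructed log line into a record, or None if malformed."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        return None
    client_ip, client_type, rule, action, url = fields
    return {"client_ip": client_ip, "client_type": client_type, "rule": rule,
            "action": action, "url": url, "port": destination_port(url)}


def find_unexpected_ports(log_text, rule=RULE_NAME, allowed=ALLOWED_PORTS):
    """Requests the named rule allowed to a destination port outside `allowed`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["rule"] == rule and rec["action"] == "Allowed" \
                and rec["port"] not in allowed:
            hits.append(rec)
    return hits


def hits_by_client_type(hits):
    """Count escapes per client type to show which path bypasses the port check."""
    return dict(Counter(h["client_type"] for h in hits))


if __name__ == "__main__":
    escaped = find_unexpected_ports(SAMPLE_LOG)
    for h in escaped:
        print(f"{h['client_ip']} ({h['client_type']}) -> port {h['port']}: {h['url']}")
    print(hits_by_client_type(escaped))
```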