I apologize to those who may have read this on experts-exchange.com.
I have searched high and low to find a solution to a problem I am experiencing with my ISA 2006 server. This is what I am trying to accomplish:
1. Allow all traffic on port 1935 (RTMP) to freely flow past my firewall allowing my users to connect to an outside Flash Communication Server that needs port 1935.
2. Failing that, allow RTMP traffic to flow over port 80.
Even though I have created the protocol and rules for option 1, all I am seeing in the ISA monitor is a connection opened then closed. It is running the rule and recognizes the port, however, something is going wrong.
Since I could not get that work, I was hoping to set up direct access (since the Web Proxy filter is not overly pleased with non-HTTP traffic flowing over port 80) to the sites in question. The monitor is showing it try to connect, but I receive the following error:
Failed Connection Attempt Log type: Web Proxy (Forward) Status: 13 The data is invalid. Rule: Source: Internal (192.168.0.xxx) Destination: (domainname.com xxx.xxx.xxx.xx:80) Request: Filter information: Req ID: 0ec41e2e Protocol: User:
-0-
The machine I am testing this with are running the ISA Firewall client. However, I have tried it without the client and just proxy, proxy and client and so on.
Any help would be GREATLY appreciated. My best case scenario would be to allow RTMP to flow through Port 1935 so I don't have to set up direct access sites.
I have noticed that the monitor is indicating that protocol RTMP (which I created for port 1935) opens a connection and then closes the connection right after.
After installing this please run the ISA Data Packager from the Start, Programs, ISA Server, ISA Tools menu Select the ‘Collect data from one of the following repro scenarios’ radio button and select the ‘Basic Repro and Static Configuration’ option, select ‘Next’ and then ‘Start Data Collection’.
When the ISA Data Packager has initialized the various data captures you will be asked to press the Spacebar to start capturing data. This is going to capture a number of data outputs from a repro of the issue (Network traces, ISA tracing output, ISA logs) so before running this and pressing the spacebar please get set-up to repro the issue.
When you are ready to repro the issue press the spacebar, repro the issue and then press the spacebar again to stop the captures. If you can try to keep this the time you are capturing quite short that will help our analysis of the data.
The BPA will also gather config data from the ISA server that will help us understand your set-up and will output all the data captures to a file on the desktop called isapackage.cab.
I am a newbie to ISA and have used this rollout to "train" myself. Running the best practice application was helpful and I noticed a few unrelated issues.
That said, I have created the IsaPackage1.cab. What is the best way to send this? Should I post part of it? You should see the RTMP protocol and traffic was from 192.168.0.130.
Thanks again, your help is greatly appreciated!
Bradford Schleifer
< Message edited by miopea -- 26.Dec.2008 6:27:27 PM >
I have seen the logs sent by you. My initial look at ISA configuration is fine. Few things.... if you are including "All Users" and "All Authenticated Users" both on a rule it's not going to serve the purpose. Since, you have ISA clients installed, only select "All Authenticated Users"
Now, to the actual issue. After seeing your Network Traces it seems that your communcation server at IP 69.94.x.x on port 1935 is sending RST flag. Your ISA communicates to the Server successfully, but the server is sending RST flag so you are seeing the ISA logs which is WSA_RWS_ABORTIVE_SHUTDOWN. This errore code is generated when one of the communicating peers terminate the session...
I am not sure about the configurations of the communication server. But there has to something which needs to allow your external IP of your ISA to accept communcation on the other end.
Check the configuration on that server which might allow connections from an ISA IP
< Message edited by inderjeet -- 29.Dec.2008 3:14:49 PM >
The only issue is that I do not have control over the Flash Communication Server. It is run by Omniture, our web analytics provider. It is where we play all of their training videos.
If I cannot get this to work with RTMP (port 1935), how would I go about configuring ISA to allow non-http traffic to flow on port 80?
If it helps, if i disable the HTTP filter, the video play correctly. So it would probably work if I could just disable HTTP filter for that particular destination.
The only issue is that I do not have control over the Flash Communication Server. It is run by Omniture, our web analytics provider. It is where we play all of their training videos.
If I cannot get this to work with RTMP (port 1935), how would I go about configuring ISA to allow non-http traffic to flow on port 80?
If it helps, if i disable the HTTP filter, the video play correctly. So it would probably work if I could just disable HTTP filter for that particular destination.
Thanks again for your continued assistance.
Thats a good idea. Create a Domain Name set with their website domain and to that destination Allow all users with a new HTTP protocol with HTTP filter disabled. Dont disable the HTTP filter for the original HTTP protocol...Then keep this rule on top of All Internet Access rule....
I tried what was suggested and created a new protocol "HTTP - Non-filtered" and created a rule pointing to the RTMP server's IPs. I see the rules firing to "Initiate Connection" and "Closed Connection"
However, between those two actions I receive "Failed Connection Attempt," with the monitoring showing this:
-snippet- Failed Connection Attempt Log type: Web Proxy (Forward) Status: 13 The data is invalid. Rule: Source: Internal (192.168.0.180) Destination: (69.94.139.192:80) Request: Filter information: Req ID: 18dac859 Protocol: User: anonymous -/snippet-
It appears that it is not firing the rule for that connection attempt, even though its going to the same IP.
Are you able to connect to the server without ISA Server? I still strongly think that the issue isnt the ISA Server.
Issue is at the server end, It's the server which is Ressetting the connection both on RTMP and HTTP. If you see the Firewall and WebProxy logs, you would see that it is failing over to HTTP when RTMP is dropped...Since it is RST flag it is trying 4 times and then failing over to HTTP
But it's not even letting the HTTP to go through...
If I disable the HTTP filter on the HTTP protocol, then users are able to connect to the destination server without a problem. The monitor tells me that 1935 is still being rejected, but it works fine on port 80.
I have tested this from home (through a basic Belkin firewall/router) and videos play fine there as well.
If it would help, I could disable the HTTP filter on the HTTP protocol and run a trace.
No, better create a different HTTP protocol with direction Outbound with TCP 80...Place this rule on top....Create a domain name set with the *.domainname.com entry for the server you are accessing...Allow it for users
Took a while to figure this out with Microsoft support but here is the solution for ISA 2006.
1. Create a custom HTTP protocol with no filters. 2. Create RTMP protocol on TCP 1935 with no filters. 3. Create rule allowing Custom_HTTP and RTMP from Internal to Omniture's IP address (69.94.139.192 (at time of this posting)). Make sure this rule is before your regular HTTP outbound rule. 4. Create rule denying regular HTTP from Internal to Omniture's IP address. Make sure this rule is right below the allow Custom_HTTP rule and above the regular HTTP outbound rule. 5. Do not use Web proxy from the client or the ISA firewall client.