Welcome to ISAserver.org

Configuring RTMP (Port 1935)

Configuring RTMP (Port 1935) - 25.Dec.2008 10:45:13 PM   
miopea

 

Posts: 7
Joined: 25.Dec.2008
Status: offline
I apologize to those who may have read this on experts-exchange.com.

I have searched high and low to find a solution to a problem I am experiencing with my ISA 2006 server. This is what I am trying to accomplish:

1. Allow all traffic on port 1935 (RTMP) to freely flow past my firewall allowing my users to connect to an outside Flash Communication Server that needs port 1935.

2. Failing that, allow RTMP traffic to flow over port 80.

Even though I have created the protocol and rules for option 1, all I am seeing in the ISA monitor is a connection opened then closed. It is running the rule and recognizes the port, however, something is going wrong.

Since I could not get that to work, I was hoping to set up direct access (since the Web Proxy filter is not overly pleased with non-HTTP traffic flowing over port 80) to the sites in question. The monitor is showing it try to connect, but I receive the following error:

Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 13 The data is invalid.  
Rule:  
Source: Internal (192.168.0.xxx)
Destination: (domainname.com xxx.xxx.xxx.xx:80)
Request:  
Filter information: Req ID: 0ec41e2e  
Protocol:  
User:  

-0-

The machines I am testing this with are running the ISA Firewall client. However, I have tried it without the client and just proxy, proxy and client and so on.

Any help would be GREATLY appreciated. My best case scenario would be to allow RTMP to flow through Port 1935 so I don't have to set up direct access sites.

I have noticed that the monitor is indicating that protocol RTMP (which I created for port 1935) opens a connection and then closes the connection right after.

Thank you in advance!
Post #: 1
RE: Configuring RTMP (Port 1935) - 26.Dec.2008 9:06:16 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
For the protocol you created, the direction will be Outbound, type TCP and port 1935 (if it is TCP traffic).

If it's UDP then it will be "Send Receive", port 1935.

Then create an access rule from Internal to External allow "All users" for protocol you created

Keep this rule to the top of the rule list

If this is the exact way you created the rule and it's not working, then please run ISABPA in repro mode to collect the logs during the issue....

ISA BPA Steps:

ISA BPA can be downloaded and installed from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en

After installing this please run the ISA Data Packager from the Start,
Programs, ISA Server, ISA Tools menu. Select the ‘Collect data from one of the following repro scenarios’ radio button and select the ‘Basic Repro and Static Configuration’ option, select ‘Next’ and then ‘Start Data Collection’.

When the ISA Data Packager has initialized the various data captures you
will be asked to press the Spacebar to start capturing data. This is going
to capture a number of data outputs from a repro of the issue (Network
traces, ISA tracing output, ISA logs) so before running this and pressing
the spacebar please get set-up to repro the issue.

When you are ready to repro the issue press the spacebar, repro the issue
and then press the spacebar again to stop the captures. If you can try to
keep the time you are capturing quite short that will help our
analysis of the data.

The BPA will also gather config data from the ISA server that will help us
understand your set-up and will output all the data captures to a file on
the desktop called isapackage.cab.


_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to miopea)
Post #: 2
RE: Configuring RTMP (Port 1935) - 26.Dec.2008 3:33:33 PM   
miopea

 

Posts: 7
Joined: 25.Dec.2008
Status: offline
I am a newbie to ISA and have used this rollout to "train" myself. Running the best practice application was helpful and I noticed a few unrelated issues.

That said, I have created the IsaPackage1.cab. What is the best way to send this? Should I post part of it? You should see the RTMP protocol and traffic was from 192.168.0.130.

Thanks again, your help is greatly appreciated!

Bradford Schleifer

< Message edited by miopea -- 26.Dec.2008 6:27:27 PM >

(in reply to inderjeet)
Post #: 3
RE: Configuring RTMP (Port 1935) - 29.Dec.2008 8:54:35 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Send it to isaissues@yahoo.com


(in reply to miopea)
Post #: 4
RE: Configuring RTMP (Port 1935) - 29.Dec.2008 3:12:54 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
I have seen the logs sent by you. My initial look at ISA configuration is fine. A few things... If you are including "All Users" and "All Authenticated Users" both on a rule, it's not going to serve the purpose. Since you have ISA clients installed, only select "All Authenticated Users".

Now, to the actual issue. After seeing your network traces, it seems that your communication server at IP 69.94.x.x on port 1935 is sending the RST flag. Your ISA communicates to the server successfully, but the server is sending the RST flag, so you are seeing WSA_RWS_ABORTIVE_SHUTDOWN in the ISA logs. This error code is generated when one of the communicating peers terminates the session...

I am not sure about the configuration of the communication server. But there has to be something which needs to allow your external IP of your ISA to accept communication on the other end.

Check the configuration on that server which might allow connections from an ISA IP

< Message edited by inderjeet -- 29.Dec.2008 3:14:49 PM >



(in reply to miopea)
Post #: 5
RE: Configuring RTMP (Port 1935) - 29.Dec.2008 9:19:15 PM   
miopea

 

Posts: 7
Joined: 25.Dec.2008
Status: offline
Thank you for your investigation and reply.

The only issue is that I do not have control over the Flash Communication Server. It is run by Omniture, our web analytics provider. It is where we play all of their training videos.

If I cannot get this to work with RTMP (port 1935), how would I go about configuring ISA to allow non-http traffic to flow on port 80?

If it helps, if I disable the HTTP filter, the videos play correctly. So it would probably work if I could just disable the HTTP filter for that particular destination.

Thanks again for your continued assistance.

(in reply to inderjeet)
Post #: 6
RE: Configuring RTMP (Port 1935) - 30.Dec.2008 8:58:41 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
quote:

ORIGINAL: miopea

Thank you for your investigation and reply.

The only issue is that I do not have control over the Flash Communication Server. It is run by Omniture, our web analytics provider. It is where we play all of their training videos.

If I cannot get this to work with RTMP (port 1935), how would I go about configuring ISA to allow non-http traffic to flow on port 80?

If it helps, if I disable the HTTP filter, the videos play correctly. So it would probably work if I could just disable the HTTP filter for that particular destination.

Thanks again for your continued assistance.


That's a good idea. Create a Domain Name set with their website domain and to that destination allow all users with a new HTTP protocol with the HTTP filter disabled. Don't disable the HTTP filter for the original HTTP protocol... Then keep this rule on top of the All Internet Access rule....

Hope that helps


(in reply to miopea)
Post #: 7
RE: Configuring RTMP (Port 1935) - 30.Dec.2008 11:12:25 AM   
miopea

 

Posts: 7
Joined: 25.Dec.2008
Status: offline
I tried what was suggested and created a new protocol "HTTP - Non-filtered" and created a rule pointing to the RTMP server's IPs. I see the rules firing to "Initiate Connection" and "Closed Connection".

However, between those two actions I receive "Failed Connection Attempt," with the monitoring showing this:

-snippet-
Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 13 The data is invalid.  
Rule:  
Source: Internal (192.168.0.180)
Destination: (69.94.139.192:80)
Request:  
Filter information: Req ID: 18dac859  
Protocol:  
User: anonymous
-/snippet-

It appears that it is not firing the rule for that connection attempt, even though it's going to the same IP.

Any assistance would be GREATLY appreciated!

(in reply to inderjeet)
Post #: 8
RE: Configuring RTMP (Port 1935) - 30.Dec.2008 11:37:59 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Are you able to connect to the server without ISA Server? I still strongly think that the issue isn't the ISA Server.

The issue is at the server end. It's the server which is resetting the connection both on RTMP and HTTP. If you see the Firewall and WebProxy logs, you would see that it is failing over to HTTP when RTMP is dropped... Since it is the RST flag, it is trying 4 times and then failing over to HTTP.

But it's not even letting the HTTP go through...

The logs below show that...

192.168.0.130 - 69.94.139.192 80 - SERVER-GATEWAY
192.168.0.130 - 69.94.139.192 80 - SERVER-GATEWAY
192.168.0.130 - 69.94.139.192 80 - SERVER-GATEWAY

Successfully
Terminate 192.168.0.130 1332 69.94.139.192 80 WSA_RWS_CONNECTION_KILLED
Establish 192.168.0.130 1332 69.94.139.192 80 The operation completed successfully
Terminate 192.168.0.130 1331 69.94.139.192 443 WSA_RWS_ABORTIVE_SHUTDOWN
Establish 192.168.0.130 1331 69.94.139.192 443 The operation completed successfully


(in reply to miopea)
Post #: 9
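
The log reading in post #9, as an added example that is not from any poster or from ISA tooling: it pairs Establish/Terminate lines per session and lists the endpoints where every session ended with one of the abort codes quoted in the thread. It assumes the abbreviated six-field layout pasted above; the port 1935 lines, the 203.0.113.10 host and the `STILL_OPEN` marker are constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Layout as pasted in the post (not the full ISA log schema): action,
# client IP, client port, server IP, server port, result text.
LINE = re.compile(r"^(Establish|Terminate)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")
# The two termination codes quoted in the thread.
ABORTED = {"WSA_RWS_ABORTIVE_SHUTDOWN", "WSA_RWS_CONNECTION_KILLED"}

# Constructed sample, newest first like the excerpt. 203.0.113.10 is a
# documentation address standing in for an unrelated site.
SAMPLE = """\
Establish 192.168.0.130 1333 203.0.113.10 80 The operation completed successfully
192.168.0.130 - 69.94.139.192 80 - SERVER-GATEWAY
Terminate 192.168.0.130 1332 69.94.139.192 80 WSA_RWS_CONNECTION_KILLED
Establish 192.168.0.130 1332 69.94.139.192 80 The operation completed successfully
Terminate 192.168.0.130 1331 69.94.139.192 443 WSA_RWS_ABORTIVE_SHUTDOWN
Establish 192.168.0.130 1331 69.94.139.192 443 The operation completed successfully
Terminate 192.168.0.130 1330 69.94.139.192 1935 WSA_RWS_ABORTIVE_SHUTDOWN
Establish 192.168.0.130 1330 69.94.139.192 1935 The operation completed successfully
Terminate 192.168.0.130 1329 69.94.139.192 1935 WSA_RWS_ABORTIVE_SHUTDOWN
Establish 192.168.0.130 1329 69.94.139.192 1935 The operation completed successfully
"""

def summarize(text):
    """Map (server IP, port) -> Counter of how each logged session ended."""
    established, ended = set(), {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines in any other layout are skipped
        action, client, cport, server, sport, result = m.groups()
        key = (client, int(cport), server, int(sport))
        if action == "Establish":
            established.add(key)
        else:
            ended[key] = result
    report = defaultdict(Counter)
    for key in established | set(ended):
        # STILL_OPEN is this script's own marker, not an ISA result code.
        report[key[2:]][ended.get(key, "STILL_OPEN")] += 1
    return dict(report)

def always_aborted(report):
    """Endpoints where every logged session ended with an ABORTED code."""
    return sorted(ep for ep, results in report.items() if set(results) <= ABORTED)

if __name__ == "__main__":
    print(always_aborted(summarize(SAMPLE)))
```

An endpoint that appears here on every port tried, while other destinations stay open, is consistent with the reading in the post; the log alone does not show which side sent the RST, which is why the network trace was used for that.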
RE: Configuring RTMP (Port 1935) - 30.Dec.2008 5:05:20 PM   
miopea

 

Posts: 7
Joined: 25.Dec.2008
Status: offline
If I disable the HTTP filter on the HTTP protocol, then users are able to connect to the destination server without a problem. The monitor tells me that 1935 is still being rejected, but it works fine on port 80.

I have tested this from home (through a basic Belkin firewall/router) and videos play fine there as well.

If it would help, I could disable the HTTP filter on the HTTP protocol and run a trace.

(in reply to inderjeet)
Post #: 10
RE: Configuring RTMP (Port 1935) - 30.Dec.2008 5:39:03 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
No, better create a different HTTP protocol with direction Outbound with TCP 80...Place this rule on top....Create a domain name set with the *.domainname.com entry for the server you are accessing...Allow it for users

Then Run the Test...and send me the Traces


(in reply to miopea)
Post #: 11
RE: Configuring RTMP (Port 1935) - 30.Dec.2008 6:17:03 PM   
miopea

 

Posts: 7
Joined: 25.Dec.2008
Status: offline
I have already set up that new HTTP protocol. Should I have the HTTP filter on or off for the trace?

(in reply to inderjeet)
Post #: 12
RE: Configuring RTMP (Port 1935) - 31.Dec.2008 8:57:01 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
No Filters should be on, then run the trace


(in reply to miopea)
Post #: 13
RE: Configuring RTMP (Port 1935) - 5.Feb.2009 2:35:33 PM   
yamaha33166

 

Posts: 1
Joined: 5.Feb.2009
Status: offline
Took a while to figure this out with Microsoft support but here is the solution for ISA 2006.

1. Create a custom HTTP protocol with no filters.
2. Create RTMP protocol on TCP 1935 with no filters.
3. Create rule allowing Custom_HTTP and RTMP from Internal to Omniture's IP address (69.94.139.192 (at time of this posting)). Make sure this rule is before your regular HTTP outbound rule.
4. Create rule denying regular HTTP from Internal to Omniture's IP address. Make sure this rule is right below the allow Custom_HTTP rule and above the regular HTTP outbound rule.
5. Do not use Web proxy from the client or the ISA firewall client.

That is all.


(in reply to inderjeet)
Post #: 14
RE: Configuring RTMP (Port 1935) - 14.Aug.2009 1:53:08 AM   
frank.lin

 

Posts: 2
Joined: 22.Jan.2008
Status: offline
How does it work if the server is internal and you are trying to "publish"?

Case:
RTMP used by Adobe Connect server housed inside ISA.
How does one configure ISA to allow the outside to access the Adobe Connect?

I have no issue getting the web page to work but once it hits the RTMP, it fails.

Thanks

(in reply to yamaha33166)
Post #: 15
