Welcome to ISAserver.org

Access Rules

All Forums >> [ISA Server 2004 Firewall] >> General >> Access Rules

Access Rules - 30.Jul.2010 2:46:57 PM   
MichaelI
Posts: 3
Joined: 30.Jul.2010
Status: offline
Hello,

We have an ISA 2004 Firewall that we are having some trouble getting a connection through. We are trying to allow a connection from an external set of IPs which are already defined as a network.

We setup a protocol for "tcp outbound" which is tcp outbound over port 1081.

When running a log query, we get:

Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent a RST segment.
Rule: Rulewecreated
Source: Network we created ( xxx.xxx.xxx.xxx)
Destination: Local Host ( xxxxxxx:1081)
Protocol: tcp outbound

Basically we have a client machine that is home to a piece of software that relays to a database on a server behind our firewall.  We need packets to be passed from the external network, through the firewall and to the client machine.  We also need the packets to go back out the network.

Thank you.
Post #: 1
RE: Access Rules - 3.Aug.2010 12:09:39 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
We have an ISA 2004 Firewall which we are having some trouble allowing a connection coming through.  We are trying to allow a connection from an external set of IP's which are already defined as a network.

Incorrect. They cannot be set as a "network". They must be set as an Address Object such as an Address Set, an Address Range, or a Subnet Object.

We setup a protocol for "tcp outbound" which is tcp outbound over port 1081.

Wrong direction and the wrong approach.

Basically we have a client machine that is home to a piece of software that relays to a database on a server behind our firewall.  We need packets to be passed from the external network, through the firewall and to the client machine.  We also need the packets to go back out the network.

You are taking the wrong approach.  This must either be done with a Server Publishing Rule (aka Non-Web Server Publishing Rule) or it must be done using a Remote Access VPN.

_____________________________

Phillip Windell

(in reply to MichaelI)
Post #: 2
RE: Access Rules - 4.Aug.2010 2:58:41 PM   
MichaelI
Posts: 3
Joined: 30.Jul.2010
Status: offline
Thank you for the help, it helped turn me around.

Unfortunately, after creating a publishing rule, setting the external IPs to an address set, and allowing traffic across "tcp" inbound port 1081, I am still getting the same error message.

Closed Connection 
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent a RST segment.
Rule: SSSSSS
Source: External ( xxxxxxx)
Destination: Local Host ( xxxxxxxx)
Protocol: tcp

From the google searches I have done, many users are experiencing this problem when attempting RDP connections.  This is not our case. 

Again thanks for your help earlier. 

(in reply to MichaelI)
Post #: 3
RE: Access Rules - 4.Aug.2010 3:24:31 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
There is no way to know with this small amount of information that you have done it correctly or not.  This is much more complex to perform than the information you are giving us.

This is not an RDP connection, and has nothing to do with RDP.

To clarify what you are (should be) doing:

You are:
1. Publishing a Database Server that sits on the LAN and communicates using TCP-1081-Inbound.

2. The Source (From) within the Publishing Rule will be an Address Set or an Address Range or a Subnet Object that represents the IP Address(es) that the user would appear to be coming from. This is most likely not the actual IP# of the user's machine, but it is not impossible in some situations.

3. The Listener of the Rule will Listen for connections on either External or the specific IP# chosen on the External Nic of the ISA.

4. The Database Server must be operating as a SecureNAT Client of the ISA. If it is not operating as a SecureNAT Client of the ISA, then the Publishing Rule must be set to "Show as coming from the ISA" rather than "Show as coming from the original client".

5. The Publishing Rule must be a Server Publishing Rule and not any other type.


It will fail if...
A. If the Database server uses more than, or other than, TCP-1081 at any time, then it may fail.

B. If the Database Server has any IP restrictions built into it that don't consider and allow all the IP#s the user would possibly be coming from, it may fail.

C. If the ISA is running as a Single-Nic Caching Server, then none of this is even possible and the ISA would not even be involved in the process.

D. If there is a Back-to-Back DMZ with the ISA as the inner firewall and some other firewall as the outer firewall, then it will fail if the Publishing process is not repeated on the outer firewall with it "treating" the ISA as if the ISA was the Database Server.

E. If any of the above Steps 1-5 is done incorrectly, it will fail.

_____________________________

Phillip Windell

(in reply to MichaelI)
Post #: 4
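The two log entries quoted in this thread carry most of the clues pwindell's checklist needs: the protocol direction, whether the connection ended on the ISA itself ("Local Host") or was forwarded to an internal host, and the RST status. The following Python script is an added example, not code from the thread or from ISA Server; it parses firewall-log entries in the "Field: value" form the poster pasted and applies three triage heuristics drawn from the replies above. The sample entries are the thread's own, with the addresses left masked as the poster masked them, and the heuristics (outbound protocol on inbound traffic, "Local Host" destination meaning the rule terminates on the ISA rather than on the published server, RST meaning the rule matched but the endpoint refused) are this example's assumptions, not documented ISA behaviour.

```python
"""Triage helper for ISA Server 2004 firewall-log entries (added example)."""
from __future__ import annotations

import re

# Constructed samples: the log blocks quoted in posts #1 and #3 of the thread.
SAMPLE_ACCESS_RULE_LOG = """\
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent a RST segment.
Rule: Rulewecreated
Source: Network we created ( xxx.xxx.xxx.xxx)
Destination: Local Host ( xxxxxxx:1081)
Protocol: tcp outbound
"""

SAMPLE_PUBLISHING_RULE_LOG = """\
Closed Connection
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent a RST segment.
Rule: SSSSSS
Source: External ( xxxxxxx)
Destination: Local Host ( xxxxxxxx)
Protocol: tcp
"""


def parse_log_entry(text: str) -> dict:
    """Turn the 'Field: value' lines of one log entry into a dict keyed by
    lower-cased field name. Lines without a colon (e.g. the 'Closed Connection'
    heading) are ignored; only the first colon splits, so 'host:port' survives."""
    entry = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        entry[key.strip().lower()] = value.strip()
    return entry


def endpoint_name(field: str) -> str:
    """Strip the parenthesised address from a Source/Destination field:
    'Local Host ( 10.0.0.1:1081)' -> 'Local Host'."""
    return re.sub(r"\s*\(.*$", "", field).strip()


def triage(entry: dict) -> list:
    """Apply the thread's checklist (assumed heuristics) to one parsed entry and
    return the findings in priority order."""
    findings = []
    status = entry.get("status", "")
    proto = entry.get("protocol", "").lower()
    src = endpoint_name(entry.get("source", ""))
    dst = endpoint_name(entry.get("destination", ""))

    # Heuristic 1: an outbound protocol cannot carry a connection that arrives
    # from outside; inbound traffic needs a Server Publishing Rule with an
    # inbound protocol definition.
    if "outbound" in proto and src != "Local Host":
        findings.append("direction: protocol is outbound but traffic arrives from "
                        "outside; use a server publishing rule with an inbound protocol")
    # Heuristic 2: 'Local Host' as destination means the connection ended on the
    # ISA's own address and nothing was forwarded to an internal server. In the
    # thread the cause was a rule that published the proxy, not the database host.
    if dst == "Local Host":
        findings.append("destination: connection terminated on the ISA itself; "
                        "check which server the rule publishes")
    # Heuristic 3: RST means the rule matched and a peer refused the connection,
    # so look at the published server's listener and its IP restrictions.
    if "RST" in status:
        findings.append("status: peer sent RST; confirm the published server "
                        "listens on the port and allows the source addresses")
    return findings


if __name__ == "__main__":
    for label, text in (("access rule", SAMPLE_ACCESS_RULE_LOG),
                        ("publishing rule", SAMPLE_PUBLISHING_RULE_LOG)):
        print(f"[{label}]")
        for finding in triage(parse_log_entry(text)):
            print("  -", finding)
```

Run it as-is to see the three findings for the first entry (wrong direction, Local Host destination, RST) and the two that remain for the second, which match the sequence of fixes the thread went through.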
RE: Access Rules - 10.Aug.2010 5:51:11 PM   
MichaelI
Posts: 3
Joined: 30.Jul.2010
Status: offline
Thanks again for all of your help.  I got it figured out.  I was publishing the proxy server vs. the machine that the database is being hosted on.  Once I created a publishing rule for that, the packets came right on through.  

(in reply to pwindell)
Post #: 5
RE: Access Rules - 11.Aug.2010 9:26:52 AM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Very good!
Glad you got it worked out.


_____________________________

Phillip Windell

(in reply to MichaelI)
Post #: 6