Welcome to ISAserver.org

Loose UDP Matching

Loose UDP Matching - 29.Dec.2004 8:05:00 PM   
xylog

Does anyone know if ISA 2004 allows Loose UDP matching? If not, is there a way to set it to allow this?

Loose UDP matching is supported in RRAS as described here:

quote:
UDP Source Port Allocation and Loose Source Matching

To better support various types of peer-to-peer applications, the NAT mapping behavior for UDP differs from that of TCP in the following two ways:

How NAT chooses the source port for outbound dynamic mappings. When creating a new TCP mapping for an outbound packet, the NAT driver chooses a source port without regard for already existing mappings as long as such a choice does not result in a conflict. In contrast, when choosing a source port for a UDP mapping for an outbound packet, the NAT driver determines if a mapping exists that has the same private address and port. If such a mapping exists, the NAT driver will use the same public port for the new mapping. For example:

* If a client on the private network makes a TCP connection to two different computers on the public network from the same source port, the NAT driver will choose different source ports for those mappings.
* If a client on the private network sends UDP packets to two different computers on the public network from the same source port, the NAT driver will use the same source port for both mappings.

How NAT determines whether an inbound packet matches an existing dynamic or static mapping. For TCP, an inbound packet must exactly match the 5-tuple for a mapping (that is, protocol, source address, source port, destination address, and destination port). For UDP, however, an inbound packet must match only the protocol, destination address, and destination port of a mapping; the source address and source port of the packet are effectively ignored. This "loose matching behavior" applies only if the private port is greater than 1024. Allowing this behavior for ports below 1024 would introduce a security risk because it might allow unfettered access to such sensitive TCP and UDP ports as 137 (NetBIOS Name service) and 445 (Microsoft Common Internet File System [CIFS]).

Here is the full text I took this from:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_nat_how.asp
Post #: 1
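
The two rules quoted in the post above (UDP public-port reuse, and loose inbound matching limited to private ports above 1024), modelled as an added example that is not part of the original post and is not RRAS or ISA code. The `Nat` and `Mapping` names, the port counter and the addresses are assumptions made for illustration, and TCP port allocation is simplified to "always a fresh port".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    proto: str      # "tcp" or "udp"
    private: tuple  # (address, port) of the client behind the NAT
    public: tuple   # (address, port) the NAT presents to the outside
    remote: tuple   # (address, port) the client originally contacted

class Nat:
    """Toy model of the quoted rules; all names here are hypothetical."""
    def __init__(self, public_ip, first_port=50000):
        self.public_ip, self.next_port, self.mappings = public_ip, first_port, []

    def outbound(self, proto, private, remote):
        """Create a dynamic mapping and return its public (address, port)."""
        public = None
        if proto == "udp":  # UDP reuses the public port of the same private endpoint
            public = next((m.public for m in self.mappings
                           if m.proto == "udp" and m.private == private), None)
        if public is None:  # TCP (simplified): always a fresh public port
            public = (self.public_ip, self.next_port)
            self.next_port += 1
        self.mappings.append(Mapping(proto, private, public, remote))
        return public

    def inbound(self, proto, src, dst):
        """Return the private endpoint an inbound packet is forwarded to, or None."""
        for m in self.mappings:
            if m.proto != proto or m.public != dst:
                continue
            if m.remote == src:  # exact 5-tuple match: TCP and UDP
                return m.private
            if proto == "udp" and m.private[1] > 1024:  # loose match: source ignored
                return m.private
        return None

if __name__ == "__main__":
    nat = Nat("203.0.113.1")             # constructed documentation addresses
    client = ("192.168.0.10", 4000)
    peer_a, peer_b = ("198.51.100.5", 9000), ("198.51.100.6", 9000)
    stranger = ("192.0.2.77", 1234)      # never contacted by the client
    udp_pub = nat.outbound("udp", client, peer_a)
    print("same UDP port:", udp_pub == nat.outbound("udp", client, peer_b))
    tcp_pub = nat.outbound("tcp", client, peer_a)
    print("UDP from stranger ->", nat.inbound("udp", stranger, udp_pub))
    print("TCP from stranger ->", nat.inbound("tcp", stranger, tcp_pub))
    low_pub = nat.outbound("udp", ("192.168.0.10", 137), peer_a)
    print("UDP to low-port mapping ->", nat.inbound("udp", stranger, low_pub))
```

The stranger's UDP packet reaching the client is the exposure that loose matching accepts, and the 1024 cut-off is what keeps it away from mappings for ports such as 137.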
RE: Loose UDP Matching - 29.Dec.2004 8:43:00 PM   
tshinder

Hi Xy,

What are you trying to accomplish?

Thanks!
Tom

(in reply to xylog)
Post #: 2
RE: Loose UDP Matching - 29.Dec.2004 8:52:00 PM   
xylog

I have an application that requires loose UDP matching to function properly. In Linux under the 2.2 kernel, IPchains had a udp_dloose setting that could be configured for this to work. RRAS worked out of the box but ISA 2004 doesn't, and I can't seem to find any information on whether ISA supports Loose UDP matching or not.

(in reply to xylog)
Post #: 3
