Loose UDP Matching (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> General



xylog -> Loose UDP Matching (29.Dec.2004 8:05:00 PM)

Does anyone know if ISA 2004 allows Loose UDP matching? If not is there a way to set it to allow this.

Loose UDP matching is supported in RRAS as described here:

quote:
UDP Source Port Allocation and Loose Source Matching

To better support various types of peer-to-peer applications, the NAT mapping behavior for UDP differs from that of TCP in the following two ways:

How NAT chooses the source port for outbound dynamic mappings. When creating a new TCP mapping for an outbound packet, the NAT driver chooses a source port without regard for already existing mappings as long as such a choice does not result in a conflict. In contrast, when choosing a source port for a UDP mapping for an outbound packet, the NAT driver determines if a mapping exists that has the same private address and port. If such a mapping exists, the NAT driver will use the same public port for the new mapping. For example:

* If a client on the private network makes a TCP connection to two different computers on the public network from the same source port, the NAT driver will choose different source ports for those mappings.
* If a client on the private network sends UDP packets to two different computers on the public network from the same source port, the NAT driver will use the same source port for both mappings.

How NAT determines whether an inbound packet matches an existing dynamic or static mapping. For TCP, an inbound packet must exactly match the 5-tuple for a mapping (that is, protocol, source address, source port, destination address, and destination port). For UDP, however, an inbound packet must match only the protocol, destination address, and destination port of a mapping; the source address and source port of the packet are effectively ignored. This "loose matching behavior" applies only if the private port is greater than 1024. Allowing this behavior for ports below 1024 would introduce a security risk because it might allow unfettered access to such sensitive TCP and UDP ports as 137 (NetBIOS Name service) and 445 (Microsoft Common Internet File System [CIFS]).

Here is the full text I took this from:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_nat_how.asp
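
The two UDP behaviours described in the quoted text, as an added example that is not part of the original post or of Microsoft's RRAS code: a small Python model of a NAT mapping table that applies the UDP public-port reuse rule, the loose inbound match for private ports above 1024, and strict 5-tuple matching for TCP. The addresses and the 60000 starting port are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Mapping:
    proto: str        # "tcp" or "udp"
    priv_addr: str    # private client address
    priv_port: int    # private client port
    pub_port: int     # port the NAT uses on its public address
    dst_addr: str     # remote peer address
    dst_port: int     # remote peer port


class RrasStyleNat:
    """Constructed model of the RRAS NAT mapping rules quoted above."""

    def __init__(self, public_addr: str) -> None:
        self.public_addr = public_addr
        self.mappings: List[Mapping] = []
        self._next_port = 60000  # constructed starting point for port allocation

    def _alloc_port(self, proto: str, priv_addr: str, priv_port: int) -> int:
        # UDP: reuse the public port already assigned to this private addr:port.
        if proto == "udp":
            for m in self.mappings:
                if m.proto == "udp" and (m.priv_addr, m.priv_port) == (priv_addr, priv_port):
                    return m.pub_port
        # TCP (or first UDP use of this endpoint): pick a fresh, unused public port.
        used = {m.pub_port for m in self.mappings if m.proto == proto}
        while self._next_port in used:
            self._next_port += 1
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, proto: str, priv_addr: str, priv_port: int, dst_addr: str, dst_port: int) -> Mapping:
        """Create (or reuse) the dynamic mapping for an outbound packet."""
        for m in self.mappings:
            if (m.proto, m.priv_addr, m.priv_port, m.dst_addr, m.dst_port) == (proto, priv_addr, priv_port, dst_addr, dst_port):
                return m
        m = Mapping(proto, priv_addr, priv_port, self._alloc_port(proto, priv_addr, priv_port), dst_addr, dst_port)
        self.mappings.append(m)
        return m

    def inbound(self, proto: str, src_addr: str, src_port: int, pub_port: int) -> Optional[Mapping]:
        """Return the mapping an inbound packet to public_addr:pub_port is forwarded on, or None if dropped."""
        for m in self.mappings:
            if m.proto != proto or m.pub_port != pub_port:
                continue
            if (m.dst_addr, m.dst_port) == (src_addr, src_port):
                return m  # exact 5-tuple match: accepted for TCP and UDP alike
            if proto == "udp" and m.priv_port > 1024:
                return m  # loose match: remote source ignored for UDP above port 1024
        return None  # TCP from an unknown peer, or UDP to a low private port
```

The low-port case is the one the quoted text warns about: a mapping for private port 137 only accepts replies from the peer it was created for.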




tshinder -> RE: Loose UDP Matching (29.Dec.2004 8:43:00 PM)

Hi Xy,

What are you trying to accomplish?

Thanks!
Tom




xylog -> RE: Loose UDP Matching (29.Dec.2004 8:52:00 PM)

I have an application that requires loose UDP matching to function properly. In Linux under the 2.2 kernel, IPchains had a udp_dloose setting that could be configured for this to work. RRAS worked out of the box but ISA 2004 doesn't, and I can't seem to find any information on whether ISA supports Loose UDP matching or not.



