Welcome to ISAserver.org

RE: Name Resolution problem with Firewall clients

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> RE: Name Resolution problem with Firewall clients

Page: << < prev 1 [2]

Message

<< Older Topic Newer Topic >>

RE: Name Resolution problem with Firewall clients - 30.Jul.2004 4:45:00 PM

penrose.l@2college.nl

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline

Hi Chris ,

You should see all users who have installed the firewall client as their domain user logon name instead of anonymous , even if you do not require authentication.
What happens when you install the firewall client on your PC and then surf the net and monitor isa ? ( you as a domain admin I mean )
Maybe it's a rights thing ?

Kind regards,
LexP

(in reply to cbarneaud)

Post #: 21

Featured Links*

RE: Name Resolution problem with Firewall clients - 2.Aug.2004 12:52:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Lex,

On the downstream ISA firewall, but what about the upstream?

Thanks!
Tom

(in reply to cbarneaud)

Post #: 22

RE: Name Resolution problem with Firewall clients - 2.Aug.2004 1:16:00 PM

penrose.l@2college.nl

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline

Hi Tom ,

We don't have an upstream firewall [Smile]

Couldn't help you with that specific issue [Frown]

Kind regards,
Lex P

(in reply to cbarneaud)

Post #: 23

RE: Name Resolution problem with Firewall clients - 2.Aug.2004 4:39:00 PM

cbarneaud

Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline

HI,

I wonder if ISA server could get confuse when a client that is both SecureNAT and Firewall client make an HTTP request?

I made a Firewall chaining between the downstream ISA server and the upstream ISA server.
I created a Web proxy chaining to make the downstream ISA server a Web proxy client of the upstream ISA Server.

I made an HTTP request from a client(SecureNAT, Firewall Client, webProxy Client) to External.

The configuration on the client is:
-Enable Firewall Client Support
-Use a Web proxy Server
-Enable Web proxy Clients
-Integrated Authentification Method
-Bypass proxy for Web servers in this network
_direcly access computers specified in Domain tab
-Directly access theses servers or Domain (I added my Domainname.local)

I made an HTTP request from a client(SecureNAT, Firewall Client, webProxy Client) to External.

1)When I open the browser it takes about 8-10 secs before the home page appears, then no delay problem when changing site.

2)What I see in the Log is:

-A connection between The Student Network and the localhost on port 1745: OK
-A connection between The Student Network and the localhost on port 8080: OK
-A connection (during 8 sec) between The Localhost and the External on port 445(CIFS): Deny
Should I open this port between the downstream and the upstream ISA server and why?

-I could only see 'Anonymous' in the Client user column.

I change my Student Network Authentification configuration:
-Integrated Authentification Method ( Require all Users to Authenticate )

This time I could see my Domainname/Username in the log but:
I still get a deny access between my downstream ISA and the upstream ISA server on port 445(CIFS)during 8 secs.
I see many 'Failed Connection Attempt' on port 80(HTTP) from my Student Client to the localhost with 'Anonymous' as the client username.

and then:
-Many connections between the downstream ISA and the upstream ISA server on port 8080: OK
-Many connections between my Student Client and the External Network on port 8080(HTTP) with my domainname/Username.

The automatic Firewall Client Discovery (with DNS) is not working with this configuration) due to a 'Failed Connection Attempt' on port 80(HTTP) from my Student Client to the localhost with 'Anonymous' as the client username.

Ok everythings seems to work fine, but I would like to get a clear log than this one!

I really like to see some nice articles about Back to back config and multiples Internal networks.

Thanks a lot Tom, Lex for all supports.

Chris

(in reply to cbarneaud)

Post #: 24

RE: Name Resolution problem with Firewall clients - 3.Aug.2004 1:46:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Chris,

OK, we're starting to get into consultation land [Big Grin]

Do you have a network diagram of your ISA firewall networks? It would be easier to figure out what's going on here.

Thanks!
Tom

(in reply to cbarneaud)

Post #: 25

RE: Name Resolution problem with Firewall clients - 5.Aug.2004 9:05:00 AM

cbarneaud

Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline

HI,

Everythings looks like to work now so I will not disturb you any more (for this time [Wink]

).
I didn't resolve the problem with the traffic between the downstream and the upstream server on port 445(CIFS).
It should be an authentification process because if I start the brownser on another computer just after the first one I don't get any delay when opening the first page.

Thanks for all

Chris

(in reply to cbarneaud)

Post #: 26

RE: Name Resolution problem with Firewall clients - 5.Aug.2004 1:22:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Chris,

445 should only be required to access shares (and for some AD related stuff), so it shouldn't be too much of an issue with a FE/BE ISA firewall config.

Good to hear things are working better for you now!

Thanks!
Tom

(in reply to cbarneaud)

Post #: 27