microsoft-ds (tcp 445) with Firewall-client

microsoft-ds (tcp 445) with Firewall-client - 19.Jul.2005 8:45:00 AM   
abruggeman

 

Posts: 10
Joined: 29.Jun.2005
From: Leiden, The Netherlands
Status: offline
Hello, I searched the forum and found some related topics but not exactly my problem.

I am trying to access a share (tcp 445) from a PC on the internal network to a server on a perimeter network. The firewall rules are set. The relationship is NAT.
It works fine when connecting as a secureNAT client (setting the IP route directly to the ISA), but not with the fw-client enabled. The fw-client doesn't seem to "pick up" the traffic; I see nothing in the log.
I adjusted several fw-client settings in Configuration>General>Define FW Client Settings, but I couldn't get it working.

I am curious about the experiences of others.
Post #: 1
RE: microsoft-ds (tcp 445) with Firewall-client - 20.Jul.2005 5:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi A,

What errors do you see in the logs?

Thanks!
Tom

(in reply to abruggeman)
Post #: 2
RE: microsoft-ds (tcp 445) with Firewall-client - 20.Jul.2005 9:35:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You shouldn't try to get the Firewall Client to pick up SMB requests, as you'll be stuck in a chicken and egg scenario.

If you get the Firewall Client to pick up SMB requests (you would need to find the component that initiates SMB requests, which can be LSASS or SVCHOST since SVCHOST is where the LanManWorkstation component will register) then you would be stuck in a scenario of the client being unable to contact the DC to log on because the FWC is picking up all of that traffic.

What rule allows the SecureNAT SMB request? What rule denies the FWC SMB request?

(in reply to abruggeman)
Post #: 3
RE: microsoft-ds (tcp 445) with Firewall-client - 2.Aug.2005 7:57:00 AM   
abruggeman

 

Posts: 10
Joined: 29.Jun.2005
From: Leiden, The Netherlands
Status: offline
Thanks for your replies, sorry for my late reply.

With the fw-client enabled, the logging shows:
port 3128, protocol TCP all, Initiated connection, no rule, from source address to localhost;
port 80, protocol http, Failed connection, Rule web access, User anonymous, from source to destination address;
port 3128, protocol TCP all, Closed connection, no rule, from source address to localhost;

Without using the fw-client the logging shows:
port 445, Microsoft CIFS (TCP), Initiated connection, rule xxx, no user, from source to destination address.

So there is no deny, but it looks like the fw-client changes the traffic from port 445 to 80. This cannot work.
I also changed the client settings lsass and svchost, but this didn't change the outcome.

(in reply to abruggeman)
Post #: 4
