• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Non UDP - TCP protocols

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Non UDP - TCP protocols Page: [1]
Login
Message << Older Topic   Newer Topic >>
Non UDP - TCP protocols - 2.Nov.2002 11:13:00 AM   
gcjunior

 

Posts: 114
Joined: 28.Oct.2002
From: Belgium
Status: offline
If I understand it will, the only way to work with it, is to have the SecureNat client installed since these protocols are not supported by the firewall client.

It seems that in a production environment combining both (SecureNat and Firewall) is not a good practise.

Why? If you need policies on users and groups and e.g. PPTP, you have no choise, have you?

Regards

Geert
Post #: 1
RE: Non UDP - TCP protocols - 2.Nov.2002 3:23:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Geert,

a single machine can be configured as a SecureNAT, Firewall and Web Proxy client at the same time without any adverse interaction between the client configuration settings. In fact this is the standard configuration I always use for the clients.

HTH,
Stefaan

(in reply to gcjunior)
Post #: 2
RE: Non UDP - TCP protocols - 2.Nov.2002 9:09:00 PM   
gcjunior

 

Posts: 114
Joined: 28.Oct.2002
From: Belgium
Status: offline
Hi stefaan,

It's also something I read in tom's book at p.400 and I wondered why.

PS: I'm using the book realy as a study book, and maybe I'm falling over things others would not.

Regards for your answer but by the way, why combining all tree together? I can imagine web client + 1 other, but the 3 together?

Geert

(in reply to gcjunior)
Post #: 3
RE: Non UDP - TCP protocols - 2.Nov.2002 11:53:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Geert,

you are reading very thoroughly Tom's book. That's very good! [Big Grin]

Very often I'm working with a routed internal network. In that situation the clients all have DNS, WINS and Default Gateway set. So technically they are configured as SecureNAT client. Even if it is a simple internal network, I always set the Default Gateway.

The Firewall client works on the Winsock level and handles only requests for TCP/UDP protocols if they are *not* in the LAT. All other requests are not touched and follows the normal packet processing of the TCP/IP stack. In the latter case we say that the requests are sent as from a SecureNAT client. To learn more about the Firewall client, check out http://www.isaserver.org/articles/Understanding_the_Firewall_Client_Control_Channel.html .

If you carefully read the above mentioned article and look at the network monitor traces, you will see that the packets sent from a Firewall client has the ISA server internal IP address as destination IP address. The same holds true for a Web Proxy client. However, if you take a network monitor trace of a SecureNAT session, you will see that the packets sent from a SecureNAT client has the IP address of the real destination as destination IP address. Therefore it is common to say that if you see packets with the real destination IP address, they are sent as from a SecureNAT client.

Now, what Tom is referring to in his book is that although the client may be configured as SecureNAT client, if the Firewall client is installed and enabled, TCP/UDP packets will be handled by the Firewall client (if destination is not in the LAT).

Why combining all tree client types together? If you want to ping external destinations, the client must be a SecureNAT client because ping uses the ICMP protocol and that is *not* handled by the Firewall client.

HTH,
Stefaan

(in reply to gcjunior)
Post #: 4
RE: Non UDP - TCP protocols - 3.Nov.2002 8:37:00 PM   
gcjunior

 

Posts: 114
Joined: 28.Oct.2002
From: Belgium
Status: offline
Thanks Stef,

I never thought of this the way you document it with network monitor traces.

The fact that you see in case of a securenat clients the real destination address and in other cases the internal IP of the ISA server explains also why the secureNat is completely responsible for DNS resolving and why for the other client ISA server can do the resolving, isn't it?

Regards for your answer,

Geert

Now that I finished this chapter, I'll go through all documents I can find on this site concerning ISA services and ISA clients. I already saw your document on your site.

(in reply to gcjunior)
Post #: 5
RE: Non UDP - TCP protocols - 3.Nov.2002 8:54:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Geert,

yes, you are correct! When the firewall client is installed, ISA can do DNS lookup on behalf of the client. [Smile]

This weekend I have posted all the latest updates of my articles on isaserver.org. You can read them on http://www.isaserver.org/Stefaan_Pouseele/ .

BTW --- I'm a networking guy. So, I like to document things with Ethereal (a very good free network monitor) and compare them to the ISA log files. In that way I have learned a lot on how to read the log files.

Thanks,
Stefaan

(in reply to gcjunior)
Post #: 6
RE: Non UDP - TCP protocols - 3.Nov.2002 9:42:00 PM   
gcjunior

 

Posts: 114
Joined: 28.Oct.2002
From: Belgium
Status: offline
Thanks Stef,

your tips are and will be very usefull. At this moment I do to much reading and not enough testing myself.
I always start reading about and studying a product before actually realy using it. I should pay more attention to the "testing myself" part to become realy close with a product

Regards

Geert

(in reply to gcjunior)
Post #: 7
RE: Non UDP - TCP protocols - 3.Nov.2002 10:07:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi GC,

The PPTP issue is a real security concern for a number of reasons. You can't control who has access to PPTP through the firewall, so if you allow access, you allow it for everyone. As you can image, if you allow users to PPTP into an untrusted network, you allow allow sort of things to enter your network and they completely bypass your security configuration on the firewall.

HTH,
Tom

(in reply to gcjunior)
Post #: 8

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Non UDP - TCP protocols Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts