Welcome to ISAserver.org

Some protocols unavailable with FWC

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Some protocols unavailable with FWC

Page: [1]

Message

<< Older Topic Newer Topic >>

Some protocols unavailable with FWC - 9.Sep.2003 9:09:00 AM

GuillaumeP

Posts: 22
Joined: 25.Sep.2002
From: France
Status: offline

Hi All,

I have some trouble with the firewall client.
When FWC is activated, I can not connect directly to a mail server on Internet (outside our network)
The telnet does not work anymore (telnet mail.outside.server 25)

If I disable the FWC, all seems to work fine.

Did anybody have any Idea ?
I check the ISA Logs and does not understand what is failing.

TIA.

Guillaume.

Post #: 1

Featured Links*

RE: Some protocols unavailable with FWC - 9.Sep.2003 8:22:00 PM

spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Guillaume,

the ISA logs should give you the answer! [Big Grin]

To get the most information out of the logfiles, I strongly recommend to enable the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.

A lot of people seem to have problems with interpreting the logfiles. It isn't that difficult, but you should first understand what is logged. In the ISA helpfile there is a section called "Firewall and Web Proxy log fields", a must read. Additional information can be found in the following articles:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;284818
- http://support.microsoft.com/default.aspx?scid=kb;en-us;193625
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp

BTW --- You may post an excerpt of the ISA log. Just make sure the log is set to the ISA format.

HTH,
Stefaan

(in reply to GuillaumeP)

Post #: 2

RE: Some protocols unavailable with FWC - 10.Sep.2003 8:17:00 AM

GuillaumeP

Posts: 22
Joined: 25.Sep.2002
From: France
Status: offline

Here are some part of the log file :

With FWC activated

192.192.192.14, Guillaume, telnet.exe:3:5.0, N, 9/10/2003, 08:22:29, fwsrv, WEB, -, mail.aai.com, 209.213.6.56, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, 0, Serveur Requ+�te DNS, Autoriser la r+�gle, 880, 0
192.192.192.14, Guillaume, telnet.exe:3:5.0, N, 9/10/2003, 08:22:29, fwsrv, WEB, -, -, 209.213.6.56, 25, -, 0, 0, 25, TCP, Connect, -, -, -, 0, 0, Allow Mail protocols, Autoriser la r+�gle, 880, 13854
192.192.192.14, Guillaume, telnet.exe:3:5.0, N, 9/10/2003, 08:22:29, fwsrv, WEB, -, -, 209.213.6.56, 25, -, 0, 0, 25, TCP, Connect, -, -, -, 0, 0, Allow Mail protocols, Autoriser la r+�gle, 880, 13854

With FWC disabled

192.192.192.14, -, -, N, 9/10/2003, 08:23:10, fwsrv, WEB, -, -, 209.213.6.56, 25, 220, 0, 0, 25, TCP, Connect, -, -, -, 0, 0, Allow Mail protocols, Autoriser la r+�gle, 4, 13856
192.192.192.14, -, -, N, 9/10/2003, 08:23:18, fwsrv, WEB, -, -, 209.213.6.56, 25, 8662, 6, 129, 25, TCP, Connect, -, -, -, 20000, 0, Allow Mail protocols, Autoriser la r+�gle, 4, 13856

Thanks for your help.

(in reply to GuillaumeP)

Post #: 3

RE: Some protocols unavailable with FWC - 10.Sep.2003 10:31:00 PM

spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Guillaume,

With FWC disabled:

- This are SecureNAT requests and you can see that because the fields cs-username and c-agent are empty.
- You see first the connection request (field s-operation = connect with field sc-status = 0). Field Rule#1 is the protocol rule allowing the request and field Rule#2 is the site&content rule allowing the request. The field sessionid = 4 and the field connectionid = 13856.
- If you follow now the sessionid and connectionid pair, you will find all log entries related to this particular connection.
- The second entry is the connection close (field s-operation = connect with field sc-status = 20000). The fields cs-bytes and sc-bytes are showing respectively the bytes sent and received.

With FWC activated:

- This are Firewall client requests and you can see that because the fields cs-username and c-agent are filled in.
- The first entry is a DNS request GHBN (Get Host by Name).
- The second and third entries are the same (duplicate entries) and show that the connection request (field s-operation = connect with field sc-status = 0) is allowed by Rule#1 (protocol) and Rule#2 (site&content).
- You must find at least another entry with the same sessionid and connectionid pair. It should contain s-operation = connect and a sc-status probably different from 2000X. What is the exact status code?

Also, check also the IP packet filter log. Do you see some blocked packets related to this traffic?

HTH,
Stefaan

(in reply to GuillaumeP)

Post #: 4