Welcome to ISAserver.org

Allow UDP from SecureNat

Allow UDP from SecureNat - 30.Jan.2004 7:03:00 PM   
ccizin

 

Posts: 18
Joined: 4.Jun.2002
Status: offline
I have an IP Addressable Camera behind my ISA Server that is trying to connect to an external IP via a UDP Port. The camera is not able to send out any images past the ISA, so I check my ISA Logs, and I don't see anything listed coming from my camera's IP. I then use a Sniffer to make sure the packets are getting to my ISA and they are. I think I need to set up a Packet Filter to allow this? What would I set it to? Receive? Send? Send Receive? Receive Send? Both? Please help!
Post #: 1
RE: Allow UDP from SecureNat - 30.Jan.2004 11:52:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Chris,

create a new protocol definition for UDP port xyz send/receive (or send depending on the exact specification of the protocol) and allow it in a protocol rule.

HTH,
Stefaan

(in reply to ccizin)
Post #: 2
RE: Allow UDP from SecureNat - 5.Feb.2004 1:25:00 PM   
ppeetoom

 

Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
Just curious spouseele,

- What will happen if I use send/receive and only a send is needed?
- And how do I find out if a send/receive is needed?

Most explanations on the net on firewall configuration usually only give away the ports to open.

Thnx in advance.

(in reply to ccizin)
Post #: 3
RE: Allow UDP from SecureNat - 5.Feb.2004 8:21:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Groofster,

if you specify send/receive then the destination can send packets back. So, if it is a pure unidirectional protocol, use send only.

For your second question, check out http://www.tacteam.net/openport.htm . It shows clearly you should make yourself familiar with the protocols you allow in and/or out. So, study the protocol specifications, take some Network Monitor traces and analyze them thoroughly.

HTH,
Stefaan

(in reply to ccizin)
Post #: 4
RE: Allow UDP from SecureNat - 6.Feb.2004 1:24:00 PM   
ppeetoom

 

Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
Thanx spouseele,

It's part of the answer I needed. I am familiar with the different types of "open" ports. I was only curious what would happen if I specify a send/receive and only a send is needed. I know ISA opens and closes sockets transparently, so I can't imagine it will overload my ISA. (the other way around is obvious => specify send when send/receive is needed)

It might be kind of a nerdy question, but hey, I'm a 4GL application designer. I'm supposed to be a nerd....... [Razz]

(in reply to ccizin)
Post #: 5
RE: Allow UDP from SecureNat - 6.Feb.2004 10:43:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Groofster,

as you probably know UDP is connectionless. However, most firewalls treat UDP as a simulated connection by using some timers. Therefore UDP send/receive compares very well to TCP outbound, and UDP receive/send to TCP inbound. Therefore bidirectional traffic is allowed between the source and destination on the specified port numbers.

So, specifying send/receive instead of send will not harm ISA server much. Makes sense, doesn't it! [Wink]

HTH,
Stefaan

(in reply to ccizin)
Post #: 6
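
The send versus send/receive behaviour discussed in posts #4 and #6, as an added example that is not part of the original thread: a simplified Python model of a firewall that treats UDP as a timer-based pseudo-connection. It is not ISA Server's implementation; the class names, the 60-second idle timeout and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 60.0  # seconds; assumed for illustration, not ISA Server's real timer

# Which side may start a flow under each protocol-definition direction.
INITIATOR = {"send": "internal", "send/receive": "internal",
             "receive": "external", "receive/send": "external"}

@dataclass
class UdpRule:
    port: int        # port on the side being contacted by the initiator
    direction: str   # one of the INITIATOR keys

@dataclass
class UdpFirewall:
    rules: list
    sessions: dict = field(default_factory=dict)  # (int_ep, ext_ep) -> last seen

    def handle(self, now, origin, int_ep, ext_ep):
        """Return True if a datagram sent from `origin` ('internal'/'external')
        between int_ep and ext_ep, both (ip, port), is passed at time `now`."""
        key = (int_ep, ext_ep)
        # Connectionless: the only "teardown" is the idle timer running out.
        if key in self.sessions and now - self.sessions[key] > IDLE_TIMEOUT:
            del self.sessions[key]
        for rule in self.rules:
            initiator = INITIATOR[rule.direction]
            service_port = ext_ep[1] if initiator == "internal" else int_ep[1]
            if rule.port != service_port:
                continue
            two_way = "/" in rule.direction
            if origin == initiator:
                if two_way:
                    self.sessions[key] = now   # open or refresh pseudo-connection
                return True
            if two_way and key in self.sessions:
                self.sessions[key] = now       # reply on a live pseudo-connection
                return True
        return False

def demo():
    cam, srv = ("10.0.0.5", 4000), ("203.0.113.10", 5000)  # constructed addresses
    send_only = UdpFirewall([UdpRule(5000, "send")])
    send_recv = UdpFirewall([UdpRule(5000, "send/receive")])
    return {
        "send: outbound": send_only.handle(0, "internal", cam, srv),
        "send: reply": send_only.handle(1, "external", cam, srv),
        "send/receive: outbound": send_recv.handle(0, "internal", cam, srv),
        "send/receive: reply": send_recv.handle(1, "external", cam, srv),
        "send/receive: other host": send_recv.handle(2, "external", cam, ("198.51.100.7", 5000)),
        "send/receive: after idle": send_recv.handle(120, "external", cam, srv),
    }
```

In this model a reply is passed only from the same remote endpoint and only while the idle timer is live, which is the extra exposure send/receive adds over send.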
RE: Allow UDP from SecureNat - 7.Feb.2004 5:37:00 PM   
ppeetoom

 

Posts: 262
Joined: 22.Dec.2003
From: The Netherlands
Status: offline
And again I thank you for the nerdy answer....... [Big Grin]

Leaves the next question. As far as I know it's impossible to Server Publish a UDP service. So what's the use of receive/send? It can only be used for Packet Filters and/or secondary connections on FW Clients.

[ February 07, 2004, 05:40 PM: Message edited by: Groofster ]

(in reply to ccizin)
Post #: 7
RE: Allow UDP from SecureNat - 8.Feb.2004 5:41:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Groofster,

you can perfectly server publish a UDP-based service without problem. Just make sure you have applied http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493 for stability reasons.

HTH,
Stefaan

(in reply to ccizin)
Post #: 8
