problem IM client tunneling through HTTP
problem IM client tunneling through HTTP - 13.Oct.2006 11:08:52 AM
ThijsD
Posts: 21
Joined: 31.Aug.2005
Status: offline

Hello Tom & everyone else,

We use an ISA array to provide internet access to our LAN users. Recently, I've replaced our ISA 2004 enterprise array (2 servers) with a new ISA 2006 enterprise array. No upgrade, a full reinstall! After installing the new ISA 2006 servers, I've imported the full enterprise ISA config from my ISA 2004 setup.

The import succeeded and everything works fine, except for MSN access through HTTP. MSN clients can no longer connect to the MSN network through the access rule that allows outgoing HTTP/HTTPS (tunneling through HTTP). This has always worked fine on my ISA 2004 array! I have not created any HTTP filter signatures to block MSN.

When I create a rule that allows outgoing MSN access (port 1863) and use the ISA firewall client, I can connect successfully to the MSN network. So it really seems like a problem related to the webproxy, as the problem only occurs when the MSN traffic is tunneled through the webproxy filter.

Does anyone else have this problem with the new ISA 2006? Some suggestions?

Thanks in advance for your help & comments!!!

Best regards,
ThijsD
RE: problem IM client tunneling through HTTP - 17.Oct.2006 7:51:18 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Thijs,

Does the ISA Firewall's log files show the connections are blocked, or that there isn't a rule that is allowing the connection?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: problem IM client tunneling through HTTP - 17.Oct.2006 8:49:07 AM
ThijsD
Posts: 21
Joined: 31.Aug.2005
Status: offline

Hi Tom,

Thanks for your reply.

When I look on the monitoring tab, I see multiple connections from my client IP to MSN IP addresses, using HTTP protocol. In the action-column it says 'Allow connection'. All those connections are allowed by an enterprise rule called 'HTTP-HTTPS'. Those connections have an HTTP status code 200.

The last connection I see on the monitoring tab is an SSL-connection from my client IP to login.live.com. In the action-column it says 'Failed Connection Attempt'. This connection is also processed through the same enterprise rule called 'HTTP-HTTPS'. The failed SSL-connection has an HTTP status code 64.

And I double-checked and the enterprise rule allows both HTTP & HTTPS.

Thanks again,
Thijs
RE: problem IM client tunneling through HTTP - 18.Oct.2006 7:07:07 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Thijs,

Try configuring the MSN, Passport, Hotmail and Microsoft for Direct Access and make sure the Firewall client is installed and working properly on the client systems.

HTH,
Tom
RE: problem IM client tunneling through HTTP - 23.Oct.2006 4:26:44 AM
ThijsD
Posts: 21
Joined: 31.Aug.2005
Status: offline

Hi Tom,

Thanks for your help.

If I configure those sites for direct access and install the fw client, this means it isn't tunneled any longer through the web proxy. So the fw client connects you through port 1863. Is that correct?

We have a lot of computers that are not under our control (at least not for software installation), so it's not possible to provide every computer - that needs MSN access - with the ISA firewall client.

Any other suggestions I can try, or should I log a call @ the Microsoft support center?

Thanks again.
RE: problem IM client tunneling through HTTP - 25.Oct.2006 9:00:32 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Thijs,

No, it just means that it bypasses the Web proxy filter. The Firewall client isn't required unless you require authentication.

Check out: http://support.microsoft.com/kb/838708

And then configure those sites for Direct Access. Make sure authentication at the ISA Firewall isn't required for the SecureNAT clients.

HTH,
Tom
RE: problem IM client tunneling through HTTP - 8.Nov.2006 3:03:19 AM
ThijsD
Posts: 21
Joined: 31.Aug.2005
Status: offline

Hi all,

The problem is solved, it wasn't ISA! It was caused by a router that was performing NAT for the external interface of ISA. I think the router had trouble translating the MSN connection requests...

All is fine now, thanks for your help (especially Tom!)

Best regards,