Question

Opening ports in ISA Server

Asked by: wmkman

I am running Win2k server and ISA Server on a school network with XP clients. I have little familiarity with ISA and am having difficulty allowing access to a site needed by the teachers. The IP address for the WebCT server they need is 128.227.128.58 and the necessary ports are 8930, 9030, and a few more. The teachers are able to reach the main site but when they try to enter and log on, they get a blank page and I believe that is through the port 9030. I have created a content and filter rule, a protocol rule which allows all protocol definitions including the one created for "WebCT", and I have created a protocol definition. I have restarted the proxy and the firewall services. I am assuming that I would have to do this for all of these ports? I was also told that it is possible to run a script to add ports to the SSL tunneling although I do not know how to do this. I need to have this working for the instructors ASAP. Any help that you can give me would be greatly appreciated.

Thanks

Bill

This Question has been solved and asker verified.

Asked On: 2003-09-11 at 06:51:51, ID: 20735786

Tags: isa, server, open, port

Topics: MS Forefront-ISA, Enterprise Firewalls, Network Software Firewalls

Participating Experts: 5

Points: 500

Comments: 18

Answers

 

by: Goldwing, Posted on 2003-09-13 at 18:35:13, ID: 9355060

have you tried installing the firewall client on the workstations???

Also what might help.. is adding the ISA's IP and port (8080) in internet explorer's proxy settings..

 

by: Goldwing, Posted on 2003-09-13 at 18:36:50, ID: 9355071

the ISA firewall client can be found at \\servername\mspclnt\

 

by: wmkman, Posted on 2003-09-14 at 10:22:25, ID: 9357620

I do have the firewall client on the workstations. At least I think I do. I will definitely double check. Also port 8080 is the port that ISA is using for internet access and is being used by the clients to access internet. Also, is the way I described about the definition, protocol rule etc. the correct process?

 

by: Goldwing, Posted on 2003-09-14 at 11:48:59, ID: 9357965

i hope you didn't create an "allow all protocols incoming and outgoing" rule.. if you did that your firewall is wide open to the internet

 

by: wmkman, Posted on 2003-09-14 at 13:50:36, ID: 9358512

No I didn't but maybe I haven't selected all of the correct ones that I need.  This is the first time that I have done this and most things seem to be going fine except for this configuration with the teachers site access.  They seem to be able to access other internet sites but not this one.

 

by: Goldwing, Posted on 2003-09-14 at 14:31:40, ID: 9358733

The problem with that application might be.. that the teacher connects to it using port 9030 and the application might be trying to connect back to the teacher's computer using a different port.. (same as the mIRC DCC receive ports)

also did you check if the application uses TCP or UDP ports?

i've run into similar problems here (with PC-DUO) but solved it here by installing the ISA Client.

 

by: wmkman, Posted on 2003-09-16 at 11:06:50, ID: 9372211

According to the WebCT people,  different send and receive ports are not an issue.  I just need certain ones open.  The application uses TCP ports and I do have ISA Client installed on the client machines.  I have also just verified with the service provider that manages our router that the specified ports are available so it must be from within and probably ISA Server.

 

by: Goldwing, Posted on 2003-09-16 at 14:13:41, ID: 9373596

your router.... is it a bridged router?? or a regular router? and if it is a regular router.. does it have a built-in firewall?

 

by: wmkman, Posted on 2003-09-16 at 17:06:27, ID: 9374500

The company says that it is a regular router and does not have a built-in firewall.  It is allowing all traffic to pass through and we are filtering what comes in through the ISA firewall.

 

by: JJ2, Posted on 2003-09-18 at 03:52:31, ID: 9385165

Maybe this will help.

Question: Which ports does WebCT need to be open through a firewall? What are the default ports?

Solution: For users to be able to access WebCT successfully through your server-side firewall, you must open up to four ports.

WebCT CE 3.8 and later:

  • The HTTP port. Set during installation of WebCT. WebCT's default is 8900.
  • If using SSL, the HTTPS port. The default is 443.
  • TCP port for Chat. The default is 4445.
  • TCP port for Whiteboard. The default is 4567.

Note: You can find the current port settings for Chat and Whiteboard in the administrator interface, in server settings.

WebCT 3.7 CE and earlier:

  • The HTTP port. Set during installation of WebCT. WebCT's default is 8900.
  • TCP port for Chat tool. The default is 4445.
  • UDP port for Whiteboard. The default is 4567.
  • TCP port for Whiteboard. The default is 4568.

Notes:

  • You can find the current port settings for Chat and Whiteboard in the administrator interface, in server settings.
  • If any customizations to your WebCT installation require access to other ports on the WebCT server (example: SSL), your server-side firewall must also be configured correctly for these ports.

http://help.webct.com/knowledgebase

 

by: zero01, Posted on 2003-09-19 at 09:10:56, ID: 9394475

http://www.isaserver.org/tutorials/How_to_use_ISA_Server_Packet_Filters.html


http://www.isaserver.org - best site for isa server EVER. plus the two books you can buy, also very great. they have everyone from the website in the books too and more

 

by: wmkman, Posted on 2003-09-19 at 13:02:06, ID: 9396117

I want to thank everyone for all their help with this issue. This has been quite challenging for me since I came into ISA very "green". I have found a "solution" so to speak. I installed Netscape Navigator and tried accessing the internet and received an error telling me that ISA was blocking internet access. After going through the help given me by you all, doing a lot of double checking, I found out that not only was ISA's firewall running but so was a Microsoft firewall running within "services". I disabled that particular firewall to allow only ISA firewall to run. I then started Netscape and I was able to reach the internet. When I tried to access WebCT and the logon page I was informed that I was entering an encrypted area and asked if I wanted to continue and I did. I received the logon screen as well as I was able to log on to the site. So that would tell me that the ports are open through ISA. However, on the down side of this, Internet Explorer still will not allow me or the teachers access to the site's logon page so there must be something in IE even though I have been through that many times as well. I think that I am going to be satisfied, for now anyway, with using Netscape.

Thanks again
Especially Goldwing for responding so many times and being so patient.

 

by: nonsence, Posted on 2003-09-19 at 16:58:02, ID: 9397455

you really should stick with ie if you're using isa server. but netscape can work too. just make sure you specify the proxy settings in the browser to use the http proxy service provided by isa.

the downside to using netscape is that i don't think it can support ntlm authentication. so if u wanted a lot more security in your client browser sessions and u set up ntlm or higher authentication then netscape users would be locked out of using the proxy cus it would block them access since they wouldn't be able to provide proper authentication.

now, for starters when u install isa from scratch it blocks almost everything including dhcp requests. u need to enable the dhcp client packet filter to make the external dhcp nic work. next, if u use something called the Web Proxy Auto Discovery Protocol (WPAD) then browser clients are given the proxy settings and dns information needed to access isa server through the proxy service much like a dhcp server hands out ip address information. just about all major web browsers: mozilla, netscape, ie and probably konqueror support this feature. just right click on the isa server in the mmc console, choose properties and click the auto discovery tab at the top and publish it. for more info search for it on the site zero01 gave u.

umm hmmm. what else. well, my own college uses webct. and i can access it fine through isa server's proxy services.

and those microsoft firewall services you were talking about. that is the isa server........ the needed services that are part of the core isa server install in an integrated mode (firewall, proxy, nat) are:

  • Microsoft Firewall - the actual isa server firewall and ids system used to protect your server (don't shut it off ever)
  • Microsoft H.323 Gatekeeper - a proxy server for streaming video and audio (not really needed in your case)
  • Microsoft ISA Server Control - the mmc and other things you need to set up and control how isa works (u can block the ports it runs on for extra security if u plan on only accessing isa server's settings either locally or from the internal network)
  • Microsoft Scheduled Cache Content Download - this is much like the task scheduler for windows but isa has its own too (by default isa makes 2 tasks when installed so keep this service running)
  • Microsoft Web Proxy - this is the actual proxy service that will support your browser clients to access the internet on. by default it runs on the internal nic on port 8080 with no authentication. keep it cus u need it. but be aware that if u have little or no clients accessing isa on a daily basis and isa needs to be used for other services then u should look into how to lower the memory usage that isa takes up on the system (by default it uses 50% of the usable memory on the system).

i set it to 5% or at most 25% otherwise it tends to use over 60mb just when it's idle, more if it needs it.

to do this, go to cache configuration, right click on it, go to properties, click the advanced tab and at the bottom of the window you'll see what u need to change. make it whatever you feel you need it to be. like i said, i'm only one person using isa server and i set it to 5%. probably not the best course of action for most networks but it works for me. default value is 50

ok good luck

 

by: wmkman, Posted on 2003-09-26 at 13:28:33, ID: 9439298

I have tried all the suggestions but to no avail. When I was able to get Netscape to work, it was like you suggested, only because the firewall was completely down. (Not a good thing) Netscape however, does tell me specifically that ISA is blocking the access to the secure login part of the webct.ufl.edu website. I know that opening ports is not advisable. I don't want to do it if unnecessary. The school wants the teachers to have access to this site however. WebCT is not installed on any of our machines, nor do I believe it needs to be. I can go to a local college and through their firewall am able to access the site without any problems. Those particular ports must not be much of an issue with them. Maybe I am thinking of this the wrong way. I do though really need this to work. If someone has any more suggestions, I will be very eager to hear.

Thanks

 

by: nonsence, Posted on 2003-09-26 at 13:49:38, ID: 9439455

 

by: wmkman, Posted on 2003-11-26 at 11:20:26, ID: 9826947

I just was able to get the connection working.  Ended up using a VB script to add the extra ports to the SSL tunneling configuration.  Through your help and the book "ISA Server and Beyond" this was accomplished.  Thanks

 

by: quickstartit, Posted on 2004-04-07 at 21:09:07, ID: 10780713

Can you tell exactly how to run this script?  I've got the KB article 283284, but it assumes I know how to create and run this VBScript and I don't.

 

by: wmkman, Posted on 2004-04-08 at 12:24:52, ID: 10786449

This script -

set isa=CreateObject("FPC.Root")
set tprange=isa.Arrays.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
set tmp=tprange.AddRange("SSL 3520", 3520, 3520)
tprange.Save

-assuming this is the one you have- should have a "vbs" extension. Right click and select edit. This will be in Notepad that you will do the editing. The port number(s) that you would like to "briefly" open, I say that because everyone knows that opening ports is dangerous. Basically, this script only opens the ports when needed and should not leave them open. Anyway, once in Notepad, replace the number of the listed, "3520" in this case, with the one that you would like to "open". This will create a tunnel through the firewall that should allow the access. For instance: If you would like port 3020, line 3 would look like this:

set tmp=tprange.AddRange("SSL 3020", 3020, 3020)

Once completed, save the result and then double click to execute.  The script should run by itself.
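The fix in this thread works because the ISA Web Proxy tunnels HTTPS (the CONNECT method) only to ports listed in its tunnel port ranges, which by default are 443 and 563. The following Python model is an added example, not code from the thread or from Microsoft: it assumes the WebCT login is HTTPS on port 9030 as the asker believed, the range names and request lines are constructed, and the 400/502 status values are this model's own choice.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelPortRange:
    name: str   # label only, like the first argument of AddRange
    low: int
    high: int


# Default SSL tunnel ports (HTTPS and NNTPS); the names are constructed.
DEFAULT_RANGES = [
    TunnelPortRange("SSL", 443, 443),
    TunnelPortRange("NNTP", 563, 563),
]

CONNECT_RE = re.compile(r"^CONNECT\s+([A-Za-z0-9.\-]+):(\d{1,5})\s+HTTP/1\.[01]$")


def add_range(ranges, name, low, high):
    """Return a new list with the range appended, in the spirit of AddRange.

    Adding an identical low/high pair twice is a no-op. A range stays in
    the list until someone removes it again.
    """
    if not 1 <= low <= high <= 65535:
        raise ValueError("invalid port range")
    if any(r.low == low and r.high == high for r in ranges):
        return list(ranges)
    return list(ranges) + [TunnelPortRange(name, low, high)]


def check_connect(request_line, ranges):
    """Return (status, reason) for a CONNECT request under the given ranges."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return 400, "not a well-formed CONNECT request"
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return 400, "port out of range"
    for r in ranges:
        if r.low <= port <= r.high:
            return 200, f"tunnel allowed by range '{r.name}'"
    return 502, f"port {port} is not in any tunnel port range"


def audit(ranges, max_width=1):
    """Names of ranges wider than max_width ports, for configuration review."""
    return [r.name for r in ranges if r.high - r.low + 1 > max_width]


if __name__ == "__main__":
    login = "CONNECT webct.ufl.edu:9030 HTTP/1.0"  # constructed request line
    print(check_connect(login, DEFAULT_RANGES))     # refused before the fix
    fixed = add_range(DEFAULT_RANGES, "SSL 9030", 9030, 9030)
    print(check_connect(login, fixed))              # allowed after the fix
    wide = add_range(DEFAULT_RANGES, "SSL all", 1024, 65535)
    print(audit(fixed), audit(wide))                # only the wide range is flagged
```

Single-port ranges such as "SSL 9030" keep the proxy's tunnelling limited to the one service that needs it; the audit helper flags anything broader for review.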
