Solved

Unix SecureNAT through ISA Server.

Posted on 2003-02-24
Last Modified: 2013-11-16
I am attempting to telnet through an ISA server from a Unix based system.  I have made the Unix box a SecureNAT client, but I am unable to successfully telnet.  The log files keep stating that it's blocked, but I have telnet listed in the protocol rules as allowed.  As far as I can tell there aren't any restrictions on the access policies.  I have enabled IP Routing on the ISA server.  Any help/explanation of what I could be doing wrong would be greatly appreciated.  Thanks.
Question by:Arin
15 Comments
 
LVL 3

Expert Comment

by:nouellette
ID: 8011000
Have you tried telnetting from a different box just to see if it's the box or the rule?

How did you make that Unix box a SecureNAT client?  All you have to do is simply program the default gateway of that Unix box to point to the IP of the ISA server, that's it.  So hopefully you did that correctly.  

How did you set the telnet rule?  TCP outbound port 23 or possibly port 24?
 

Author Comment

by:Arin
ID: 8017066
Thanks for the reply,

All my Windows firewall clients seem to be able to telnet fine.

Yes, the Unix box has been set as a secureNAT client.

I created an allow rule with the predefined telnet protocol listed as port 23.
 
LVL 3

Expert Comment

by:nouellette
ID: 8017396
Ok Arin,

I got some more documentation on SecureNAT clients...I've pasted some good text below...some you might find repetitive, some you might find useful!

You make a machine a SecureNAT client when you point its default gateway to an interface that routes Internet bound requests to the internal interface of the ISA Server. The default gateway is the IP address of the internal interface of the ISA Server if the client is on the same network ID as the internal interface of the ISA Server.

If you have a routed network, and the SecureNAT client is remote from the internal interface of the ISA Server, then you make the default gateway a router interface that provides the shortest route to the internal interface of the ISA Server.

One of the more problematic issues on these small networks is host name resolution for SecureNAT clients. The ISA Server will not resolve host names on the behalf of SecureNAT clients. Unlike Web Proxy and Firewall Clients, you must configure the SecureNAT client with the address of a DNS server.

If you do not have an internal DNS server,  then you need to configure the SecureNAT clients to use an external DNS Server. This will likely be your ISPs DNS Server. The DNS server address can be configured on the SecureNAT clients manually, or you can have a DHCP server assign DNS server address(es).

Whether you install a DNS Server on your internal network, or configure your SecureNAT clients to use a DNS Server on the Internet, there must be a Protocol Rule allowing SecureNAT clients to make DNS queries to external DNS servers.

The SecureNAT client is your only solution for non-Windows clients that need access to protocols other than "Web Protocols" (HTTP, HTTPS, FTP and Gopher). However, there are some issues with the SecureNAT client that can bite you if you're not aware of them:

  • Access is limited to those protocols included in Protocol Definitions
  • SecureNAT requires Application Filters for complex protocols
  • No user/group based authentication for network access

Access Limited to Protocols included in the ISA Server's Protocol Definitions
The SecureNAT client depends on existing protocol definitions to access Internet applications on remote hosts. This creates a problem if you would like to have wide open outbound Internet access for your internal clients.

Hope that helps...looks like you need to define a DNS server for name resolution on that Unix box as well as creating an application filter for your telnet access (not sure what type of rule you created for Telnet access)...lastly you need to create a Client Address Set for this machine based on IP address to allow outbound access.


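The pasted documentation above boils the SecureNAT client down to two host-side settings: the default route must point at the ISA Server's internal interface (or, on a routed network, at the router nearest to it), and the client must carry its own DNS server address because ISA does not resolve names for SecureNAT clients. As an added example that is not part of the thread or of any Microsoft material, the following Python script checks both settings from a Unix host's routing table and resolv.conf. The route dump, the resolv.conf and the address 10.0.0.1 for the ISA internal interface are constructed sample values, not taken from the question.

```python
import re
from typing import List, Optional

# Constructed sample data (not from the thread). 10.0.0.1 is assumed to be the
# ISA Server's internal interface; the client sits on the same /24.
ISA_INTERNAL = "10.0.0.1"

SAMPLE_IP_ROUTE = """\
default via 10.0.0.254 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.42
"""

SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf (constructed)
search example.internal
nameserver 10.0.0.10
"""


def default_gateway(route_table: str) -> Optional[str]:
    """Return the gateway of the default route from 'ip route', Linux 'netstat -rn'
    (0.0.0.0 row) or BSD/Solaris 'netstat -rn' ('default' row) output, else None."""
    patterns = (
        r"^default\s+via\s+(\S+)",               # ip route
        r"^default\s+(\d+\.\d+\.\d+\.\d+)",      # BSD/Solaris netstat -rn
        r"^0\.0\.0\.0\s+(\d+\.\d+\.\d+\.\d+)",   # Linux netstat -rn / route -n
    )
    for line in route_table.splitlines():
        for pat in patterns:
            m = re.match(pat, line.strip())
            if m:
                return m.group(1)
    return None


def nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def securenat_findings(route_table: str, resolv_conf: str, isa_internal: str) -> List[str]:
    """Problems that would stop this host from working as a SecureNAT client.
    An empty list means the default route and DNS settings look right."""
    findings = []
    gw = default_gateway(route_table)
    if gw is None:
        findings.append("no default route: Internet-bound packets never reach the ISA Server")
    elif gw != isa_internal:
        findings.append(
            f"default gateway is {gw}, not the ISA internal interface {isa_internal}; "
            "this is only correct on a routed network where that router forwards to the ISA Server"
        )
    if not nameservers(resolv_conf):
        findings.append(
            "no nameserver configured: ISA Server does not resolve names on behalf of SecureNAT clients"
        )
    return findings


if __name__ == "__main__":
    # With the constructed data the gateway is a router, not the ISA box, so one finding is printed.
    for finding in securenat_findings(SAMPLE_IP_ROUTE, SAMPLE_RESOLV_CONF, ISA_INTERNAL) or ["OK"]:
        print(finding)
```

On a real host you would feed it `ip route` (or `netstat -rn`) output and the contents of `/etc/resolv.conf`; the DNS check matters even when the first test is done by IP, because the next user will type a hostname. Note that the matching Protocol Rule allowing DNS queries out of the network lives on the ISA Server and cannot be checked from the client.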

Author Comment

by:Arin
ID: 8017473
Hmm...

I have an internal DNS, but I wouldn't figure that DNS would be a problem.  My Unix guys are attempting to connect via IP not by name, so I wouldn't figure DNS would be the issue.  I don't think that telnet is a complex protocol so I wouldn't need any application filters, but I'm not sure about this.  I'll have to see what defines a complex protocol.  I've already created a client address set for my test Unix system with the rules set to allow it.

This is what is stumping me.  From everything I've read what I have setup should be working, but it's not.  I'll check about the application filter though.  Thanks again for the help.
 
LVL 3

Expert Comment

by:nouellette
ID: 8017540
I agree with you...but it seems SecureNat does have a few shortcomings...but what do you expect from a Microsoft product?  heheh.  Actually it's a pretty decent alternative nonetheless.

I would just test a few things...even though you may already have a Telnet Protocol definition, try creating an application filter for it..just to test it.  

If you can't telnet to your destination...can you ping it from the Unix box?  Can you ping it by name?  (just to test resolution)...but then again you said you're telnetting by IP and not by name anyway.  
 

Author Comment

by:Arin
ID: 8017608
I've actually never created an application filter before, but I guess it wouldn't hurt to learn how and test it. ^_^

I did find something interesting... Last night before I went home I changed the properties of the server and removed the authentication from outgoing web requests.  I set the server to reboot early this morning since it's a production server and I can't do that stuff in the middle of the day.  I tried to telnet again this morning and it connected, but nothing was displayed.  I checked the logs and it seems to be blocking the external system from coming back in.  I'm not sure exactly what this means, since I'm new to ISA, but it doesn't make me comfortable to remove any security.  I think I'll be hitting the book store and buying a book today. ^_^

When I attempt to ping from the Unix system, I get no response.  The ICMP reply is being blocked by the ISA server, so says the logs.  I have not attempted to ping by name on the Unix system.
 
LVL 3

Expert Comment

by:nouellette
ID: 8017746
Yeah you'll have to allow ICMPs out of your network in order to ping out.  

Before hitting the bookstore, try www.isaserver.org; it's an awesome resource for ISA and I've spent countless hours on it since the day it was born.  It's probably going to be more valuable than any book you buy!

Not sure why ISA was blocking the inbound communication from your telnet session, but it makes sense why you couldn't see any information.  I'm not EXACTLY sure of the inner workings of the difference between allowing protocols or application filters...but I'm guessing just allowing outbound TCP, port 23 isn't enough, as a response and data have to flow back in.  That's probably why application filters are best for this perhaps.  
 

Author Comment

by:Arin
ID: 8017841
According to the logs, the ping goes out, but it blocks the reply.  I'm not sure why this is if it's a NAT client.

I've been to isaserver.org and I've tried all the suggestions that I've found there.  This is driving me crazy and figured it wouldn't hurt to ask.  I'm afraid this situation will result in me having to rebuild the server.

I'll head over to isaserver.org and check out application filters since I never considered it an option before.  It just seems to me it's breaking the rules of NAT if it doesn't work.  It's supposed to know where to send replies from the outside to the original requester.

Thanks for all the help.  
 
LVL 3

Accepted Solution

by:
nouellette earned 225 total points
ID: 8017941
Arin,

You won't have to rebuild the server, this is doable.

One rule I always follow...but this might be tricky for you...is if I'm stuck and I can't get a client to get out of the firewall for a particular service...I create a rule for that client and allow ALL traffic, in and out for that IP.  I then work backwards from there.  If it works, then I know it's simply a problem with my filters/rules for that client.  If you can get away with it being a production server, try that route.

Anyhow, good luck and report back your findings.
 

Author Comment

by:Arin
ID: 8018847
nouellette,

I picked up the book they advertise on isaserver.org today at lunch.  Configuring ISA server 2K.  I'll let you know if it's worth it! ^_^  Hopefully this will shed some light on the areas that I'm fuzzy on and help me with understanding ISA server overall.  If I run across my answer I'll let you know.  Thanks again for the help.
 

Author Comment

by:Arin
ID: 8027041
Okay.  I've made a Windows system a secureNAT client as well and it's acting the same way.  It has to be something setup in a rule somewhere.  I think it may have something to do with the authentication.  I'm going to change it back and see if it reacts the same way.  That will give me a direction to go in.
 
LVL 4

Expert Comment

by:pmarquardt
ID: 8036579
Hi Arin. Just to make sure, you need to right click on the ISA Server name just below Server and Arrays in the MMC, choose properties. Under Outgoing Web Requests, click on your ISA Server name and choose edit, look to see if you have the integrated box checked. This will allow *nix boxes to be secure nat boxes. Also, make sure that you have enabled Telnet in your Site and Content Rule.
 

Author Comment

by:Arin
ID: 8036611
Thanks for the reply pmarquardt.

Yes the authentication method is set to "Integrated".  Telnet has also been setup in the rules.
 

Author Comment

by:Arin
ID: 8036710
Arrrgh!  I figured it out.  The Unix guys gave me an address that doesn't work with telnet.  I found some public sites that allowed telnet and guess what... it worked!  Where's my baseball bat?  Sorry.  I find this rather embarrassing.  I apologize to you guys for wasting your time.
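The resolution above is worth turning into a habit: before blaming a firewall rule, establish what the target actually does on that port. A telnet client prints "Connected to ..." the moment the TCP handshake completes and then waits for the server to speak first, so a port that accepts connections but runs something other than telnetd (or nothing that talks) gives exactly the "it connected, but nothing was displayed" symptom described earlier in the thread. As an added example, not code from the thread or from Microsoft, the following Python probe separates the outcomes an admin tends to lump together as "blocked": no answer at all (a dropping firewall), an RST from the host (reachable, nothing listening), a connection that opens but stays silent, and a real banner. The local stand-in listener, its banner and the loopback addresses are constructed for the demo.

```python
import socket
import threading
from typing import Tuple


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[str, bytes]:
    """Open TCP to host:port and wait for the server's first bytes.
    Returns (outcome, data) where outcome is one of:
      'filtered'     no SYN/ACK or RST within `timeout` (what a dropping firewall looks like)
      'refused'      the host answered with RST (reachable host, nothing listening)
      'open-silent'  connected, but the server sent nothing before `timeout`
      'open-reset'   connected, then the server tore the connection down
      'open-banner'  connected and the server spoke first (what a telnet daemon does)
    Anything else is reported as 'error:<errno>', e.g. no route to the host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "open-silent", b""
            except ConnectionResetError:
                return "open-reset", b""
            return ("open-banner", data) if data else ("open-silent", b"")
    except socket.timeout:
        return "filtered", b""
    except ConnectionRefusedError:
        return "refused", b""
    except OSError as exc:  # e.g. "Network is unreachable": a routing problem, not a rule
        return f"error:{exc.errno}", b""


def serve_once(banner: bytes = b"", hold: float = 2.0) -> int:
    """Constructed local stand-in for the remote host (not a real telnet daemon):
    accepts one connection on 127.0.0.1, sends `banner` if non-empty, keeps the
    connection open for `hold` seconds, then closes. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        srv.settimeout(10)
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            srv.close()
            return
        with conn:
            if banner:
                conn.sendall(banner)
            conn.settimeout(hold)
            try:
                conn.recv(1)  # wait for the client to hang up, or for `hold` to elapse
            except OSError:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a local port that nothing is listening on (bind, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Three targets that all "connect" differently; only the first is telnet-like.
    print("telnet-like :", probe_tcp("127.0.0.1", serve_once(b"\r\nlogin: "), timeout=1.0))
    print("open-silent :", probe_tcp("127.0.0.1", serve_once(), timeout=1.0))
    print("refused     :", probe_tcp("127.0.0.1", closed_port(), timeout=1.0))
```

Run from the SecureNAT client against the real address, `probe_tcp(host, 23)` gives a one-word answer that maps onto the firewall question: 'filtered' points at an ISA rule or the default route, 'refused' or 'open-silent' means packets are getting through and back and the problem is on the far end, and 'open-banner' is the working case. Running the same probe from a Firewall Client machine alongside the Unix box isolates the SecureNAT configuration from the rule set, which is the comparison the first reply in this thread asked for.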
 

Author Comment

by:Arin
ID: 8036723
PS.  I'm awarding nouellette the points for being so patient and helping me through this ordeal.
