Arin
asked on
Unix SecureNAT through ISA Server.
I am attempting to telnet through an ISA server from a Unix based system. I have made the Unix box a SecureNAT client, but I am unable to successfully telnet. The log files keep stating that it's blocked, but I have telnet listed in the protocol rules as allowed. As I can tell there aren't any restrictions on the access policies. I have enabled IP Routing on the ISA server. Any help/explination of what I could be doing wrong would be greatly appreciated. Thanks.
ASKER
Thanks for the reply,
All my Windows firewall clients seem to be able to telnet fine.
Yes, the Unix box has been set as a secureNAT client.
I created an allow rule with the predefined telnet protocol listed as port 23.
All my Windows firewall clients seem to be able to telnet fine.
Yes, the Unix box has been set as a secureNAT client.
I created an allow rule with the predefined telnet protocol listed as port 23.
Ok Arin,
I got some more documentation on SecureNat clients...I've pasted some good text below...some you might find repetative, some you might find useful!
You make a machine a SecureNAT client when you point its default gateway to an interface that routes Internet bound requests to the internal interface of the ISA Server. The default gateway is the IP address of the internal interface of the ISA Server if the client is on the same network ID as the internal interface of the ISA Server.
If you have a routed network, and the SecureNAT client is remote from the internal interface of the ISA Server, then you make the default gateway a router interface that provides the shortest route to the internal interface of the ISA Server.
One of the more problematic issues on these small networks is host name resolution for SecureNAT clients. The ISA Server will not resolve host names on the behalf of SecureNAT clients. Unlike Web Proxy and Firewall Clients, you must configure the SecureNAT client with the address of a DNS server.
If you do not have an internal DNS server, then you need to configure the SecureNAT clients to use an external DNS Server. This will likely be your ISPs DNS Server. The DNS server address can be configured on the SecureNAT clients manually, or you can have a DHCP server assign DNS server address(es).
Whether you install a DNS Server on your internal network, or configure your SecureNAT clients to use a DNS Server on the Internet, there must be a Protocol Rule allowing SecureNAT clients to make DNS queries to external DNS servers.
The SecureNAT client is your only solution for non-Windows clients that need access to protocols other than "Web Protocols" (HTTP, HTTPS, FTP and Gopher). However, there are some issues with the SecureNAT client that can bite you if you're not aware of them:
Access is limited to those protocols included in Protocol Definitions
SecureNAT requires Application Filters for complex protocols
No user/group based authentication for network access
Access Limited to Protocol included in the ISA Server's Protocol Definitions
The SecureNAT client depends on existing protocol definitions to access Internet applications on remote hosts. This creates a problem if you would like to have wide open outbound Internet access for your internal clients.
Hope that helps...looks like you need to define a DNS server for name resolution on that Unix box as well as creating an application filter for your telnet access (not sure what type of rule you created for Telnet access)...lastly you need to create a Client Address Set for this machine based on IP address to allow outbound access.
I got some more documentation on SecureNat clients...I've pasted some good text below...some you might find repetative, some you might find useful!
You make a machine a SecureNAT client when you point its default gateway to an interface that routes Internet bound requests to the internal interface of the ISA Server. The default gateway is the IP address of the internal interface of the ISA Server if the client is on the same network ID as the internal interface of the ISA Server.
If you have a routed network, and the SecureNAT client is remote from the internal interface of the ISA Server, then you make the default gateway a router interface that provides the shortest route to the internal interface of the ISA Server.
One of the more problematic issues on these small networks is host name resolution for SecureNAT clients. The ISA Server will not resolve host names on the behalf of SecureNAT clients. Unlike Web Proxy and Firewall Clients, you must configure the SecureNAT client with the address of a DNS server.
If you do not have an internal DNS server, then you need to configure the SecureNAT clients to use an external DNS Server. This will likely be your ISPs DNS Server. The DNS server address can be configured on the SecureNAT clients manually, or you can have a DHCP server assign DNS server address(es).
Whether you install a DNS Server on your internal network, or configure your SecureNAT clients to use a DNS Server on the Internet, there must be a Protocol Rule allowing SecureNAT clients to make DNS queries to external DNS servers.
The SecureNAT client is your only solution for non-Windows clients that need access to protocols other than "Web Protocols" (HTTP, HTTPS, FTP and Gopher). However, there are some issues with the SecureNAT client that can bite you if you're not aware of them:
Access is limited to those protocols included in Protocol Definitions
SecureNAT requires Application Filters for complex protocols
No user/group based authentication for network access
Access Limited to Protocol included in the ISA Server's Protocol Definitions
The SecureNAT client depends on existing protocol definitions to access Internet applications on remote hosts. This creates a problem if you would like to have wide open outbound Internet access for your internal clients.
Hope that helps...looks like you need to define a DNS server for name resolution on that Unix box as well as creating an application filter for your telnet access (not sure what type of rule you created for Telnet access)...lastly you need to create a Client Address Set for this machine based on IP address to allow outbound access.
ASKER
Hmm...
I have an internal DNS, but I wouldn't figure that DNS would be a problem. My Unix guys are attempting to connect via IP not by name, so I wouldn't figure DNS would be the issue. I don't think that telnet is a complex protocol so I wouldn't need any application filters, but I'm not sure about his. I'll have to see what defines a complex protocol. I've already created a client address set for my test Unix system with the rules set to allow it.
This is what is stumping me. From everything I've read what I have setup should be working, but it's not. I'll check about the application filter though. Thanks again for the help.
I have an internal DNS, but I wouldn't figure that DNS would be a problem. My Unix guys are attempting to connect via IP not by name, so I wouldn't figure DNS would be the issue. I don't think that telnet is a complex protocol so I wouldn't need any application filters, but I'm not sure about his. I'll have to see what defines a complex protocol. I've already created a client address set for my test Unix system with the rules set to allow it.
This is what is stumping me. From everything I've read what I have setup should be working, but it's not. I'll check about the application filter though. Thanks again for the help.
I agree with you...but it seems SecureNat does have a few shortcomings...but what do you expect from a Microsoft product? heheh. Actually it's a pretty decent alternative nonetheless.
I would just test a few things...even though you may already have a Telnet Protocol definition, try creating an application filter for it..just to test it.
If you can't telnet to your destination...can you ping it from the Unix box? Can you ping it by name? (just to test resolution)...but then again you said you're telnetting by IP and not by name anyway.
I would just test a few things...even though you may already have a Telnet Protocol definition, try creating an application filter for it..just to test it.
If you can't telnet to your destination...can you ping it from the Unix box? Can you ping it by name? (just to test resolution)...but then again you said you're telnetting by IP and not by name anyway.
ASKER
I've actually never created an application filter before, but I guess it wouldn't hurt to learn how and test it. ^_^
I did find something interesting... Last night before I went home I changed the properties of the server and removed the authentication from outgoing web requests. I set the server to reboot early this morning since it's a production server and I can't do that stuff in the middle of the day. I tried to telnet again this morning and it connected, but nothing was displayed. I check the logs and it seems to be blocking the external system from coming back in. I'm not sure exactly what this means, since I'm new to ISA, but it doesn't make me comfortable to remove any security. I think I'll be hitting the book store and buying a book today. ^_^
When I attempt to ping from the Unix system, I get no response. The ICMP reply is being blocked by the ISA server, so says the logs. I have not attempted to ping by name on the Unix system.
I did find something interesting... Last night before I went home I changed the properties of the server and removed the authentication from outgoing web requests. I set the server to reboot early this morning since it's a production server and I can't do that stuff in the middle of the day. I tried to telnet again this morning and it connected, but nothing was displayed. I check the logs and it seems to be blocking the external system from coming back in. I'm not sure exactly what this means, since I'm new to ISA, but it doesn't make me comfortable to remove any security. I think I'll be hitting the book store and buying a book today. ^_^
When I attempt to ping from the Unix system, I get no response. The ICMP reply is being blocked by the ISA server, so says the logs. I have not attempted to ping by name on the Unix system.
Yeah you'll have to allow ICMPs out of your network in order to ping out.
Before hitting the bookstore, try www.isaserver.org its an awesome resource for ISA and Ive spent countless hours on it since the day it was born. It's probably going to be more valuable than any book you buy!
Not sure why ISA was blocking the inbound communication from your telnet sesssion but makes sense why you couldnt see any information. I'm not EXACTLY sure the inner workings of the difference between allowing protocols or application filters...but I'm guessing just allowing outbound TCP, port 23 isn't enough, as a response and data have to flow back in. That's probably why appilcation filters are best for this perhaps.
Before hitting the bookstore, try www.isaserver.org its an awesome resource for ISA and Ive spent countless hours on it since the day it was born. It's probably going to be more valuable than any book you buy!
Not sure why ISA was blocking the inbound communication from your telnet sesssion but makes sense why you couldnt see any information. I'm not EXACTLY sure the inner workings of the difference between allowing protocols or application filters...but I'm guessing just allowing outbound TCP, port 23 isn't enough, as a response and data have to flow back in. That's probably why appilcation filters are best for this perhaps.
ASKER
According to the logs, the ping goes out, but it blocks the reply. I'm not sure why this is if it's a NAT client.
I've been to isaserver.org and I've tried all the suggestions that I've found there. This is driving me crazy and figured it wouldn't hurt to ask. I'm afraid this situation will result in me having to rebuild the server.
I'll head over to isaserver.org and check out application filters since I never considered it an option before. It just seems to me it's breaking the rules of NAT if it doesn't work. It's supposed to know where to send replies from the outside to the original requester.
Thanks for all the help.
I've been to isaserver.org and I've tried all the suggestions that I've found there. This is driving me crazy and figured it wouldn't hurt to ask. I'm afraid this situation will result in me having to rebuild the server.
I'll head over to isaserver.org and check out application filters since I never considered it an option before. It just seems to me it's breaking the rules of NAT if it doesn't work. It's supposed to know where to send replies from the outside to the original requester.
Thanks for all the help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
nouellette,
I picked up the book they advertise on isaserver.org today at lunch. Configuring ISA server 2K. I'll let you know if it's worth it! ^_^ Hopefully this will shed some light on the areas that I'm fuzzy on and help me with understanding ISA server overall. If I run across my answer I'll let you know. Thanks again for the help.
I picked up the book they advertise on isaserver.org today at lunch. Configuring ISA server 2K. I'll let you know if it's worth it! ^_^ Hopefully this will shed some light on the areas that I'm fuzzy on and help me with understanding ISA server overall. If I run across my answer I'll let you know. Thanks again for the help.
ASKER
Okay. I've made a Windows system a secureNAT client as well and it's acting the same way. It has to be something setup in a rule somewhere. I think it may have something to do with the authentication. I'm going to change it back and see if it reacts the same way. That will give me a direction to go in.
Hi Arin. Just to make sure, you need to right click on the ISA Server name just below Server and Arrays in the MMC, choose properties. Under Outgoing Web Requests, click on your ISA Server name and choose edit, look to see if you have the integrated box checked. This will allow *nix boxes to be secure nat boxes. Also, make sure that you have enabled Telnet in your Site and Content Rule.
ASKER
Thanks for the reply pmarquardt.
Yes the authentication method is set to "Integrated". Telnet has also been setup in the rules.
Yes the authentication method is set to "Integrated". Telnet has also been setup in the rules.
ASKER
Arrrgh! I figured it out. The Unix guys gave me an address that doens't work with telnet. I found some public sites that allowed telnet and guess what... it worked! Where's my baseball bat? Sorry. I find this rather embarrasing. I apologize to you guys for wasting your time.
ASKER
PS. I'm awarding nouellette the points for being so patient and helping me through this ordeal.
how did you make that unix box a securenat client? all you have to do is simply program the default gateway of that unix box to point to the IP of the ISA server, that's it. So hopefully you did that correctly.
how did you set the telnet rule? TCP outbound port 23 or possibly port 24?