Solved

How to get thru Firewall with Outlook Web Access.

Posted on 2003-12-05
12
1,104 Views
Last Modified: 2008-03-10
Portable computers can use OWA until I turn on the firewall. They then get the IE6 error message "the page cannot be displayed".

Can someone give me some pointers on the best way to get through the firewall?  I've read q280132, but it leaves me cold (WAY too many ports). I've also researched about a dozen EE questions, but most of them are for more complicated environments and/or involved a lot of jargon that I don't understand.

RBERKE

Windows 2000 small business server (Exchange 5.5) and IE6 clients.

The firewall is a speedstream 5861 DSL router.  

I'm not using SSL, but I plan on switching to it soon and will do it now if it helps resolve the problem.

The 5861 system log shows the following errors every time someone tries to get through.

12/05/2003-13:28:28:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:28:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
12/05/2003-13:28:31:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:31:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
12/05/2003-13:28:37:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:37:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag

The firewall script has the following filters  (I'm only showing those relating to 80 and 443)
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
save

Router port mapping
Protocol | First Port# | Last Port# | IP Address      | Port#
TCP      | 80          | 80         | 192.168.254.251 | 80


Other router settings

GENERAL INFORMATION FOR <>
  System started on.................... 12/4/2003 at 10:12
  Authentication override.............. none
  Server(s) (IP Translation) .......... 192.168.254.251 proto-TCP port-HTTP
  Mapping(s) (IP Translation) ......... 192.168.254.251 to 192.168.254.251 mapped on
                                        67.39.222.209 to 67.39.222.209 (1 entries)
  WAN to WAN Forwarding................ yes
  Block NetBIOS Default................ no
  BOOTP/DHCP Server address............ none
  Telnet Port.......................... default (23)
  Telnet Clients....................... all
  SNMP Port............................ default (161)
  SNMP Clients......................... LAN
                                        LAN
  HTTP Port............................ default (80)
  HTTP Clients......................... all
  Syslog Port.......................... default (514)
  Allowed Syslog Servers............... LAN
                                        LAN
  Default Syslog Servers............... none
  System message:
0
Comment
Question by:rberke
12 Comments
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9884958
How about:

remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -sp 443 internet
remote ipfilter insert output accept -p tcp -dp 443 internet
remote ipfilter insert input drop internet
remote ipfilter insert output drop internet

0
 
LVL 5

Author Comment

by:rberke
ID: 9885507
No, insert just puts the filter at the top of the list while append puts it at the bottom. I didn't show it, but the script starts out with a flush command so your script is equivalent to mine.
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9885654
Yes, sorry... not a router guru. How about:

# Should only allow HTTP/SSL to server 67.39.222.209 from the internet
remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet
remote ipfilter insert input accept -p tcp -dp 443 -da 67.39.222.209 -dm 255.255.255.255 internet

#Generic allowance of incoming HTTP/SSL to your network from the internet
remote ipfilter insert input accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -dp 443 internet

#drop everything else
remote ipfilter insert input drop -p tcp -p udp internet
0

 
LVL 8

Expert Comment

by:JasonBigham
ID: 9885665
I think your usage of -sp and -dp were backwards... "think"
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9885666
I might be backwards though
0
 
LVL 5

Author Comment

by:rberke
ID: 9885759
I am also not a router guru, but the script was provided by the router manufacturer when SBC installed the router a year ago. It is the standard "medium security" firewall for everyone that bought an Efficient 5861 that month.  There were no modifications made for exchange/web access etc.    -sp means sending port, and -dp means destination port.  But, I get confused also, which is why I hope to find an expert.

I'm in the middle of a muddle right now, so I won't be able to do your suggestions till next week.  

In the meantime, I encourage other experts to respond if they think they know what to do.  

If two people respond, I'll bump the points to 500 and give 250 each.




0
 
LVL 8

Accepted Solution

by:
JasonBigham earned 250 total points
ID: 9885784
Yes, the -sp and -dp do confuse it a bit but here is how I see it.

remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet

This statement is saying to allow any traffic destined for port 80 and to direct it to 67.39.22.209. That's why I was inclined to believe that it was -dp instead of -sp. Did it not work? If not, that's all I got :-(
0
 
LVL 5

Author Comment

by:rberke
ID: 9886847
Yep, that works.  In fact, I only used the single line from your 3:26pm post, none of the others.

But, several things still confuse me.  

Q1. The manufacturer's script has about 20 lines that all follow this format:

remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet

the input accepts all mention the source port
the output accepts all mention the destination port

but your command goes the opposite way, the input references the destination port
remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet

Q 2.  the manufacturer's script ends with  

  remote ipfilter append input drop internet

Your suggestion (which I have not yet taken) terminates
  remote ipfilter insert input drop -p tcp -p udp internet

What’s the difference?

Q3.  The manufacturer’s script always has pairs, one for tcp and one for udp.

remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append input accept -p udp -sp 80 internet

Is the following equivalent?
 remote ipfilter append input accept -p tcp -p udp -sp 80 internet
0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9897275
Q1.

If I understand correctly, the first one is allowing internet traffic in, from the internet, via port 80. The second one is the opposite... allowing internet traffic out, to the internet, via port 80

Q2.

remote ipfilter append input drop internet

If I understand correctly, this says to drop all traffic. So, if you don't have any entries above it, no traffic whatsoever will be allowed.

Q3.

I think they are assuming that if something is coming in, it probably goes out as well on the same port. Not sure though, depends if my assumptions on Q1 are correct. Don't add any more than you need to get this working though. If only my one line meets all your needs, then that is the most secure.

I think this is the opposite, and would be saying to allow your LAN traffic access past the router (to the internet in your scenario) to udp/tcp ports 80. Not sure if you need the udp entry though.

remote ipfilter append input accept -p tcp -p udp -sp 80 internet


0
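The direction and ordering questions in this thread (the accepted one-line fix, and Q1/Q2 above on -sp versus -dp and the trailing drop) can be checked against a toy model of the filter list. The following Python is an added illustration, not the Speedstream firmware and not code from either poster. It assumes the router evaluates its list top to bottom with the first matching rule deciding (insert placing a rule at the top and append at the bottom, as rberke describes), that -da with -dm is a destination address plus netmask so 255.255.255.255 matches only that one host, and that repeated -p flags mean "any of these protocols". The dropped SYN is taken from the router log in the question; the LAN host 192.168.254.10 and the web server 198.51.100.7 are made-up sample addresses.

```python
"""Toy first-match packet filter using the ipfilter rule syntax from this thread.

Added illustration only, not the Speedstream firmware. Assumed semantics:
  * rules are evaluated top to bottom, first match wins; 'insert' puts a rule
    at the top of the list, 'append' at the bottom;
  * -sp/-dp match source/destination port; -da plus -dm is a destination
    address plus netmask (255.255.255.255 = exactly that one host);
  * repeated -p flags mean "any of these protocols".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    direction: str          # "input" (from internet) or "output" (to internet)
    action: str             # "accept" or "drop"
    protos: frozenset       # from -p; empty = any protocol
    sp: Optional[int]       # -sp, source port
    dp: Optional[int]       # -dp, destination port
    da: Optional[ipaddress.IPv4Network]  # -da/-dm as a destination network


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(line):
    """Parse 'remote ipfilter <insert|append> <input|output> <accept|drop> [opts] internet'."""
    toks = line.split()
    if toks[:2] != ["remote", "ipfilter"] or toks[-1] != "internet":
        raise ValueError("not an ipfilter rule: " + line)
    where, direction, action = toks[2:5]
    protos, sp, dp, da, dm = set(), None, None, None, "255.255.255.255"
    opts = toks[5:-1]
    for flag, val in zip(opts[0::2], opts[1::2]):
        if flag == "-p":
            protos.add(val)
        elif flag == "-sp":
            sp = int(val)
        elif flag == "-dp":
            dp = int(val)
        elif flag == "-da":
            da = val
        elif flag == "-dm":
            dm = val
        else:
            raise ValueError("unknown option " + flag)
    net = ipaddress.IPv4Network((da, dm), strict=False) if da else None
    return where, Rule(direction, action, frozenset(protos), sp, dp, net)


class Filter:
    def __init__(self):
        self.rules = []

    def load(self, script):
        """Apply a script's rules in order; comments and 'save' are ignored."""
        for line in script.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#") or line == "save":
                continue
            where, rule = parse_rule(line)
            if where == "insert":
                self.rules.insert(0, rule)  # top of the list
            else:
                self.rules.append(rule)     # bottom of the list
        return self

    def verdict(self, pkt):
        """First matching rule decides; a packet matching no rule is accepted (assumed default)."""
        for r in self.rules:
            if r.direction != pkt.direction:
                continue
            if r.protos and pkt.proto not in r.protos:
                continue
            if r.sp is not None and r.sp != pkt.sport:
                continue
            if r.dp is not None and r.dp != pkt.dport:
                continue
            if r.da is not None and ipaddress.ip_address(pkt.dst) not in r.da:
                continue
            return r.action
        return "accept"


# Manufacturer's "medium security" lines quoted in the question (its leading
# flush is modelled by starting from an empty Filter).
MANUFACTURER = """
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
save
"""
# The single line from the accepted solution.
OWA_FIX = "remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet"

# Constructed packets: OWA_SYN is the SYN the router log shows being dropped;
# 192.168.254.10 (LAN browser) and 198.51.100.7 (some web site) are made up.
OWA_SYN = Packet("input", "tcp", "67.39.222.214", 43837, "67.39.222.209", 80)
OWA_SYN_OTHER = Packet("input", "tcp", "67.39.222.214", 43837, "67.39.222.210", 80)
WEB_REQUEST = Packet("output", "tcp", "192.168.254.10", 52000, "198.51.100.7", 80)
WEB_REPLY = Packet("input", "tcp", "198.51.100.7", 80, "192.168.254.10", 52000)


def demo():
    """Verdicts that explain the thread: -sp 80 only admits replies to outbound browsing,
    the -dp 80 -da line admits the inbound OWA SYN, and -dm decides how many hosts it covers."""
    stock = Filter().load(MANUFACTURER)
    fixed = Filter().load(MANUFACTURER).load(OWA_FIX)
    wide = Filter().load(MANUFACTURER).load(OWA_FIX.replace("255.255.255.255", "255.255.255.0"))
    return {
        "browse_request_stock": stock.verdict(WEB_REQUEST),   # output -dp 80 rule
        "browse_reply_stock": stock.verdict(WEB_REPLY),       # input -sp 80 rule
        "owa_syn_stock": stock.verdict(OWA_SYN),              # sport 43837: no -sp 80 match, hits drop
        "owa_syn_fixed": fixed.verdict(OWA_SYN),              # -dp 80 -da .209/32 inserted at the top
        "other_host_fixed": fixed.verdict(OWA_SYN_OTHER),     # .210 is outside the /32
        "other_host_wide_mask": wide.verdict(OWA_SYN_OTHER),  # a /24 mask admits the whole block
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:24s} {v}")
```

Run it and the stock ruleset drops OWA_SYN while accepting WEB_REPLY, which is exactly the log the question shows: the manufacturer's "-sp 80" input rule is written for replies coming back from web servers, whose source port is 80, not for a browser whose destination port is 80. The accepted line is the first rule that looks at the destination port, and because it is inserted it is consulted before the trailing drop. Swapping the mask for 255.255.255.0 widens the accept from one host to the whole block, which is the effect of -dm that Q4 below asks about.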
 
LVL 5

Author Comment

by:rberke
ID: 9897836
So I'm getting closer to understanding.  One last question.

Q4 I'm not exactly sure how firewalls use masks, but I think that -dm 255.255.255.255 is the default mask.  It doesn't seem to matter if I include it or exclude it, they both work.  

Right now, my script has the following statement at the end
   remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 internet

If you think the -dm 255.255.255.255 is important, let me know.

In the meantime, I'm closing the question and awarding points.  Thanks for your help.

0
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9897873
I bet the default behavior is to be broadcast (255.255.255.255) thus it works with or without. If you narrowed it down, then you would be narrowing down the number of hosts that could get in. This could be handy if you knew all the IP's of your OWA users, but probably a bit unnecessary when SSL, VPN, etc is available. Again, not sure though... not a router guy.
0
 
LVL 5

Author Comment

by:rberke
ID: 9898289
> not a router guy
A partial expert is better than no expert

Thanks again
0
