Solved

How to get thru Firewall with Outlook Web Access.

Posted on 2003-12-05
Last Modified: 2008-03-10
Portable computers can use OWA until I turn on the firewall. They then get IE6 error message "the page cannot be displayed".  

Can someone give me some pointers on the best way to get through the firewall?  I've read q280132, but it leaves me cold (WAY too many ports). I've also researched about a dozen EE questions, but most of them are for more complicated environments and/or involved a lot of jargon that I don't understand.

RBERKE

Windows 2000 small business server (Exchange 5.5) and IE6 clients.

The firewall is a speedstream 5861 DSL router.  

I'm not using SSL, but I plan on switching to it soon and will do it now if it helps resolve the problem.

The 5861 system log shows the following errors every time someone tries to get through.

12/05/2003-13:28:28:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:28:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
12/05/2003-13:28:31:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:31:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
12/05/2003-13:28:37:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:37:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag

The firewall script has the following filters  (I'm only showing those relating to 80 and 443)
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
save

Router port mapping
Protocol | First Port# | Last Port# | IP Address      | Port#
TCP      | 80          | 80         | 192.168.254.251 | 80


Other router settings

GENERAL INFORMATION FOR <>
  System started on.................... 12/4/2003 at 10:12
  Authentication override.............. none
  Server(s) (IP Translation) .......... 192.168.254.251 proto-TCP port-HTTP
  Mapping(s) (IP Translation) ......... 192.168.254.251 to 192.168.254.251 mapped on
                                        67.39.222.209 to 67.39.222.209 (1 entries)
  WAN to WAN Forwarding................ yes
  Block NetBIOS Default................ no
  BOOTP/DHCP Server address............ none
  Telnet Port.......................... default (23)
  Telnet Clients....................... all
  SNMP Port............................ default (161)
  SNMP Clients......................... LAN
                                        LAN
  HTTP Port............................ default (80)
  HTTP Clients......................... all
  Syslog Port.......................... default (514)
  Allowed Syslog Servers............... LAN
                                        LAN
  Default Syslog Servers............... none
  System message:
Question by rberke (LVL 5)

12 Comments

Expert Comment by JasonBigham (LVL 8)

How about:

remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -sp 443 internet
remote ipfilter insert output accept -p tcp -dp 443 internet
remote ipfilter insert input drop internet
remote ipfilter insert output drop internet

Author Comment by rberke (LVL 5)

No, insert just puts the filter at the top of the list while append puts it at the bottom. I didn't show it, but the script starts out with a flush command so your script is equivalent to mine.

Expert Comment by JasonBigham (LVL 8)

Yes, sorry... not a router guru. How about:

# Should only allow HTTP/SSL to server 67.39.222.209 from the internet
remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet
remote ipfilter insert input accept -p tcp -dp 443 -da 67.39.222.209 -dm 255.255.255.255 internet

#Generic allowance of incoming HTTP/SSL to your network from the internet
remote ipfilter insert input accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -dp 443 internet

#drop everything else
remote ipfilter insert input drop -p tcp -p udp internet

Expert Comment by JasonBigham (LVL 8)

I think your usage of -sp and -dp were backwards... "think"

Expert Comment by JasonBigham (LVL 8)

I might be backwards though

Author Comment by rberke (LVL 5)

I am also not a router guru, but the script was provided by the router manufacturer when SBC installed the router a year ago. It is the standard "medium security" firewall for everyone that bought an Efficient 5861 that month.  There were no modifications made for exchange/web access etc.    -sp means sending port, and -dp means destination port.  But, I get confused also, which is why I hope to find an expert.

I'm in the middle of a muddle right now, so I won't be able to do your suggestions till next week.  

In the meantime, I encourage other experts to respond if they think they know what to do.  

If two people respond, I'll bump the points to 500 and give 250 each.
Accepted Solution by JasonBigham (LVL 8, earned 250 total points)

Yes, the -sp and -dp do confuse it a bit but here is how I see it.

remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet

This statement is saying to allow any traffic destined for port 80 and to direct it to 67.39.22.209. That's why I was inclined to believe that it was -dp instead of -sp. Did it not work? If not, that's all I got :-(

Author Comment by rberke (LVL 5)

Yep, that works.  In fact, I only used the single line from your 3:26pm post, none of the others.

But, several things still confuse me.  

Q1. The manufacturer's script has about 20 lines that all follow this format:

remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet

the input accept's all mention source port
the output accept's all mention destination port

but your command goes the opposite way, the input references the destination port
remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet

Q 2.  the manufacturer's script ends with  

  remote ipfilter append input drop internet

Your suggestion (which I have not yet taken) terminates
  remote ipfilter insert input drop -p tcp -p udp internet

What’s the difference?

Q3.  The manufacturer’s script always has pairs, one for tcp and one for udp.

remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append input accept -p udp -sp 80 internet

Is the following equivalent?
 remote ipfilter append input accept -p tcp -p udp -sp 80 internet

Expert Comment by JasonBigham (LVL 8)

Q1.

If I understand correctly, the first one is allowing internet traffic in, from the internet, via port 80. The second one is the opposite... allowing internet traffic out, to the internet, via port 80

Q2.

remote ipfilter append input drop internet

If I understand correctly, this says to drop all traffic. So, if you don't have any entries above it, no traffic whatsoever will be allowed.

Q3.

I think they are assuming that if something is coming in, it probably goes out as well on the same port. Not sure though, depends if my assumptions on Q1 are correct. Don't add any more than you need to get this working though. If only my one line meets all your needs, then that is the most secure.

I think this is the opposite, and would be saying to allow your LAN traffic access past the router (to the internet in your scenario) to udp/tcp ports 80. Not sure if you need the udp entry though.

remote ipfilter append input accept -p tcp -p udp -sp 80 internet


Author Comment by rberke (LVL 5)

So I'm getting closer to understanding.  One last question.

Q4 I'm not exactly sure how firewalls use masks, but I think that -dm 255.255.255.255 is the default mask.  It doesn't seem to matter if I include it or exclude it, they both work.  

Right now, my script has the following statement at the end
   remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 internet

If you think the -dm 255.255.255.255 is important, let me know.

In the meantime, I'm closing the question and awarding points.  Thanks for your help.


Expert Comment by JasonBigham (LVL 8)

I bet the default behavior is to be broadcast (255.255.255.255) thus it works with or without. If you narrowed it down, then you would be narrowing down the number of hosts that could get in. This could be handy if you knew all the IP's of your OWA users, but probably a bit unnecessary when SSL, VPN, etc is available. Again, not sure though... not a router guy.

Author Comment by rberke (LVL 5)

> not a router guy
A partial expert is better than no expert

Thanks again
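The thread settles on a one-line fix without anyone being sure why `-sp 80` failed and `-dp 80` worked (the accepted solution, Q1 and Q4). The script below is an added example, not code from the thread or from the router vendor: a small model of the 5861's ipfilter rules that parses the IP-FILTER log lines quoted in the question and evaluates each logged packet against the vendor rule set and against the accepted fix. Its assumptions, which are mine and not documented on the page: rules are checked top to bottom and the first match wins, with anything unmatched dropped; `-sp`/`-dp` compare source/destination port; `-da` with `-dm` is a destination address under a netmask (so `255.255.255.255` means exactly that one host and `255.255.255.0` means the whole /24); a rule with no port or address options matches every packet in its direction. Under that model the vendor's `input accept -sp 80` rule admits replies coming back from remote web servers (source port 80) but not a fresh connection to the OWA server (destination port 80), which is exactly what the dropped SYNs in the log show. Note also that these rules are stateless: the `-sp 80` rule accepts any inbound packet whose source port is 80, whether or not a LAN host started that conversation, and `-da`/`-dm` scope which internal addresses are reachable, not which internet clients may connect.

```python
"""Model of SpeedStream-style ipfilter rules (added example; semantics are assumed, see lead-in)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: two of the IP-FILTER entries quoted in the question.
SAMPLE_LOG = """\
12/05/2003-13:28:28:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:28:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
12/05/2003-13:28:31:IP-FILTER: I:PROTO 6 (TCP) pkt       from 67.39.222.214/43837
12/05/2003-13:28:31:IP-FILTER:             to 67.39.222.209/80 dropped, SYN Flag
"""

# Vendor "medium security" rules as shown in the question (80/443 part only).
VENDOR_SCRIPT = [
    "remote ipfilter append input accept -p tcp -sp 80 internet",
    "remote ipfilter append output accept -p tcp -dp 80 internet",
    "remote ipfilter append input accept -p tcp -sp 443 internet",
    "remote ipfilter append output accept -p tcp -dp 443 internet",
    "remote ipfilter append input drop internet",
    "remote ipfilter append output drop internet",
]
# The accepted fix; 'insert' places it at the top of the list.
FIXED_SCRIPT = VENDOR_SCRIPT + [
    "remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.255 internet",
]
# Same fix with a /24 mask, constructed here to show what -dm changes.
WIDE_MASK_SCRIPT = VENDOR_SCRIPT + [
    "remote ipfilter insert input accept -p tcp -dp 80 -da 67.39.222.209 -dm 255.255.255.0 internet",
]


@dataclass(frozen=True)
class Packet:
    direction: str  # "input" = arriving from the internet, "output" = leaving to it
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str
    protos: frozenset[str]             # empty = any protocol
    sp: int | None                     # -sp: source port
    dp: int | None                     # -dp: destination port
    da: ipaddress.IPv4Network | None   # -da/-dm: destination address under mask


FROM_RE = re.compile(r"IP-FILTER: ([IO]):PROTO \d+ \((\w+)\) pkt\s+from ([\d.]+)/(\d+)")
TO_RE = re.compile(r"IP-FILTER:\s+to ([\d.]+)/(\d+) (dropped|accepted)")


def parse_log(text: str) -> list[tuple[Packet, str]]:
    """Pair each 'from' line with the following 'to' line; return (packet, router verdict)."""
    out, pending = [], None
    for line in text.splitlines():
        if m := FROM_RE.search(line):
            pending = m.groups()
        elif (m := TO_RE.search(line)) and pending:
            io, proto, src, sport = pending
            dst, dport, verdict = m.groups()
            out.append((Packet("input" if io == "I" else "output", proto.lower(),
                               src, int(sport), dst, int(dport)), verdict))
            pending = None
    return out


def parse_rule(cmd: str) -> tuple[str, Rule]:
    """Parse 'remote ipfilter <append|insert> <dir> <action> [opts] internet'."""
    tok = cmd.split()
    mode, direction, action, opts = tok[2], tok[3], tok[4], tok[5:-1]
    protos, sp, dp, da, dm = set(), None, None, None, "255.255.255.255"
    for flag, val in zip(opts[::2], opts[1::2]):
        if flag == "-p":
            protos.add(val)
        elif flag == "-sp":
            sp = int(val)
        elif flag == "-dp":
            dp = int(val)
        elif flag == "-da":
            da = val
        elif flag == "-dm":
            dm = val
        else:
            raise ValueError(f"unsupported option {flag}")
    net = ipaddress.IPv4Network((da, dm), strict=False) if da else None
    return mode, Rule(direction, action, frozenset(protos), sp, dp, net)


def build_ruleset(script: list[str]) -> list[Rule]:
    """'append' adds at the bottom, 'insert' at the top, as the thread describes."""
    rules: list[Rule] = []
    for cmd in script:
        mode, rule = parse_rule(cmd)
        if mode == "insert":
            rules.insert(0, rule)
        else:
            rules.append(rule)
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (not rule.protos or pkt.proto in rule.protos)
            and (rule.sp is None or pkt.sport == rule.sp)
            and (rule.dp is None or pkt.dport == rule.dp)
            and (rule.da is None or ipaddress.IPv4Address(pkt.dst) in rule.da))


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins (assumed); a packet matching nothing is treated as dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


# Constructed packets: a remote web server's reply to a LAN browser, and a request
# to a different address in the same /24 as the OWA server.
WEB_REPLY = Packet("input", "tcp", "198.51.100.10", 80, "67.39.222.209", 3045)
OTHER_HOST = Packet("input", "tcp", "67.39.222.214", 43837, "67.39.222.210", 80)

if __name__ == "__main__":
    sets = {"vendor": VENDOR_SCRIPT, "fixed": FIXED_SCRIPT, "wide mask": WIDE_MASK_SCRIPT}
    for pkt, verdict in parse_log(SAMPLE_LOG):
        print(f"logged {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}, router said {verdict}")
        for name, script in sets.items():
            print(f"  {name:9s}: {evaluate(build_ruleset(script), pkt)}")
    for name, script in sets.items():
        rs = build_ruleset(script)
        print(f"{name:9s}: web reply {evaluate(rs, WEB_REPLY)}, other host {evaluate(rs, OTHER_HOST)}")
```

Running it shows the logged SYN dropped under the vendor rules and accepted under the fix, the web-server reply accepted by both (so LAN browsing never broke), and the packet to 67.39.222.210 accepted only once the mask is widened to 255.255.255.0, which is the practical difference the Q4 exchange was circling around.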