ISA Server 2000 with Blackboard Application

Posted on 2004-12-01
Medium Priority
Last Modified: 2008-05-29
I am trying to figure out how to do the following with ISA Server 2000.  I have an application that requires that I open up all ports between the external server and my internal server.  Their (the software vendor's) instructions on how to do this are below.  I have one ISA server with two NICs, one internal, one external.  The server inside the firewall that I need to allow access to has about 8 different IP addresses, and the external NIC of the ISA server has about 12 IP addresses on it.  Their description of how the communication takes place is found in the paragraph below.  I am in over my head on this one.

Firewall software and hardware rules and interfaces for manipulating those rules vary widely, but customers in these kinds of topologies have had success with configurations that allow packets from any port on cartridges.blackboard.com to arrive at any port on their local server only if the local server initiated the connection. The local server will typically grab the first available port greater than 1024 to make the outbound connection, and wait on that port for a response. The validation server doesn't initiate any new connections from its side; it just responds to the initial request on the same established channel, since the CCAP connection is bi-directional (the inbound packets will be seen to come from the validation server's port 80, regardless of which port the validation server actually uses to send the packets).

Question by:jkelley53

Accepted Solution

timSA earned 1500 total points
ID: 12737858
First of all, opening all the ports is a major security risk.  If I understand you and the vendor correctly, your situation is typical and easy to configure.

First, for simplicity and troubleshooting, you have to have a Site and Content rule and a Protocol rule allowing any outgoing protocols and any Internet site access for all internal clients.  This is technically called an "anonymous" rule.  If you do have the anonymous rule, then simply use the Blackboard application from a machine.

Usually, the Blackboard application will initiate a connection from your internal network via ISA to blackboard.com at a port (say 400, for example; this port is set by the Blackboard programmers and is supposedly well-known).  The application also tells the blackboard.com machine to respond back at a random port number above 1024 (say 3000, for example).  So,

Your machine:3000 ---> sends packets to ----> blackboard.com:400
Your machine:3000 <--- blackboard.com sends its response to your machine's port 3000 <---- blackboard.com

If I understand your vendor correctly, they are saying their server will always use port 80 regardless of what port your machine asked their system to respond to.  So if that's the case, create a server publishing rule and publish the machine where the Blackboard application will run.  Allow only port 80 to come in for this Blackboard application machine.

Hopefully, I didn't confuse you more!
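The traffic pattern the vendor paragraph in the question and the answer above both describe (reply packets from cartridges.blackboard.com allowed back to the local server only if the local server initiated the connection, versus simply opening all ports) is easier to reason about as a stateful filter. The following is an added illustration written for this thread; it is not code from the original posts, from Blackboard, or from ISA Server 2000. The internal address 192.168.1.10, the ephemeral port 3000, the 203.0.113.5 stranger and the use of the hostname cartridges.blackboard.com as the peer identifier are all constructed for the example; port 80 is the reply port the vendor text names.

```python
"""Stateful 'allow replies only if we initiated' filter versus an 'open all ports' rule.

Constructed example for the ISA Server / Blackboard thread; not ISA Server code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address (IP, or a hostname used as an identifier here)
    sport: int      # source port
    dst: str        # destination address
    dport: int      # destination port
    direction: str  # "out" = internal -> external, "in" = external -> internal
    syn: bool = False  # True on the packet that opens a new connection


class StatefulFilter:
    """Allow inbound packets from an allowed peer only on a connection the
    internal server opened, matching on (local address, local port, peer).
    The peer's source port is deliberately ignored, because the vendor says
    replies may arrive from 'any port' on cartridges.blackboard.com."""

    def __init__(self, internal_server: str, allowed_peers):
        self.internal = internal_server
        self.allowed_peers = set(allowed_peers)  # plays the role of an ISA destination set
        self.sessions = set()                    # (local_ip, local_port, peer) state table

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Only the published internal server may talk, only to listed peers,
            # and only from an ephemeral (>1024) port as the vendor describes.
            if pkt.src != self.internal or pkt.dst not in self.allowed_peers or pkt.sport <= 1024:
                return "DENY"
            key = (pkt.src, pkt.sport, pkt.dst)
            if pkt.syn:
                self.sessions.add(key)   # the local server initiated: remember it
                return "ALLOW"
            return "ALLOW" if key in self.sessions else "DENY"
        # Inbound: allowed only if it is a reply on a connection we opened.
        key = (pkt.dst, pkt.dport, pkt.src)
        return "ALLOW" if key in self.sessions else "DENY"


def open_all_ports(pkt: Packet, internal_server: str, peer: str) -> str:
    """The rule the vendor instructions literally ask for: any port, either
    direction, between the two hosts, with no notion of who initiated."""
    return "ALLOW" if {pkt.src, pkt.dst} == {internal_server, peer} else "DENY"


def run_scenario() -> dict:
    """Run the same constructed packet sequence through both rule styles."""
    local, peer = "192.168.1.10", "cartridges.blackboard.com"   # constructed
    fw = StatefulFilter(internal_server=local, allowed_peers={peer})
    packets = [
        # 1. local server opens the CCAP connection from ephemeral port 3000 to peer:80
        Packet(local, 3000, peer, 80, "out", syn=True),
        # 2. reply on the established channel, seen from the peer's port 80
        Packet(peer, 80, local, 3000, "in"),
        # 3. reply that appears from some other peer port ("any port" per the vendor)
        Packet(peer, 4444, local, 3000, "in"),
        # 4. unsolicited inbound to a port the local server never opened
        Packet(peer, 80, local, 3001, "in"),
        # 5. inbound from a host that is not in the destination set at all
        Packet("203.0.113.5", 80, local, 3000, "in"),
    ]
    return {
        "stateful": [fw.filter(p) for p in packets],
        "open_all_ports": [open_all_ports(p, local, peer) for p in packets],
    }


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(f"{name:15s} {decisions}")
```

Packet 4 is the point of the exercise: the stateful rule denies it because nothing on the local server initiated a connection on port 3001, while the "open all ports" rule lets it through to whatever happens to be listening there. A real firewall also ages sessions out of the state table and checks TCP sequence numbers; this simulation keeps only the initiation check that the thread is about.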


Author Comment

ID: 12737947
Thanks.  I just talked with Microsoft and they suggested I install the Firewall Client.  The Blackboard server (the one making the outbound connection from my network) was a SecureNAT client until we tried the Firewall Client.  The Firewall Client, combined with adding a specific destination set with the cartridges.blackboard.com server in it, seemed to do the trick.  Everything is working now.

You get the points since you were the first one to post some info for me.  Thanks.


Expert Comment

ID: 12738148
Thanks for the points.  I am surprised MS suggested you use the Firewall Client.  All servers should be SecureNAT clients.  But your situation may be an exception.
