Solved

ISA - All Open and Allow rule is closing outgoing connections.

Posted on 2006-06-19
Last Modified: 2010-04-09
Hello

I have created an all open and allow rule in ISA 2004 that allows all outbound traffic to external.

I have noticed a few things about our network that are confusing:

1: The All Open and Allow rule is closing a lot of outgoing connections. The strangest part about it is that the connections are heading to unknown port numbers and IP addresses I don't recognise, in particular ports 34568, 7247, 54862 and a few others.

2: I have lost email access to the internet after an automatic server update was installed by Microsoft. Since this update I have not been able to send or receive email via Outlook (POP3, SMTP).

I do not understand a lot about ISA 2004 and have been browsing through isaserver.org, which seems to be a really good site, but haven't been able to work out why this is happening.

Regards
Gavin McMillan
Question by:gavinandrewmcmillan
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16954312
What do you mean by all open and allow?
Do you mean allow all protocols? If yes, this means allow all protocols that ISA has 'defined' in its protocol lists; not allow ALL protocols regardless of what they may be.

Are you using ISA in cache mode or in firewall mode?

If in firewall mode, are you using secureNAT (the default gateway of your client machines points to the internal NIC of the ISA)?
Have you installed the ISA firewall client?

What do you mean by 'opening and closing'?

If that is literally the text you see in the log  (configuration - logging - click on start query) then the ISA is doing its job as per the rules defined.
34568 is a port commonly used with IP telephony services.

Regarding the email, again, check the log as above whilst someone tries to make a pop connection. What is seen in the log?
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16956495
Hi Keith

ISA is running in firewall mode, I am using secureNAT and am using the firewall client.

All is working now with the POP3 email, which is good.

I have done some searching through the network and have found that several users have Skype installed on their computers, which probably accounts for the connections on strange ports and to unfamiliar IP addresses.

The issue regarding losing POP and SMTP email access has been resolved (was the host's fault). And as such I have begun moving all our email accounts over to my server instead of having them hosted by the web host.

Regards
Gavin
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 16957351
OK.

You may want to consider setting up a verifier for the future.
(Open GUI - monitoring - connectivity)

You can create 'links' to web sites, DNS servers, mail servers (almost anything). In turn, you can use the alerting (Open GUI - monitoring - alerts) to send you an internal mail or whatever if these services go down, local OR remote.

Regards
Keith
ISA MCT
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16957400
That's a handy piece of advice, I will set up the alerts!

A quick side question: I keep getting IP spoofing alerts:

Description: ISA Server detected a spoof attack from Internet Protocol (IP) address 10.0.0.1. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

10.0.0.1 is the external NIC on my ISA server. What would be causing this?

Regards
Gavin
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16957439
What is the internal subnet(s) that are listed in your internal network?

Open the GUI - configuration - networks - double-click on internal - addresses?
I have seen this, for example, when people select the option to add all of the private networks to the internal interface, forgetting that they are also using part of this range on the outside as well.

Also,
Check your MS event logs; you should find an entry for these occurrences.
Open the GUI, select configuration - monitoring.
Edit the query and change the timeline from 'live' to a time covering the events. Select update.
This will display all of the events from the database for the time period you put in.
How is the event listed in the log?
When complete, edit the query again and change the timeline back to live and update again.

Regards
keith
ISA MCT
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16989210
Sorry for the late reply, had some Exchange issues I have been dealing with again.
If I double-click internal and check the addresses, it shows 192.168.1.0 - 192.168.1.255. Should I include my external NIC?

The basic network layout is this:

Clients -----------------Server Nic1 [ISA] Server Nic2 -----------------ADSL Router
                               192.168.1.1           10.0.0.1                          10.0.0.138

Should I add 10.0.0.0 - 10.0.0.255 to the internal list?

Regards
Gavin
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16989968
No, only addresses accessible through the internal card go in here.

0
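Added example, not part of the thread and not ISA Server's own logic: a simplified Python model of an interface-based spoof check, plus an audit for the internal/external address overlap Keith describes, using the addresses from Gavin's layout. The "all private ranges" list, the /8 external subnet (from the 255.0.0.0 mask Gavin mentions later in the thread) and all function names are assumptions for illustration.

```python
import ipaddress

# Addresses from the thread; the "all private ranges" list is the
# misconfiguration Keith describes, constructed here for illustration.
INTERNAL_AS_POSTED = [("192.168.1.0", "192.168.1.255")]
INTERNAL_ALL_PRIVATE = [("10.0.0.0", "10.255.255.255"),
                        ("172.16.0.0", "172.31.255.255"),
                        ("192.168.0.0", "192.168.255.255")]
EXTERNAL_SUBNET = "10.0.0.0/8"   # external NIC 10.0.0.1, mask 255.0.0.0 (assumed)


def _in_ranges(ip, ranges):
    """True if ip lies inside any inclusive (first, last) range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def classify(src_ip, arrival_iface, internal_ranges):
    """Simplified spoof check (hypothetical model, not ISA's code).

    A source address is expected on 'internal' if it is in the internal
    network definition, otherwise on 'external'. Arriving on the other
    interface is reported as 'spoof'.
    """
    expected = "internal" if _in_ranges(src_ip, internal_ranges) else "external"
    return "ok" if arrival_iface == expected else "spoof"


def overlapping_ranges(internal_ranges, external_subnet):
    """Internal ranges that overlap the subnet on the external NIC."""
    ext = ipaddress.ip_network(external_subnet)
    hits = []
    for lo, hi in internal_ranges:
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        if any(net.overlaps(ext) for net in nets):
            hits.append((lo, hi))
    return hits


if __name__ == "__main__":
    for label, ranges in (("as posted", INTERNAL_AS_POSTED),
                          ("all private", INTERNAL_ALL_PRIVATE)):
        print(label, "| router 10.0.0.138 on external:",
              classify("10.0.0.138", "external", ranges),
              "| overlaps:", overlapping_ranges(ranges, EXTERNAL_SUBNET))
```

With the internal range as Gavin posted it, the model reports no overlap and accepts the router's address on the external side, so it does not by itself explain the alert he is seeing.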
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16990163
Hmmmmm OK, any idea why it would keep saying that 10.0.0.1 is a spoof address?

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16994561
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 17006364
Hmmm, is it because my internal subnet is vastly different to my DMZ subnet? The internal subnet is 255.255.255.0 and the DMZ subnet is 255.0.0.0.

Should I consider changing the internal subnet to 255.255.255.0?
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 17006384
Sorry, I should have asked a different question for what we have been discussing. I will start another and get you to post into it, this way you get the points you deserve.

Regards
Gavin
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17006964
No, again, the type of subnet mask you have 'should' not matter,
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 17007045
Hmmm, I'll keep looking into it.

Thanks for your help Keith!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17007054
No, thank you but I haven't closed this one out yet. We simply haven't yet found the root issue yet so I'll keep this in my active list.
0
