Solved

ISA - All Open and Allow rule is closing outgoing connections.

Posted on 2006-06-19
393 Views
Last Modified: 2010-04-09
Hello

I have created an all open and allow rule in ISA 2004 that allows all outbound traffic to external.

I have noticed a few things about our network that is confusing:

1: The All Open and Allow rule is closing a lot of outgoing connections. The strangest part about it is that the connections are heading to unknown port numbers and IP addresses I don't recognise, in particular ports 34568, 7247, 54862 and a few others.

2: I have lost email access to the internet after an automatic server update was installed by Microsoft. Since this update I have not been able to send or receive email via Outlook (POP3, SMTP).

I do not understand a lot about ISA 2004 and have been browsing through isaserver.org, which seems to be a really good site, but haven't been able to work out why this is happening.

Regards
Gavin McMillan
0
Question by:gavinandrewmcmillan
14 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16954312
What do you mean by all open and allow?
Do you mean allow all protocols? If yes, this means allow all protocols that ISA has 'defined' in its protocol lists; not allow ALL protocols regardless of what they may be.

Are you using ISA in cache mode or in firewall mode?

If in firewall mode, are you using SecureNAT (the default gateway of your client machines points to the internal NIC of the ISA)?
Have you installed the ISA firewall client?

What do you mean by 'opening and closing'?

If that is literally the text you see in the log (configuration - logging - click on start query) then the ISA is doing its job as per the rules defined.
34568 is a port commonly used with IP telephony services.

Regarding the email, again, check the log as above whilst someone tries to make a pop connection. What is seen in the log?
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16956495
Hi Keith

ISA is running in firewall mode, I am using SecureNAT and am using the firewall client.

All is working now with the pop3 email, which is good.

I have done some searching through the network and have found that several users have Skype installed on their computers, which probably accounts for the connections on strange ports and to unfamiliar IP addresses.

The issue regarding losing POP and SMTP email access has been resolved (was the host's fault). And as such I have begun moving all our email accounts over to my server instead of having them hosted by the web host.

Regards
Gavin
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 16957351
OK.

You may want to consider setting up a verifier for the future.
(Open GUI - monitoring - connectivity)

You can create 'links' to web sites, dns servers, mail servers (almost anything). In turn, you can use the alerting (Open GUI - monitoring - alerts) to send you an internal mail or whatever if these services go down, local OR remote.

Regards
Keith
ISA MCT
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16957400
That's a handy piece of advice, I will set up the alerts!

A quick side question: I keep getting IP spoofing alerts:

Description: ISA Server detected a spoof attack from Internet Protocol (IP) address 10.0.0.1. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

10.0.0.1 is the external NIC on my ISA server. What would be causing this?

Regards
Gavin
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16957439
What is the internal subnet(s) that are listed in your internal network?

Open the GUI - configuration - networks - double-click on internal - addresses?
I have seen this, for example, when people select the option to add all of the private networks to the internal interface forgetting that they are also using part of this range on the outside as well.

Also,
Check your MS event logs; you should find an entry for these occurrences.
Open the GUI, select configuration - monitoring.
Edit the query and change the timeline from 'live' to a time covering the events. Select update.
This will display all of the events from the database for the time period you put in.
How is the event listed in the log?
When complete, edit the query again and change the timeline back to live and update again.

Regards
keith
ISA MCT
0
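To make the reachability rule behind the spoof alert concrete, here is an added Python model of the check (example code, not ISA's own): a source address is flagged when it belongs to a network bound to a different interface than the one the packet arrived on. The network and interface names, the sample packets and the "overbroad" Internal definition are assumptions constructed to match the layout and the misconfiguration Keith describes.

```python
import ipaddress

# Added example (not ISA's code): a model of the address-range check behind ISA 2004's
# "spoof attack" alert. Network names, interface names and ranges are assumptions that
# follow the layout described in the thread.

def build_networks(internal_ranges):
    """Map network name -> (interface it is bound to, list of address ranges).
    Everything not covered by a defined network is treated as External."""
    return {"Internal": ("internal", [ipaddress.ip_network(r) for r in internal_ranges])}

def network_for(networks, src_ip):
    """Name of the defined network containing src_ip, or 'External' if none does."""
    addr = ipaddress.ip_address(src_ip)
    for name, (_iface, ranges) in networks.items():
        if any(addr in net for net in ranges):
            return name
    return "External"

def is_spoof(networks, src_ip, received_on):
    """ISA's rule: a source address is a spoof when it is not reachable via the
    interface the packet arrived on, i.e. it belongs to a network bound elsewhere."""
    name = network_for(networks, src_ip)
    expected = networks[name][0] if name in networks else "external"
    return expected != received_on

def audit(networks, packets):
    """Classify constructed (src_ip, interface) records; returns [(ip, iface, spoof)]."""
    return [(ip, iface, is_spoof(networks, ip, iface)) for ip, iface in packets]

# Constructed sample traffic for the thread's layout: clients on 192.168.1.0/24 behind
# NIC1 (192.168.1.1), ADSL router 10.0.0.138 on the NIC2 (10.0.0.1) side.
SAMPLE_PACKETS = [
    ("192.168.1.50", "internal"),   # normal client traffic
    ("10.0.0.138", "external"),     # reply from the ADSL router
    ("192.168.1.50", "external"),   # inside address arriving from outside: real spoof
]

# Correct Internal definition (what the author has), versus the mistake Keith describes:
# all RFC 1918 ranges added to Internal while 10.0.0.x is also used on the outside.
CORRECT = build_networks(["192.168.1.0/24"])
OVERBROAD = build_networks(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])

if __name__ == "__main__":
    for label, nets in (("correct", CORRECT), ("overbroad", OVERBROAD)):
        for ip, iface, spoof in audit(nets, SAMPLE_PACKETS):
            print(f"{label:9} {ip:14} on {iface:8} -> {'SPOOF' if spoof else 'ok'}")
```

With the overbroad definition, legitimate replies from the 10.0.0.x router arriving on the external NIC are reported as spoofs, which is exactly the symptom Keith's question about the Internal address list is meant to rule out.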
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16989210
Sorry for the late reply, had some Exchange issues I have been dealing with again.
If I double-click internal and check the addresses it shows 192.168.1.0 - 192.168.1.255. Should I include my external NIC?

The basic network layout is this:

Clients -----------------Server Nic1 [ISA] Server Nic2 -----------------ADSL Router
                               192.168.1.1           10.0.0.1                          10.0.0.138

Should I add 10.0.0.0 - 10.0.0.255 to the internal list?

Regards
Gavin
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16989968
No, only addresses accessible through the internal card go in here.

0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 16990163
Hmmmmm ok, any idea why it would keep saying that 10.0.0.1 is a spoof address?

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16994561
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 17006364
Hmmm, is it because my internal subnet is vastly different to my DMZ subnet? The internal subnet is 255.255.255.0 and the DMZ subnet is 255.0.0.0.

Should I consider changing the internal subnet to 255.255.255.0?
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 17006384
Sorry, I should have asked a different question for what we have been discussing. I will start another and get you to post into it; this way you get the points you deserve.

Regards
Gavin
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17006964
No, again, the type of subnet mask you have 'should' not matter.
0
 
LVL 2

Author Comment

by:gavinandrewmcmillan
ID: 17007045
Hmmm, I'll keep looking into it.

Thanks for your help Keith!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17007054
No, thank you, but I haven't closed this one out yet. We simply haven't found the root issue yet, so I'll keep this in my active list.
0
