Solved

ISA - All Open and Allow rule is closing outgoing connections.

Posted on 2006-06-19
389 Views
Last Modified: 2010-04-09
Hello

I have created an all open and allow rule in ISA 2004 that allows all outbound traffic to External.

I have noticed a few things about our network that are confusing:

1: The All Open and Allow rule is closing a lot of outgoing connections. The strangest part about it is that the connections are heading to unknown port numbers and IP addresses I don't recognise, in particular ports 34568, 7247, 54862 and a few others.

2: I have lost email access to the internet after an automatic server update was installed by Microsoft. Since this update I have not been able to send or receive email via Outlook (POP3, SMTP).

I do not understand a lot about ISA 2004 and have been browsing through isaserver.org, which seems to be a really good site, but I haven't been able to work out why this is happening.

Regards
Gavin McMillan
Question by: gavinandrewmcmillan

14 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
What do you mean by all open and allow?
Do you mean allow all protocols? If yes, this means allow all protocols that ISA has 'defined' in its protocol lists; not allow ALL protocols regardless of what they may be.

Are you using ISA in cache mode or in firewall mode?

If in firewall mode, are you using SecureNAT (the default gateway of your client machines points to the internal NIC of the ISA)?
Have you installed the ISA firewall client?

What do you mean by 'opening and closing'?

If that is literally the text you see in the log (configuration - logging - click on start query) then the ISA is doing its job as per the rules defined.
34568 is a port commonly used with IP telephony services.

Regarding the email, again, check the log as above whilst someone tries to make a POP connection. What is seen in the log?
 
LVL 2

Author Comment

by:gavinandrewmcmillan
Hi Keith

ISA is running in firewall mode, I am using SecureNAT and am using the firewall client.

All is working now with the POP3 email, which is good.

I have done some searching through the network and have found that several users have Skype installed on their computers, which probably accounts for the connections on strange ports and to unfamiliar IP addresses.

The issue regarding losing POP and SMTP email access has been resolved (it was the host's fault). As such I have begun moving all our email accounts over to my server instead of having them hosted by the web host.

Regards
Gavin
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 500 total points)
OK.

You may want to consider setting up a verifier for the future.
(Open GUI - Monitoring - Connectivity)

You can create 'links' to web sites, DNS servers, mail servers (almost anything). In turn, you can use the alerting (Open GUI - Monitoring - Alerts) to send you an internal mail or whatever if these services go down, local OR remote.

Regards
Keith
ISA MCT
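Keith's suggestion above, as a stand-alone script. This is an added example, not ISA code and not something from the thread: it does in Python what a 'TCP connection to port' connectivity verifier plus an alert definition does, so it can run on any host and alert through any channel. The targets in the `__main__` block (mail.example.com for the hosted POP3/SMTP service, the ADSL router's web port) are assumptions, since the thread names no mail host; the consecutive-failure threshold is an assumed design choice, not an ISA setting.

```python
import socket
import time
from dataclasses import dataclass


@dataclass
class Verifier:
    """One connectivity verifier: a name, a target, and its alerting state.
    threshold = consecutive failed probes before an alert is raised
    (assumed design choice, not an ISA setting)."""
    name: str
    host: str
    port: int
    timeout: float = 3.0
    threshold: int = 3
    failures: int = 0
    alerted: bool = False


def probe(v):
    """True when a TCP handshake to host:port completes within the timeout,
    the equivalent of the 'TCP connection to port' verifier type."""
    try:
        with socket.create_connection((v.host, v.port), timeout=v.timeout):
            return True
    except OSError:
        return False


def run_cycle(verifiers, alert, probe_fn=probe):
    """One monitoring pass over all verifiers. alert(text) is called once when
    a target crosses the failure threshold and once when it recovers, never
    on every failed probe. Returns {name: 'up' | 'down'} for this pass."""
    status = {}
    for v in verifiers:
        up = probe_fn(v)
        if up:
            if v.alerted:
                alert(f"RECOVERED: {v.name} ({v.host}:{v.port}) is reachable again")
            v.failures, v.alerted = 0, False
        else:
            v.failures += 1
            if v.failures >= v.threshold and not v.alerted:
                alert(f"DOWN: {v.name} ({v.host}:{v.port}) failed "
                      f"{v.failures} probes in a row")
                v.alerted = True
        status[v.name] = "up" if up else "down"
    return status


if __name__ == "__main__":
    # Hypothetical targets: the thread does not name Gavin's mail host;
    # 10.0.0.138 is the ADSL router from his diagram. Swap alert=print for a
    # function that sends mail or writes to the event log.
    targets = [
        Verifier("POP3 at mail host", "mail.example.com", 110),
        Verifier("SMTP at mail host", "mail.example.com", 25),
        Verifier("ADSL router web UI", "10.0.0.138", 80),
    ]
    for cycle in range(3):              # three passes, one minute apart
        if cycle:
            time.sleep(60)
        print(run_cycle(targets, alert=print))
```

Run it from a scheduled task or leave it looping; the threshold is the part worth keeping. A single timed-out probe to a remote mail host is normal on an ADSL line, and alerting on every one trains people to ignore the alerts.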
 
LVL 2

Author Comment

by:gavinandrewmcmillan
That's a handy piece of advice, I will set up the alerts!

A quick side question: I keep getting IP spoofing alerts:

Description: ISA Server detected a spoof attack from Internet Protocol (IP) address 10.0.0.1. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

10.0.0.1 is the external NIC on my ISA server. What would be causing this?

Regards
Gavin
 
LVL 51

Expert Comment

by:Keith Alabaster
What are the internal subnet(s) that are listed in your internal network?

Open the GUI - Configuration - Networks - double-click on Internal - Addresses.
I have seen this, for example, when people select the option to add all of the private networks to the internal interface, forgetting that they are also using part of this range on the outside as well.

Also,
check your MS event logs; you should find an entry for these occurrences.
Open the GUI, select Configuration - Monitoring,
edit the query and change the timeline from 'live' to a time covering the events. Select Update.
This will display all of the events from the database for the time period you put in.
How is the event listed in the log?
When complete, edit the query again and change the timeline back to live and update again.

Regards
keith
ISA MCT
 
LVL 2

Author Comment

by:gavinandrewmcmillan
Sorry for the late reply, I have had some Exchange issues I have been dealing with again.
If I double-click Internal and check the addresses it shows 192.168.1.0 - 192.168.1.255. Should I include my external NIC?

The basic network layout is this:

Clients ---------- Server NIC1 [ISA] Server NIC2 ---------- ADSL Router
                   192.168.1.1       10.0.0.1               10.0.0.138

Should I add 10.0.0.0 - 10.0.0.255 to the internal list?

Regards
Gavin
 
LVL 51

Expert Comment

by:Keith Alabaster
No, only addresses accessible through the internal card go in here.

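What the spoof alert quoted above actually tests, and why the answer to adding 10.0.0.0 - 10.0.0.255 to Internal is "No", as an added example (not ISA code, and not from the thread). It models an ISA-style network object as a NIC plus a list of address ranges, with External as the catch-all for everything not listed elsewhere, and runs Gavin's addresses through the check under three definitions: the one he has, Keith's "all private networks added to Internal" mistake, and the addition Gavin asks about. The modelling of network objects and the sample client address 192.168.1.50 are assumptions; the NIC addresses and the router address come from Gavin's diagram. The thread never finds the cause of his 10.0.0.1 alerts, and this example does not claim to; it only shows what the check returns for that address on each interface.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class FirewallNetwork:
    """One ISA-style network object: its name, the NIC it is bound to, and the
    address ranges entered under Networks -> Addresses. catch_all stands in
    for ISA's External network, which holds every address not listed in any
    other network object. (Modelling assumption, not ISA's own data model.)"""
    name: str
    nic: str
    ranges: list          # ipaddress.IPv4Network objects
    catch_all: bool = False


def address_range(first, last):
    """The ISA GUI shows ranges as first - last; turn one into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def network_of(networks, ip):
    """Name of the network object that owns ip: an explicit range wins, the
    catch-all only claims what nobody else listed."""
    ip = ipaddress.ip_address(ip)
    for net in networks:
        if not net.catch_all and any(ip in r for r in net.ranges):
            return net.name
    for net in networks:
        if net.catch_all:
            return net.name
    return None


def check_packet(networks, src_ip, arriving_nic):
    """The spoof test behind the alert quoted above: the source address must
    belong to the network bound to the NIC the packet came in on."""
    expected = next(n.name for n in networks if n.nic == arriving_nic)
    actual = network_of(networks, src_ip)
    if actual == expected:
        return "ok"
    return (f"spoof: {src_ip} arrived on {arriving_nic} ({expected}) "
            f"but is defined in {actual}")


def misassigned_nics(networks, nic_addresses):
    """Configuration sanity check: every NIC's own address must sit inside the
    network bound to that NIC. A hit here is Keith's 'you added a range you
    also use on the outside' case. nic_addresses maps NIC -> its IP."""
    bad = []
    for nic, addr in nic_addresses.items():
        bound = next(n.name for n in networks if n.nic == nic)
        owner = network_of(networks, addr)
        if owner != bound:
            bad.append((nic, addr, bound, owner))
    return bad


NICS = {"NIC1": "192.168.1.1", "NIC2": "10.0.0.1"}   # from Gavin's diagram

# Gavin's current definition: Internal = 192.168.1.0 - 192.168.1.255 on NIC1;
# everything else (including the ADSL router 10.0.0.138) is External on NIC2.
AS_CONFIGURED = [
    FirewallNetwork("Internal", "NIC1", address_range("192.168.1.0", "192.168.1.255")),
    FirewallNetwork("External", "NIC2", [], catch_all=True),
]

# Keith's example of the mistake: all RFC 1918 space added to Internal while
# 10.0.0.0/8 is also in use on the outside.
ALL_PRIVATE = [
    FirewallNetwork("Internal", "NIC1", [ipaddress.ip_network("10.0.0.0/8"),
                                         ipaddress.ip_network("172.16.0.0/12"),
                                         ipaddress.ip_network("192.168.0.0/16")]),
    FirewallNetwork("External", "NIC2", [], catch_all=True),
]

# What Gavin asks about: adding 10.0.0.0 - 10.0.0.255 to Internal as well.
ADD_10_NET = [
    FirewallNetwork("Internal", "NIC1", address_range("192.168.1.0", "192.168.1.255")
                    + address_range("10.0.0.0", "10.0.0.255")),
    FirewallNetwork("External", "NIC2", [], catch_all=True),
]

if __name__ == "__main__":
    for label, nets in (("as configured", AS_CONFIGURED),
                        ("all private ranges", ALL_PRIVATE),
                        ("add 10.0.0.0/24", ADD_10_NET)):
        print(label)
        print("  misassigned NICs:", misassigned_nics(nets, NICS))
        print("  client 192.168.1.50 on NIC1:", check_packet(nets, "192.168.1.50", "NIC1"))
        print("  router 10.0.0.138 on NIC2:  ", check_packet(nets, "10.0.0.138", "NIC2"))
        print("  10.0.0.1 on NIC1:           ", check_packet(nets, "10.0.0.1", "NIC1"))
```

Under this model a packet from the ADSL router arriving on NIC2 becomes a spoof as soon as any 10.0.0.0 range is listed under Internal, which is the failure Keith warns about: widening Internal to silence one alert breaks the outside. Running the equivalent of `misassigned_nics` against the live definition, checking that each NIC's own address and its next hop fall in the network bound to that NIC, is the first thing to do when these alerts appear.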
 
LVL 2

Author Comment

by:gavinandrewmcmillan
Hmmmmm, OK. Any idea why it would keep saying that 10.0.0.1 is a spoof address?

 
LVL 51

Expert Comment

by:Keith Alabaster
 
LVL 2

Author Comment

by:gavinandrewmcmillan
Hmmm, is it because my internal subnet is vastly different to my DMZ subnet? The internal subnet is 255.255.255.0 and the DMZ subnet is 255.0.0.0.

Should I consider changing the internal subnet to 255.255.255.0?
 
LVL 2

Author Comment

by:gavinandrewmcmillan
Sorry, I should have asked a different question for what we have been discussing. I will start another and get you to post into it; this way you get the points you deserve.

Regards
Gavin
 
LVL 51

Expert Comment

by:Keith Alabaster
No, again, the type of subnet mask you have 'should' not matter.
 
LVL 2

Author Comment

by:gavinandrewmcmillan
Hmmm, I'll keep looking into it.

Thanks for your help Keith!
 
LVL 51

Expert Comment

by:Keith Alabaster
No, thank you, but I haven't closed this one out yet. We simply haven't found the root issue yet, so I'll keep this in my active list.
