Solved

Unidentified IP Traffic

Posted on 2008-10-02
Last Modified: 2012-12-17
I am trying to connect to a server running ISA2004 via RADMIN which uses port 4899.
I created the port and used it in a rule that is set to accept traffic from external to localhost on this port.

I am still unable to connect and if I look at the logging I get the following:

Denied Connection "SERVERNAME" 2008/10/02 09:45:50 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External ( "MY IP":1553)
Destination: Local Host ( "SERVER IP":4899)
Protocol: Unidentified IP Traffic (TCP:4899)
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: "MY IP"
Client agent:


Why would this port still be seen as Unidentified if it is specified in a rule? (I have this same rule running and working in multiple other identical setups.)
Question by:evdmerwe
9 Comments
LVL 76

Expert Comment

by:arnold
localhost has a specific designation, which is 127.0.0.1; there is no way an external request will ever try to access your server using the localhost designation. You need to define the rule from any external to serverIP.
LVL 51

Expert Comment

by:Keith Alabaster
Disagree with you there. For example, in an SBS setup, all applications are on the localhost including exchange, owa, web, sharepoint, ftp and VPN etc.

You say you defined a protocol for port 4889 and have given that a name?
When you ran the publish a non-web server wizard, did you select the newly created protocol from the drop down list?
If ISA is reporting that the traffic is unidentified then the traffic that is being seen does not match the criteria from the protocol you created.

Keith

Author Comment

by:evdmerwe
I created an access rule and added the custom protocol called Radmin to the Protocols Tab. What is bugging me is that I made sure this access rule matches my other sites where it works.
LVL 51

Expert Comment

by:Keith Alabaster
Need to see the output of the ISA log, I think. A couple of rows before, during and after the request so I can see the whole pattern.

Author Comment

by:evdmerwe
Here are a few lines from the W3C log file:

#Fields: computer      date      time      IP protocol      source      destination      original client IP      source network      destination network      action      status      rule      application protocol      bytes sent      bytes sent intermediate      bytes received      bytes received intermediate      connection time      connection time intermediate      username      agent      session ID      connection ID
TMASERVER      2008/10/07      08:05:06      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Establish      0x0      INTERNAL ACCESS      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5545      52408
TMASERVER      2008/10/07      08:05:06      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Terminate      0x80074e21      INTERNAL ACCESS      Unidentified IP Traffic      48      48      40      40      -      -      -      -      5545      52408
TMASERVER      2008/10/07      08:05:07      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Establish      0x0      INTERNAL ACCESS      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5545      52409
TMASERVER      2008/10/07      08:05:07      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Terminate      0x80074e21      INTERNAL ACCESS      Unidentified IP Traffic      48      48      40      40      -      -      -      -      5545      52409
TMASERVER      2008/10/07      08:05:08      ICMP      192.168.99.16:8      192.168.99.1      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      Ping      148      148      148      148      60438      60438      -      -      4656      52389
TMASERVER      2008/10/07      08:05:08      TCP      192.168.99.16:1255      192.168.99.1:389      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      LDAP      2263      2263      830      830      60344      60344      -      -      4656      52394
TMASERVER      2008/10/07      08:05:08      TCP      192.168.99.16:1254      192.168.99.1:389      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      LDAP      3397      3397      7017      7017      60360      60360      -      -      4656      52393
TMASERVER      2008/10/07      08:05:10      TCP      41.243.235.165:1247      192.168.168.254:4899      -      External      Local Host      Denied      0x800733f5      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5653      52410
TMASERVER      2008/10/07      08:05:10      TCP      192.168.99.13:1334      195.99.99.101:81      192.168.99.13      Internal      External      Terminate      0x80074e20      Unrestricted Internet access      Unidentified IP Traffic      144      144      0      0      69000      69000      -      -      5545      52388
TMASERVER      2008/10/07      08:05:13      TCP      41.243.235.165:1247      192.168.168.254:4899      -      External      Local Host      Denied      0x800733f5      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5653      52411
TMASERVER      2008/10/07      08:05:17      TCP      192.168.99.10:2826      195.99.99.101:81      192.168.99.10      Internal      External      Establish      0x0      Unrestricted Internet access      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5656      52412
TMASERVER      2008/10/07      08:05:19      TCP      41.243.235.165:1247      192.168.168.254:4899      -      External      Local Host      Denied      0x800733f5      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5653      52413
TMASERVER      2008/10/07      08:05:23      TCP      192.168.99.10:2823      195.99.99.101:81      192.168.99.10      Internal      External      Terminate      0x80074e20      Unrestricted Internet access      Unidentified IP Traffic      144      144      0      0      69047      69047      -      -      5656      52397
TMASERVER      2008/10/07      08:05:23      TCP      192.168.99.14:1092      192.168.99.1:1025      192.168.99.14      Internal      Local Host      Intermediate      0x0      INTERNAL ACCESS      RPC (all interfaces)      0      0      0      0      5400172      900063      -      -      5564      51297
TMASERVER      2008/10/07      08:05:32      TCP      192.168.99.13:1335      195.99.99.101:81      192.168.99.13      Internal      External      Terminate      0x80074e20      Unrestricted Internet access      Unidentified IP Traffic      144      144      0      0      69000      69000      -      -      5545      52399
TMASERVER      2008/10/07      08:05:37      TCP      192.168.99.16:1253      192.168.99.1:1025      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      RPC (all interfaces)      1288      1288      1040      1040      90360      90360      -      -      4656      52392
TMASERVER      2008/10/07      08:05:38      TCP      192.168.99.10:2819      196.38.248.129:443      192.168.99.10      Internal      External      Terminate      0x80074e21      Unrestricted Internet access      HTTPS      9480      9480      32178      32178      108172      108172      -      -      5656      52381
TMASERVER      2008/10/07      08:05:38      TCP      192.168.99.14:1096      192.168.99.1:1140      192.168.99.14      Internal      Local Host      Intermediate      0x0      INTERNAL ACCESS      RPC (all interfaces)      18621      460      23279      4760      5399969      899844      -      -      5564      51303
TMASERVER      2008/10/07      08:05:38      TCP      192.168.99.10:2827      195.99.99.101:81      192.168.99.10      Internal      External      Establish      0x0      Unrestricted Internet access      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5656      52414
TMASERVER      2008/10/07      08:05:39      TCP      196.38.248.129:443      192.168.168.254:58770      196.38.248.129      External      Local Host      Denied      0xc0040017      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      0      0
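The log excerpt above is easier to read once it is parsed by the #Fields directive rather than by eye. The following is an added example, not code from the original post or from Microsoft: a small triage script for ISA Server 2004 W3C-format firewall logs that keeps the entries the firewall Denied from the External network to itself (destination network "Local Host"), counts them by source, destination port and status code, and flags repeated attempts that reuse the same source port, i.e. one client retransmitting its SYN rather than many clients. The sample data is assembled from lines copied out of the post above and re-joined with tabs, which is how ISA writes W3C logs on disk; the "TMASERVER" host name, addresses and status codes are the ones in the post, and nothing is asserted about what the status codes mean.

```python
"""Triage helper for ISA Server 2004 W3C-format firewall logs (added example)."""
from collections import Counter

FIELD_NAMES = [
    "computer", "date", "time", "IP protocol", "source", "destination",
    "original client IP", "source network", "destination network", "action",
    "status", "rule", "application protocol", "bytes sent",
    "bytes sent intermediate", "bytes received", "bytes received intermediate",
    "connection time", "connection time intermediate", "username", "agent",
    "session ID", "connection ID",
]


def _row(time, src, dst, orig, src_net, action, status, rule, sess, conn):
    """Build one 23-column record; the byte/time columns are the '0'/'-' values from the post."""
    return ["TMASERVER", "2008/10/07", time, "TCP", src, dst, orig, src_net, "Local Host",
            action, status, rule, "Unidentified IP Traffic",
            "0", "0", "0", "0", "-", "-", "-", "-", sess, conn]


# Sample log: lines copied from the post above, re-joined with tabs.
_ROWS = [
    _row("08:05:06", "192.168.99.13:1338", "192.168.99.1:81", "192.168.99.13", "Internal",
         "Establish", "0x0", "INTERNAL ACCESS", "5545", "52408"),
    _row("08:05:10", "41.243.235.165:1247", "192.168.168.254:4899", "-", "External",
         "Denied", "0x800733f5", "-", "5653", "52410"),
    _row("08:05:13", "41.243.235.165:1247", "192.168.168.254:4899", "-", "External",
         "Denied", "0x800733f5", "-", "5653", "52411"),
    _row("08:05:19", "41.243.235.165:1247", "192.168.168.254:4899", "-", "External",
         "Denied", "0x800733f5", "-", "5653", "52413"),
    _row("08:05:39", "196.38.248.129:443", "192.168.168.254:58770", "196.38.248.129", "External",
         "Denied", "0xc0040017", "-", "0", "0"),
]
SAMPLE_LOG = ("#Fields: " + "\t".join(FIELD_NAMES) + "\n"
              + "\n".join("\t".join(r) for r in _ROWS) + "\n")


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def split_endpoint(endpoint):
    """'41.243.235.165:1247' -> ('41.243.235.165', 1247); a bare IP (ICMP rows) -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def denied_inbound(records, dst_port=None):
    """Entries Denied from the External network to the firewall itself, optionally on one port."""
    hits = []
    for r in records:
        if (r["action"], r["source network"], r["destination network"]) != \
                ("Denied", "External", "Local Host"):
            continue
        src_ip, src_port = split_endpoint(r["source"])
        dst_ip, port = split_endpoint(r["destination"])
        if dst_port is not None and port != dst_port:
            continue
        hits.append({
            "time": f'{r["date"]} {r["time"]}',
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": port,
            "status": r["status"], "rule": r["rule"], "app_proto": r["application protocol"],
            # "-" in the rule column: no rule name was recorded for the denial; the GUI
            # view quoted in the question shows the same 4899 event as "Default rule".
            "no_rule_matched": r["rule"] == "-",
        })
    return hits


def summarize(hits):
    """Count denials per (source IP, destination port, status code)."""
    return Counter((h["src_ip"], h["dst_port"], h["status"]) for h in hits)


def retransmissions(hits):
    """Flows (src_ip, src_port, dst_ip, dst_port) that appear more than once.

    A TCP client that gets no answer retransmits its SYN from the same source port,
    so several Denied entries for one flow a few seconds apart are one connection
    attempt being dropped repeatedly, not a scan from many ports.
    """
    by_flow = Counter((h["src_ip"], h["src_port"], h["dst_ip"], h["dst_port"]) for h in hits)
    return {flow: n for flow, n in by_flow.items() if n > 1}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for h in denied_inbound(recs, dst_port=4899):
        print(h["time"], h["src_ip"], "->", f'{h["dst_ip"]}:{h["dst_port"]}',
              h["status"], "rule:", h["rule"], "proto:", h["app_proto"])
    print(summarize(denied_inbound(recs)), retransmissions(denied_inbound(recs)))
```

Run against the excerpt, the 4899 filter returns the three Denied rows with rule "-" and application protocol "Unidentified IP Traffic", all from 41.243.235.165:1247 at 08:05:10, :13 and :19: the same source port at growing intervals is one Radmin client retrying a SYN that nothing on the firewall matched, which is the symptom the thread is diagnosing. After the server publishing rule from the accepted answer is in place, the same filter should come back empty for that source, and the allowed connections should carry the publishing rule's name in the rule column, the way the "INTERNAL ACCESS" row above does.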
LVL 51

Accepted Solution

by:Keith Alabaster (earned 125 total points)
So it's an authentication issue.

First of all (just noticed it), you say you created a rule? You need to add this by publishing, not by creating a rule.
Use the straightforward 'Publish a server' wizard, put in the ISA's internal IP address and listen on the external interface.

Author Comment

by:evdmerwe
Thanks Keith, your publishing suggestion worked.
LVL 51

Expert Comment

by:Keith Alabaster
You're welcome :)

Expert Comment

by:saltrock2k
Excellent.

How does this work for TMG 2010? I have my own protocol set to TCP for port 10101.
Anything external comes in but cannot be filtered through the internal interface. I even tried setting up a two-stage publishing rule: one from external to the internal interface, the next from the internal to the device.

I can telnet to the device internally fine, but I cannot from TMG on that port. If I change the port from 10101 to 80, then I can access the web page from my home.

I have raised this with Microsoft, but I need to have a solution by Wednesday this week. It seems sad that a simple non-web publishing rule should work.

Tom.