Solved

Unidentified IP Traffic

Posted on 2008-10-02
Last Modified: 2012-12-17
I am trying to connect to a server running ISA2004 via RADMIN which uses port 4899.
I created the port and used it in a rule that is set to accept traffic from external to localhost on this port.

I am still unable to connect and if I look at the logging I get the following:

Denied Connection "SERVERNAME" 2008/10/02 09:45:50 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External ( "MY IP":1553)
Destination: Local Host ( "SERVER IP":4899)
Protocol: Unidentified IP Traffic (TCP:4899)
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: "MY IP"
Client agent:


Why would this port still be seen as Unidentified if it is specified in a rule? (I have this same rule running and working in multiple other identical setups.)
0
Comment
Question by:evdmerwe
9 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 22625316
Localhost has a specific designation, which is 127.0.0.1; there is no way an external request will ever try to access your server using the localhost designation. You need to define the rule from any external to serverIP.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22626200
Disagree with you there. For example, in an SBS setup, all applications are on the localhost, including Exchange, OWA, web, SharePoint, FTP and VPN etc.

You say you defined a protocol for port 4889 and have given that a name?
When you ran the publish a non-web server wizard, did you select the newly created protocol from the drop down list?
If ISA is reporting that the traffic is unidentified then the traffic that is being seen does not match the criteria from the protocol you created.

Keith
0
 

Author Comment

by:evdmerwe
ID: 22631554
I created an access rule and added the custom protocol called Radmin to the Protocols Tab. What is bugging me is that I made sure this access rule matches my other sites where it works.
0

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22636137
Need to see the output of the ISA log, I think. A couple of rows before, during and after the request so I can see the whole pattern.
0
 

Author Comment

by:evdmerwe
ID: 22657354
Here are a few lines from the W3C log file:

#Fields: computer      date      time      IP protocol      source      destination      original client IP      source network      destination network      action      status      rule      application protocol      bytes sent      bytes sent intermediate      bytes received      bytes received intermediate      connection time      connection time intermediate      username      agent      session ID      connection ID
TMASERVER      2008/10/07      08:05:06      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Establish      0x0      INTERNAL ACCESS      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5545      52408
TMASERVER      2008/10/07      08:05:06      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Terminate      0x80074e21      INTERNAL ACCESS      Unidentified IP Traffic      48      48      40      40      -      -      -      -      5545      52408
TMASERVER      2008/10/07      08:05:07      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Establish      0x0      INTERNAL ACCESS      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5545      52409
TMASERVER      2008/10/07      08:05:07      TCP      192.168.99.13:1338      192.168.99.1:81      192.168.99.13      Internal      Local Host      Terminate      0x80074e21      INTERNAL ACCESS      Unidentified IP Traffic      48      48      40      40      -      -      -      -      5545      52409
TMASERVER      2008/10/07      08:05:08      ICMP      192.168.99.16:8      192.168.99.1      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      Ping      148      148      148      148      60438      60438      -      -      4656      52389
TMASERVER      2008/10/07      08:05:08      TCP      192.168.99.16:1255      192.168.99.1:389      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      LDAP      2263      2263      830      830      60344      60344      -      -      4656      52394
TMASERVER      2008/10/07      08:05:08      TCP      192.168.99.16:1254      192.168.99.1:389      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      LDAP      3397      3397      7017      7017      60360      60360      -      -      4656      52393
TMASERVER      2008/10/07      08:05:10      TCP      41.243.235.165:1247      192.168.168.254:4899      -      External      Local Host      Denied      0x800733f5      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5653      52410
TMASERVER      2008/10/07      08:05:10      TCP      192.168.99.13:1334      195.99.99.101:81      192.168.99.13      Internal      External      Terminate      0x80074e20      Unrestricted Internet access      Unidentified IP Traffic      144      144      0      0      69000      69000      -      -      5545      52388
TMASERVER      2008/10/07      08:05:13      TCP      41.243.235.165:1247      192.168.168.254:4899      -      External      Local Host      Denied      0x800733f5      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5653      52411
TMASERVER      2008/10/07      08:05:17      TCP      192.168.99.10:2826      195.99.99.101:81      192.168.99.10      Internal      External      Establish      0x0      Unrestricted Internet access      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5656      52412
TMASERVER      2008/10/07      08:05:19      TCP      41.243.235.165:1247      192.168.168.254:4899      -      External      Local Host      Denied      0x800733f5      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5653      52413
TMASERVER      2008/10/07      08:05:23      TCP      192.168.99.10:2823      195.99.99.101:81      192.168.99.10      Internal      External      Terminate      0x80074e20      Unrestricted Internet access      Unidentified IP Traffic      144      144      0      0      69047      69047      -      -      5656      52397
TMASERVER      2008/10/07      08:05:23      TCP      192.168.99.14:1092      192.168.99.1:1025      192.168.99.14      Internal      Local Host      Intermediate      0x0      INTERNAL ACCESS      RPC (all interfaces)      0      0      0      0      5400172      900063      -      -      5564      51297
TMASERVER      2008/10/07      08:05:32      TCP      192.168.99.13:1335      195.99.99.101:81      192.168.99.13      Internal      External      Terminate      0x80074e20      Unrestricted Internet access      Unidentified IP Traffic      144      144      0      0      69000      69000      -      -      5545      52399
TMASERVER      2008/10/07      08:05:37      TCP      192.168.99.16:1253      192.168.99.1:1025      192.168.99.16      Internal      Local Host      Terminate      0x80074e20      INTERNAL ACCESS      RPC (all interfaces)      1288      1288      1040      1040      90360      90360      -      -      4656      52392
TMASERVER      2008/10/07      08:05:38      TCP      192.168.99.10:2819      196.38.248.129:443      192.168.99.10      Internal      External      Terminate      0x80074e21      Unrestricted Internet access      HTTPS      9480      9480      32178      32178      108172      108172      -      -      5656      52381
TMASERVER      2008/10/07      08:05:38      TCP      192.168.99.14:1096      192.168.99.1:1140      192.168.99.14      Internal      Local Host      Intermediate      0x0      INTERNAL ACCESS      RPC (all interfaces)      18621      460      23279      4760      5399969      899844      -      -      5564      51303
TMASERVER      2008/10/07      08:05:38      TCP      192.168.99.10:2827      195.99.99.101:81      192.168.99.10      Internal      External      Establish      0x0      Unrestricted Internet access      Unidentified IP Traffic      0      0      0      0      -      -      -      -      5656      52414
TMASERVER      2008/10/07      08:05:39      TCP      196.38.248.129:443      192.168.168.254:58770      196.38.248.129      External      Local Host      Denied      0xc0040017      -      Unidentified IP Traffic      0      0      0      0      -      -      -      -      0      0
0
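A way to triage a log like the one posted above, added here as an example and not code from the thread: it reads the #Fields header, then counts Denied records per source IP, destination, rule and status. The sample is constructed (trimmed to nine columns, documentation addresses), and the separator rule (a tab or two or more spaces) is an assumption matching how the log appears on this page.

```python
import re
from collections import Counter

# Assumption: fields are separated by a tab or by a run of two or more spaces,
# so single spaces inside values ("Unidentified IP Traffic") are preserved.
SEP = re.compile(r"\t| {2,}")

# Constructed sample in the layout of the log above, trimmed to nine columns.
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
#Fields: date  time  IP protocol  source  destination  action  status  rule  application protocol
2008/10/07  08:05:08  TCP  192.0.2.16:1255  192.0.2.1:389  Terminate  0x80074e20  INTERNAL ACCESS  LDAP
2008/10/07  08:05:10  TCP  203.0.113.10:1247  198.51.100.254:4899  Denied  0x800733f5  -  Unidentified IP Traffic
2008/10/07  08:05:13  TCP  203.0.113.10:1247  198.51.100.254:4899  Denied  0x800733f5  -  Unidentified IP Traffic
2008/10/07  08:05:17  TCP  192.0.2.10:2826  203.0.113.101:81  Establish  0x0  Unrestricted Internet access  Unidentified IP Traffic
2008/10/07  08:05:19  TCP  203.0.113.10:1247  198.51.100.254:4899  Denied  0x800733f5  -  Unidentified IP Traffic
2008/10/07  08:05:20  TCP  203.0.113.10:1247
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = SEP.split(line[len("#Fields:"):].strip())
        elif line and not line.startswith("#") and fields:
            values = SEP.split(line)
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def denied_summary(rows):
    """Count Denied records per (source IP, destination, rule, status)."""
    counts = Counter()
    for r in rows:
        if r["action"] == "Denied":
            src_ip = r["source"].rsplit(":", 1)[0]  # drop the source port
            counts[(src_ip, r["destination"], r["rule"], r["status"])] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, rule, status), n in denied_summary(parse_w3c(SAMPLE)).most_common():
        # A rule of "-" means no rule name was logged for the denied connection.
        print(f"{n}x {src} -> {dst}  rule={rule!r}  status={status}")
```

Grouping by rule and status makes repeated denials to one published port stand out from normal internal traffic.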
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 125 total points
ID: 22661720
So it's an authentication issue.

First of all (just noticed it), you say you created a rule? You need to add this by publishing, not by creating a rule.
Use the straightforward 'Publish a server' wizard and put in the ISA's internal IP address and listen on the external interface.
0
 

Author Comment

by:evdmerwe
ID: 22678482
Thanks Keith, your publishing suggestion worked.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22680693
You're welcome :)
0
 

Expert Comment

by:saltrock2k
ID: 38697922
Excellent.

How does this work for TMG 2010? I have my own protocol set at TCP for port 10101.
Anything external comes in but cannot be filtered through the internal interface. I even tried setting up a 2 stage publishing rule, one from external to the internal interface. The next from the internal to the device.

I can telnet to the device internally fine, but I cannot from TMG on that port. If I change the port from 10101 to 80, then I can access the web page from my home.

I have raised this with Microsoft, but I need to have a solution by Wednesday this week. It seems sad that a simple non-web publishing rule should work.

Tom.
0


Question has a verified solution.
