D0TCom
asked on
Allow a specific port in TMG
Hi,
How do I enable a port for inbound and outbound connections (like a synchronization process) in TMG?
The program was working fine until I realized that the TMG firewall wasn't running, so I started the firewall and created a rule in the inbound & outbound section to allow this port.
I added it to the exceptions, although I saw my rules there anyway.
I'm still having issues trying to sync the software. Am I missing something here?
Please help?
What is 'the software'? What is it syncing with?
What is the direction of the sync? i.e. Is this external users syncing to your internal service, or your internal users/servers syncing with an external service?
Was the port required already defined in the FTMG protocol objects, or have you defined it yourself? If you did it, what definitions have you used?
You have to create a firewall rule in the TMG console, not the Windows Firewall console, as the TMG console replaces the Windows Firewall console.
In TMG, you have to first create a custom protocol definition and enter which ports it uses. You then create an access rule, or a publishing rule; it depends on whether you are using NAT.
ASKER
I'm not using NAT. I created the access rule; since it's a sync process I created 2 rules:
rule1 from external -> internal
rule2 from internal -> external
I have defined a custom protocol (5993) and called it GoldSync, since it's that app that requires the connection to be allowed.
My Forefront is acting as an edge server only, with TMG functionality.
Is the server directly connected to the Internet?
You can monitor state sessions on TMG under Reports -> Logging tab.
Filter by destination port, and you will see what happens with the traffic.
ASKER
No, it's connected to a layer 3 switch > Juniper SSG. TMG is part of the domain as per the EBS installation.
I'll check the logs.
Hi,
Remember that you need 2 protocol definitions, because in one way it's an outgoing protocol, and in the other way it's an incoming protocol... You can see that some pre-defined protocols (like SMTP) have 2 definitions: SMTP and SMTP Server...
Is it TCP 5993 or is it UDP 5993?
If it's UDP, in the protocol definition for outgoing traffic you need to declare it as Send/Receive, because when you send an outgoing UDP packet there is probably an incoming UDP packet as a response... So to tell TMG to accept the incoming response to an outgoing UDP packet you must declare the protocol definition as Send/Receive.
For the incoming UDP protocol definition it is the opposite: you need to declare it as Receive/Send.
Take a look in the Logging functionality of TMG and look for refused traffic to know which rule is missing...
Don't hesitate to give us an extract of the log for diagnosis.
Have a good day
ASKER
How long should it take to "fetch the results"?
ASKER
It's 5993 TCP/UDP as per the requirements.
Hi,
Ok, so you should create 3 protocol definitions, let's say:
1) "GoldSync outgoing" protocol definition that contains the following Port declarations: TCP 5993 Outgoing, and UDP 5993 Send/Receive
2) "GoldSync TCP incoming" protocol definition that contains the following Port declaration: TCP 5993 Incoming
3) "GoldSync UDP incoming" protocol definition that contains the following Port declaration: UDP 5993 Receive/Send
Then, you should create an access rule for outgoing traffic that includes the "GoldSync outgoing" protocol.
After that, for incoming traffic, you start by creating two port listeners, one for each incoming protocol ("GoldSync TCP incoming" and "GoldSync UDP incoming"). You associate these listeners with the External network.
Then, you create 2 server publishing rules, one for each incoming protocol. Each publishing rule must be associated with one of the port listeners. In each publishing rule you designate the IP address of the internal server that should receive incoming requests.
This should work.
Have a good day.
Why would he use publishing rules when he is not using NAT?
ASKER
How do I configure 2 port listeners?
ASKER
Sorry, please ignore - found the web listener :)
ASKER
There is no option there to configure a port listener on it. I'm not sure if I'm looking in the right place...
ASKER
Issue was resolved... it had nothing to do with TMG after all. I've configured a VIP for port forwarding and assigned it to the server where the synchronization software is installed.
Then I created a policy to allow all incoming connections from a specific range of IPs to the server. And it worked flawlessly.
Tested the sync process and it's fine now. I still, however, don't know how to configure port listeners in TMG.
ASKER CERTIFIED SOLUTION
ASKER
Thanks - pwindell.
You're welcome. I wanted to clarify things even if you had not seen my reply. It is important for it to be clarified for others in the future who may find this thread while looking for a similar solution, so they need to clearly understand what they are looking for.
BTW - If you weren't running NAT, the solution was not really the correct one. In a routed non-NAT situation an Outbound Access Rule would be used instead. It would be outbound from the specific external IP range to the IP of the internal resource.
However, the Publishing Rule will work, and you can leave it if you wish. If you ever switch to NAT then you will need it anyway.
I started to say something too, but then figured "what's the point?". I started to give the speech about how grades are supposed to be about accuracy, not whether it was what one "wanted to hear".
ASKER
There was no solution here, because the issue was not a TMG misconfiguration. My Juniper settings were revoked somehow; not sure how that can happen when I'm the only one that has access to the firewall (perhaps a seamless update?). Who knows...
I've created a virtual IP (VIP), according to Juniper's terminology, and assigned the ports accordingly to my up-link.
I've awarded you the points because you had explained port listeners, and ultimately it is a crucial step to open a port in TMG, whether in a NAT or non-NAT setup. Aside from publishing it, if it was NAT configured.
Thanks for your help.
Ok.
First of all, is TMG configured to NAT outgoing traffic? Or does it simply route outgoing traffic?
If your TMG is NATing, you'll need at least 2 rules to allow bi-directional connections: one "access rule" for outgoing traffic, and one "publishing rule" for incoming traffic.
Then, are you sure that there will be both outgoing and incoming connections? Outgoing connections are easy to allow through a NATing ISA/TMG; incoming connections require a publishing rule.
What port is needed? Is it TCP or UDP?
About incoming connections (if they are really needed), ensure that the internal target is a single machine... You cannot make a publishing rule for multiple internal targets!
Have a good day.