Solved

Allow a specific port in TMG

Posted on 2010-08-24
6,798 Views
Last Modified: 2013-11-10
Hi,

How do I enable a port for inbound and outbound connections (like a synchronization process) in TMG?

The program was working fine until I realized that the TMG firewall wasn't running, so I started the firewall and created a rule in the inbound & outbound section to allow this port.

I added it to the exceptions, although I saw my rules there anyway.

I'm still having issues trying to sync the software. Am I missing something here?

Please help.
Question by:D0TCom
22 Comments
 
LVL 16

Expert Comment

by:PaciB
ID: 33516613
Hi,

First of all, is TMG configured to NAT outgoing traffic? Or does it simply route outgoing traffic?
If your TMG is NATing you'll need at least 2 rules to allow bi-directional connections: one "access rule" for outgoing traffic, and one "publishing rule" for incoming traffic.

Then, are you sure that there might be outgoing and incoming connections? Outgoing connections are easy to allow through a NATing ISA/TMG; incoming connections require a publishing rule.

What port is needed? Is it TCP or UDP?
About incoming connections (if they are really needed), ensure that the internal target is a unique machine... You can not make a publishing rule for multiple internal targets!

Have a good day.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33518349
What is 'the software'? What is it syncing with?
What is the direction of the sync? ie Is this external users syncing to your internal service or your internal users/servers syncing with an external service?

Was the port required already defined in the FTMG protocol objects, or have you defined it yourself? If you did it, what definitions have you used?
 
LVL 10

Expert Comment

by:simonlimon
ID: 33519326
You have to create a firewall rule in the TMG console, not the Windows Firewall console, as the TMG console replaces the Windows Firewall console.

In TMG, you have to first create a custom protocol definition and enter which ports it uses. You then create an access rule, or a publishing rule, depending on whether you are using NAT.
 

Author Comment

by:D0TCom
ID: 33521774
I'm not using NAT. I created the access rule; since it's a sync process, I created 2 rules:

rule 1: from external to internal
rule 2: from internal to external

I have defined a custom protocol (5993) and called it GoldSync, since it's that app that requires the connection to be allowed.

My Forefront server is acting as an edge server only, with TMG functionality.
 
LVL 10

Expert Comment

by:simonlimon
ID: 33522262
Is the server directly connected to the Internet?

You can monitor session state on TMG: Reports -> Logging tab.

Filter by destination port, and you will see what happens with the traffic.
 

Author Comment

by:D0TCom
ID: 33522494
No, it's connected to a layer 3 switch > Juniper SSG. TMG is part of the domain as per the EBS installation.

I'll check the logs.
 
LVL 16

Expert Comment

by:PaciB
ID: 33523163
Hi,

Remember that you need 2 protocol definitions, because in one way it's an outgoing protocol, and in the other way it's an incoming protocol... You can see that some pre-defined protocols (like SMTP) have 2 definitions: SMTP and SMTP Server...

Is it TCP 5993 or is it UDP 5993?

If it's UDP, in the protocol definition for outgoing traffic you need to declare it as Send/Receive, because when you send an outgoing UDP packet there is probably an incoming UDP packet as a response... So to tell TMG to accept the incoming response to an outgoing UDP packet you must declare the protocol definition as Send/Receive.
For the incoming UDP protocol definition it is the opposite: you need to declare it as Receive/Send.

Take a look in the Logging functionality of TMG and look for refused traffic to know which rule is missing...

Don't hesitate to give us an extract of the log for diagnosis.

Have a good day.
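Two replies above (simonlimon's, on filtering the TMG log by destination port, and PaciB's, on looking for refused traffic to see which rule is missing) describe a check that is easy to script once the log is exported. The Python below is an added example, not code from the thread or from Microsoft. It assumes a simplified, whitespace-delimited W3C-style export with a `#Fields:` header; the column names it reads (`client-ip`, `destination-ip`, `destination-port`, `protocol`, `action`, `rule`) are an assumption to adapt to your own export, the Internal network 192.0.2.0/24 is constructed, and the sample log lines are constructed as well.

```python
"""Find refused traffic to one port in a W3C-style TMG firewall log export.

Added example, not code from the thread. Assumptions: the export is
whitespace-delimited with a '#Fields:' header; the column names used
below (client-ip, destination-ip, destination-port, protocol, action,
rule) are assumed, and only the last column (rule) may contain spaces.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Tuple

# Constructed: the TMG "Internal" network, used to classify direction.
INTERNAL_NET = ip_network("192.0.2.0/24")

# Constructed sample export: 203.0.113.0/24 plays the External network and
# 192.0.2.10 is the internal GoldSync server. Actions are single tokens.
SAMPLE_LOG = """\
#Software: Microsoft Forefront TMG
#Fields: date time client-ip source-port destination-ip destination-port protocol action rule
2010-08-24 10:01:02 203.0.113.7 51000 192.0.2.10 5993 TCP Denied Default rule
2010-08-24 10:01:03 203.0.113.7 51001 192.0.2.10 5993 UDP Denied Default rule
2010-08-24 10:01:05 192.0.2.10 52000 203.0.113.7 5993 TCP Initiated GoldSync outgoing
2010-08-24 10:01:06 192.0.2.25 52001 198.51.100.4 443 TCP Initiated Allow web
2010-08-24 10:01:07 203.0.113.9 51002 192.0.2.10 3389 TCP Denied Default rule
"""


@dataclass(frozen=True)
class LogEntry:
    client_ip: str
    dest_ip: str
    dest_port: int
    protocol: str
    action: str
    rule: str

    @property
    def direction(self) -> str:
        """'inbound' = External client to Internal host, 'outbound' = the reverse."""
        src_internal = ip_address(self.client_ip) in INTERNAL_NET
        dst_internal = ip_address(self.dest_ip) in INTERNAL_NET
        if dst_internal and not src_internal:
            return "inbound"
        if src_internal and not dst_internal:
            return "outbound"
        return "other"


def parse_w3c(text: str) -> Iterator[LogEntry]:
    """Yield one LogEntry per data line, using the '#Fields:' header for column names."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if not fields:
            raise ValueError("data line before #Fields header")
        # The rule name (last column) may contain spaces, so split at most
        # len(fields) - 1 times and let the remainder be the rule name.
        values = line.split(None, len(fields) - 1)
        if len(values) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        rec = dict(zip(fields, values))
        yield LogEntry(
            client_ip=rec["client-ip"],
            dest_ip=rec["destination-ip"],
            dest_port=int(rec["destination-port"]),
            protocol=rec["protocol"].upper(),
            action=rec["action"],
            rule=rec["rule"],
        )


def denied_to_port(text: str, port: int) -> List[LogEntry]:
    """Entries that TMG refused where the destination port matches."""
    return [e for e in parse_w3c(text)
            if e.dest_port == port and e.action.startswith("Denied")]


def missing_rules(text: str, port: int) -> Dict[Tuple[str, str], int]:
    """Count refused hits per (direction, protocol); each key is a rule still to write."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in denied_to_port(text, port):
        key = (e.direction, e.protocol)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (direction, proto), n in sorted(missing_rules(SAMPLE_LOG, 5993).items()):
        print(f"{direction:8} {proto:4} to port 5993 denied {n} time(s)")
```

On the constructed sample the only refused hits on 5993 are inbound TCP and inbound UDP, both caught by the default deny rule; that is the signature PaciB describes of an incoming rule (or, in a NAT setup, a publishing rule) that has not been created yet, while the outbound GoldSync connection is already matched by its own rule.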
 

Author Comment

by:D0TCom
ID: 33524011
How long should it take to "fetch the results"?
 

Author Comment

by:D0TCom
ID: 33524053
It's 5993 TCP/UDP as per the requirements.
 
LVL 16

Expert Comment

by:PaciB
ID: 33524246
Hi,


Ok, so you should create 3 protocol definitions, let's say:

1) "GoldSync outgoing" protocol definition that contains the following Port declarations: TCP 5993 Outgoing, and UDP 5993 Send/Receive
2) "GoldSync TCP incoming" protocol definition that contains the following Port declaration: TCP 5993 Incoming
3) "GoldSync UDP incoming" protocol definition that contains the following Port declaration: UDP 5993 Receive/Send

Then, you should create an access rule for outgoing traffic that includes the "GoldSync outgoing" protocol.

After that, for incoming traffic, you start by creating two port listeners, one for each incoming protocol ("GoldSync TCP incoming" and "GoldSync UDP incoming"). You associate these listeners with the External network.
Then, you create 2 server publishing rules, one for each incoming protocol. Each publishing rule must be associated with one of the port listeners. In each publishing rule you designate the IP address of the internal server that should receive incoming requests.

This should work.

Have a good day.



 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33524547
Why would he use publishing rules when he is not using NAT?
 

Author Comment

by:D0TCom
ID: 33524787
How do I configure 2 port listeners?
 

Author Comment

by:D0TCom
ID: 33524871
Sorry, please ignore; I found the web listener :)
 

Author Comment

by:D0TCom
ID: 33525274
There is no option there to configure a port listener on it. I'm not sure if I'm looking in the right place...
 

Author Comment

by:D0TCom
ID: 33525776
The issue was resolved... it had nothing to do with TMG after all. I've configured a VIP for port forwarding and assigned it to the server where the synchronization software is installed.

Then I created a policy to allow incoming connections from a specific range of IPs to the server. And it worked flawlessly.

Tested the sync process and it's fine now. I still, however, don't know how to configure port listeners in TMG.
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 33546384
1. There is no such thing as "port listeners"

2. There is no such thing as Port Forwarding.   "Forwarding" = "routing",...ports are Layer4 Addresses and they are not "routable" addresses,...they can be Translated,...but not Routed,...hence Port Forwarding is a meaningless term invented by retail marketing departments to sell cheap NAT firewalls to home users while incorrectly calling them "routers".

What you did was create a Non-Web Server Publishing Rule that is using a process called Reverse-NAT.  The "listener" is simply integrated into the Rule,...it is not something that you can "see" separately on its own.

The only thing that has a separate distinct Listener is a Web Publishing Rule, which does not apply to this context.
 

Author Closing Comment

by:D0TCom
ID: 33546394
Thanks - pwindell.
 
LVL 29

Expert Comment

by:pwindell
ID: 33546480
You're welcome.  I wanted to clarify things even if you had not seen my reply.  It is important for it to be clarified for others in the future who may find this thread while looking for a similar solution,...so they need to clearly understand what they are looking for.
BTW - If you weren't running NAT,...the solution was not really the correct one.  In a routed non-NAT situation an Outbound Access Rule would be used instead.  It would be outbound from the specific external IP range to the IP of the internal resource.
However the Publishing Rule will work,...and you can leave it if you wish.  If you ever switch to NAT then you will need it anyway.
 
LVL 29

Expert Comment

by:pwindell
ID: 33558023
I started to say something too, but then figured "what's the point?".   I started to give the speech about grades are supposed to be about the accuracy, not whether it  was what one "wanted to hear".
 

Author Comment

by:D0TCom
ID: 33558498
There was no solution here, because the issue was not a TMG misconfiguration. My Juniper settings were revoked somehow; not sure how that can happen when I'm the only one that has access to the firewall (perhaps a seamless update?). Who knows....

I've created a virtual IP (VIP), according to Juniper's terminology, and assigned the ports accordingly to my up-link.

I've awarded you the points because you had explained port listeners, and ultimately it is a crucial step to open a port in TMG, whether in a NAT or non-NAT setup, aside from publishing it if it was NAT configured.

Thanks for your help.
 
LVL 29

Expert Comment

by:pwindell
ID: 33558549
Ok.