
Allow a specific port in TMG

Posted on 2010-08-24
6,634 Views
Last Modified: 2013-11-10
Hi,

How do I enable a port for inbound and outbound connections (like a synchronization process) in TMG?

The program was working fine until I realized that the TMG firewall wasn't running, so I started the firewall and created a rule in the inbound & outbound section to allow this port.

Added it to the exceptions, although I saw my rules there anyway.

I'm still having issues trying to sync the software. Am I missing something here?

Please help.
Question by:D0TCom
22 Comments
 
LVL 16

Expert Comment

by:PaciB
Hi,

First of all, is TMG configured to NAT outgoing traffic? Or does it simply route outgoing traffic?
If your TMG is NATing you'll need at least 2 rules to allow bidirectional connections: one "access rule" for outgoing traffic, and one "publishing rule" for incoming traffic.

Then, are you sure that there are both outgoing and incoming connections? Outgoing connections are easy to allow through a NATing ISA/TMG; incoming connections require a publishing rule.

What port is needed? Is it TCP or UDP?
About incoming connections (if they are really needed), ensure that the internal target is a unique machine... You cannot make a publishing rule for multiple internal targets!

Have a good day.
 
LVL 51

Expert Comment

by:Keith Alabaster
What is 'the software'? What is it syncing with?
What is the direction of the sync? ie Is this external users syncing to your internal service or your internal users/servers syncing with an external service?

Was the port required already defined in the FTMG protocol objects, or have you defined it yourself? If you did it, what definitions have you used?
 
LVL 10

Expert Comment

by:simonlimon
You have to create a firewall rule in the TMG console, not the Windows Firewall console, as the TMG console replaces the Windows Firewall console.

In TMG, you have to first create a custom protocol definition and enter which ports it uses. You then create an access rule, or a publishing rule; it depends on whether you are using NAT.
 

Author Comment

by:D0TCom
I'm not using NAT. I created the access rule; since it's a sync process I created 2 rules:

rule1 from external - internal
rule2 from internal - external

I have defined a custom protocol (5993) and called it GoldSync, since that is the app that requires the connection to be allowed.

My Forefront is acting as an edge server only, with TMG functionality.
 
LVL 10

Expert Comment

by:simonlimon
Is the server directly connected to the Internet?

You can monitor sessions on TMG: Reports -> Logging tab.

Filter by destination port and you will see what happens with the traffic.
 

Author Comment

by:D0TCom
No, it's connected to a layer 3 switch > Juniper SSG. TMG is part of the domain as per the EBS installation.

I'll check the logs..
 
LVL 16

Expert Comment

by:PaciB
Hi,

Remember that you need 2 protocol definitions, because in one direction it's an outgoing protocol, and in the other direction it's an incoming protocol... You can see that some pre-defined protocols (like SMTP) have 2 definitions: SMTP and SMTP Server...

Is it TCP 5993 or is it UDP 5993??

If it's UDP, in the protocol definition for outgoing traffic you need to declare it as Send/Receive, because when you send an outgoing UDP packet there is probably an incoming UDP packet as a response... So to tell TMG to accept the incoming response to an outgoing UDP packet you must declare the protocol definition as Send/Receive.
For the incoming UDP protocol definition it is the opposite: you need to declare it as Receive/Send.

Take a look in the Logging functionality of TMG and look for refused traffic to know which rule is missing...

Don't hesitate to give us an extract of the log for diagnosis.


Have a good day

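Both simonlimon (filter the log by destination port) and PaciB (look for refused traffic to see which rule is missing) point at the TMG log as the place to settle this. The script below is an added example written for this thread; it is not code from the thread, from TMG, or from the GoldSync vendor. It parses W3C-format firewall log text and triages every entry for one destination port by direction (source network -> destination network / protocol), telling apart connections TMG allowed, connections it denied because no rule matched (the catch-all default rule fired), connections denied by a named rule, and a port that never shows up at all. The sample log is constructed: its columns are a simplified subset of a real TMG firewall log (the parser takes column names from the `#Fields:` line, so it also works with the real header), the addresses and rule names are made up, and the action strings and the assumption that the catch-all deny is named "... Default rule" should be checked against your own log before relying on the classification.

```python
"""Triage Microsoft Forefront TMG firewall-log entries for one destination port.

Added example for this thread (not TMG's own tooling). Given W3C-format
firewall log text, keep the entries whose destination port matches, group
them by direction and protocol, and report whether TMG allowed them, denied
them because no rule matched, denied them by a named rule, or never saw them.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample log (not a real capture). The columns are a simplified
# subset of a real TMG W3C firewall log; parse_w3c() reads the column names
# from the '#Fields:' line rather than hard-coding them, so it copes with the
# real header too. Addresses, rule names and action strings are made up.
SAMPLE_LOG = (
    "#Software: Microsoft Forefront TMG\n"
    "#Version: 2.0\n"
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\tsource network\t"
    "destination network\taction\trule\n"
    "2010-08-24\t09:00:01\tTCP\t203.0.113.10:50120\t192.0.2.5:5993\tExternal\tInternal\t"
    "Denied Connection\t[Enterprise] Default rule\n"
    "2010-08-24\t09:00:02\tUDP\t203.0.113.10:50121\t192.0.2.5:5993\tExternal\tInternal\t"
    "Denied Connection\t[Enterprise] Default rule\n"
    "2010-08-24\t09:00:05\tTCP\t192.0.2.5:51000\t203.0.113.10:5993\tInternal\tExternal\t"
    "Allowed Connection\tGoldSync out\n"
    "2010-08-24\t09:00:06\tTCP\t192.0.2.5:51001\t203.0.113.10:443\tInternal\tExternal\t"
    "Allowed Connection\tAllow web\n"
    "2010-08-24\t09:00:07\tTCP\t198.51.100.7:40000\t192.0.2.5:5993\tExternal\tInternal\t"
    "Denied Connection\tBlock bad range\n"
)

# Assumption: the catch-all deny rule's name contains "default rule"
# (TMG shows it as "[Enterprise] Default rule" / "Default rule").
DEFAULT_RULE_MARKER = "default rule"


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per entry, keyed by the
    column names declared in the '#Fields:' directive (tab-separated)."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date, ...
        if not fields:
            raise ValueError("data line before any #Fields: header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def _dest_port(endpoint: str) -> int:
    """'192.0.2.5:5993' -> 5993; also handles '[2001:db8::5]:5993'.
    Returns -1 when the endpoint carries no port (e.g. ICMP)."""
    if ":" not in endpoint:
        return -1
    return int(endpoint.rsplit(":", 1)[1])


def classify(entry: Dict[str, str]) -> str:
    """Map one entry to allowed / no_matching_rule / denied_by_rule / other."""
    action = entry["action"].lower()
    if action.startswith(("allowed", "initiated", "closed")):
        return "allowed"
    if action.startswith("denied"):
        if DEFAULT_RULE_MARKER in entry["rule"].lower():
            return "no_matching_rule"  # nothing allowed it: a rule is missing
        return "denied_by_rule"        # an explicit rule blocks it
    return "other"


def triage(log_text: str, port: int) -> Dict[str, object]:
    """Summarise what TMG did with connections to `port`, per direction."""
    entries = [e for e in parse_w3c(log_text) if _dest_port(e["destination"]) == port]
    if not entries:
        return {"port": port, "seen": False, "by_direction": {}, "missing_rules": [],
                "blocking_rules": {},
                "verdict": "no traffic to this port reached TMG; check the upstream device"}
    by_direction: Dict[str, Counter] = {}
    blocking: Counter = Counter()
    for e in entries:
        key = f"{e['source network']}->{e['destination network']}/{e['IP protocol']}"
        outcome = classify(e)
        by_direction.setdefault(key, Counter())[outcome] += 1
        if outcome == "denied_by_rule":
            blocking[e["rule"]] += 1
    missing = sorted(k for k, c in by_direction.items() if c["no_matching_rule"])
    if missing:
        verdict = "no access/publishing rule matched for: " + ", ".join(missing)
    elif blocking:
        verdict = "traffic is blocked by named rule(s): " + ", ".join(sorted(blocking))
    else:
        verdict = "TMG allowed every connection it saw; the problem is elsewhere"
    return {"port": port, "seen": True,
            "by_direction": {k: dict(c) for k, c in by_direction.items()},
            "missing_rules": missing, "blocking_rules": dict(blocking), "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, 5993).items():
        print(f"{key}: {value}")
```

Read the result by direction: a denial attributed to the default rule on External->Internal means no publishing rule (or, on a routed non-NAT network, no inbound access rule) covered that protocol, which is exactly the gap PaciB's separate incoming TCP and UDP definitions are meant to close; a denial by a named rule means the rule order is wrong or the source range is excluded; and a port that never appears in the log at all did not reach TMG in the first place, which is what the asker eventually found with the upstream Juniper.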
 

Author Comment

by:D0TCom
How long should it take to "fetch the results"?
 

Author Comment

by:D0TCom
It's 5993 TCP/UDP as per the requirements.
 
LVL 16

Expert Comment

by:PaciB
Hi,


OK, so you should create 3 protocol definitions, let's say:

1) "GoldSync outgoing" protocol definition that contains the following Port declarations: TCP 5993 Outgoing, and UDP 5993 Send/Receive
2) "GoldSync TCP incoming" protocol definition that contains the following Port declaration: TCP 5993 Incoming
3) "GoldSync UDP incoming" protocol definition that contains the following Port declaration: UDP 5993 Receive/Send

Then, you should create an access rule for outgoing traffic that includes the "GoldSync outgoing" protocol.

After that, for incoming traffic, you start by creating two port listeners, one for each incoming protocol ("GoldSync TCP incoming" and "GoldSync UDP incoming"). You associate these listeners with the External network.
Then, you create 2 server publishing rules, one for each incoming protocol. Each publishing rule must be associated with one of the port listeners. In each publishing rule you designate the IP address of the internal server that should receive incoming requests.

This should work.

Have a good day.


 
LVL 51

Expert Comment

by:Keith Alabaster
Why would he use publishing rules when he is not using NAT?
 

Author Comment

by:D0TCom
How do I configure 2 port listeners?
 

Author Comment

by:D0TCom
Sorry, please ignore - found the web listener :)
 

Author Comment

by:D0TCom
There is no option there to configure a port listener on it. I'm not sure if I'm looking in the right place...
 

Author Comment

by:D0TCom
Issue was resolved... it had nothing to do with TMG after all. I've configured a VIP for port forwarding and assigned it to the server where the synchronization software is installed.

Then I created a policy to allow incoming connections from a specific range of IPs to the server. And it worked flawlessly.

Tested the sync process and it's fine now. I still, however, don't know how to configure port listeners in TMG.

 
LVL 29

Accepted Solution

by:pwindell (earned 500 total points)
1. There is no such thing as "port listeners".

2. There is no such thing as Port Forwarding. "Forwarding" = "routing"... ports are Layer 4 addresses and they are not "routable" addresses... they can be translated, but not routed... hence Port Forwarding is a meaningless term invented by retail marketing departments to sell cheap NAT firewalls to home users while incorrectly calling them "routers".

What you did was create a Non-Web Server Publishing Rule that is using a process called Reverse-NAT. The "listener" is simply integrated into the rule... it is not something that you can "see" separately on its own.

The only thing that has a separate, distinct listener is a Web Publishing Rule, which does not apply to this context.
 

Author Closing Comment

by:D0TCom
Thanks - pwindell.
 
LVL 29

Expert Comment

by:pwindell
You're welcome. I wanted to clarify things even if you had not seen my reply. It is important for it to be clarified for others in the future who may find this thread while looking for a similar solution, so they need to clearly understand what they are looking for.
BTW - if you weren't running NAT, the solution was not really the correct one. In a routed non-NAT situation an Outbound Access Rule would be used instead. It would be outbound from the specific external IP range to the IP of the internal resource.
However, the Publishing Rule will work, and you can leave it if you wish. If you ever switch to NAT then you will need it anyway.
 
LVL 29

Expert Comment

by:pwindell
I started to say something too, but then figured "what's the point?". I started to give the speech about grades being supposed to be about accuracy, not about whether it was what one "wanted to hear".
 

Author Comment

by:D0TCom
There was no solution here, because the issue was not a TMG misconfiguration. My Juniper settings were revoked somehow; not sure how that can happen when I'm the only one that has access to the firewall (perhaps a seamless update?). Who knows...

I've created a virtual IP (VIP), according to Juniper's terminology, and assigned the ports accordingly to my uplink.

I've awarded you the points because you explained port listeners, and ultimately it is a crucial step to open a port in TMG whether in a NAT or non-NAT setup, aside from publishing it if it was NAT configured.

Thanks for your help.

 
LVL 29

Expert Comment

by:pwindell
Ok.