Solved

ISA Server / Firewall Client - blocking an application

Posted on 2011-09-19
Last Modified: 2012-05-12
Hi Folks,

We use Kaseya in our office and it has an agent that you install on your clients' computers, and the agent checks back in to your server on port 5721 TCP.

We have a new client who uses ISA Server 2006 and the ISA Firewall Client, and we are having great difficulty in getting our Kaseya agent to check in.

We have set up the firewall rules and we are confident they are correct, but it is the firewall client where we seem to be struggling.

We can telnet from the client PC to our server address (which is an external address) on port 5721 fine, but our agent will not communicate. If we stop the firewall client then we can no longer telnet, so this is leading us to believe it definitely is the firewall client.

We have asked around and even asked Kaseya, but they obviously don't have many who use the ISA client, as they could provide no information.

What do you need to set up in the firewall client rules to allow an application to communicate outbound on port 5721 (TCP) to an external server?

Cheers

Michael
Question by:mickinoz2005
7 Comments
 
LVL 5

Author Comment

by:mickinoz2005
ID: 36566527
Anybody??
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 36566869
If we stop the firewall client then we can no longer telnet so this is leading us to believe it definitely is the firewall client.

Then that should lead you to believe that it is not the Firewall Client. The communication works when it is enabled,...does not work when disabled,...so clearly the Firewall Client is doing what it is supposed to do.

You need to consider that the Agent may not operate via the currently logged-in user account,...instead it probably uses a Service Account or the Local System Account. When you Telnet you do so under the currently logged-in user. So,...this means that if the Access Rule requires authentication, the manual Telnet authenticates but the automated Agent does not,...and hence fails. To solve that, the Access Rule used by the Agent must be unauthenticated (anonymous),...this means the Users Tab in the properties of the Rule must be set to only "All Users" (All Users = anonymous). It is also possible to have the Agent authenticate properly if you can run it from a Service Account that is a normal user account (instead of the Local System Account) and then add that account to the Rule as an allowed account,...but I try to never make things that complicated.

Another thing that usually gets in the way is the Web Proxy Service. If the Agent has "proxy settings" then they need to be completely disabled to make the Agent "proxy agnostic". If the Agent does not have proxy settings then it may be hardcoded to "do whatever IE does". If the latter is true then you will have to run IE without proxy settings and allow the Proxy usage to be covered by the Firewall Client alone. You would also have to go into the local config of the Firewall Client and uncheck the checkbox that tells it to push the config to the browser. If you don't do that last step the Firewall Client will push the proxy settings back to the browser again on a 30-minute cycle.
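As an added diagnostic for the points made in this answer (it is not part of the original thread, and it is not Kaseya's or Microsoft's own tooling), the PowerShell below checks on the affected PC the three things pwindell names: the logon account of the agent service, whether the Firewall Client's Winsock LSP is present, and the browser proxy settings. It then runs the same TCP connect to port 5721 twice, once as the logged-in user (what the telnet test did) and once as LocalSystem through a one-shot scheduled task (what the service sees). The server name is a placeholder, and the service-name pattern `KAgent*` and the catalog pattern `Firewall Client|FwcWsp` are assumptions to adjust; it needs an elevated prompt because of the SYSTEM task.

```powershell
# Added diagnostic, not from the thread. Run from an elevated PowerShell on the
# client PC behind ISA. Assumptions (not stated in the thread): the Kaseya server
# name is a placeholder, the agent service name starts with "KAgent", and the
# Firewall Client LSP shows up in the Winsock catalog as "Firewall Client"/FwcWsp.
param(
    [string]$Server  = 'kserver.example.com',   # placeholder, set to the real Kaseya server
    [int]   $Port    = 5721,                    # agent check-in port from the question
    [string]$Service = 'KAgent*'                # assumed service-name pattern
)

# 1. Which account does the agent service log on as? A built-in account cannot
#    satisfy an access rule that requires authentication; such a service needs a
#    rule whose Users tab is only "All Users" (anonymous), or a real service account.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
Get-WmiObject Win32_Service | Where-Object { $_.Name -like $Service } | ForEach-Object {
    $anon = $builtin -contains $_.StartName
    '{0,-20} logs on as {1,-30} needs anonymous rule: {2}' -f $_.Name, $_.StartName, $anon
}

# 2. Is the Firewall Client LSP registered in the Winsock catalog at all?
$lsp = netsh winsock show catalog | Select-String -Pattern 'Firewall Client|FwcWsp'
"Firewall Client entries in Winsock catalog: $(@($lsp).Count)"

# 3. Browser proxy settings. The Firewall Client re-applies these on its 30-minute
#    cycle unless "configure web browser" is cleared in its local configuration.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
'IE ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}' -f $ie.ProxyEnable, $ie.ProxyServer, $ie.AutoConfigURL

# 4. A plain TCP connect to the check-in port, kept as text so the same probe can
#    be handed to the scheduled task below. Backticks stop the outer shell from
#    expanding the probe's own variables; $Server and $Port are baked in.
$probe = @"
`$c = New-Object System.Net.Sockets.TcpClient
try {
    `$ar = `$c.BeginConnect('$Server', $Port, `$null, `$null)
    if (`$ar.AsyncWaitHandle.WaitOne(5000)) { `$c.EndConnect(`$ar); 'CONNECTED' } else { 'TIMEOUT' }
} catch { 'FAILED: ' + `$_.Exception.Message } finally { `$c.Close() }
"@
'Connect as {0,-12}: {1}' -f $env:USERNAME, (& ([scriptblock]::Create($probe)))

# 5. The same probe as SYSTEM, the context the agent service actually runs in.
#    schtasks /RU SYSTEM requires an elevated prompt; the task is deleted afterwards.
$script = Join-Path $env:windir 'Temp\isa-probe.ps1'
$out    = Join-Path $env:windir 'Temp\isa-probe.txt'
Set-Content -Path $script -Value "& { $probe } | Out-File -FilePath '$out'"
$task = 'ISAProbeAsSystem'
schtasks /Create /F /TN $task /RU SYSTEM /SC ONCE /ST 00:00 `
    /TR "powershell -NoProfile -ExecutionPolicy Bypass -File $script" | Out-Null
schtasks /Run /TN $task | Out-Null
Start-Sleep -Seconds 15
'Connect as {0,-12}: {1}' -f 'SYSTEM', (Get-Content $out -ErrorAction SilentlyContinue)
schtasks /Delete /F /TN $task | Out-Null
Remove-Item $script, $out -ErrorAction SilentlyContinue
```

If the interactive probe reports CONNECTED and the SYSTEM probe does not, the access rule's authentication requirement is the cause, and the rule's Users tab (or the service's logon account) is what to change; if both fail, look at the LSP and proxy results instead. Switching the service to a domain account, as the asker eventually did, stores that account's password as an LSA secret on every managed endpoint, so it should be a dedicated account with no rights beyond what the agent needs.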
LVL 5

Author Closing Comment

by:mickinoz2005
ID: 36913071
We never got a solution to this, but we think it is related to the fact that the service uses Local System.

Thanks for your help though...
LVL 29

Expert Comment

by:pwindell
ID: 36913277
No, that is not why. The App was not, is not, supposed to be using the Firewall Service of the ISA/TMG to begin with. There is no way the ISA/TMG could handle it properly because it is not supposed to handle Internal-to-Internal traffic,...and it is not supposed to be receiving communication from the App in the first place.

The flaw is in the way the App is attempting the communication that causes the Firewall Client software to intercept the communication when it would normally ignore it. Once the Firewall Client intercepts it and sends it to the ISA/TMG it is "game over" and it will always fail.

Since there is no apparent way to "adjust" the App's bad behavior,...the only solution is to remove the Firewall Client from any machine that uses this App.
LVL 29

Expert Comment

by:pwindell
ID: 36913303
The other possibility is that the App misuses Winsock and gets hung up in some kind of deadlock with the Firewall Client, which operates as a Winsock Layered Service Provider (Winsock LSP). Since I believe in one of the above posts the ISA/TMG logs showed that no traffic involving this App was actually hitting the ISA/TMG,...this is the most likely scenario. In any case the solution is still the same,...the Clients running this particular App will need to have the Firewall Client removed from them due to the apparently irreconcilable conflict of the two pieces of software running on the same machine at the same time.
LVL 5

Author Comment

by:mickinoz2005
ID: 36913386
Yeah, removing the client is not an option apparently; if you set the agent service to run as a domain user it works fine...
LVL 29

Expert Comment

by:pwindell
ID: 36916861
Yes, removing the Firewall Client is an option if you do it correctly.  It may require creation or rearrangement of Access Rules so the machine can use the SecureNAT Service in place of the Firewall Service.

Changing the agent service to run under a user account just proves that it is using the ISA/TMG when the ISA/TMG is not supposed to be involved in the first place. So all that is doing is compensating for the problem,...it is not actually solving it. If it was solving the problem then the ISA/TMG would not even be involved and it would be a moot point.

You can do what you want, it is your stuff, but I have to clarify things because these threads are here for other people to search for solutions to their problems and it is important that they know the truth about how and what is happening and why,...otherwise we should not allow the thread to be put into the Experts-Exchange Database.