Solved

ISA Server / Firewall Client - blocking an application

Posted on 2011-09-19
7
963 Views
Last Modified: 2012-05-12
Hi Folks,

We use Kaseya in our office and it has an agent that you install on your clients computers and the agent checks back in to your server on port 5721 TCP.

We have a new client who uses ISA Server 2006 and the ISA Firewall Client, and we are having great difficulty in getting our Kaseya agent to check in.

We have set up the firewall rules and we are confident they are correct, but it is the firewall client where we seem to be struggling.

We can telnet from the client PC to our server address (which is an external address) on port 5721 fine, but our agent will not communicate. If we stop the firewall client then we can no longer telnet, so this is leading us to believe it definitely is the firewall client.

We have asked around and even asked Kaseya but they obviously don't have many who use the ISA client as they could provide no information.

What do you need to set up in the firewall client rules to allow an application to communicate outbound on port 5721 (TCP) to an external server?

Cheers

Michael
0
Question by:mickinoz2005
7 Comments
 
LVL 5

Author Comment

by:mickinoz2005
ID: 36566527
Anybody??
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 36566869
If we stop the firewall client then we can no longer telnet so this is leading us to believe it definitely is the firewall client.

Then that should lead you to believe that it is not the Firewall Client.   The communication works when it is enabled,...does not work when disabled,...so clearly the Firewall Client is doing what it is supposed to do.

You need to consider that the Agent may not operate via the currently logged in user account,...instead it probably uses a Service Account or the Local System Account.  When you Telnet you do so under the currently logged in user.  So,..this means that if the Access Rule requires authentication, the manual Telnet authenticates but the automated Agent does not,..and hence fails.  To solve that, the Access Rule used by the Agent must be unauthenticated (anonymous),..this means the Users Tab in the properties of the Rule must be set to only "All Users" (All Users = anonymous).  It is also possible to have the Agent authenticate properly if you can run it from a Service Account that is a normal user account (instead of the Local System Account) and then add that account to the Rule as an allowed account,...but I try to never make things that complicated.

Another thing that usually gets in the way is the Web Proxy Service.  If the Agent has "proxy settings" then they need to be completely disabled to make the Agent "proxy agnostic".  If the Agent does not have proxy settings then it may be hardcoded to "do whatever IE does".  If the latter is true then you will have to run IE without proxy settings and allow the Proxy usage to be covered by the Firewall Client alone.  You would also have to go into the local config of the Firewall Client and uncheck the checkbox that tells it to push the config to the browser.  If you don't do that last step the Firewall Client will push the proxy settings back to the browser again on a 30 minute cycle.
0
 
LVL 5

Author Closing Comment

by:mickinoz2005
ID: 36913071
We never got a solution to this, but we think it is related to the fact that the service uses Local System.

thanks for your help though...
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36913277
No that is not why.   The App was not, is not, supposed to be using the Firewall Service of the ISA/TMG to begin with.  There is no way the ISA/TMG could handle it properly because it is not supposed to handle Internal-to-Internal traffic,...and it is not supposed to be receiving communication from the App in the first place.

The flaw is in the way the App is attempting the communication that causes the Firewall Client software to intercept the communication when it would normally ignore it.  Once the Firewall Client intercepts it and sends it to the ISA/TMG it is "game over" and it will always fail.

Since there is no apparent way to "adjust" the App's bad behavior,...the only solution is to remove the Firewall Client from any machine that uses this App.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36913303
The other possibility is that the App misuses Winsock and gets hung up in some kind of deadlock with the Firewall Client, which operates as a Winsock Layered Service Provider (Winsock LSP).  Since I believe in one of the above posts the ISA/TMG logs showed that no traffic involving this App was actually hitting the ISA/TMG,...this is the most likely scenario.   In any case the solution is still the same,...the Clients running this particular App will need to have the Firewall Client removed from them due to the apparently irreconcilable conflict of the two pieces of software running on the same machine at the same time.
0
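The two hypotheses raised in this thread (the accepted answer's point that an agent running as Local System cannot satisfy an authenticated Access Rule, and the later comment that the Firewall Client's Winsock LSP may be colliding with the application) can both be checked from the affected workstation before anyone removes software. The script below is an added diagnostic, not code from Kaseya, Microsoft or this thread. It assumes Windows PowerShell on the client, a service name of `KaseyaAgent` and a server address of `kserver.example.com` (both placeholders to replace with the real values), and that the user running it is a local administrator. It reports the service account, tests TCP reachability to port 5721 first as the interactive user and then as LocalSystem via a one-shot scheduled task (which it deletes afterwards), and lists any Winsock catalog entries whose description looks like the Firewall Client LSP. Nothing about the ISA rules or the agent is changed.

```powershell
# Added diagnostic for the Local System / authenticated-rule and Winsock LSP hypotheses.
# Assumptions (placeholders): service name, server host. Requires local admin.
param(
    [string]$ServiceName = 'KaseyaAgent',         # assumption: the agent's real service name
    [string]$ServerHost  = 'kserver.example.com', # assumption: the Kaseya server's external address
    [int]$Port           = 5721
)

# 1. Which account does the agent service run under?
#    LocalSystem cannot present user credentials to an Access Rule that requires authentication.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service '$ServiceName' runs as: $($svc.StartName)" }
else      { "Service '$ServiceName' not found; confirm the name in services.msc" }

# 2. TCP reachability in the interactive user's context (what the manual telnet test showed).
function Test-TcpPort {
    param([string]$HostName, [int]$PortNumber, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $PortNumber, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
"As $env:USERNAME, connect to ${ServerHost}:${Port} -> $(Test-TcpPort $ServerHost $Port)"

# 3. The same test as LocalSystem, the context a service account of 'LocalSystem' actually uses.
#    A one-shot scheduled task runs a small script file; SYSTEM has no console, so the result
#    is written to a file. If this fails while step 2 succeeds, the rule requires authentication.
$scriptPath = 'C:\Windows\Temp\system-porttest.ps1'
$resultPath = 'C:\Windows\Temp\system-porttest.txt'
@"
`$c = New-Object System.Net.Sockets.TcpClient
try { `$c.Connect('$ServerHost', $Port); `$r = 'SYSTEM connect: OK' }
catch { `$r = 'SYSTEM connect: FAILED ' + `$_.Exception.Message }
finally { `$c.Close() }
`$r | Out-File '$resultPath'
"@ | Set-Content -Path $scriptPath

$taskCmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath"
schtasks /Create /TN SystemPortTest /TR $taskCmd /SC ONCE /ST 23:59 /RU SYSTEM /F | Out-Null
schtasks /Run /TN SystemPortTest | Out-Null
Start-Sleep -Seconds 10
if (Test-Path $resultPath) { Get-Content $resultPath }
else { 'No result file; the SYSTEM task did not run or could not write C:\Windows\Temp' }
schtasks /Delete /TN SystemPortTest /F | Out-Null
Remove-Item $scriptPath, $resultPath -ErrorAction SilentlyContinue

# 4. Is a Firewall Client LSP present in the Winsock catalog? (LSP-conflict hypothesis)
#    The match pattern is an assumption; inspect the full 'netsh winsock show catalog' output if unsure.
$catalog = netsh winsock show catalog
$catalog | Select-String -Pattern 'Description' | Select-String -Pattern 'Firewall|ISA|Forefront'
```

Read the three results together: service account LocalSystem, user-context connect OK, SYSTEM-context connect failed points at the authenticated Access Rule the accepted answer describes; all connects succeeding while the agent still fails, with a Firewall Client LSP listed in step 4, is consistent with the Winsock LSP conflict described in the later comment.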
 
LVL 5

Author Comment

by:mickinoz2005
ID: 36913386
yeah removing the client is not an option apparently, if you set the agent service to run as a domain user it works fine...
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36916861
Yes, removing the Firewall Client is an option if you do it correctly.  It may require creation or rearrangement of Access Rules so the machine can use the SecureNAT Service in place of the Firewall Service.

Changing the agent service to run under a user account just proves that it is using the ISA/TMG when the ISA/TMG is not supposed to be involved in the first place.  So all that is doing is compensating for the problem,...it is not actually solving it.  If it was solving the problem then the ISA/TMG would not even be involved and it would be a moot point.

You can do what you want, it is your stuff, but I have to clarify things because these threads are here for other people to search for solutions to their problems and it is important that they know the truth about how and what is happening and why,...otherwise we should not allow the thread to be put into the Experts-Exchange Database.
0