mickinoz2005

ISA Server / Firewall Client - blocking an application

Hi Folks,

We use Kaseya in our office and it has an agent that you install on your clients' computers and the agent checks back in to your server on port 5721 TCP.

We have a new client who uses ISA Server 2006 and the ISA firewall client and we are having great difficulty in getting our Kaseya agent to check in.

We have set up the firewall rules and we are confident they are correct but it is the firewall client where we seem to be struggling.

We can telnet from the client PC to our server address (which is an external address) on port 5721 fine but our agent will not communicate. If we stop the firewall client then we can no longer telnet, so this is leading us to believe it definitely is the firewall client.

We have asked around and even asked Kaseya but they obviously don't have many who use the ISA client as they could provide no information.

What do you need to set up in the firewall client rules to allow an application to communicate outbound on port 5721 (TCP) to an external server?

Cheers

Michael
mickinoz2005

ASKER

Anybody??
ASKER CERTIFIED SOLUTION
pwindell
This solution is only available to members.
We never got a solution to this but we think it is related to the fact that the service uses local system.

Thanks for your help though...
No, that is not why. The App was not, is not, supposed to be using the Firewall Service of the ISA/TMG to begin with. There is no way the ISA/TMG could handle it properly because it is not supposed to handle Internal-to-Internal traffic,...and it is not supposed to be receiving communication from the App in the first place.

The flaw is in the way the App is attempting the communication that causes the Firewall Client software to intercept the communication when it would normally ignore it.  Once the Firewall Client intercepts it and sends it to the ISA/TMG it is "game over" and it will always fail.

Since there is no apparent way to "adjust" the App's bad behavior,...the only solution is to remove the Firewall Client from any machine that uses this App.
The other possibility is that the App misuses Winsock and gets hung up in some kind of deadlock with the Firewall Client, which operates as a Winsock Layered Service Provider (Winsock LSP). Since I believe in one of the above posts the ISA/TMG logs showed that no traffic involving this App was actually hitting the ISA/TMG,...this is the most likely scenario. In any case the solution is still the same,...the Clients running this particular App will need to have the Firewall Client removed from them due to the apparently irreconcilable conflict of the two pieces of software running on the same machine at the same time.
Yeah, removing the client is not an option apparently. If you set the agent service to run as a domain user it works fine...
Yes, removing the Firewall Client is an option if you do it correctly. It may require creation or rearrangement of Access Rules so the machine can use the SecureNAT Service in place of the Firewall Service.

Changing the agent service to run under a user account just proves that it is using the ISA/TMG when the ISA/TMG is not supposed to be involved in the first place. So all that is doing is compensating for the problem,...it is not actually solving it. If it was solving the problem then the ISA/TMG would not even be involved and it would be a moot point.

You can do what you want, it is your stuff, but I have to clarify things because these threads are here for other people to search for solutions to their problems and it is important that they know the truth about how and what is happening and why,...otherwise we should not allow the thread to be put into the Experts-Exchange Database.
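
A diagnostic sketch for the three things argued over in this thread: which account the agent service logs on as, whether a layered Winsock provider sits in the catalog, and whether a plain TCP connect to port 5721 works from the current session. This is an added example, not code from any poster, Kaseya or Microsoft; the service name and server host are placeholders, and the parsing assumes English-language `netsh winsock show catalog` output with `Entry Type:`, `Description:` and `Provider Path:` fields.

```powershell
# Added example. $ServiceName and $ServerHost are placeholders (assumptions);
# replace them with the agent's real service name and your server address.
param(
    [string]$ServiceName = 'REPLACE-WITH-AGENT-SERVICE-NAME',
    [string]$ServerHost  = 'agent-server.example.com',
    [int]$Port           = 5721
)

# 1. Logon account of the agent service (LocalSystem vs. a domain user).
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service {0} runs as {1} (state: {2})" -f $svc.Name, $svc.StartName, $svc.State }
else      { "Service '$ServiceName' not found" }

# 2. Walk the Winsock catalog and collect every transport provider entry.
$entries = @()
$current = $null
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match 'Provider Entry\s*$') {
        $current = $null          # new entry header; name space entries are skipped
    } elseif ($line -match '^\s*Entry Type:\s+(.+?)\s*$') {
        $current = New-Object PSObject -Property @{ Type = $Matches[1]; Description = ''; Path = '' }
        $entries += $current
    } elseif ($current -and $line -match '^\s*Description:\s+(.+?)\s*$') {
        $current.Description = $Matches[1]
    } elseif ($current -and $line -match '^\s*Provider Path:\s+(.+?)\s*$') {
        $current.Path = $Matches[1]
    }
}
# Anything that is not a base provider is layered over the TCP/IP stack.
$layered = @($entries | Where-Object { $_.Type -notmatch '^Base' })
"Layered Winsock entries: {0}" -f $layered.Count
$layered | ForEach-Object { "  [{0}] {1} -> {2}" -f $_.Type, $_.Description, $_.Path }

# 3. Plain TCP connect in the context of whoever runs this script.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ServerHost, $Port)
    "Connect to {0}:{1} succeeded as {2}" -f $ServerHost, $Port, $env:USERNAME
} catch {
    "Connect to {0}:{1} failed as {2}: {3}" -f $ServerHost, $Port, $env:USERNAME, $_.Exception.Message
} finally {
    $tcp.Close()
}
```

The connect test runs as the logged-on user, so compare its result with the logon account reported in step 1 rather than treating it as proof of what the service itself can reach.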