Solved

ISA Server / Firewall Client - blocking an application

Posted on 2011-09-19
941 Views
Last Modified: 2012-05-12
Hi Folks,

We use Kaseya in our office and it has an agent that you install on your clients' computers, and the agent checks back in to your server on port 5721 TCP.

We have a new client who uses ISA Server 2006 and the ISA Firewall Client, and we are having great difficulty in getting our Kaseya agent to check in.

We have setup the firewall rules and we are confident they are correct but it is the firewall client where we seem to be struggling.

We can telnet from the client PC to our server address (which is an external address) on port 5721 fine, but our agent will not communicate. If we stop the Firewall Client then we can no longer telnet, so this is leading us to believe it definitely is the Firewall Client.

We have asked around and even asked Kaseya but they obviously don't have many who use the ISA client as they could provide no information.

What do you need to set up in the Firewall Client rules to allow an application to communicate outbound on port 5721 (TCP) to an external server?

Cheers

Michael
Question by:mickinoz2005
7 Comments
 
LVL 5

Author Comment

by:mickinoz2005
ID: 36566527
Anybody??
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 36566869
If we stop the firewall client then we can no longer telnet so this is leading us to believe it definitely is the firewall client.

Then that should lead you to believe that it is not the Firewall Client.   The communication works when it is enabled,...does not work when disabled,...so clearly the Firewall Client is doing what it is supposed to do.

You need to consider that the Agent may not operate via the currently logged-in user account,...instead it probably uses a Service Account or the Local System Account.  When you Telnet you do so under that currently logged-in user.  So,..this means that if the Access Rule requires authentication, the manual Telnet authenticates but the automated Agent does not,..and hence fails.  To solve that, the Access Rule used by the Agent must be unauthenticated (anonymous),..this means the Users tab in the properties of the Rule must be set to only "All Users" (All Users = anonymous).  It is also possible to have the Agent authenticate properly if you can run it from a Service Account that is a normal user account (instead of the Local System Account) and then add that account to the Rule as an allowed account,...but I try to never make things that complicated.

Another thing that usually gets in the way is the Web Proxy Service.  If the Agent has "proxy settings" then they need to be completely disabled to make the Agent "proxy agnostic".  If the Agent does not have proxy settings then it may be hardcoded to "do whatever IE does".  If the latter is true then you will have to run IE without proxy settings and allow the proxy usage to be covered by the Firewall Client alone.  You would also have to go into the local config of the Firewall Client and uncheck the checkbox that tells it to push the config to the browser.  If you don't do that last step the Firewall Client will push the proxy settings back to the browser again on a 30-minute cycle.
0
 
LVL 5

Author Closing Comment

by:mickinoz2005
ID: 36913071
We never got a solution to this, but we think it is related to the fact that the service uses Local System.

Thanks for your help though...
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36913277
No that is not why.   The App was not, is not, supposed to be using the Firewall Service of the ISA/TMG to begin with.  There is no way the ISA/TMG could handle it properly because it is not supposed to handle Internal-to-Internal traffic,...and it is not supposed to be receiving communication from the App in the first place.

The flaw is in the way the App is attempting the communication that causes the Firewall Client software to intercept the communication when it would normally ignore it.  Once the Firewall Client intercepts it and sends it to the ISA/TMG it is "game over" and it will always fail.

Since there is no apparent way to "adjust" the App's bad behavior,...the only solution is to remove the Firewall Client from any machine that uses this App.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36913303
The other possibility is that the App misuses Winsock and gets hung up in some kind of deadlock with the Firewall Client, which operates as a Winsock Layered Service Provider (Winsock LSP).  Since I believe in one of the above posts the ISA/TMG logs showed that no traffic involving this App was actually hitting the ISA/TMG,...this is the most likely scenario.   In any case the solution is still the same,...the clients running this particular App will need to have the Firewall Client removed from them due to the apparently irreconcilable conflict of the two pieces of software running on the same machine at the same time.
0
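The two diagnoses above (the agent service running as Local System and therefore not authenticating to the ISA access rule, and the Firewall Client sitting in the Winsock LSP chain where it can intercept the agent's connections) can both be checked from the affected workstation. The following PowerShell is an added example for this thread, not code from any of the posters or from Kaseya or Microsoft. It assumes the agent's Windows service name is `KaseyaAgent` (a placeholder; read the real name from services.msc) and that the Firewall Client's service display name contains "Firewall Client"; both are assumptions to adjust for your environment.

```powershell
# Added diagnostic for the ISA Firewall Client / agent conflict described above.
# ASSUMPTION: the agent service name; replace with the real name from services.msc.
$serviceName = 'KaseyaAgent'

function Get-AgentLogonAccount {
    param([string]$Name)
    # Win32_Service.StartName is the account the service logs on as.
    # 'LocalSystem' means the agent presents no user credentials to an
    # ISA access rule that requires authentication, which is the first diagnosis.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) {
        Write-Warning "Service '$Name' not found; check the name in services.msc"
        return $null
    }
    return $svc.StartName
}

function Get-WinsockLspEntries {
    # The Firewall Client registers a Winsock Layered Service Provider (LSP).
    # Listing the catalog shows whether an LSP is present to intercept the
    # agent's sockets, which is the second diagnosis. 'netsh winsock show catalog'
    # prints one block per provider with 'Description:' and 'Provider Path:' lines.
    $catalog = netsh winsock show catalog
    return $catalog | Select-String -Pattern 'Description:|Provider Path:'
}

function Get-FirewallClientService {
    # ASSUMPTION: the ISA Firewall Client service display name contains this text.
    return Get-Service | Where-Object { $_.DisplayName -like '*Firewall Client*' } |
        Select-Object Name, DisplayName, Status
}

$account = Get-AgentLogonAccount -Name $serviceName
if ($account) {
    "{0} runs as: {1}" -f $serviceName, $account
    if ($account -eq 'LocalSystem') {
        'Runs as Local System: an authenticating ISA access rule will reject it. ' +
        'Either set the rule''s Users tab to "All Users" (anonymous) or run the ' +
        'service under a normal domain account that the rule allows.'
    }
}

'--- Winsock LSP catalog entries ---'
Get-WinsockLspEntries

'--- Firewall Client service (if installed) ---'
Get-FirewallClientService
```

Run it in an elevated PowerShell prompt on a workstation where the agent fails to check in. If the account line reports `LocalSystem` and the catalog lists a Firewall Client provider, the machine matches both conditions discussed in the thread; re-run after changing the service account or removing the Firewall Client to confirm which change cleared the problem.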
 
LVL 5

Author Comment

by:mickinoz2005
ID: 36913386
Yeah, removing the client is not an option apparently; if you set the agent service to run as a domain user it works fine...
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36916861
Yes, removing the Firewall Client is an option if you do it correctly.  It may require creation or rearrangement of Access Rules so the machine can use the SecureNAT Service in place of the Firewall Service.

Changing the agent service to run under a user account just proves that it is using the ISA/TMG when the ISA/TMG is not supposed to be involved in the first place.  So all that is doing is compensating for the problem,...it is not actually solving it.  If it was solving the problem then the ISA/TMG would not even be involved and it would be a moot point.

You can do what you want, it is your stuff, but I have to clarify things because these threads are here for other people to search for solutions to their problems and it is important that they know the truth about how and what is happening and why,...otherwise we should not allow the thread to be put into the Experts-Exchange Database.
0
