?
Solved

How to setup rexec with forefront TMG

Posted on 2011-09-20
7
Medium Priority
?
873 Views
Last Modified: 2012-05-12
Hi,

We are implementing a solution where we are placing a forefront TMG machine between our clients
and our server and the clients are on a separate VLAN.

Now we are experiencing problems when the clients try doing a Rexec against our server and we believe
it has something to do with the fact that Rexec starts on port 512 but later on switches communication
to the stderr port and when this happens our server don't get a correct SYN ACK back from the client and
eventually the server times out the connection since no SYN ACK has reached the server.

Have anybody implemented a solution with forefront TMG and rexec that knows something about this?
0
Comment
Question by:IT-VAS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 36572690
I hadn't implement that solution before, but hope the below will help:

You can define a new protocol using a primary port and secondary port from the new protocol wizard.

then add this protocol to that access rule.
0
 

Author Comment

by:IT-VAS
ID: 36572718
Hi,

Thank you for the answer. We have thought of that solution, but the trouble is that the rexec protocol seems to choose
different stderr ports every timy in the range from 1024 and above so we don't know how to solve it without opening
a lot of ports in the forefront TMG.

It seems very hard to find material related to Rexec through firewall.

Br,
Johan
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 36572733
emmmmmm,

you can reduce the risk by opening these ports only to a specific host no to all external.

create a new computer object with the server ip address, and create an access rule from internal to that computer.

If that is not an option for, the application documents should advice which ports are required to make it work correctly.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:IT-VAS
ID: 36573453
Hi again,

We have tried both suggestions, but with no success.

Forefront says Unidentified IP-trafic (TCP:512) Connection Established with result SUCCESS
But after that there is no more information in the logging and still no connection between client and server.

Br,
Johan
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36573577
I think you are seeing why it is just plain a bad idea to put a firewall between the Clients and their LAN Resources.   Firewalls are to protect the LAN from outside networks,...you should not be sticking them in the middle of the private LAN.  the fact that the users are a different subnet in this case is a given and the fact that the subnet (segment) was created by VLANing doesn't really matter.

Many applications that are designed to operate within a private LAN use protocols that are too complex to run over a firewall unless the Firewall has an Application Layer Filter to interpret and process the protocol's traffic pattern,...and there is no way you are going to come up with an Application Filter for a custom application such as this.
0
 

Accepted Solution

by:
IT-VAS earned 0 total points
ID: 36579193
Hi,

We have solved the issue ourselves by changing traffic from the client to instead use Stdout port for Rexec communication.
Then there is no need to set up specific rules since everything is using port 512.

Br,
Johan
0
 

Author Closing Comment

by:IT-VAS
ID: 36708034
Not the perfect solution, but it only requires minor change in the clients to make it work.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question