Isa 2006 Dynamic Ports

Posted on 2014-03-18
Last Modified: 2014-04-06
We have the current setup of ISA 2006 (single homed) being used as a proxy server with some simple allow and deny rules.
This then goes through an ASA firewall where no ACLs are applied to the traffic from the ISA IP address.
Currently it does an OK job.
What I am having trouble with is an application we have to fix trucks, which uses Portwise to connect back to the factory via an SSL tunnel. To negotiate this tunnel, the application uses dynamic ports 60000-65535.
What is happening is the following:

1. The application sends a DNS query to the DNS server to ask for the IP address of the Truck_factory server; this step is only executed if it is not stored in the computer's DNS cache. -> DNS query “” to DNS-server

2. The DNS server sends the response valid.ip.address back to the client computer.
DNS-server -> “Truck_factory server ip-address valid.ip.address” -> to client

3. The APPLICATION client machine sends an https “SYN message” to the Truck_factory server using the upper dynamic port range on the computer, 60000-65535. -> “https SYN message” to Truck_factory-server valid.ip.address:443

4. The Truck_factory server sends an https answer “RST, ACK” to the client's “SYN message”; the client machine tries one more time to send a new SYN message but gets the same “RST, ACK” answer, then the APPLICATION on the client machine throws the error message.
valid.ip.address:443 -> “https RST, ACK” back to the client

Everything happens except step 4 when using the ISA 2006.
Previously there was no issue when it used a lower dynamic port range.

Please can anyone help me, might have to blow out some cobwebs :)
Question by:cplitd

Expert Comment

ID: 39940779
Without knowing the application:
The RST is sent either by the application itself, in which case ISA is out of scope, or by ISA.
The first thought is that ISA has to know the route. If a packet is sent out, ISA has to be aware of it to allow the response. If a packet takes a different way out than the response comes in, it will deny the packet, and the result may be a RST. This should be visible in the ISA logs.

The other thought is, as RPC is involved, that ISA usually handles such traffic on defined ports, usually something around 5000. So if it works on such a port range and not with 60k ports, a reason may be the default RPC port range for Windows servers, which is defined around port 5000.

So keep track of the ISA logs, what passes ISA and whether the communication chain is closed, i.e. every packet sent out passes ISA as well as the response which comes back.

Second, check if RPC is involved; this possibly needs some changes in the registry to reflect the allowed ports for such communications.

The other possibility, as ISA is only a proxy, is to bypass ISA for this application.
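The check Bembi describes, that every outbound packet and its response both pass ISA, can be automated over an exported log. This is an added example, not code from the thread; the log lines and their format are constructed here, so the regular expression must be adapted to whatever ISA or Wireshark export is actually used.

```javascript
// Added example (not from the original thread): scan a connection log for the
// symptom the question describes, a client SYN from the upper dynamic port
// range (60000-65535) answered with RST,ACK or not answered at all.
// The log lines and their format are constructed for this example; ISA's own
// log format differs, so adapt LOG_RE to what you export.
const LOG_RE = /^(OUT|IN)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+\[([A-Z,]+)\]$/;

const SAMPLE_LOG = [
  "OUT 10.1.5.23:61234 -> 203.0.113.10:443 [SYN]",
  "IN  203.0.113.10:443 -> 10.1.5.23:61234 [RST,ACK]",
  "OUT 10.1.5.23:61235 -> 203.0.113.10:443 [SYN]",
  "IN  203.0.113.10:443 -> 10.1.5.23:61235 [RST,ACK]",
  "OUT 10.1.5.23:4321 -> 203.0.113.10:443 [SYN]",
  "IN  203.0.113.10:443 -> 10.1.5.23:4321 [SYN,ACK]",
  "OUT 10.1.5.23:64000 -> 198.51.100.7:443 [SYN]",
];

// Pair every outbound SYN with the first inbound packet for the same client
// socket. Returns one finding per SYN with verdict reset, unanswered or ok.
function analyse(lines, low = 60000, high = 65535) {
  const syns = new Map(); // "cip:cport>sip:sport" -> reply flags or null
  for (const line of lines) {
    const m = LOG_RE.exec(line.trim());
    if (!m) continue;
    const [, dir, src, sport, dst, dport, flags] = m;
    if (dir === "OUT" && flags === "SYN") {
      const key = `${src}:${sport}>${dst}:${dport}`;
      if (!syns.has(key)) syns.set(key, null);
    } else if (dir === "IN") {
      const key = `${dst}:${dport}>${src}:${sport}`;
      if (syns.has(key) && syns.get(key) === null) syns.set(key, flags);
    }
  }
  return [...syns].map(([key, reply]) => {
    const [client, server] = key.split(">");
    const cport = Number(client.split(":")[1]);
    const verdict = reply === null ? "unanswered" : reply === "RST,ACK" ? "reset" : "ok";
    return { client, server, upperDynamicPort: cport >= low && cport <= high, verdict };
  });
}

// Connections from the upper dynamic range that were reset or never answered:
// the pattern to look for in the ISA logs before blaming the application.
function suspicious(findings) {
  return findings.filter((f) => f.upperDynamicPort && f.verdict !== "ok");
}
```

An "unanswered" SYN whose reply shows up on another path is the routing case Bembi mentions; a "reset" one points at either the server or ISA itself.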

Author Comment

ID: 39941048
Thanks Bembi,
Looking into your suggestions.
I have confirmed the server should be able to use up to port 65535 for RPC communication:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
I also entered a new key in the registry
specifying the ports 1025 to 605535 to use.
Will test the application again and look into the ISA and wireshark logs again.

Expert Comment

ID: 39943465
The other solution may be, as you use ISA only as a proxy, to bypass the proxy for this application.

Author Comment

ID: 39943498
The application grabs the proxy settings from internet explorer to find its way to the internet.
I have 15 subnets, up to 60 dhcp addresses that could be accessing this application at one time.
The only way I know how to "bypass the proxy for this application" would be getting 60 addresses permissions to exit the ASA firewall, which would then be the default for all internet bound traffic.  
Is there a smarter way of doing this?


Accepted Solution

Bembi earned 500 total points
ID: 39943565
You can define proxy exceptions, as I would assume you already do for internal web services.

This is a browser setting, so either it is set by hand, by GPO, or, if you use a configuration link, by ISA auto detection (in this case ISA hosts the exception list).

What you have to make sure of in this case is that the way back is the same. So if ASA forwards all traffic blind to the ISA, it will not work.

If a request passes the ISA, the response is allowed to pass ISA too. If the request bypasses ISA, the response is never allowed to pass ISA. So ASA has to separate the response traffic too. That makes the bypass a little bit more tricky.
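The exception list Bembi describes is, in the ISA auto-detection case, a proxy auto-config (PAC) script. The one below is an added example, not code from the thread or from ISA: the factory host name, the internal domain suffix and the proxy address are assumed placeholders, and the two helper functions are stand-ins for the ones a browser normally provides so the script can be exercised outside a browser.

```javascript
// Added example, not from the thread: a proxy auto-config (PAC) script of the
// kind ISA's auto-detection hands to clients. It sends the truck application's
// factory server DIRECT (past the ISA proxy, so the ASA must allow that traffic
// and its replies) and everything else through ISA. The host names and the
// proxy address below are assumed placeholders, not values from the thread.
var ISA_PROXY = "PROXY isa-proxy.example.internal:8080";
var FACTORY_HOSTS = ["truckfactory.example.com"];
var INTERNAL_SUFFIX = ".corp.example";

// Minimal stand-ins for the PAC helper functions a browser provides, so the
// script can also be exercised outside a browser (for example under Node).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bypass the proxy for the factory server only; the SSL tunnel is then
  // negotiated directly, so ISA never has to track its dynamic-port flows.
  for (var i = 0; i < FACTORY_HOSTS.length; i++) {
    if (host === FACTORY_HOSTS[i]) return "DIRECT";
  }
  // Internal hosts (single-label names and the company suffix) also go DIRECT.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) return "DIRECT";
  // Everything else stays under the existing ISA allow/deny rules.
  return ISA_PROXY;
}
```

If the exception list is pushed by GPO instead of a PAC file, the same factory host goes into the browser's proxy exceptions, and the ASA rule set still has to permit the direct flow and its return traffic from every client subnet.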

Author Comment

ID: 39951617
Getting the ASA firewall people to allow traffic through the firewall from all my sites.
Will try the bypass proxy once this is done.

Author Comment

ID: 39959989
Hi Bembi,
I have set up the proxy bypass for the following traffic.
That idea is working well, thanks.

Still no solution on how to allow the ISA to allow this traffic?

Expert Comment

ID: 39967577
At least what I remember from ISA 2006 (it is some time ago) is that such constructions were not quite easy with ISA 2006 and the latest SP / update was needed for some kinds of communication. That is one of the reasons I later moved to TMG, where TMG took a bit more control over the traffic than ISA 2006 did.

What is still a fact is that ISA needs full control of the traffic, which may be more or less a routing logic problem than a real ISA issue in a 1 NIC constellation. And the OS and ISA are working "hand in hand", meaning the traffic is partly controlled by ISA and partly by settings of the OS.

The rule is: everything that comes in has to pass the ISA when going out.

Another old ISA rule is that ISA allows what is defined, meaning everything that is not defined will be denied. For dynamic ports this means that even if the outgoing traffic is recognized by ISA, ISA needs a rule to allow the response to go back.

The major problem is the dynamic port range, which is not really handled very well by ISA 2006. You can open the whole range to make sure that the traffic is allowed; whether this is a good solution is another question.

Without knowledge of how the application is really communicating, it is not quite easy to say whether ISA 2006 can handle it.

Author Closing Comment

ID: 39982019
Not intended as a reflection on the help given, as it was greatly appreciated.
The answer is for the workaround, not quite what I was after, but it is working and people are happy.
