ISA 2006 Dynamic Ports
Posted on 2014-03-18
We have the current setup of ISA 2006 (single homed) being used as a proxy server with some simple allow and deny rules.
This then goes through an ASA firewall where no ACLs are applied to the traffic from the ISA IP address.
Currently it does an OK job.
What I am having trouble with is an application we have for fixing trucks; it uses Portwise to connect back to the Factory via an SSL tunnel. To negotiate this tunnel, the application uses dynamic ports 60000-65535.
What is happening is the following:
1. The Application sends a DNS query to the DNS server to ask for the IP address of the Truck_factory server access.truck_factory.com; this step is only executed if it's not stored in the computer's DNS cache.
10.87.68.143:64223 -> DNS query "access.truck_factory.com" to DNS-server 10.87.68.15:53
2. The DNS server sends the response valid.ip.address back to the client computer.
DNS-server 10.87.68.15:53 -> "Truck_factory server ip-address valid.ip.address" -> to client 10.87.68.143:64223
3. The APPLICATION client machine sends an HTTPS "SYN message" to the Truck_factory server using the upper dynamic port range on the computer (60000-65535).
10.87.68.143:61834 -> "https SYN message" to Truck_factory-server valid.ip.address:443
4. The Truck_factory server sends an HTTPS answer "RST, ACK" to the client's "SYN message"; the client machine tries one more time to send a new SYN message but gets the same "RST, ACK" answer, then the APPLICATION on the client machine throws the error message.
valid.ip.address:443 -> "https RST, ACK" back to the client 10.87.68.143:61834
Everything happens except step 4 when using the ISA 2006.
Previously there was no issue when it used a lower dynamic port range.
Please can anyone help me, might have to blow out some cobwebs :)
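To check the hypothesis in the post (that connections from the 60000-65535 range get "RST, ACK" while lower source ports work), the following added script correlates each client SYN with the reply it got and groups the outcomes by source-port band. It is an example written for this page, not the poster's code or any ISA/Portwise tooling; the input lines are constructed in the post's own notation, and 203.0.113.10 is a documentation placeholder standing in for valid.ip.address.

```python
import re
from collections import Counter, defaultdict

HIGH_RANGE = (60000, 65535)  # dynamic range the post says the application uses

# Constructed sample in the post's "src -> "flags" to dst" notation (not a real capture).
SAMPLE_LINES = """
10.87.68.143:61834 -> "https SYN" to 203.0.113.10:443
203.0.113.10:443 -> "https RST, ACK" to 10.87.68.143:61834
10.87.68.143:61834 -> "https SYN" to 203.0.113.10:443
203.0.113.10:443 -> "https RST, ACK" to 10.87.68.143:61834
10.87.68.143:49210 -> "https SYN" to 203.0.113.10:443
203.0.113.10:443 -> "https SYN, ACK" to 10.87.68.143:49210
10.87.68.143:60444 -> "https SYN" to 203.0.113.10:443
""".strip().splitlines()

LINE_RE = re.compile(r'^(\S+):(\d+)\s*->\s*"([^"]+)"\s*to\s*(\S+):\s*(\d+)$')


def parse_line(line):
    """Return (src_ip, src_port, FLAGS, dst_ip, dst_port), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port, flags, dst_ip, dst_port = m.groups()
    return src_ip, int(src_port), flags.upper(), dst_ip, int(dst_port)


def correlate(lines):
    """Map each client (ip, port) to the outcome of every SYN it sent.

    A bare SYN opens a slot for that client port; the next server packet back to
    it closes the slot as 'reset' (RST) or 'accepted' (SYN, ACK). Slots still open
    at the end are 'no_answer', i.e. the SYN was silently dropped somewhere.
    """
    pending = defaultdict(int)
    outcomes = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src_ip, src_port, flags, dst_ip, dst_port = p
        if "SYN" in flags and "ACK" not in flags:      # client's connection attempt
            pending[(src_ip, src_port)] += 1
        elif "RST" in flags or "SYN" in flags:         # server's reply to a client port
            client = (dst_ip, dst_port)
            if pending.get(client, 0) > 0:
                pending[client] -= 1
                outcomes[client].append("reset" if "RST" in flags else "accepted")
    for client, n in pending.items():
        outcomes[client].extend(["no_answer"] * n)
    return dict(outcomes)


def summarize(outcomes, high_range=HIGH_RANGE):
    """Count outcomes per source-port band so the high and low ranges can be compared."""
    bands = {"high": Counter(), "low": Counter()}
    for (_ip, port), results in outcomes.items():
        band = "high" if high_range[0] <= port <= high_range[1] else "low"
        bands[band].update(results)
    return {band: dict(c) for band, c in bands.items()}
```

On the sample, `summarize(correlate(SAMPLE_LINES))` reports the high band as two resets plus one unanswered SYN and the low band as one accepted connection; on a real capture exported in the same notation, a result with that shape would point at the port range rather than the server.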