
Isa 2006 Dynamic Ports

Hi,
We have the current setup of ISA 2006 (single homed) being used as a proxy server with some simple allow and deny rules.
This then goes through a ASA firewall where no ACLs are applied to the traffic from the ISA ip address.
Currently it does an OK job.
What I am having trouble with is an application we have to fix trucks, uses Portwise to connect back to the Factory via SSL tunnel. To negotiate this tunnel, the application uses dynamic ports 60000-65535.
What is happening is the following:

1. The application sends a DNS query to the DNS server to ask for the IP address of the Truck_factory server access.truck_factory.com; this step is only executed if it is not stored in the computer's DNS cache.
10.87.68.143:64223 -> DNS query “access.truck_factory.com” to DNS-server 10.87.68.15:53

2. The DNS server sends the response valid.ip.address back to the client computer.
DNS-server 10.87.68.15:53 -> “Truck_factory server ip-address valid.ip.address” -> to client 10.87.68.143:64223

3. The APPLICATION client machine sends an https “SYN message” to the Truck_factory server using the upper dynamic port range on the computer, 60000-65535.
10.87.68.143:61834 -> “https SYN message” to Truck_factory-server valid.ip.address:443

4. The Truck_factory server sends an https answer “RST, ACK” to the client's “SYN message”; the client machine tries one more time to send a new SYN message but gets the same “RST, ACK” answer, then the APPLICATION on the client machine throws the error message.
valid.ip.address:443 -> “https RST, ACK” back to the client 10.87.68.143:61834

Everything happens except step 4 when using the ISA 2006.
Previously there was no issue when it used a lower dynamic port range.

Please can anyone help me, might have to blow out some cobwebs :)
0
Asked by: cplitd
1 Solution
 
Bembi (CEO) Commented:
Without knowing the application:
The RST is sent either by the application itself, then ISA is out of scope, or by ISA.
The first thought is that ISA has to know the route. If a package is sent out, ISA has to be aware of it to allow the response. If a package takes a different way out than the response comes in, it will deny the package, and the result may be a RST. This should be visible in the ISA logs.

The other thought is - as RPC is involved - that ISA usually handles such traffic on defined ports, usually something around 5000. So if it works on such a port range and not with 60k ports, a reason may be the default RPC port range for Windows servers, which is defined around port 5000.

So keep track of the ISA logs, what passes ISA and if the communication chain is closed. So every package sent out passes ISA as well as the response which comes back.

Second, check if RPC is involved; this possibly needs some changes in the registry to reflect the allowed ports for such communications.

The other possibility - as ISA is only a proxy - is to bypass ISA for this application.
0
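To make the "is the communication chain closed" check from this answer concrete against the four-step flow in the question, here is an added example (not code from the thread): it correlates SYNs with their replies in a simplified text trace of the kind you would export from Wireshark, then groups the outcomes by whether the client port is in the 60000-65535 range. The trace lines, the `src:port -> dst:port flags` layout and the 203.0.113.10 server address are all constructed for the example.

```python
# Added example: correlate TCP handshakes in a constructed text packet trace
# and report, per client port range, whether the SYN got SYN/ACK (established),
# RST/ACK (reset, as in step 4 of the question) or no reply at all (what the
# author sees when ISA sits in the path). The line layout is an assumption.
import re
from collections import defaultdict

# Constructed sample trace; 203.0.113.10 stands in for "valid.ip.address".
SAMPLE_TRACE = """\
10.87.68.143:64223 -> 10.87.68.15:53 DNS-QUERY access.truck_factory.com
10.87.68.15:53 -> 10.87.68.143:64223 DNS-RESPONSE 203.0.113.10
10.87.68.143:61834 -> 203.0.113.10:443 SYN
203.0.113.10:443 -> 10.87.68.143:61834 RST,ACK
10.87.68.143:61835 -> 203.0.113.10:443 SYN
203.0.113.10:443 -> 10.87.68.143:61835 RST,ACK
10.87.68.143:60001 -> 203.0.113.10:443 SYN
10.87.68.143:3421 -> 203.0.113.10:443 SYN
203.0.113.10:443 -> 10.87.68.143:3421 SYN,ACK
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\S+)")
DYNAMIC_LOW, DYNAMIC_HIGH = 60000, 65535  # the application's upper port range


def parse_trace(text):
    """Parse trace lines into (src, sport, dst, dport, flags); skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags


def handshake_outcomes(text):
    """Map each client (ip, port) that sent a SYN to the reply it received."""
    outcomes = {}
    for src, sport, dst, dport, flags in parse_trace(text):
        if flags == "SYN":
            outcomes.setdefault((src, sport), "no-reply")  # keep first result
        elif (dst, dport) in outcomes:  # a reply to a SYN we have seen
            if "RST" in flags:
                outcomes[(dst, dport)] = "reset"
            elif flags == "SYN,ACK":
                outcomes[(dst, dport)] = "established"
    return outcomes


def summarize(outcomes):
    """Count outcomes by whether the client port is in 60000-65535 or below."""
    summary = defaultdict(lambda: defaultdict(int))
    for (_, port), outcome in outcomes.items():
        bucket = "high-range" if DYNAMIC_LOW <= port <= DYNAMIC_HIGH else "low-range"
        summary[bucket][outcome] += 1
    return {bucket: dict(counts) for bucket, counts in summary.items()}
```

Running `summarize(handshake_outcomes(SAMPLE_TRACE))` on a trace taken on the client and on one taken behind ISA, and comparing the two, shows directly whether the high-range replies are being dropped between the two capture points.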
 
cplitd (Author) Commented:
Thanks Bembi,
Looking into your suggestions.
I have confirmed server should be able to use up to port 65535 for rpc communication
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ MaxUserPort
also enter a new key in registry
HKLM\Software\Microsoft\Rpc\Internet
specifying the ports 1025 to 605535 to use.
Will test the application again and look into the ISA and wireshark logs again.
0
 
Bembi (CEO) Commented:
OK...
The other solution may be - as you use ISA only as proxy - to bypass the proxy for this application.
0
 
cplitd (Author) Commented:
Hi,
The application grabs the proxy settings from internet explorer to find its way to the internet.
I have 15 subnets, up to 60 dhcp addresses that could be accessing this application at one time.
The only way I know how to "bypass the proxy for this application" would be getting 60 addresses permissions to exit the ASA firewall, which would then be the default for all internet bound traffic.  
Is there a smarter way of doing this ?

thanks
0
 
Bembi (CEO) Commented:
You can define - as I would assume you do for internal web services - proxy exceptions.

This is a browser setting, so either it is set by hand, by GPO, or, if you use a configuration link, by ISA auto detection (in this case ISA hosts the exception list).

What you have to make sure of in this case is that the way back is the same. So if ASA forwards all traffic blindly to the ISA, it will not work.

If a request passes the ISA, the response is allowed to pass ISA too. If the request bypasses ISA, the response is never allowed to pass ISA. So ASA has to separate the response traffic too. That makes the bypass a little bit more tricky.
0
 
cplitd (Author) Commented:
Thanks,
Getting the ASA firewall people to allow traffic through the firewall from all my sites.
Will try the bypass proxy once this is done.
0
 
cplitd (Author) Commented:
Hi Bembi,
I have set up the bypass the proxy for the following traffic.
That idea is working well, thanks.

Still no solution on how to allow the ISA to allow this traffic?
0
 
Bembi (CEO) Commented:
At least what I remember from ISA 2006 (it is some time ago) is that such constructions were not quite easy with ISA 2006 and the latest SP / update was needed for some kinds of communication. One of the reasons I moved later to TMG, where TMG took a bit more control over the traffic than ISA 2006.

What is still the fact is the situation that ISA needs full control of the traffic, which may be more or less a routing logic problem than a real ISA issue in a 1 NIC constellation. And the OS and ISA are working "hand in hand", meaning partly the traffic is controlled by the ISA and partly by settings of the OS.

The rule is: everything that comes in has to pass the ISA when going out.

Another old ISA rule is that ISA allows what is defined, meaning everything that is not defined will be denied. For dynamic ports this means, even if the outgoing traffic is recognized by ISA, ISA needs a rule to allow the response to go back.

The major problem is the dynamic port range, which is not really handled very well by ISA 2006. You can open the whole range to make sure that the traffic is allowed; whether this is a good solution is another question.

Without knowledge of how the application is really communicating, it is not quite easy to say if ISA 2006 can handle it.
0
 
cplitd (Author) Commented:
Hi,
Not intended as a reflection on the help given, as it was greatly appreciated.
Answer is for the work around, not quite what I was after, but it is working and people are happy.
0
