Isa 2006 Dynamic Ports

Posted on 2014-03-18
Medium Priority
Last Modified: 2014-04-06
We have the current setup of ISA 2006 (single-homed) being used as a proxy server with some simple allow and deny rules.
This then goes through an ASA firewall where no ACLs are applied to the traffic from the ISA IP address.
Currently it does an OK job.
What I am having trouble with is an application we have to fix trucks; it uses Portwise to connect back to the factory via an SSL tunnel. To negotiate this tunnel, the application uses dynamic ports 60000-65535.
What is happening is the following:

1. The application sends a DNS query to the DNS server to ask for the IP address of the Truck_factory server access.truck_factory.com; this step is only executed if it's not stored in the computer's DNS cache. -> DNS query "access.truck_factory.com" to DNS server

2. The DNS server sends the response valid.ip.address back to the client computer.
DNS server -> "Truck_factory server ip-address valid.ip.address" -> to client

3. The APPLICATION client machine sends an https "SYN message" to the Truck_factory server using the upper dynamic port range on the computer, 60000-65535. -> "https SYN message" to Truck_factory server valid.ip.address:443

4. The Truck_factory server sends an https answer "RST, ACK" to the client's "SYN message"; the client machine tries one more time to send a new SYN message but gets the same "RST, ACK" answer, then the APPLICATION on the client machine throws the error message.
valid.ip.address:443 -> "https RST, ACK" back to the client

Everything happens except step 4 when using the ISA 2006.
Previously there was no issue when it used a lower dynamic port range.

Please can anyone help me? I might have to blow out some cobwebs :)
Question by:cplitd
LVL 35

Expert Comment

ID: 39940779
Without knowing the application:
The RST is sent either by the application itself, in which case ISA is out of scope, or by ISA.
The first thought is that ISA has to know the route. If a packet is sent out, ISA has to be aware of it to allow the response. If a packet takes a different way out than the response comes in, it will deny the packet, and the result may be a RST. This should be visible in the ISA logs.

The other thought is, as RPC is involved, that ISA usually handles such traffic on defined ports, usually something around 5000. So if it works on such a port range and not with 60k ports, a reason may be the default RPC port range for Windows servers, which is defined around port 5000.

So keep track of the ISA logs: what passes ISA and whether the communication chain is closed, i.e. every packet sent out passes ISA as well as the response which comes back.

Second, check if RPC is involved; this possibly needs some changes in the registry to reflect the allowed ports for such communications.

The other possibility, as ISA is only a proxy, is to bypass ISA for this application.

Author Comment

ID: 39941048
Thanks Bembi,
Looking into your suggestions.
I have confirmed the server should be able to use up to port 65535 for RPC communication:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
I also entered a new key in the registry
specifying the ports 1025 to 65535 to use.
Will test the application again and look into the ISA and Wireshark logs again.
LVL 35

Expert Comment

ID: 39943465
The other solution may be, as you use ISA only as a proxy, to bypass the proxy for this application.

Author Comment

ID: 39943498
The application grabs the proxy settings from Internet Explorer to find its way to the internet.
I have 15 subnets, with up to 60 DHCP addresses that could be accessing this application at one time.
The only way I know how to "bypass the proxy for this application" would be getting 60 addresses permission to exit the ASA firewall, which would then be the default for all internet-bound traffic.
Is there a smarter way of doing this?

LVL 35

Accepted Solution

Bembi earned 1000 total points
ID: 39943565
You can define proxy exceptions, as I would assume you already do for internal web services.

This is a browser setting, so either it is set by hand, by GPO, or, if you use a configuration link via ISA auto-detection, in that case ISA hosts the exception list.

What you have to make sure of in this case is that the way back is the same. So if ASA forwards all traffic blindly to the ISA, it will not work.

If a request passes the ISA, the response is allowed to pass ISA too. If the request bypasses ISA, the response is never allowed to pass ISA. So ASA has to separate the response traffic too. That makes the bypass a little bit more tricky.
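The proxy-exception approach in the accepted solution can be delivered as a PAC (proxy auto-configuration) file, the same mechanism an ISA auto-detection link hands to Internet Explorer. The following is an added example, not code from the thread or from ISA; the proxy address isa.example.local:8080, the internal suffix .corp.example.local and the 10.0.0.0/8 range are assumptions. It returns DIRECT for the truck-factory host so the application (which reads IE's proxy settings) reaches it without ISA, and sends everything else via the proxy:

```javascript
// Added example PAC script (not from the thread, not ISA's own wpad.dat).
// PAC engines (IE/WinHTTP, Firefox, Chrome) call FindProxyForURL(url, host)
// for every request. Only ES3-level JavaScript is used so the file also works
// in older PAC engines that lack endsWith() or Array.prototype.indexOf().

var ISA_PROXY = "PROXY isa.example.local:8080";   // assumed ISA web listener
var DIRECT = "DIRECT";

// Hosts that must bypass the proxy. The ASA must then permit the clients'
// own addresses out, and the reply path must not be steered back through
// ISA, otherwise ISA drops a response for which it holds no state.
var BYPASS_HOSTS = [
  "access.truck_factory.com"
];

// Domain suffixes handled locally (assumed internal DNS zone).
var BYPASS_SUFFIXES = [
  ".corp.example.local"
];

function hostHasSuffix(host, suffix) {
  var n = host.length - suffix.length;
  return n >= 0 && host.substring(n) === suffix;
}

function isPlainHost(host) {
  // Single-label names such as "intranet" never leave the site.
  return host.indexOf(".") === -1;
}

function isPrivateIPv4(host) {
  // Assumed internal range 10.0.0.0/8; a literal regex avoids relying on the
  // PAC builtin isInNet(), which some engines implement slowly (DNS lookup).
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var i;
  for (i = 0; i < BYPASS_HOSTS.length; i++) {
    if (host === BYPASS_HOSTS[i]) return DIRECT;
  }
  for (i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (hostHasSuffix(host, BYPASS_SUFFIXES[i])) return DIRECT;
  }
  if (isPlainHost(host) || isPrivateIPv4(host)) return DIRECT;
  return ISA_PROXY;
}
```

Deploy it through the Internet Explorer proxy GPO ("Use automatic configuration script") or via WPAD. The bypass applies only to the listed hosts, so the rest of the internet-bound traffic still goes through ISA, and only the application's own destination needs an ASA permit for the client subnets.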

Author Comment

ID: 39951617
Getting the ASA firewall people to allow traffic through the firewall from all my sites.
Will try the proxy bypass once this is done.

Author Comment

ID: 39959989
Hi Bembi,
I have set up the proxy bypass for the following traffic.
That idea is working well, thanks.

Still no solution on how to allow the ISA to allow this traffic?
LVL 35

Expert Comment

ID: 39967577
At least what I remember from ISA 2006 (it is some time ago) is that such constructions were not quite easy with ISA 2006, and the latest SP / update was needed for some kinds of communication. This is one of the reasons I later moved to TMG, where TMG takes a bit more control over the traffic than ISA 2006 did.

What is still the fact is that ISA needs full control of the traffic, which may be more a routing-logic problem than a real ISA issue in a 1-NIC constellation. And the OS and ISA are working "hand in hand", meaning the traffic is controlled partly by ISA and partly by settings of the OS.

The rule is: everything that comes in has to pass the ISA when going out.

Another old ISA rule is that ISA allows what is defined, meaning everything that is not defined will be denied. For dynamic ports this means that even if the outgoing traffic is recognized by ISA, ISA needs a rule to allow the response to go back.

The major problem is the dynamic port range, which is not really handled very well by ISA 2006. You can open the whole range to make sure that the traffic is allowed; whether this is a good solution is another question.

Without knowledge of how the application is really communicating, it is not quite easy to say whether ISA 2006 can handle it.
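To make the failure modes discussed in this thread concrete (steps 3-4 of the question, the asymmetric-path point in the accepted solution, and the "allows what is defined" rule and dynamic-port-range remark above), here is an added toy model. It is not ISA code and not from the thread. It assumes a default-deny device that records state only for outbound connections whose client port lies in a configurable range (1025-5000 by default, standing in for the "around 5000" remark) and drops any reply with no matching entry; the addresses 10.1.2.3 and 203.0.113.10 are placeholders. It also assumes the device sees the client's own source port, as it would for SecureNAT or Firewall Client traffic rather than for a CONNECT tunnel that the web proxy terminates itself.

```javascript
// Added example: a toy single-NIC stateful proxy/firewall (not ISA's real
// implementation) reproducing two ways the client's SYN gets no usable reply:
//  (a) the client port (60000-65535) is outside the range the device tracks,
//      so the SYN leaves but no state is kept and the reply is dropped;
//  (b) asymmetric routing: the SYN bypasses the device, the reply is steered
//      back through it, and again there is no state entry for the reply.
// Port range, verdict names and "drop unmatched reply" are assumptions.

class StatefulProxy {
  constructor({ trackedClientPorts = [1025, 5000], allowedServerPorts = [443] } = {}) {
    this.trackedClientPorts = trackedClientPorts; // inclusive [lo, hi]
    this.allowedServerPorts = allowedServerPorts; // "allow rule" destinations
    this.flows = new Set();   // "client:cport>server:sport" for tracked SYNs
    this.log = [];            // human-readable verdict log, like an ISA log view
  }

  key(client, cport, server, sport) {
    return `${client}:${cport}>${server}:${sport}`;
  }

  // Client -> server packet traversing the device.
  outbound(pkt) {
    const { src, sport, dst, dport } = pkt;
    if (!this.allowedServerPorts.includes(dport)) {
      return this.verdict("deny", pkt, "no allow rule for destination port");
    }
    const [lo, hi] = this.trackedClientPorts;
    if (sport < lo || sport > hi) {
      // Rule matched, but the source port is outside the dynamic range the
      // device understands: the packet leaves, yet no state is created.
      return this.verdict("allow-untracked", pkt, "client port outside tracked range");
    }
    this.flows.add(this.key(src, sport, dst, dport));
    return this.verdict("allow", pkt, "flow recorded");
  }

  // Server -> client packet (SYN/ACK or RST/ACK) traversing the device.
  inbound(pkt) {
    const k = this.key(pkt.dst, pkt.dport, pkt.src, pkt.sport);
    if (this.flows.has(k)) return this.verdict("allow", pkt, "matches recorded flow");
    return this.verdict("deny", pkt, "reply without matching outbound flow");
  }

  verdict(v, pkt, why) {
    this.log.push(`${v}: ${pkt.src}:${pkt.sport} -> ${pkt.dst}:${pkt.dport} [${pkt.flags}] ${why}`);
    return v;
  }
}

// One handshake attempt as in steps 3-4 of the question. `path` says whether
// the SYN and the reply traverse the device (false = routed around it).
function attemptHandshake(proxy, clientPort, path = { synViaProxy: true, replyViaProxy: true }) {
  const syn   = { src: "10.1.2.3", sport: clientPort, dst: "203.0.113.10", dport: 443, flags: "SYN" };
  const reply = { src: "203.0.113.10", sport: 443, dst: "10.1.2.3", dport: clientPort, flags: "reply" };
  const out = path.synViaProxy ? proxy.outbound(syn) : "bypass";
  if (out === "deny") return "failed: SYN denied";
  const back = path.replyViaProxy ? proxy.inbound(reply) : "bypass";
  return back === "deny" ? "failed: reply dropped" : "connected";
}

// The scenarios discussed in the thread, side by side.
function demo() {
  const results = {};
  results.lowPort   = attemptHandshake(new StatefulProxy(), 4000);   // old behaviour
  results.highPort  = attemptHandshake(new StatefulProxy(), 60001);  // current failure
  results.wideRange = attemptHandshake(new StatefulProxy({ trackedClientPorts: [1025, 65535] }), 60001);
  results.asymmetricBypass = attemptHandshake(new StatefulProxy(), 60001,
    { synViaProxy: false, replyViaProxy: true });                    // bypass, reply via ISA
  results.fullBypass = attemptHandshake(new StatefulProxy(), 60001,
    { synViaProxy: false, replyViaProxy: false });                   // bypass both ways
  return results;
}
```

Running demo() shows the low-port and wide-range cases connecting, the 60001 case and the half-bypass case losing the reply, and the full bypass connecting, which is the order of options the thread walks through: widen what ISA tracks, or take both directions of this application's traffic around it.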

Author Closing Comment

ID: 39982019
Not intended as a reflection on the help given, as it was greatly appreciated.
The answer is for the workaround, not quite what I was after, but it is working and people are happy.
