• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 593
  • Last Modified:

Isa 2006 Dynamic Ports

We have the current setup of ISA 2006 (single homed) being used as a proxy server with some simple allow and deny rules.
This then goes through a ASA firewall where no ACLs are applied to the traffic from the ISA ip address.
Currently it does an OK job.
What I am having trouble with is an application we have to fix trucks, uses Portwise to connect back to the Factory via SSL tunnel. To negotiate this tunnel, the application uses dynamic ports 60000-65535.
What is happening is the following:

1.      The Application sends a DNS-query to the DNS-server to ask for the ip address  of Truck_factory server access.truck_factory.com, this step is only executed if it’s not stored on the the computers DNS-cache. ->DNS query “access.truck_factory.com” to DNS-server

2.      The DNS-server sends the response valid.ip.address back to the client computer
DNS-server -> “Truck_factory server ip-address valid.ip.address” ->to client

3.      The APPLICATION client machine sends a https “SYN message” to the Truck_factory server using the upper dynamic port range on the computer 60000-65535 ->“https SYN message” to Truck_factory-server valid.ip.address: 443

4.      The Truck_factory Server sends a https answer “RST, ACK” to the clients  “SYN message”, the client machine tries one more time to send a new syn message but with the same “RST, ACK” answer, then APPLICATION on the client machine throws the error message.
 valid.ip.address: 443 -> “https RST, ACK”  back to the client

Everything happens except step 4 when using the ISA 2006.
Previously there was no issue when it used a lower dynamic port range.

Please can anyone help me, might have to blow out some cobwebs :)
  • 5
  • 4
1 Solution
Without knowing the application.
The RST is send either by the application itself, then ISA is out of scope, or by ISA.
The first thought is, that ISA has to know the route. If a package is sent out, ISA has to be aware about it to allow the response. If a package takes a differnet way out than the response come in, it will deny the package, ans the result may be a RST. This should be visible in the ISA logs.

The other thought is - as RPC is involved, that ISA usually handles such traffic on defined ports, usually something around 5000. So if it works on such a port range and not with 60k ports, a reson may be the default RPC port range, for windows servers which is defined around port 5000.

So keep in track the ISA logs, what passes ISA and if the the communicaion chain is closed. So every package sent oput passes ISA as well as the response which comes back.

Second, check if RPC is involved, this psooibly needsome changes in the registry to reflect the allowed ports for such communications.

The other possibility  - as ISA is only a proxy - to bypass ISA for this application.
cplitdAuthor Commented:
Thanks Bembi,
Looking into your suggestions.
I have confirmed server should be able to use up to port 65535 for rpc communication
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ MaxUserPort
also enter a new key in registry
specifying the ports 1025 to 605535 to use.
Will test the application again and look into the ISA and wireshark logs again.
The other solution may be -  as you use ISA only as proxy - to bypass the proxy for this application.
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

cplitdAuthor Commented:
The application grabs the proxy settings from internet explorer to find its way to the internet.
I have 15 subnets, up to 60 dhcp addresses that could be accessing this application at one time.
The only way I know how to "bypass the proxy for this application" would be getting 60 addresses permissions to exit the ASA firewall, which would then be the default for all internet bound traffic.  
Is there a smarter way of doing this ?

You can define - as I would assume you do it for internal web services - define proxy exceptions.

This is a Browser setting, so either it is set by hand, by GPO or if you use a configuration link by ISA auto detection (in this case ISA hosts the exception list).

Waht you have to make sure in this case, that the way back it the same. So if ASA forwards all traffic blind to the ISA, it will not work.

Id a request passes the ISA, the resposne is allowed to pass ISA too. If the request will bypass ISA, the response is never allowed to pass ISA. So ASA has to seperate the response traffic too. That makes the bypass a little bit more tricky.
cplitdAuthor Commented:
Getting the ASA firewall people to allow traffic through the firewall from all my sites.
Will try the bypass proxy once this is done.
cplitdAuthor Commented:
Hi Bembi,
I have set up the bypass the proxy for the following traffic.
That idea is working well, thanks.

Still no solution on how to allow the ISA to allow this traffic?
At least what I remember from ISA 2006 (it is some time ago) is, that such constructions were not quite easy with ISA 2006 and the latest SP / Update was needed for some kind of communication. One of the reasons I moved later to TMG, where TMG tooks a bit more control over the traffic than in ISA 2006.

What is still the fact is the situation, that ISA needs the full controll of the traffic what may be more or less a routing logic problem than a real ISA issue in a 1 NIC constellation. And, the OS and ISA are working "hand in hand", means partly the traffic is controlled by the ISA and partly by settings of the OS.

The teh rule is, everything what comes in, has to pass the ISA when going out.

Another old ISA rule is, that ISA allowes, what is defined, means everthing what is not defined will be denied. For dynmaic port this means, even if the outgoing traffic is recognized by ISA, ISA needs a rule to allow the response to go back.

The major problem is the dynamic port range, what is not reall yhandled ver well by ISA 2006. ou can open th ewhole range to make sure, that the traffic is allowed, if this is a good solution is another question.

Whithout the knowledge, how the application is really communicating, it is not quite easy to say, if ISA 200t can handle it.
cplitdAuthor Commented:
No intended as a reflection on the help given, As it was greatly appreciated.
Answer is for the work around, not quite what is was after, but it is working and people are happy.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now