Isa 2006 Dynamic Ports

Posted on 2014-03-18
Last Modified: 2014-04-06
We have the current setup of ISA 2006 (single homed) being used as a proxy server with some simple allow and deny rules.
This then goes through a ASA firewall where no ACLs are applied to the traffic from the ISA ip address.
Currently it does an OK job.
What I am having trouble with is an application we have to fix trucks, uses Portwise to connect back to the Factory via SSL tunnel. To negotiate this tunnel, the application uses dynamic ports 60000-65535.
What is happening is the following:

1.      The application sends a DNS query to the DNS server to ask for the IP address of the Truck_factory server access.truck_factory.com; this step is only executed if it's not stored in the computer's DNS cache. -> DNS query "access.truck_factory.com" to DNS server

2.      The DNS server sends the response valid.ip.address back to the client computer.
DNS server -> "Truck_factory server IP address valid.ip.address" -> to client

3.      The application client machine sends an https "SYN message" to the Truck_factory server using the upper dynamic port range on the computer, 60000-65535 -> "https SYN message" to Truck_factory server valid.ip.address:443

4.      The Truck_factory server sends an https answer "RST, ACK" to the client's "SYN message"; the client machine tries one more time to send a new SYN message but gets the same "RST, ACK" answer, then the application on the client machine throws the error message.
valid.ip.address:443 -> "https RST, ACK" back to the client

Everything happens except step 4 when using the ISA 2006.
Previously there was no issue when it used a lower dynamic port range.

Please can anyone help me, might have to blow out some cobwebs :)
Question by:cplitd
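The poster says steps 1 to 3 happen and only step 4 (the RST) differs when ISA is in the path, and that the lower ephemeral port range used to work. Before touching ISA rules it is worth proving that correlation from the Wireshark/tcpdump capture rather than eyeballing it. The script below is an added example, not part of the original thread: it reads tcpdump-style text lines, follows each client socket that sent a SYN to port 443, records whether the server answered SYN-ACK, RST or nothing, and buckets the results by source port below or at/above 60000. The capture lines, the client address 10.20.1.15 and the server address 203.0.113.10 are constructed for illustration.

```javascript
// Added example (not from the original post): classify TCP handshake attempts
// from tcpdump-style text by client source-port range, to confirm whether the
// resets correlate with the 60000-65535 range the application moved to.
// The capture lines below are constructed for illustration; the client and
// server addresses are placeholders, not the poster's real hosts.

const SAMPLE_CAPTURE = `
10:00:00.100 IP 10.20.1.15.49210 > 203.0.113.10.443: Flags [S], seq 1, win 8192
10:00:00.130 IP 203.0.113.10.443 > 10.20.1.15.49210: Flags [S.], seq 9, ack 2, win 65535
10:00:00.131 IP 10.20.1.15.49210 > 203.0.113.10.443: Flags [.], ack 10, win 8192
10:00:05.200 IP 10.20.1.15.61044 > 203.0.113.10.443: Flags [S], seq 1, win 8192
10:00:05.230 IP 203.0.113.10.443 > 10.20.1.15.61044: Flags [R.], seq 0, ack 2, win 0
10:00:06.200 IP 10.20.1.15.61044 > 203.0.113.10.443: Flags [S], seq 1, win 8192
10:00:06.230 IP 203.0.113.10.443 > 10.20.1.15.61044: Flags [R.], seq 0, ack 2, win 0
10:00:08.200 IP 10.20.1.15.63501 > 203.0.113.10.443: Flags [S], seq 1, win 8192
10:00:08.230 IP 203.0.113.10.443 > 10.20.1.15.63501: Flags [R.], seq 0, ack 2, win 0
10:00:11.000 IP 10.20.1.15.60500 > 203.0.113.10.443: Flags [S], seq 1, win 8192
`;

// One tcpdump line -> { ts, src, sport, dst, dport, flags }, or null if it does not match.
const LINE_RE = /^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], src: m[2], sport: Number(m[3]), dst: m[4], dport: Number(m[5]), flags: m[6] };
}

// Follow each client socket (src:sport) that sent a SYN to serverPort and record
// what the server sent back. Outcomes: "handshake" (SYN-ACK seen), "reset"
// (RST seen), "no_reply" (nothing from the server within the capture).
function classifyFlows(captureText, serverPort = 443) {
  const flows = new Map();
  for (const line of captureText.split("\n")) {
    const p = parseLine(line);
    if (!p) continue;
    if (p.dport === serverPort && p.flags === "S") {
      // A bare SYN from the client: open the flow, or count a retry of it.
      const key = `${p.src}:${p.sport}`;
      const f = flows.get(key) || { client: p.src, port: p.sport, syns: 0, outcome: "no_reply" };
      f.syns += 1;
      flows.set(key, f);
    } else if (p.sport === serverPort) {
      // A server reply: match it back to the client socket it is addressed to.
      const f = flows.get(`${p.dst}:${p.dport}`);
      if (!f) continue;
      if (p.flags.includes("R")) f.outcome = "reset";
      else if (p.flags.includes("S")) f.outcome = "handshake";
    }
  }
  return [...flows.values()];
}

// Count outcomes for client ports below and at/above the threshold (60000 is
// the boundary the poster describes between the old and new dynamic ranges).
function summarizeByRange(flows, threshold = 60000) {
  const empty = () => ({ total: 0, handshake: 0, reset: 0, no_reply: 0 });
  const summary = { low: empty(), high: empty() };
  for (const f of flows) {
    const bucket = f.port >= threshold ? summary.high : summary.low;
    bucket.total += 1;
    bucket[f.outcome] += 1;
  }
  return summary;
}

console.log(JSON.stringify(summarizeByRange(classifyFlows(SAMPLE_CAPTURE)), null, 2));
```

Run it against a capture taken on the client (tcpdump -nn or a Wireshark text export with the same "IP a.b.c.d.port > e.f.g.h.port: Flags [..]" layout). If every "reset" lands in the high bucket and the low bucket completes its handshakes, the port range is the variable; a second capture on the ISA host then shows whether the RST is generated by ISA or merely relayed by it, which is the distinction the first expert comment asks about.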
LVL 35

Expert Comment

ID: 39940779
Without knowing the application:
The RST is sent either by the application itself, in which case ISA is out of scope, or by ISA.
The first thought is that ISA has to know the route. If a packet is sent out, ISA has to be aware of it to allow the response. If a packet takes a different way out than the response comes in, it will deny the packet, and the result may be a RST. This should be visible in the ISA logs.

The other thought is, as RPC is involved, that ISA usually handles such traffic on defined ports, usually something around 5000. So if it works on such a port range and not with 60k ports, a reason may be the default RPC port range for Windows servers, which is defined around port 5000.

So keep track in the ISA logs of what passes ISA and whether the communication chain is closed, i.e. every packet sent out passes ISA as well as the response which comes back.

Second, check if RPC is involved; this possibly needs some changes in the registry to reflect the allowed ports for such communications.

The other possibility, as ISA is only a proxy, is to bypass ISA for this application.

Author Comment

ID: 39941048
Thanks Bembi,
Looking into your suggestions.
I have confirmed the server should be able to use up to port 65535 for RPC communication:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
I also entered a new key in the registry
specifying the ports 1025 to 65535 to use.
Will test the application again and look into the ISA and Wireshark logs again.
LVL 35

Expert Comment

ID: 39943465
The other solution may be, as you use ISA only as a proxy, to bypass the proxy for this application.

Author Comment

ID: 39943498
The application grabs the proxy settings from internet explorer to find its way to the internet.
I have 15 subnets, up to 60 dhcp addresses that could be accessing this application at one time.
The only way I know how to "bypass the proxy for this application" would be getting 60 addresses permission to exit the ASA firewall, which would then be the default for all internet-bound traffic.
Is there a smarter way of doing this ?

LVL 35

Accepted Solution

Bembi earned 500 total points
ID: 39943565
You can define proxy exceptions, as I would assume you already do for internal web services.

This is a browser setting, so it is set either by hand, by GPO, or, if you use a configuration link, by ISA auto-detection (in this case ISA hosts the exception list).

What you have to make sure of in this case is that the way back is the same. So if the ASA forwards all traffic blindly to the ISA, it will not work.

If a request passes the ISA, the response is allowed to pass ISA too. If the request bypasses ISA, the response is never allowed to pass ISA. So the ASA has to separate the response traffic too. That makes the bypass a little bit more tricky.

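The accepted answer points at proxy exceptions delivered by hand, by GPO or by ISA auto-detection. Since the application takes its proxy settings from Internet Explorer, a proxy auto-configuration (PAC) script is the one place the exception has to live. The script below is an added example, not part of the original thread or of ISA's own configuration: it sends the truck-factory host DIRECT and everything else through ISA. The ISA address isa.corp.example:8080 and the 10.0.0.0/8 internal range are assumptions; access.truck_factory.com is the placeholder name from the question. dnsDomainIs, isPlainHostName and isInNet are provided by the browser's PAC engine; minimal stand-ins are defined under a guard so the same file can also be exercised under Node.

```javascript
// Added example (not from the original thread): a PAC script that bypasses ISA
// for the Portwise/truck-factory tunnel and proxies everything else.
// Assumed values: the ISA proxy "isa.corp.example:8080" and the internal
// 10.0.0.0/8 range. access.truck_factory.com is the question's placeholder.

// The browser's PAC engine supplies these helpers. The stand-ins below only run
// when they are absent (e.g. under Node for testing) and never override the
// real ones; the isInNet stand-in handles dotted IPs only, not host names.
if (typeof dnsDomainIs === "undefined") {
  var ip2int = function (s) {
    return s.split(".").reduce(function (n, o) { return (n << 8) + Number(o); }, 0) >>> 0;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    // True when host is exactly the domain or a subdomain of it (suffix-anchored).
    return host === domain.replace(/^\./, "") || host.slice(-domain.length) === domain;
  };
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.isInNet = function (host, pattern, mask) {
    if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
    return ((ip2int(host) & ip2int(mask)) >>> 0) === ((ip2int(pattern) & ip2int(mask)) >>> 0);
  };
}

var ISA_PROXY = "PROXY isa.corp.example:8080"; // assumed ISA listener

function FindProxyForURL(url, host) {
  // 1. The truck-factory tunnel: leave via the ASA directly, not through ISA.
  //    Suffix-anchored so "truck_factory.com.evil.example" does not match.
  if (dnsDomainIs(host, ".truck_factory.com")) {
    return "DIRECT";
  }
  // 2. Unqualified internal names and the on-site RFC 1918 range never need ISA.
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // 3. Everything else keeps flowing through ISA. Deliberately no "; DIRECT"
  //    fallback: that would silently bypass the allow/deny rules whenever
  //    ISA is unreachable.
  return ISA_PROXY;
}
```

Two caveats follow directly from the thread. First, "DIRECT" only helps once the ASA actually lets those client subnets out and back in without the ISA address, which is the firewall change the poster had to request; the PAC changes where the browser sends the request, not how the reply is routed. Second, match the exception by domain suffix rather than a loose wildcard, or the bypass becomes a general escape hatch for any host with that string in its name.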
Author Comment

ID: 39951617
Getting the ASA firewall people to allow traffic through the firewall from all my sites.
Will try the bypass proxy once this is done.

Author Comment

ID: 39959989
Hi Bembi,
I have set up the proxy bypass for the following traffic.
That idea is working well, thanks.

Still no solution on how to get ISA to allow this traffic?
LVL 35

Expert Comment

ID: 39967577
At least what I remember from ISA 2006 (it is some time ago) is that such constructions were not quite easy with ISA 2006, and the latest SP / update was needed for some kinds of communication. One of the reasons I moved later to TMG, where TMG takes a bit more control over the traffic than ISA 2006.

What is still the fact is that ISA needs full control of the traffic, which may be more or less a routing logic problem than a real ISA issue in a 1 NIC constellation. And the OS and ISA are working "hand in hand", meaning the traffic is controlled partly by ISA and partly by settings of the OS.

The rule is: everything that comes in has to pass ISA when going out.

Another old ISA rule is that ISA allows what is defined, meaning everything that is not defined will be denied. For dynamic ports this means, even if the outgoing traffic is recognized by ISA, ISA needs a rule to allow the response to go back.

The major problem is the dynamic port range, which is not really handled very well by ISA 2006. You can open the whole range to make sure that the traffic is allowed; whether this is a good solution is another question.

Without knowing how the application is really communicating, it is not quite easy to say if ISA 2006 can handle it.

Author Closing Comment

ID: 39982019
Not intended as a reflection on the help given, as it was greatly appreciated.
The answer is for the workaround, not quite what I was after, but it is working and people are happy.
