Solved

S3 browser through Microsoft forefront

Posted on 2014-11-27
Last Modified: 2015-01-05
I have several virtual machines whose network gateway is a Microsoft Forefront server. I cannot connect to S3 storage from any of those machines.

The VMs are running server2012r2 or server2007r2, all with Windows Firewall completely turned off.

If I change a gateway to a SonicWall firewall the problem goes away. I have a reason for NOT WANTING to use the SonicWall for these machines, so that is NOT a solution to this question.

The Forefront server has an outgoing rule: all internal to all external, all protocols, all open. No malware rules are active on this connection.

Why can't I connect to S3 through the Forefront firewall? Thanks.
Question by:gateguard
LVL 11

Expert Comment

by:sumeshbnr
ID: 40469640
Are you running a proxy with ISA? If yes, try configuring the proxy with the S3 storage client and then see what happens.

Could you see anything in the ISA log when accessing it?

Most probably it is a source-based IP block rule. Check all the rules and their source and destination networks. It might be that the client you are trying is not in the list.

Author Comment

by:gateguard
ID: 40469704
Thanks for helping.

I did not set up a proxy when I installed Forefront.

Here are 3 log entries from the Forefront server, one after another (the source VM is 172.20.0.190, the program trying to connect to S3 storage is SQLBackupAndFtp):

Initiated Connection FIREFOREFRONT 11/27/2014 11:52:46 AM
Log type: Firewall service
Status: The operation completed successfully.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 172.20.0.90
 
Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Filter information: Req ID: 0b7d416f; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
 Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
 
Closed Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Firewall service
Status: Closed Connection
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 1054
Processing time: 63ms Original Client IP: 172.20.0.90
LVL 33

Accepted Solution

by: shalomc (earned 500 total points)
ID: 40470521
Here is your answer:

Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  

All is good at Amazon. I would turn off the ISA transparent proxy for the amazonaws.com domain.
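The accepted answer reads the 12227 status straight off the Web Proxy (Forward) record. As an added example, not code from the thread or from Microsoft, here is a small Python triage that parses records in the shape quoted above, flags https-inspect denials carrying that status, and notes when the Request field is an IP literal rather than a host name, a pattern no DNS name on a server certificate can match. The sample log is condensed from the thread's own three entries to the fields the triage needs.

```python
# Triage TMG/ISA web-proxy log records for HTTPS-inspection cert-name failures (12227).
import re

# Constructed sample: the three records quoted in the thread, condensed to
# the fields the triage needs (key: value lines, blank line between records).
SAMPLE_LOG = """\
Log type: Firewall service
Status: The operation completed successfully.
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS

Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Protocol: https-inspect

Log type: Firewall service
Status: Closed Connection
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
"""

# A bare IPv4 target (optionally with :port) cannot match a certificate's DNS names.
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def parse_records(text):
    """Split the log into records, each a dict of 'Key: value' fields."""
    records = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        records.append(fields)
    return records

def inspection_failures(records):
    """Return (destination_host, request_target, by_ip) for every
    https-inspect record whose status code is 12227."""
    findings = []
    for rec in records:
        if rec.get("Protocol") != "https-inspect":
            continue
        if rec.get("Status", "").split(" ", 1)[0] != "12227":
            continue
        m = re.search(r"\((\S+) \S+:\d+\)", rec.get("Destination", ""))
        host = m.group(1) if m else "?"
        target = rec.get("Request", "")
        findings.append((host, target, bool(IP_LITERAL.match(target))))
    return findings
```

A finding with by_ip set to True points at the same fix the answer gives: exclude the destination domain from HTTPS inspection rather than loosening the outgoing rule.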