gateguard
S3 browser through Microsoft forefront
I have several virtual machines whose network gateway is a Microsoft Forefront server. I cannot connect to S3 storage from any of those machines.
The VMs are running Server 2012 R2 or Server 2007 R2, all with Windows Firewall completely turned off.
If I change a gateway to a Sonicwall firewall the problem goes away. I have a reason for NOT WANTING to use the Sonicwall for these machines, so that is NOT a solution to this question.
The Forefront server has an outgoing rule: all internal to all external, all protocols, all open. No malware rules are active on this connection.
Why can't I connect to S3 through the Forefront firewall? Thanks.
ASKER
Thanks for helping.
I did not set up a proxy when I installed Forefront.
Here are 3 log entries from the Forefront server, one after another (the source VM is 172.20.0.190, the program trying to connect to S3 storage is SQLBackupAndFtp):
Initiated Connection FIREFOREFRONT 11/27/2014 11:52:46 AM
Log type: Firewall service
Status: The operation completed successfully.
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 172.20.0.90
Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Filter information: Req ID: 0b7d416f; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
Closed Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Firewall service
Status: Closed Connection
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
Additional information
Number of bytes sent: 0 Number of bytes received: 1054
Processing time: 63ms Original Client IP: 172.20.0.90
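Added example (not part of the original post and not a Forefront tool): a small parser for the log layout pasted above that picks out HTTPS-inspection denials with status 12227 and records whether the Request field was an IP address rather than a host name, as it is in the Denied entry. The sample text is constructed from the entries in the post, abridged to the fields the code reads; the function names are hypothetical.

```python
import ipaddress
import re
# Constructed sample: two entries from the post above, abridged to the fields used here.
SAMPLE_LOG = """\
Initiated Connection FIREFOREFRONT 11/27/2014 11:52:46 AM
Log type: Firewall service
Status: The operation completed successfully.
Source: Internal (172.20.0.90:55521)
Protocol: HTTPS
Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Protocol: https-inspect
"""

HEADER = re.compile(r"^(Initiated|Denied|Closed) Connection (\S+) (.+)$")

def parse_entries(text):
    """Split the pasted log into dicts: header fields plus 'Key: value' lines."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"action": m.group(1), "server": m.group(2), "time": m.group(3)})
        elif entries and ": " in line:
            key, value = line.split(": ", 1)
            entries[-1].setdefault(key, value)
    return entries

def is_ip_literal(request):
    """True when the Request field is host:port with an IP address as the host."""
    try:
        ipaddress.ip_address(request.rsplit(":", 1)[0].strip("[]"))
        return True
    except ValueError:
        return False

def inspection_denials(entries):
    """Denied https-inspect entries whose status is 12227 (certificate name mismatch)."""
    return [
        {"time": e["time"], "source": e.get("Source"), "request": e.get("Request"),
         "request_is_ip": is_ip_literal(e.get("Request", ""))}
        for e in entries
        if e["action"] == "Denied" and e.get("Protocol") == "https-inspect"
        and e.get("Status", "").startswith("12227")
    ]
```

Calling `inspection_denials(parse_entries(SAMPLE_LOG))` returns one hit for the 11:52:47 AM entry with `request_is_ip` set to `True`.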
Could you see anything in the ISA log when accessing it?
Most probably it is a source-based IP block rule. Check all the rules and their source and destination networks. It might be that the client you are trying is not in the list.