?
Solved

S3 browser through Microsoft forefront

Posted on 2014-11-27
3
Medium Priority
?
237 Views
Last Modified: 2015-01-05
I have several virtual machines whose network gateway is a Microsoft forefront server. I cannot connect to s3 storage from any of those machines.

The vm's are running server2012r2 or server2007r2, all with windows firewall completely turned off.

If I change a gateway to a Sonicwall firewall the problem goes away. I have a reason for NOT WANTING to use the Sonicwall for these machines, so that is NOT a solution to this question.

The forefront server has an outgoing rule all internal to all external all protocols all open. No malware rules are active on this connection.

Why can't I connect to s3 through the forefront firewall?  Thanks.
0
Comment
Question by:gateguard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 11

Expert Comment

by:sumeshbnr
ID: 40469640
Are you running proxy with ISA ? If yes try configuring proxy with the s3 storage client and then see what happens.

Could you see anything in the ISA log when accessing it ?

Most probably it is a source based IP block rule check all the rules and it source and destination networks .Might be the client you are trying is not in the list.
0
 

Author Comment

by:gateguard
ID: 40469704
Thanks for helping.

I did not set up a proxy when I installed Forefront.

Here are 3 log entries from the Forefront server, one after another (the source VM is 172.20.0.190, the program trying to connect to S3 storage is SQLBackupAndFtp):

Initiated Connection FIREFOREFRONT 11/27/2014 11:52:46 AM
Log type: Firewall service
Status: The operation completed successfully.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 172.20.0.90
 
Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Filter information: Req ID: 0b7d416f; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
 Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
 
Closed Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Firewall service
Status: Closed Connection
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 1054
Processing time: 63ms Original Client IP: 172.20.0.90
0
 
LVL 33

Accepted Solution

by:
shalomc earned 2000 total points
ID: 40470521
Here is your answer:

Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  

All is good at Amazon. I would turn off the ISA transparent proxy for the amazonaws.com domain.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs What does this mean and how can one go about correcting it? In simple terms, this error message indicates t…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses
Course of the Month11 days, 22 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question