S3 browser through Microsoft forefront

I have several virtual machines whose network gateway is a Microsoft forefront server. I cannot connect to s3 storage from any of those machines.

The VMs are running Server 2012 R2 or Server 2007 R2, all with Windows Firewall completely turned off.

If I change a gateway to a Sonicwall firewall the problem goes away. I have a reason for NOT WANTING to use the Sonicwall for these machines, so that is NOT a solution to this question.

The forefront server has an outgoing rule all internal to all external all protocols all open. No malware rules are active on this connection.

Why can't I connect to s3 through the forefront firewall?  Thanks.
Asked by: gateguard

sumeshbnr Commented:
Are you running a proxy with ISA? If yes, try configuring the proxy in the S3 storage client and then see what happens.

Could you see anything in the ISA log when accessing it?

Most probably it is a source-based IP block rule; check all the rules and their source and destination networks. It might be that the client you are trying is not in the list.
 
gateguard (Author) Commented:
Thanks for helping.

I did not set up a proxy when I installed Forefront.

Here are 3 log entries from the Forefront server, one after another (the source VM is 172.20.0.190, the program trying to connect to S3 storage is SQLBackupAndFtp):

Initiated Connection FIREFOREFRONT 11/27/2014 11:52:46 AM
Log type: Firewall service
Status: The operation completed successfully.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 172.20.0.90
 
Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Filter information: Req ID: 0b7d416f; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
 Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
 
Closed Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Firewall service
Status: Closed Connection
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 1054
Processing time: 63ms Original Client IP: 172.20.0.90
 
shalomc (CTO) Commented:
Here is your answer:

Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  

All is good at Amazon. I would turn off the ISA transparent proxy for the amazonaws.com domain.
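
An added example (not part of the original thread and not Forefront's own tooling): this Python script parses log text in the format pasted above and picks out the error 12227 denials raised by HTTPS inspection, so the affected client and destination can be listed before deciding what to exempt. The function and field names are assumptions chosen for the example; the sample input is two of the entries posted in the thread, trimmed.

```python
import re

# Sample input: two of the entries posted in the thread, trimmed to the fields used.
SAMPLE_LOG = """\
Initiated Connection FIREFOREFRONT 11/27/2014 11:52:46 AM
Status: The operation completed successfully.
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS

Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Protocol: https-inspect
"""

HEADER = re.compile(r"^(Initiated|Denied|Closed) Connection (\S+) (.+)$")
ENDPOINT = re.compile(r"\((?:(\S+) )?([\d.]+):(\d+)\)")  # "(host ip:port)" or "(ip:port)"

def parse_entries(text):
    """Turn pasted log text into one dict per entry (header fields plus 'Key: value' lines)."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            entries.append({"Action": header.group(1), "Time": header.group(3)})
        elif entries and ": " in line:
            key, _, value = line.partition(": ")
            entries[-1][key] = value
    return entries

def inspection_name_mismatches(entries):
    """Return the error 12227 denials that came from HTTPS inspection."""
    hits = []
    for e in entries:
        if (e["Action"] == "Denied" and e.get("Protocol") == "https-inspect"
                and e.get("Status", "").startswith("12227")):
            src = ENDPOINT.search(e.get("Source", ""))
            dst = ENDPOINT.search(e.get("Destination", ""))
            if src and dst:  # requested_by_ip: Request names the IP, not a host name
                hits.append({"client": src.group(2), "host": dst.group(1), "ip": dst.group(2),
                             "requested_by_ip": e.get("Request", "").startswith(dst.group(2) + ":")})
    return hits

if __name__ == "__main__":
    for hit in inspection_name_mismatches(parse_entries(SAMPLE_LOG)):
        print(hit)
```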