General discussion

  • #2276331

    Internet Firewall

    Locked

    by kingofthenerds ·

    Hi All,

    I have an ISA server running; at the moment I don’t seem to be able to open any ports on it. I have tried multiple port openings, e.g. POP, SMTP, FTP, on outbound and inbound, but still these ports remain closed.

    I think it is because I have two instances of NAT running. Below is my current setup:

    Internet > ADSL Router (using NAT) > 100MB NIC in Windows 2000 Server ISA Server on 10.0.0.1 range > Out through a 1Gb NIC on 192.168.1.* range > Managed switch > Network

    The ISA Server is also running NAT.

    I am confused about the setup and I am definitely sick to death of not being able to open ports.

    Now listen closely, I am prepared to give all of these points to someone who can not just give me an answer, but help me through setting it up so that I can at least open a port such as FTP.

    When I am able to open a port and access it from a computer inside the network, the points will be awarded.

    Thank you

    P.S. No negative comments, these are my points and these are the conditions.

All Comments

    • #3313500

      Reply To: Internet Firewall

      by cg it ·

      In reply to Internet Firewall

      You create packet filters to open the ports that you need. ISA server by default closes ALL ports until you allow them. There are wizards you can run to publish services like Email, Web Servers, Remote Access. Change the view you’re using if you don’t see the Wizard Icons to create packet filters, Secure your network in the right pane.

      Open up the ISA server management console. Expand your server in the left pane. Expand Access Policies. Note there are three entries. You’ll want filters. Here is where you create the filters to open up ports for your services. Note: ISA server does NOT allow “all users” access under rules. You MUST specify who is allowed, e.g. a user group or user account. Also note, ISA server will conflict with IIS in listening on port 80. Therefore you must change the proxy to a port other than port 80 for HTTP requests. Internet Explorer for clients must also be configured to use ISA server [proxy server] or they will get the standard denied request by ISA server.

      Microsoft Help and Support along with isaserver.org have a multitude of step by step instructions on configuring ISA Server 2000.

      • #3313498

        Reply To: Internet Firewall

        by cg it ·

        In reply to Reply To: Internet Firewall

        If you want or need more information, post again and tell us what you have done to create rules and packet filters in ISA.

      • #3312795

        Reply To: Internet Firewall

        by kingofthenerds ·

        In reply to Reply To: Internet Firewall

        Poster rated this answer.

    • #3313445

      Reply To: Internet Firewall

      by rindi1 ·

      In reply to Internet Firewall

      Have a look at your ADSL Router. You can probably open/close ports there as well.

    • #3313436

      Reply To: Internet Firewall

      by edlockett ·

      In reply to Internet Firewall

      If you want to open ports you must first do so in your router’s configuration. THEN you can open the required ports in the ISA server.

      Hope this helps 🙂

    • #3312845

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      One of the things I did was try to open port 21. I did this because we have a web page on the internet that I need to upload things to. Currently I can only upload things from the ISA server.

      Any computer I try to upload from in the network replies the following:
      Windows cannot access this folder. Make sure you have typed the name correctly and have permission to access the folder and try again.

      Details: The connection was reset by the server.

      This is one message that I get. I have fiddled with settings etc. and I have been able to get another message.

      It says something about not having enough permissions to access the folder, as if the way I access the internet from a client inside the network does not have enough rights.

      We use anonymous logins through ISA Server. We can’t authenticate because we have a lot of Macs on our network that also go through the ISA server, and they have a Mac server which handles their usernames and passwords, so integrated authentication in ISA is out of the question.

      I am really lost; I have followed a document explaining word for word how to open port 21 using ISA and it still didn’t work. It had pictures and all.

      What I need is someone to give me step by step instructions on opening a port, and then I can tell you what happens when it doesn’t work.

      I can assure you it won’t work. I have no idea why. Please get me to perform some tests so you can get an idea of what’s happening; I really need to work this out.

      If I can open just one port that is closed, I will be fine to open any other ports. Help me do this and have the points.

      Thank you

    • #3312798

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      Here are some sites I have been to with easy instructions, with pictures and all. But it is still not working.

      http://www.isaserver.org/tutorials/Microsoft_ISA_Server_Part_II__Firewall_Functions_Publishing_Policy_Rules.html

      http://www.isaserver.org/tutorials/Microsoft_ISA_Server_Part_I__introduction_installation_configuration_Web_caching_and_Internet_access.html

      Surely there is some guru out there that looks at opening a port on an ISA server as easy. If so it should be no problem helping me open a port.

      Thanks

    • #3312793

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      I have added 2 custom packet filters for 25 and 110 allowing bidirectional communication on those ports. I chose any remote host for both to connect to.

      I have a protocol rule that allows all traffic, all the time from anyone.

      I hope you gurus have better luck figuring out what’s wrong than me.

      Maybe the problem is occurring when a request comes from a 192 range and goes to a 10 range.

      Thanks

    • #3312707

      Reply To: Internet Firewall

      by edlockett ·

      In reply to Internet Firewall

      OK, I’ll make it simple for you…
      You can open as much as you like in the ISA server. It’s not going to work because your router also has a firewall.

    • #3312660

      Reply To: Internet Firewall

      by ian mclaws ·

      In reply to Internet Firewall

      Well, since you are able to FTP from the ISA box (which is behind the router), your router is not the problem.

      I believe that your problem is exactly what you suspect. You are using the reserved ranges (192 and 10) on each side of the ISA box. This results (if you have automatically constructed your LAT) in both ranges being listed as local (in the local address table). This confuses the ISA box into not knowing where to send information, kind of like having two different routes for it to pass packets, only one of which is valid. You should, however, have had events in your application log…

      Take a look at your LAT entries. You should delete them (after writing them down) and create the entries you need manually, so that ISA doesn’t add the other reserved ranges automatically. By default, the 10.0.0.0, 169.254.0.0, and 192.168.0.0 ranges are added as local.

      Let me know how it goes (and good luck).

      IanM

    • #3312653

      Reply To: Internet Firewall

      by cg it ·

      In reply to Internet Firewall

      This is for ISA server 2000. ISA 2004 is way different.
      With that in mind, the first thing you have to do is make sure that your ISA server’s external interface that connects to your DSL router is within the same IP address range as your DSL router LAN, NOT your public ISP address. The NIC also must be configured to use your ISP’s DNS servers, NOT your LAN DNS server. Second, on the DSL router, you MUST use port forwarding and specify the ISA server’s external interface IP address so that the router forwards traffic destined for whatever service to the ISA server. That’s the first step. If your DSL router doesn’t forward inbound traffic to ISA server, nothing is going to get in to the network.

      Next step is to create an access rule in ISA server. Access rules are a security feature only. They either allow users or user groups internet access. You said you created a rule to allow all users outbound access. If so, everyone will have internet access.

      Next is to create a set of packet filters. This is done by choosing new filters from the list in ISA Server access policy, filters. Just run the wizard and make SURE for FTP you specify TCP and port 21 AND port 20. You’ll need filters for both ports, and make sure that you have inbound and outbound filters.

      Next is server publishing. If your web server or FTP server is on your network, ISA needs to be configured to forward inbound packets to your downstream server. This is where most get bogged down. ISA server will not automatically forward packets to a server downstream [with the exception of SBS 2000 server running Exchange 2000]. You MUST publish a server and direct ISA server to forward packets to it AND the correct shared folder path.

      • #3312648

        Reply To: Internet Firewall

        by cg it ·

        In reply to Reply To: Internet Firewall

        Your DSL router has 2 interfaces, public and private. The public one I’ll assume gets an IP address dynamically from your ISP. The private one needs to be a static IP address. Consumer DSL routers normally only allow the 192.168.x.x address range, so having a 10.x.x.x address range for the private LAN on the DSL router sounds off to me. So your private LAN on the DSL router should be 192.168.x.x with a subnet mask of 255.255.255.XXX. The external interface on ISA server MUST be configured within this same IP address range and subnet mask. The default gateway on the external ISA server interface is then the DSL router’s PRIVATE IP address.

      • #3312646

        Reply To: Internet Firewall

        by cg it ·

        In reply to Reply To: Internet Firewall

        Also note, getting an access denied while trying to connect to a shared resource on a web server that is NOT on the same segment, when you’re running IIS 5.0 or 6.0 WITH FrontPage server extensions, isn’t an ISA problem. It’s an IIS web site authentication problem. FrontPage server extensions work with FrontPage. If you’re using SharePoint, you’ve got to uninstall FrontPage extensions and then extend the web server for SharePoint.

      • #3312640

        Reply To: Internet Firewall

        by cg it ·

        In reply to Reply To: Internet Firewall

        Another important tip: clients MUST use the ISA server firewall client program on client computers, NOT on ISA server itself.

      • #3312637

        Reply To: Internet Firewall

        by cg it ·

        In reply to Reply To: Internet Firewall

        Last comment on web servers. If your web server is NOT on the network, e.g. NOT behind ISA server, and you’re trying to use a client behind ISA to connect to the web server for administration purposes, and you’re getting access denied messages when trying to update a web site with new pages, the problem may not be ISA server but rather your web server.

      • #3311040

        Reply To: Internet Firewall

        by kingofthenerds ·

        In reply to Reply To: Internet Firewall

        Poster rated this answer.

    • #3313277

      Reply To: Internet Firewall

      by curlergirl ·

      In reply to Internet Firewall

      Let me try to address a couple of things first and see how it goes. I think your basic problem has to do with the routing between the ISA server and the rest of your LAN. First of all, you do NOT want your router and your ISA server both running NAT. The only way I know of to run NAT on a Win2K server is to set up Internet Connection Sharing. If that’s what you are doing, turn it off – this may be the source of all your problems.

      I’d recommend simplifying your IP routing setup as follows: Internet>ADSL Router (using NAT) w/LAN IP address in 192.168.1.x range > Managed Switch (preferably same switch that the server is using); the server only needs one NIC w/IP address in 192.168.1.x range, connected to the switch, using ADSL router’s IP as the default gateway; workstations should be using the ISA server as the default gateway, NOT the router. DNS on the router, server and workstations should point to your internal DNS server. Your internal DNS server can handle all name resolution, or you can set it to use your ISP’s DNS servers as forwarders. This works fine unless you are trying to create a DMZ of some kind. If that’s the case, I’d still start out with this setup until you get everything working right, and then you can add the additional 10.x.x.x subnet if necessary.

      Now, at this point, you should have all your workstations and servers able to access the Internet through the ISA server. If you get this far and are still having problems setting up port filtering, post back and I’ll continue on to the next step.

      Hope this helps!

    • #3313265

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      First of all I want to thank everyone for their detailed answers. For once I have asked a question and been given something great to work with.

      Second, I am raising the points awarded because of this fact.

      Last but not least, here is my setup and my reasoning:
      ADSL ROUTER is on 10.0.0.138 connected to ISA Server NIC on 10.0.0.10. This is because the ISA has two NIC cards so that everything must pass through the ISA Server to get to the Internet. The second NIC card in the ISA server is then connected to the network on 192.168.1.3, which is our networking address scheme for all computers in the network.

      I am about to try every suggestion mentioned, and I will add that the router has a firewall but it is disabled. Hence I can FTP, email etc. from the ISA server but not from any machine inside the network.

      Thank you and I will report back soon

    • #3313259

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      I must add an important point after reading the articles. I don’t have a Web Server or mail server etc. I have a company on the internet that hosts our webpage and I simply want to be able to FTP to it from a machine inside my network, instead of having to be on the ISA Server to do this.

      I must also add that I do not have firewall clients installed on any machine. I don’t really know what they’re for, but I read somewhere that if you have NAT running on ISA you don’t need it.

      I think this is where you should instruct me to look. Show me where to find out if ISA is running NAT. Because if it is not and I am not using firewall clients, then obviously I have some major problems.

      Remember though, all clients can access the internet, but can’t FTP, email etc.

      Thanks

    • #3313251

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      One last point, I have checked the LAT on the ISA server. There is one listing, which is:
      From: 192.168.1.0   To: 192.168.1.255

      That is all that is there; should there be a 10 range as well?

      Also I believe all my trouble is coming from not having a proper route set up between the 192 network and the 10 network range. At the moment I only have a default rule in there.

      Please instruct me on how to set up a route between the 192.168.1.0 address and the 10.0.0.0 address. Please include all information because I have no idea how to do this.

      Thanks

    • #3313250

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      One last comment, I have checked the NIC card settings on the ISA server. Details below:

      100MB NIC from ISA to ADSL Router
      IP Address 10.0.0.10
      Subnet 255.255.255.0
      Default Gateway 10.0.0.138

      DNS
      Primary and Secondary both pointing to ISP

      1GB NIC in ISA to Network
      IP Address 192.168.1.3
      Subnet 255.255.255.0
      Gateway nothing

      DNS
      Primary Domain DNS Server
      Secondary nothing

      I hope this helps
      Thanks

    • #3313246

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      I have checked the properties on the Packet Filter folder on the ISA Server and packet filtering is enabled with a tick, but no other boxes are ticked on that page. E.g. IP Routing is not enabled.

      Could this be the problem?

    • #3313028

      Reply To: Internet Firewall

      by cg it ·

      In reply to Internet Firewall

      First of all, I’ll say that it is best if you have ISA server on the DMZ port of your ADSL router. Though you can have a couple of layers of defense, e.g. the firewall on the router, then ISA server, then your network, configuring your router and then ISA can get overly complicated.

      Next is to simplify the understanding of ISA server. It’s a very detailed, configurable proxy server with a built in firewall with stateful packet inspection. ISA server will block traffic unless specifically allowed by rules you create and by packet filters allowing traffic through specific ports. It’s a lot like Remote Access in that traffic is first checked to see if there is a filter allowing it over the specified port, then rules are checked allowing content type. Then rules are checked allowing a specific user or group of users. If anywhere along the way the traffic does not meet any of the rules or filters, traffic is denied.

      Next point is NAT. NAT is nothing more than the router adding a header to the packet with the “public” IP address. Each router can either add the header or just forward the packet on to the next router. Routers can strip the packet header assigned by another router using NAT to get to the header with the next destination IP. Routers also forward packets that are not destined for the LAN segment they are a part of to their default gateway. This is configured in the router’s routing table. [e.g. If no address is found that matches the packet address in the router’s routing table, it’s forwarded.]

      The firewall client program is for automatic configuration of the web browser to use ISA server. You CAN manually configure each client computer to use ISA server, but the firewall client program does that automatically. It’s NOT mandatory to use the firewall client program [except on ISA Server 2004].

      • #3313022

        Reply To: Internet Firewall

        by cg it ·

        In reply to Reply To: Internet Firewall

        If you can use ISA server to upload content to a web server but clients behind ISA server are denied that, then a Site & Content Rule, Access rule, or filter is blocking FTP from the client to the destination. It is important to note that Site and Content rules are for internal clients. Meaning that you can deny or filter internal clients from accessing specific sites or specific content type. If not allowed, it’s denied. Filters deny traffic by traffic type and port. FTP traffic over ports 20 and 21. Both ports must have filters allowing traffic. Port 20 is for connection negotiation and 21 is for payload delivery. If you don’t have filters for both ports you won’t get FTP traffic. This might be your problem. Make sure you have filters for both ports 20 and 21 created to allow traffic for FTP and that the client computer and the user account you’re using have the appropriate access rights for FTP via Site and Content Rules.

      • #3311042

        Reply To: Internet Firewall

        by kingofthenerds ·

        In reply to Reply To: Internet Firewall

        Poster rated this answer.

    • #3311191

      Reply To: Internet Firewall

      by shmaltz ·

      In reply to Internet Firewall

      In order to open ports on double NAT:
      If your ADSL firewall/router has a DMZ feature, then set the ISA to be the DMZ host and on the ISA make sure you forward it correctly.
      If it doesn’t have a DMZ feature, then forward the ports you want to open (in this case FTP) to the ISA Server on the ADSL router and then on the ISA forward it to the machine on the LAN.

    • #3311188

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      Below is the exact message I get when trying to FTP:
      The Folder “ftp://www.website.com” is read only because the proxy server is not setup to allow full access.

      I click ok and this page displays in my browser:

      The page cannot be displayed
      There is a problem with the page you are trying to reach and it cannot be displayed.

      ——————————————————————————–

      Please try the following:

      Click the Refresh button, or try again later.

      Open the Web site home page, and then look for links to the information you want.
      If you typed the page address in the Address bar, make sure that it is spelled correctly.

      Verify that the Internet access policy on your network allows you to view this page.
      If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the Web site home page.
      HTTP 502 Proxy Error – The login request was denied. The logon account might have been disabled or logon information might have changed. Log on again to verify that the information was typed correctly. If the problem continues, report the problem to the administrator of the Internet server you are requesting. (12015)
      Internet Security and Acceleration Server

      ——————————————————————————–

      Technical Information (for support personnel)

      Background:
      The gateway could not retrieve the requested page.

      ISA Server: proxy1.sheahan.edu.au
      Via:

      Time: 11/15/2004 1:06:19 AM GMT

      Any ideas?

    • #3312198

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      IMPORTANT INFO

      I have just had a breakthrough. I have been reading everything I can get my hands on and attempting all suggestions.

      I was getting nowhere fast, so I turned back to isaserver.org for more reading.

      I then found an article on the Internet Explorer FTP Client. It identified the problem that I was having exactly.

      I now realise that I have only been using the Web Proxy Client, and to use FTP through ISA you must have either SecureNAT or Firewall Client for it to work.

      I didn’t want to install Firewall Client on all machines, and because of my Macs I couldn’t.

      But SecureNAT I could do. To have a client function as a SecureNAT client, all you must do is set up your gateway as the Internal NIC of the ISA server. IT IS THAT SIMPLE.

      But this is where it gets tricky: I still can’t use Outlook Express; ports 25 and 110 are still blocked.

      Therefore SecureNAT has fixed my FTP problem but not my SMTP or POP problem.

      I am hoping now that you know all this you can give me some suggestions.

      I have a DHCP server, by the way, and it assigns IP addresses. How do I get it to assign a gateway address to each client? I couldn’t find that option in the DHCP snap-in.

      Thanks
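      The following is an added worked example, not code from the thread or from ISA Server: it models the two ISA interfaces and the LAT exactly as posted above (#3313251 and #3313250), applies IanM’s LAT warning to both the posted LAT and the auto-built one, classifies a workstation as SecureNAT or Web Proxy only by its default gateway (the breakthrough in this post), and answers the DHCP question with the standard Router option (option 3). The interface labels, the sample workstation addresses and the assumed /24 masks are constructed for the example.

```python
import ipaddress

# Figures taken from the thread's own posts (ISA NIC settings and the posted
# LAT); everything is modelled locally, nothing is queried from ISA itself.
ISA_EXTERNAL = ipaddress.ip_interface("10.0.0.10/24")    # 100MB NIC to ADSL router
ISA_EXTERNAL_GW = ipaddress.ip_address("10.0.0.138")     # ADSL router LAN address
ISA_INTERNAL = ipaddress.ip_interface("192.168.1.3/24")  # 1GB NIC to the switch

# LAT as posted: a single From/To entry covering only the internal network.
POSTED_LAT = [("192.168.1.0", "192.168.1.255")]
# The auto-constructed LAT IanM warned about: all three private ranges local.
AUTO_LAT = [("10.0.0.0", "10.255.255.255"),
            ("169.254.0.0", "169.254.255.255"),
            ("192.168.0.0", "192.168.255.255")]


def lat_covers(lat, addr):
    """True if any From/To pair in the LAT contains addr."""
    addr = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in lat)


def check_lat(lat):
    """Findings for a LAT relative to ISA's two interfaces.

    Only the internal side may be local. If the external 10.x subnet is also
    listed, ISA sees both sides as internal and cannot route between them.
    """
    findings = []
    if not lat_covers(lat, str(ISA_INTERNAL.ip)):
        findings.append("internal NIC subnet missing from LAT")
    if lat_covers(lat, str(ISA_EXTERNAL.ip)):
        findings.append("external NIC subnet listed in LAT (both sides local)")
    return findings


def check_external_nic():
    """The external NIC's default gateway must sit on the external subnet."""
    if ISA_EXTERNAL_GW in ISA_EXTERNAL.network:
        return []
    return ["external default gateway not on external subnet"]


def client_kind(client_ip, client_gw, browser_proxy_set):
    """Classify a workstation the way ISA 2000 would treat it.

    SecureNAT client: default gateway is ISA's internal NIC, so every protocol
    (FTP, SMTP, POP) reaches ISA's filters, with no client software needed.
    Web Proxy client only: the browser points at ISA but packets leave via
    another gateway; only browser protocols work, which is the read-only FTP
    symptom reported earlier in the thread.
    """
    ip = ipaddress.ip_address(client_ip)
    gw = ipaddress.ip_address(client_gw) if client_gw else None
    if ip not in ISA_INTERNAL.network:
        return "not on ISA internal network"
    if gw == ISA_INTERNAL.ip:
        return "SecureNAT client"
    if browser_proxy_set:
        return "Web Proxy client only"
    return "no path through ISA"


def dhcp_router_option():
    """DHCP option 3 (Router) to hand out so every lease becomes a SecureNAT client."""
    return {"option": 3, "name": "Router", "value": str(ISA_INTERNAL.ip)}


if __name__ == "__main__":
    print("posted LAT:", check_lat(POSTED_LAT) or "ok")
    print("auto LAT:", check_lat(AUTO_LAT))
    print("external NIC:", check_external_nic() or "ok")
    print("workstation:", client_kind("192.168.1.50", "192.168.1.3", True))
    print("DHCP scope option:", dhcp_router_option())
```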

    • #3311038

      Reply To: Internet Firewall

      by kingofthenerds ·

      In reply to Internet Firewall

      This question was closed by the author
