
Windows Server Forum / Small Business Server / SBS 2000 / July 2003


ISA blocks ipass update: UDP 67, 68 and 137.

Sam - 30 Jul 2003 16:24 GMT
Hi,

We use a service that is called iPass and allows us to
connect to the internet from anywhere in the world.

When users connect to our LAN they can update the POP's
and the software if there is an update. However, ISA
blocks that.

Currently there is a 4.2 MB update (new version) and that
is very annoying for travellers to update on a 56K modem
connection (usually getting 25K or so)...

Please find below the ISALogs... I'm unable to understand
this: the IPPD log seems to have a problem with UDP ports
67, 68 and 137.

I noticed these same ports in the log when I tried to use
Netscape from inside our network and when I tried to setup
FTP from outside to inside...

What is it with these ports? Do I have some weird NAT
config?

Please help!!!
Thanks,
Sam

ISALogs\FWSD....log (firewall)

192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
16:59:42, -, PALMA, -, -, 216.239.111.201, 80, -, 0, 0,
80, TCP, Connect, -, -, -, 0, -, BackOffice Internet
Access Protocol Rule, -, 390, 1379
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
16:59:42, -, PALMA, -, -, 216.239.111.201, 80, 15, 0,
3370, 80, TCP, Connect, -, -, -, 20001, -, BackOffice
Internet Access Protocol Rule, -, 390, 1379
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:00:05, -, PALMA, -, pb.ipass.com, 216.239.99.200, 0, -,
0, 0, -, -, GHBN, -, -, -, 0, -, BackOffice Internet
Access Protocol Rule, BackOffice Internet Access Site and
Content Rule, 390, 0
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:00:05, -, PALMA, -, -, 216.239.99.200, 80, -, 0, 0, 80,
TCP, Connect, -, -, -, 0, -, BackOffice Internet Access
Protocol Rule, -, 390, 1380
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:00:06, -, PALMA, -, -, 216.239.99.200, 80, 140, 0,
3370, 80, TCP, Connect, -, -, -, 20000, -, BackOffice
Internet Access Protocol Rule, -, 390, 1380

192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:05:05, -, PALMA, -, -, 216.239.111.201, 80, -, 0, 0,
80, TCP, Connect, -, -, -, 0, -, BackOffice Internet
Access Protocol Rule, -, 390, 1385
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:05:05, -, PALMA, -, pb.ipass.com, 216.239.99.200, 0, -,
0, 0, -, -, GHBN, -, -, -, 0, -, BackOffice Internet
Access Protocol Rule, BackOffice Internet Access Site and
Content Rule, 390, 0
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:05:05, -, PALMA, -, -, 216.239.111.201, 80, 16, 0,
3370, 80, TCP, Connect, -, -, -, 20001, -, BackOffice
Internet Access Protocol Rule, -, 390, 1385
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:05:05, -, PALMA, -, -, 216.239.99.200, 80, -, 0, 0, 80,
TCP, Connect, -, -, -, 0, -, BackOffice Internet Access
Protocol Rule, -, 390, 1386
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003,
17:05:05, -, PALMA, -, -, 216.239.99.200, 80, 188, 0,
3370, 80, TCP, Connect, -, -, -, 20000, -, BackOffice
Internet Access Protocol Rule, -, 390, 1386

ISALog\IPPD...log (protocol)

7/30/2003, 17:00:13, 172.26.0.99, 172.26.0.255, Udp, 137,
137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 b7 00 00 80
11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 47
7/30/2003, 17:00:14, 172.26.0.99, 172.26.0.255, Udp, 137,
137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 c2 00 00 80
11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 47
7/30/2003, 17:00:15, 172.26.0.99, 172.26.0.255, Udp, 137,
137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 d4 00 00 80
11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 43
7/30/2003, 17:00:15, 172.26.0.99, 172.26.0.255, Udp, 137,
137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 d9 00 00 80
11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 43
7/30/2003, 17:00:16, 172.26.0.99, 172.26.0.255, Udp, 137,
137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 ea 00 00 80
11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 43
7/30/2003, 17:04:36, 192.168.16.2, 255.255.255.255, Udp,
68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 44 43 00 00
80 11 24 f0 c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc 63
59 01 01 06 00 a5 65 d4 73 0a 00 80 00 c0 a8 10 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:04:44, 192.168.16.2, 255.255.255.255, Udp,
68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 46 f5 00 00
80 11 22 3e c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc dd
32 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 10 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:04:44, 192.168.16.2, 255.255.255.255, Udp,
67, 68, -, BLOCKED, 172.26.0.99, 45 00 01 48 46 f6 00 00
80 11 00 00 c0 a8 10 02 ff ff ff ff, 00 43 00 44 01 34 3a
37
7/30/2003, 17:04:53, 192.168.16.2, 255.255.255.255, Udp,
68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 49 a2 00 00
80 11 1f 91 c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc dd
32 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 10 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:04:53, 192.168.16.2, 255.255.255.255, Udp,
67, 68, -, BLOCKED, 172.26.0.99, 45 00 01 48 49 a3 00 00
80 11 00 00 c0 a8 10 02 ff ff ff ff, 00 43 00 44 01 34 3a
37
7/30/2003, 17:05:00, 192.168.16.2, 255.255.255.255, Udp,
68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 4a be 00 00
80 11 1e 75 c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc dd
32 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 10 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:05:00, 192.168.16.2, 255.255.255.255, Udp,
67, 68, -, BLOCKED, 172.26.0.99, 45 00 01 48 4a bf 00 00
80 11 00 00 c0 a8 10 02 ff ff ff ff, 00 43 00 44 01 34 3a
37

ISALog\WEBD....log (weblog)
127.0.0.1, anonymous, iPassConnect, -, 7/30/2003,
17:00:12, -, PALMA, -, did01.ipass.com, -, 80, 0, 478,
3370, http, -, POST,
http://did01.ipass.com/dialerId/DialerId, -, -, 403, -, -
, -
127.0.0.1, anonymous, iPassConnect, -, 7/30/2003,
17:05:34, -, PALMA, -, did01.ipass.com, -, 80, 0, 478,
3370, http, -, POST,
http://did01.ipass.com/dialerId/DialerId, -, -, 403, -, -
, -
David Butler [MSFT] - 31 Jul 2003 00:44 GMT
Hi Sam,

Thank you for using Microsoft Technical Support Newsgroups.  

Do you have your ISA Site & Content Rule and Protocol Rule set to allow "Users
and Groups" or "Any Request"?  If set to Users & Groups, change it to Any
Request and restart the ISA Services.

Once again, thank you for using the newsgroups.

Best Regards,

David Butler - MCSE NT4/2000
Microsoft Technical Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties,
and confers no rights.
Susan Bradley, CPA aka Ebitz SBS Rocks [MVP] - 31 Jul 2003 05:09 GMT
David...an "any request" turns off egress filtering. Not good, not good at all
with 03-026 RDP/Dcom worm in the works.

We have one of the best dang firewalls in the marketplace at our fingertips.
Let's learn how to set up our systems the right way.

Let's try to build a hole...Build a specific rule in ISA for those ..specifically
UDP ports..

[don't mean to be mean to you ..... and please accept my suggestions ...]

> Hi Sam,
>
[quoted text clipped - 20 lines]
> This posting is provided "AS IS" with no warranties,
> and confers no rights.

--
"Don't lose sight of security.  Security is a state of being, not a
state of budget.  He with the most firewalls still does not win.
Put down that honeypot and keep up to date on your patches.  Demand
better security from vendors and hold them responsible.  Use what
you have, and make sure you know how to use it properly and effectively."
 ~ Rain Forest Puppy

http://www.wiretrip.net/rfp/txt/evolution.txt
Sam - 31 Jul 2003 11:59 GMT
Hi Susan and David,

Thanks for your replies. I'm a bit of a stubborn guy and
like to understand everything I'm configuring.

I have set the "BackOffice Internet Access Site and
Content Rule" to apply to "Users and groups specified
below" and the account listed is "OFFICE\BackOffice
Internet Users" group.

Now, I have studied lots of material on HTTP and FTP,
including the 20+ pages of Stefaan Pouseele on
isaserver.org and I still don't get where the traffic on
these UDP ports 67, 68 and 137 comes from. Browsers, FTP
and this iPass update process claim to use TCP only! Is it
them generating this traffic or is it ISA?

Secondly, I'd like to know what kind of rule Susan is
referring to: "The BackOffice Internet Access" Protocol
rule applies to all IP traffic. So why are internally
initiated sessions blocked on UDP level???? This seems
like a lack of functionality/intelligence within ISA to me.

Last, but not least, I have no idea on security issues
implications if I poke a hole in our firewall for those 3
UDP ports.

Thanks in advance for your help!
Kind regards,
Sam
>-----Original Message-----
>David...an "any request" turns off egress filtering. Not good, not good at all
[quoted text clipped - 44 lines]
>
>.
Chad A Gross - 31 Jul 2003 16:25 GMT
Hi Sam - see inline

Chad A Gross

Lerman's Law of Technology:  Any technical problem can be overcome
given enough time and money. Corollary:  You are never given enough
time or money.

> Hi Susan and David,
>
[quoted text clipped - 12 lines]
> and this iPass update process claim to use TCP only! Is it
> them generating this traffic or is it ISA?

137 is NetBIOS related and could be normal network traffic, 67 & 68 are
BOOTP . . . which makes me doubt that these are being used by iPass.  Just
out of curiosity, I'd try booting workstations one by one and see if you can
associate these log entries with a particular machine (or machines) boot
process.

> Secondly, I'd like to know what kind of rule Susan is
> referring to: "The BackOffice Internet Access" Protocol
> rule applies to all IP traffic. So why are internally
> initiated sessions blocked on UDP level???? This seems
> like a lack of functionality/intelligence within ISA to me.

The "All IP Traffic" option in ISA protocol rules is a little misleading - as
it does not allow all IP traffic.  This option allows all protocols
currently defined in ISA.  Thus if there is not a protocol definition for a
certain port, ISA will block that traffic.  By default, ISA doesn't include
protocol definitions for BOOTP, which is why UDP 67 & 68 are being blocked.

> Last, but not least, I have no idea on security issues
> implications if I poke a hole in our firewall for those 3
> UDP ports.

There shouldn't be much of a security risk in allowing this traffic outbound
for testing purposes.  If this doesn't solve the problem, then I'd close the
holes back up.

> Thanks in advance for your help!
> Kind regards,
[quoted text clipped - 48 lines]
>>
>> .
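
A decoder for the IPPD records in the first post, added here as an example and not part of anyone's reply: it parses the logged IP and UDP header bytes to show what the blocked UDP 67, 68 and 137 packets actually are. The function names, the /24 broadcast heuristic and the shortened BOOTP payload are assumptions of this example.

```python
import ipaddress
import struct

# UDP services named in the thread (ports 67, 68 and 137).
SERVICES = {67: "BOOTP/DHCP server", 68: "BOOTP/DHCP client", 137: "NetBIOS name service"}

# Two IPPD records rejoined from the wrapped lines in the first post. The BOOTP
# payload is cut after ciaddr for this example.
SAMPLE = [
    "7/30/2003, 17:00:13, 172.26.0.99, 172.26.0.255, Udp, 137, 137, -, BLOCKED, 172.26.0.99, "
    "45 00 00 4e 16 b7 00 00 80 11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 47",
    "7/30/2003, 17:04:36, 192.168.16.2, 255.255.255.255, Udp, 68, 67, -, BLOCKED, 172.26.0.99, "
    "45 00 01 10 44 43 00 00 80 11 24 f0 c0 a8 10 02 ff ff ff ff, "
    "00 44 00 43 00 fc 63 59 01 01 06 00 a5 65 d4 73 0a 00 80 00 c0 a8 10 02",
]

def decode(record):
    """Decode one IPPD record: the logged fields plus the raw IP and UDP headers."""
    f = [x.strip() for x in record.split(",")]
    ip, data = bytes.fromhex(f[10]), bytes.fromhex(f[11])
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    sport, dport, _, _ = struct.unpack("!HHHH", data[:8])
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    out = {
        "time": f"{f[0]} {f[1]}", "action": f[8], "src": str(src), "dst": str(dst),
        "sport": sport, "dport": dport, "ip_proto": proto,
        "service": SERVICES.get(dport) or SERVICES.get(sport, "unknown"),
        # The raw headers should agree with the fields ISA wrote in front of them.
        "consistent": (str(src), str(dst), sport, dport) == (f[2], f[3], int(f[5]), int(f[6])),
        # 255.255.255.255 is never routed; a final octet of 255 is treated as a subnet
        # broadcast assuming a /24 mask (the page does not state the mask).
        "broadcast": dst == ipaddress.IPv4Address("255.255.255.255") or dst.packed[3] == 255,
    }
    if {sport, dport} & {67, 68} and len(data) >= 24:
        # Fixed BOOTP fields after the 8-byte UDP header: op..hops, xid, secs, flags, ciaddr.
        op, _, _, _, xid, _, flags, ciaddr = struct.unpack("!BBBBIHH4s", data[8:24])
        out["bootp"] = {"op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, op),
                        "xid": f"{xid:08x}", "broadcast_flag": bool(flags & 0x8000),
                        "ciaddr": str(ipaddress.IPv4Address(ciaddr))}
    return out

def summarize(records):
    """Count packets per (service, is_broadcast) so local housekeeping traffic stands out."""
    counts = {}
    for r in map(decode, records):
        key = (r["service"], r["broadcast"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Both sample records decode as local broadcasts (a NetBIOS name-service datagram and a BOOTP request), which is the kind of traffic that can be filtered out of the log before looking for whatever the iPass update itself is sending.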
David Butler [MSFT] - 31 Jul 2003 19:30 GMT
Hi Susan,

Thank you for your suggestions and you are correct, ideally we should be
concerned not only with ingress, but also egress as an infected client
computer could, with unrestricted outbound access, cause problems for other
servers.

Details on how to create specific rules to accommodate 3rd party software
can be found in our knowledge base as well as 3rd party websites.

Here are two articles which offer specific recommendation regarding common
configurations.  You would want to modify these recommendations to fit your
specific scenario:

 297479  How to Use America Online 6.0 with ISA
 http://support.microsoft.com/?id=297479

 295667  How to Allow Third-Party Internet Connections Through ISA
 http://support.microsoft.com/?id=295667

Once again, thank you for using the newsgroups.

Best Regards,

David Butler - MCSE NT4/2000
Microsoft Technical Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties,
and confers no rights.
Sam - 31 Jul 2003 12:29 GMT
Hi David,

Thanks for your reply. With Susan's warning in my head, I
tried your suggestion. It failed...

The site and content rule is an IP rule and although I
cannot find evidence anywhere, I think it manages TCP/IP
and NOT UDP.

Another ugly thing is that when I restored the original
setting (from "Any Request" to "Users & Groups") and
restarted the ISA management service (which restarts 3
dependent services), all users were unable to use the
internet and the firewall client was unable to find ISA
server.

A reboot of the server solved that, lucky me!

Kind regards,
Sam
>-----Original Message-----
>Hi Sam,
[quoted text clipped - 23 lines]
>
>.
Sam - 31 Jul 2003 13:52 GMT
Hi David,

I tested your solution again, using another PC in our LAN.
This time the switch from "users and groups" to "any
request" and back to "users and groups" went OK.

I only noticed Microsoft web proxy event 14148 (failed to
bind to port 80, due to other service using that port
(which is untrue!)) in the application log, directly
followed by a 14186 (started successfully).

The second test also did not bring any solution!

kind regards,
Sam
>-----Original Message-----
>Hi Sam,
[quoted text clipped - 23 lines]
>
>.
 