Hi Chad

I am following up on the reply to my question on the
Newsgroup (see below). I am trying to set up an EDI system
from my LAN. It requires access to the remote server over
ports 21, 989, 990, and 3662. I have created protocol
rules for each of these ports (both inbound and outbound)
but my software fails at the point of the handshake,
implying that the ports are not accessible in some way. I
have set them up as TCP ports and specified the port
numbers inbound and outbound (separate protocols under one
protocol rule). I am trying to access the remote server
from one of my workstations.

I think everything is set up correctly. Can you think of
anything I may have missed or overlooked?

Yours

John Wilson







Hi John -

First question is what machine(s) need access on these ports? If client
machines, you need to create a protocol rule (and protocol definitions);
if the server is the only machine that needs these ports, then you are
correct that you need packet filters.

For your packet filters, I'm guessing you have both your local and remote
ports set to a fixed port. It's been my experience that this does not work
well, if at all. The side of the connection that is accepting inbound
connections should be set to the fixed port number, with the client side
being set to either All Ports or Dynamic. For example, if you are
initiating a connection with a server on the internet (so that the remote
server is accepting the incoming connection), then the remote port will be
set to fixed and the local port will be set to either All Ports or Dynamic.
If your server is accepting inbound connections from others, then the local
port will be set to fixed and the remote port set to either All Ports or
Dynamic. Also - unless you are accepting inbound connections from other
machines on the internet, I would set the packet filters to be for outbound
access only.

If the clients need access, you'll need to expand Policy Elements and create
a new protocol definition for each port you need open. If you're using the
default BackOffice Internet Access protocol rule, then the clients should
have access after creating these definitions. If you've locked down your
outbound access, then you'll need to create a new protocol rule to allow the
new protocol definitions you just created.

--
Chad A Gross

Lerman's Law of Technology: Any technical problem can be
overcome
given enough time and money. Corollary: You are never
given enough
time or money.



John Wilson wrote:
> I am trying to open up four ports in the ISA server on SBS
> 2000. I have followed the instructions in the help files,
> creating new packet filters for ports 989, 990 and 3667.
> These are required for an FTP system of EDI. Once these
> have been created there is still no server connection. Is
> there anything I may have forgotten in creating these
> filters? I have configured them to allow traffic both in
> and out on each of these specific port numbers. I have
> also monitored the server with a port scanner to identify
> open ports. These particular ports do not appear as one of
> the open ports.
>
> Can anyone help or explain?
>
> John Wilson
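The packet-filter point Chad makes above (fixed port on the side that accepts the connection, All Ports or Dynamic on the side that initiates it) is easy to see with a small model. The following Python is an added illustration written for this page; it is not ISA Server code and the port-matching semantics are simplified. The "Dynamic" range of 1025-5000 is an assumption, and all filter names, source ports and connection attempts are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# One side of a packet filter:
#   int        -> Fixed port
#   "all"      -> All Ports
#   "dynamic"  -> Dynamic (assumed here to mean the ephemeral range 1025-5000)
PortSpec = Union[int, str]

DYNAMIC_RANGE = (1025, 5000)  # assumption for this example, not stated in the thread


@dataclass(frozen=True)
class PacketFilter:
    name: str
    proto: str        # "TCP" or "UDP"
    direction: str    # "outbound": LAN host initiates; "inbound": remote host initiates
    local_port: PortSpec
    remote_port: PortSpec


@dataclass(frozen=True)
class ConnectionAttempt:
    """The first packet of a connection, as seen from the firewall's LAN side."""
    proto: str
    direction: str
    local_port: int
    remote_port: int


def port_matches(spec: PortSpec, port: int) -> bool:
    """Does a single port satisfy a Fixed / All Ports / Dynamic specification?"""
    if spec == "all":
        return True
    if spec == "dynamic":
        lo, hi = DYNAMIC_RANGE
        return lo <= port <= hi
    return spec == port  # Fixed port


def matching_filter(filters: List[PacketFilter], attempt: ConnectionAttempt) -> Optional[str]:
    """Return the name of the first filter that permits the attempt, or None (dropped)."""
    for f in filters:
        if (f.proto == attempt.proto
                and f.direction == attempt.direction
                and port_matches(f.local_port, attempt.local_port)
                and port_matches(f.remote_port, attempt.remote_port)):
            return f.name
    return None


# Constructed filter sets for the port-990 case discussed in the thread.
FIXED_BOTH_SIDES = [
    # What the thread suspects John configured: fixed on both sides.
    PacketFilter("edi-990-fixed", "TCP", "outbound", local_port=990, remote_port=990),
]
ACCEPTING_SIDE_FIXED = [
    # Chad's advice for a LAN client talking to a remote server.
    PacketFilter("edi-990-out", "TCP", "outbound", local_port="dynamic", remote_port=990),
]
SERVER_ACCEPTS_INBOUND = [
    # Chad's advice when the LAN server itself is the one listening.
    PacketFilter("edi-990-in", "TCP", "inbound", local_port=990, remote_port="all"),
]


def lan_client_to_remote(source_port: int, dest_port: int = 990) -> ConnectionAttempt:
    """A LAN workstation opening a connection to the remote EDI server."""
    return ConnectionAttempt("TCP", "outbound", local_port=source_port, remote_port=dest_port)


def remote_to_lan_server(source_port: int, dest_port: int = 990) -> ConnectionAttempt:
    """A remote host connecting in to a service listening on the LAN."""
    return ConnectionAttempt("TCP", "inbound", local_port=dest_port, remote_port=source_port)


def demo() -> dict:
    # A client's source port is picked by its TCP stack; 3021 is a constructed value.
    attempt = lan_client_to_remote(source_port=3021)
    return {
        "fixed/fixed": matching_filter(FIXED_BOTH_SIDES, attempt),
        "dynamic/fixed": matching_filter(ACCEPTING_SIDE_FIXED, attempt),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14s} -> {'allowed by ' + result if result else 'dropped'}")
```

The fixed/fixed filter never matches because the workstation's source port is chosen by its TCP stack, not by the administrator, so the handshake John describes fails at the SYN. The same model also shows why an inbound filter does nothing for a client-initiated session: the direction does not match.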



Re: Firewall settings - reply by Chad

Chad
Mon Jul 21 13:13:46 CDT 2003

Hi John -

I'm not that familiar with EDI, so I'm just going off the info from your
posts. Since you created Protocol rules, I am assuming that it's a client
machine that needs access, right? Try this - create a new protocol
definition with TCP 21 as your primary connection, then select to use
secondary connections. Add each of your other ports 989, 990, 3662 as
secondary connections (both inbound / outbound), then modify your protocol
rule to use this new protocol definition and see if that helps any. In
order to use this protocol, you will need the firewall client installed on
the workstation. Also, I'd make sure that all of these ports are in fact
using TCP. My personal experience has been that if there is some sort of
authentication handshake involved, you will have one port that uses UDP -
but that isn't necessarily the case all the time.

--
Chad A Gross

Lerman's Law of Technology: Any technical problem can be overcome
given enough time and money. Corollary: You are never given enough
time or money.
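Chad's second suggestion, a protocol definition with TCP 21 as the primary connection and 989, 990 and 3662 as inbound/outbound secondary connections, can be modelled the same way. The Python below is an added example written for this page, not ISA Server's own logic: it assumes a firewall-client session must establish the primary connection before any secondary connection is permitted, and the protocol name and the three sample sessions are constructed. The last session shows the effect of Chad's caveat that one of the ports might actually be UDP.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionSpec:
    proto: str        # "TCP" or "UDP"
    direction: str    # "outbound" or "inbound", relative to the firewall client
    port: int         # remote port for outbound, local listening port for inbound


@dataclass
class ProtocolDefinition:
    name: str
    primary: ConnectionSpec
    secondaries: List[ConnectionSpec] = field(default_factory=list)

    def permits(self, conn: ConnectionSpec, session_open: bool) -> bool:
        """Assumed rule: secondaries are only allowed once the primary is established."""
        if not session_open:
            return conn == self.primary
        return conn == self.primary or conn in self.secondaries


def evaluate_session(defn: ProtocolDefinition,
                     attempts: List[ConnectionSpec]) -> List[Tuple[ConnectionSpec, bool]]:
    """Walk the connection attempts of one firewall-client session in order."""
    results = []
    session_open = False
    for conn in attempts:
        allowed = defn.permits(conn, session_open)
        if allowed and conn == defn.primary:
            session_open = True
        results.append((conn, allowed))
    return results


def first_denied(results: List[Tuple[ConnectionSpec, bool]]) -> Optional[ConnectionSpec]:
    """The first attempt the definition rejected, or None if the whole session passed."""
    for conn, allowed in results:
        if not allowed:
            return conn
    return None


# Constructed definition following Chad's advice: primary TCP 21,
# secondaries TCP 989/990/3662 in both directions.
EDI_FTP = ProtocolDefinition(
    name="EDI FTP (constructed)",
    primary=ConnectionSpec("TCP", "outbound", 21),
    secondaries=[
        ConnectionSpec("TCP", direction, port)
        for port in (989, 990, 3662)
        for direction in ("outbound", "inbound")
    ],
)

# Constructed sessions.
GOOD_SESSION = [
    ConnectionSpec("TCP", "outbound", 21),     # control channel first
    ConnectionSpec("TCP", "outbound", 990),    # then a data connection out
    ConnectionSpec("TCP", "inbound", 3662),    # and one coming back in
]
NO_PRIMARY_SESSION = [
    ConnectionSpec("TCP", "outbound", 990),    # data port before the control channel
    ConnectionSpec("TCP", "outbound", 21),
    ConnectionSpec("TCP", "outbound", 989),
]
UDP_SESSION = [
    ConnectionSpec("TCP", "outbound", 21),
    ConnectionSpec("UDP", "outbound", 3662),   # the software actually used UDP here
]


if __name__ == "__main__":
    for label, session in (("good", GOOD_SESSION),
                           ("no primary", NO_PRIMARY_SESSION),
                           ("udp port", UDP_SESSION)):
        denied = first_denied(evaluate_session(EDI_FTP, session))
        print(f"{label:11s} -> {'all allowed' if denied is None else f'denied at {denied}'}")
```

The second and third sessions are the two ways a definition built from Chad's list can still fail the handshake: the application opens a secondary port before the control connection exists, or one of the ports is not TCP at all. Either case shows up as a single denied connection, which is what the port scanner John mentions would report as the port not being open.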


