Re: Install Firewall Client on Server a no,no? by Steve
Steve
Sun Jan 22 21:47:59 CST 2006
TSParkCA wrote:
>We have an independent server program that needs to go out and transmit
>encrypted packets on port 0443 or 5845 for various authorizations and
>credit card transactions. Program updates for this software are also done
>through port 12345. The only way I have been able to get this done is by
>installing the firewall client on the server, though the program updates
>still don't work. The firewall client warns not to do this when installing.
>Since doing this, Exchange has become unstable, with mostly the service
>attendant not starting on boot, leading to all other Exchange services not
>starting and therefore taking the Exchange server down. I'm not sure if the
>firewall client is the cause of this, but it seems likely. Is there another
>way to allow that program to be able to transmit on those ports and not
>install the firewall client on the server? Thanks.
The Firewall Client should *NEVER* *EVER* be installed on the server
itself. You just turned your machine into Swiss cheese.
Get it *off* *NOW*.
The default ISA rules allow HTTPS out from the server itself, but neither
of the others would be. You'd need to define a new Access Rule for this
application, from Local Host to External (possibly creating their end as a
Computer or Domain Set, and specifying that instead), that allows HTTPS,
5845 and 12345 as outbound protocols, and applies to All Users. Make
sure the rule has a higher priority than any other server Access Rule.
Note that if 5845 or 12345 are being used to carry HTTPS traffic (i.e. SSL
on a non-standard port), you'll need to tell ISA about that separately,
using a script to add one or both of these as necessary as additional
Tunnel Port Ranges. You'll find the necessary script in a KB on
microsoft.com.
--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
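As an added illustration of the second step Steve describes (registering non-standard SSL ports as Tunnel Port Ranges), the following VBScript is an example written for this thread; it is not the Microsoft KB script he refers to and not code from either poster. It assumes the ISA Server 2004 administration COM object model (`FPC.Root`, `GetContainingArray`, `ArrayPolicy.WebProxy.TunnelPortRanges` with `AddRange(Name, LowPort, HighPort)` and per-range `TunnelLowPort`/`TunnelHighPort` properties); the range names are made up here, and the ports 5845 and 12345 are the ones from the thread. It adds one single-port range per SSL port rather than a wide range, and skips ports that an existing range already covers, so it can be re-run without creating duplicates.

```vbscript
' Added example (not the KB script referenced in the thread): registers
' non-standard SSL ports as Web Proxy tunnel port ranges on an ISA Server 2004
' array. Assumes the "FPC.Root" COM administration object and the
' TunnelPortRanges collection with AddRange(Name, LowPort, HighPort).
' Run with cscript on the ISA server under an account that may edit policy.
Option Explicit

Dim isaRoot, isaArray, tunnelRanges
Set isaRoot = CreateObject("FPC.Root")
Set isaArray = isaRoot.GetContainingArray
Set tunnelRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

' Add a single-port range only if no existing range already covers that
' port, so re-running the script does not pile up duplicate entries.
Sub EnsureTunnelPort(rangeName, port)
    Dim r
    For Each r In tunnelRanges
        If port >= r.TunnelLowPort And port <= r.TunnelHighPort Then
            WScript.Echo "Port " & port & " already covered by range '" & r.Name & "'"
            Exit Sub
        End If
    Next
    ' Low and high port are the same: open exactly one port, not a span.
    tunnelRanges.AddRange rangeName, port, port
    WScript.Echo "Added tunnel port range '" & rangeName & "' for port " & port
End Sub

' Only list the ports that actually carry SSL; 443 is already built in.
' Range names are hypothetical labels chosen for this example.
EnsureTunnelPort "SSL 5845 (authorization service)", 5845
EnsureTunnelPort "SSL 12345 (program updates)", 12345

' Commit the change to the array configuration.
tunnelRanges.Save
WScript.Echo "Tunnel port ranges saved."
```

The tunnel port range only tells the Web Proxy filter that CONNECT to that port is acceptable; the outbound Access Rule from Local Host to External that Steve describes is still required, and keeping each range to a single port limits what the proxy will tunnel.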