Hi,

We use a service called iPass that allows us to
connect to the internet from anywhere in the world.

When users connect to our LAN they can update the POPs
and the software if there is an update. However, ISA
blocks that.

Currently there is a 4.2 MB update (new version) and that
is very annoying for travellers to update on a 56K modem
connection (usually getting 25K or so)...

Please find below the ISALogs... I'm unable to understand
this: the IPPD log seems to have a problem with UDP ports
67, 68 and 137.

I noticed these same ports in the log when I tried to use
Netscape from inside our network and when I tried to setup
FTP from outside to inside...

What is it with these ports? Do I have some weird NAT
config?

Please help!!!
Thanks,
Sam


ISALogs\FWSD....log (firewall)

192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 16:59:42, -, PALMA, -, -, 216.239.111.201, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, BackOffice Internet Access Protocol Rule, -, 390, 1379
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 16:59:42, -, PALMA, -, -, 216.239.111.201, 80, 15, 0, 3370, 80, TCP, Connect, -, -, -, 20001, -, BackOffice Internet Access Protocol Rule, -, 390, 1379
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:00:05, -, PALMA, -, pb.ipass.com, 216.239.99.200, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule, 390, 0
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:00:05, -, PALMA, -, -, 216.239.99.200, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, BackOffice Internet Access Protocol Rule, -, 390, 1380
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:00:06, -, PALMA, -, -, 216.239.99.200, 80, 140, 0, 3370, 80, TCP, Connect, -, -, -, 20000, -, BackOffice Internet Access Protocol Rule, -, 390, 1380

192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:05:05, -, PALMA, -, -, 216.239.111.201, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, BackOffice Internet Access Protocol Rule, -, 390, 1385
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:05:05, -, PALMA, -, pb.ipass.com, 216.239.99.200, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule, 390, 0
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:05:05, -, PALMA, -, -, 216.239.111.201, 80, 16, 0, 3370, 80, TCP, Connect, -, -, -, 20001, -, BackOffice Internet Access Protocol Rule, -, 390, 1385
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:05:05, -, PALMA, -, -, 216.239.99.200, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, BackOffice Internet Access Protocol Rule, -, 390, 1386
192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 17:05:05, -, PALMA, -, -, 216.239.99.200, 80, 188, 0, 3370, 80, TCP, Connect, -, -, -, 20000, -, BackOffice Internet Access Protocol Rule, -, 390, 1386

ISALog\IPPD...log (protocol)

7/30/2003, 17:00:13, 172.26.0.99, 172.26.0.255, Udp, 137, 137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 b7 00 00 80 11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 47
7/30/2003, 17:00:14, 172.26.0.99, 172.26.0.255, Udp, 137, 137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 c2 00 00 80 11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 47
7/30/2003, 17:00:15, 172.26.0.99, 172.26.0.255, Udp, 137, 137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 d4 00 00 80 11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 43
7/30/2003, 17:00:15, 172.26.0.99, 172.26.0.255, Udp, 137, 137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 d9 00 00 80 11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 43
7/30/2003, 17:00:16, 172.26.0.99, 172.26.0.255, Udp, 137, 137, -, BLOCKED, 172.26.0.99, 45 00 00 4e 16 ea 00 00 80 11 00 00 ac 1a 00 63 ac 1a 00 ff, 00 89 00 89 00 3a af 43
7/30/2003, 17:04:36, 192.168.16.2, 255.255.255.255, Udp, 68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 44 43 00 00 80 11 24 f0 c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc 63 59 01 01 06 00 a5 65 d4 73 0a 00 80 00 c0 a8 10 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:04:44, 192.168.16.2, 255.255.255.255, Udp, 68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 46 f5 00 00 80 11 22 3e c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc dd 32 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 10 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:04:44, 192.168.16.2, 255.255.255.255, Udp, 67, 68, -, BLOCKED, 172.26.0.99, 45 00 01 48 46 f6 00 00 80 11 00 00 c0 a8 10 02 ff ff ff ff, 00 43 00 44 01 34 3a 37
7/30/2003, 17:04:53, 192.168.16.2, 255.255.255.255, Udp, 68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 49 a2 00 00 80 11 1f 91 c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc dd 32 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 10 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:04:53, 192.168.16.2, 255.255.255.255, Udp, 67, 68, -, BLOCKED, 172.26.0.99, 45 00 01 48 49 a3 00 00 80 11 00 00 c0 a8 10 02 ff ff ff ff, 00 43 00 44 01 34 3a 37
7/30/2003, 17:05:00, 192.168.16.2, 255.255.255.255, Udp, 68, 67, -, BLOCKED, 172.26.0.99, 45 00 01 10 4a be 00 00 80 11 1e 75 c0 a8 10 02 ff ff ff ff, 00 44 00 43 00 fc dd 32 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 10 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7/30/2003, 17:05:00, 192.168.16.2, 255.255.255.255, Udp, 67, 68, -, BLOCKED, 172.26.0.99, 45 00 01 48 4a bf 00 00 80 11 00 00 c0 a8 10 02 ff ff ff ff, 00 43 00 44 01 34 3a 37

ISALog\WEBD....log (weblog)
127.0.0.1, anonymous, iPassConnect, -, 7/30/2003, 17:00:12, -, PALMA, -, did01.ipass.com, -, 80, 0, 478, 3370, http, -, POST, http://did01.ipass.com/dialerId/DialerId, -, -, 403, -, -, -
127.0.0.1, anonymous, iPassConnect, -, 7/30/2003, 17:05:34, -, PALMA, -, did01.ipass.com, -, 80, 0, 478, 3370, http, -, POST, http://did01.ipass.com/dialerId/DialerId, -, -, 403, -, -, -

RE: ISA blocks ipass update: UDP 67, 68 and 137. by dabutler

dabutler
Wed Jul 30 18:44:24 CDT 2003

Hi Sam,

Thank you for using Microsoft Technical Support Newsgroups.

Do you have your ISA Site & Content Rule and Protocol Rule set to allow "Users
and Groups" or "Any Request"? If set to Users & Groups, change it to Any
Request and restart the ISA Services.

Once again, thank you for using the newsgroups.

Best Regards,



David Butler - MCSE NT4/2000
Microsoft Technical Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties,
and confers no rights.



Re: ISA blocks ipass update: UDP 67, 68 and 137. by Susan

Susan
Wed Jul 30 23:09:54 CDT 2003

David... an "any request" turns off egress filtering. Not good, not good at all
with 03-026 RDP/Dcom worm in the works.

We have one of the best dang firewalls in the marketplace at our fingertips.
Let's learn how to set up our systems the right way.

Let's try to build a hole... build a specific rule in ISA for those specific
UDP ports.

[I don't mean to be mean to you... and please accept my suggestions...]

"David Butler [MSFT]" wrote:

> Hi Sam,
>
> Thank you for using Microsoft Technical Support Newsgroups.
>
> Do you have your ISA Site & Content Rule and Protocol Rule set to allow "Users
> and Groups" or "Any Request". If set to Users & Groups, change it to Any
> Request and restart the ISA Services.
>
> Once again, thank you for using the newsgroups.
>
> Best Regards,
>
> David Butler - MCSE NT4/2000
> Microsoft Technical Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties,
> and confers no rights.

--
"Don't lose sight of security. Security is a state of being, not a
state of budget. He with the most firewalls still does not win.
Put down that honeypot and keep up to date on your patches. Demand
better security from vendors and hold them responsible. Use what
you have, and make sure you know how to use it properly and effectively."
~ Rain Forest Puppy

http://www.wiretrip.net/rfp/txt/evolution.txt



Re: ISA blocks ipass update: UDP 67, 68 and 137. by Sam

Sam
Thu Jul 31 05:59:38 CDT 2003

Hi Susan and David,

Thanks for your replies. I'm a bit of a stubborn guy and
like to understand everything I'm configuring.

I have set the "BackOffice Internet Access Site and
Content Rule" to apply to "Users and groups specified
below" and the account listed is "OFFICE\BackOffice
Internet Users" group.

Now, I have studied lots of material on HTTP and FTP,
including the 20+ pages of Stefaan Pouseele on
isaserver.org and I still don't get where the traffic on
these UDP port 67, 68 and 137 comes from. Browsers, FTP
and this iPass update process claim to use TCP only! Is it
them generating this traffic or is it ISA?

Secondly, I'd like to know what kind of rule Susan is
referring to: the "BackOffice Internet Access" Protocol
rule applies to all IP traffic. So why are internally
initiated sessions blocked at the UDP level? This seems
like a lack of functionality/intelligence within ISA to me.

Last, but not least, I have no idea of the security
implications if I poke a hole in our firewall for those 3
UDP ports.

Thanks in advance for your help!
Kind regards,
Sam
>-----Original Message-----
>David...an "any request" turns off egress filtering. Not good, not good at all
>with 03-026 RDP/Dcom worm in the works.
>
>We have one of the best dang firewalls in the marketplace at our fingertips.
>Let's learn how to set up our systems the right way.
>
>Let's try to build a hole...Build a specific rule in ISA for those ..specifically
>UDP ports..
>
>[don't mean to be mean to you ..... and please accept my suggestions ...]
>
>"David Butler [MSFT]" wrote:
>
>> Hi Sam,
>>
>> Thank you for using Microsoft Technical Support Newsgroups.
>>
>> Do you have your ISA Site & Content Rule and Protocol Rule set to allow "Users
>> and Groups" or "Any Request". If set to Users & Groups, change it to Any
>> Request and restart the ISA Services.
>>
>> Once again, thank you for using the newsgroups.
>>
>> Best Regards,
>>
>> David Butler - MCSE NT4/2000
>> Microsoft Technical Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>> =====================================================
>> When responding to posts, please "Reply to Group" via
>> your newsreader so that others may learn and benefit
>> from your issue.
>> =====================================================
>> This posting is provided "AS IS" with no warranties,
>> and confers no rights.
>
>--
>"Don't lose sight of security. Security is a state of being, not a
>state of budget. He with the most firewalls still does not win.
>Put down that honeypot and keep up to date on your patches. Demand
>better security from vendors and hold them responsible. Use what
>you have, and make sure you know how to use it properly and effectively."
> ~ Rain Forest Puppy
>
>http://www.wiretrip.net/rfp/txt/evolution.txt

RE: ISA blocks ipass update: UDP 67, 68 and 137. by Sam

Sam
Thu Jul 31 06:29:08 CDT 2003

Hi David,

Thanks for your reply. With Susan's warning in my head, I
tried your suggestion. It failed...

The site and content rule is an IP rule and although I
cannot find evidence anywhere, I think it manages TCP/IP
and NOT UDP.

Another ugly thing is that when I restored the original
setting (from "Any Request" to "Users & Groups") and
restarted the ISA management service (which restarts 3
dependent services), all users were unable to use the
internet and the firewall client was unable to find the ISA
server.

A reboot of the server solved that, lucky me!

Kind regards,
Sam
>-----Original Message-----
>Hi Sam,
>
>Thank you for using Microsoft Technical Support Newsgroups.
>
>Do you have your ISA Site & Content Rule and Protocol Rule set to allow "Users
>and Groups" or "Any Request". If set to Users & Groups, change it to Any
>Request and restart the ISA Services.
>
>Once again, thank you for using the newsgroups.
>
>Best Regards,
>
>David Butler - MCSE NT4/2000
>Microsoft Technical Support
>
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>When responding to posts, please "Reply to Group" via
>your newsreader so that others may learn and benefit
>from your issue.
>=====================================================
>This posting is provided "AS IS" with no warranties,
>and confers no rights.

RE: ISA blocks ipass update: UDP 67, 68 and 137. by Sam

Sam
Thu Jul 31 07:52:26 CDT 2003

Hi David,

I tested your solution again, using another PC in our LAN.
This time the switch from "users and groups" to "any
request" and back to "users and groups" went OK.

I only noticed Microsoft web proxy event 14148 (failed to
bind to port 80, due to another service using that port
(which is untrue!)) in the application log, directly
followed by a 14186 (started successfully).

The second test also did not bring any solution!

kind regards,
Sam
>-----Original Message-----
>Hi Sam,
>
>Thank you for using Microsoft Technical Support Newsgroups.
>
>Do you have your ISA Site & Content Rule and Protocol Rule set to allow "Users
>and Groups" or "Any Request". If set to Users & Groups, change it to Any
>Request and restart the ISA Services.
>
>Once again, thank you for using the newsgroups.
>
>Best Regards,
>
>David Butler - MCSE NT4/2000
>Microsoft Technical Support
>
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>When responding to posts, please "Reply to Group" via
>your newsreader so that others may learn and benefit
>from your issue.
>=====================================================
>This posting is provided "AS IS" with no warranties,
>and confers no rights.

Re: ISA blocks ipass update: UDP 67, 68 and 137. by Chad

Chad
Thu Jul 31 10:25:28 CDT 2003

Hi Sam - see inline

--
Chad A Gross

Lerman's Law of Technology: Any technical problem can be overcome
given enough time and money. Corollary: You are never given enough
time or money.



Sam wrote:
> Hi Susan and David,
>
> Thanks for your replies. I'm abit of a stubborn guy and
> like to understand everything I'm configuring.
>
> I have set the "BackOffice Internet Access Site and
> Content Rule" to apply to "Users and groups specified
> below" and the account listed is "OFFICE\BackOffice
> Internet Users" group.
>
> Now, I have studied lots of material on HTTP and FTP,
> including the 20+ pages of Stefaan Pouseele on
> isaserver.org and I still don't get where the traffic on
> these UDP port 67, 68 and 137 comes from. Browsers, FTP
> and this iPass update process claim to use TCP only! Is it
> them generating this traffic or is it ISA?
>

137 is NetBIOS-related and could be normal network traffic; 67 & 68 are
BOOTP, which makes me doubt that these are being used by iPass. Just
out of curiosity, I'd try booting workstations one by one and see if you can
associate these log entries with a particular machine's (or machines') boot
process.

> Secondly, I'd like to know what kind of rule Susan is
> referring to: "The BackOffice Internet Access" Protocol
> rule applies to all IP traffic. So why are internally
> initiated sessions blocked on UDP level???? This seems
> like a lack of functionality/intelligence within ISA to me.
>

The "All IP Traffic" option in ISA protocol rules is a little misleading, as
it does not allow all IP traffic. This option allows all protocols
currently defined in ISA. Thus if there is not a protocol definition for a
certain port, ISA will block that traffic. By default, ISA doesn't include
protocol definitions for BOOTP, which is why UDP 67 & 68 are being blocked.

> Last, but not least, I have no idea on security issues
> implications if I poke a hole in our firewall for those 3
> UDP ports.

There shouldn't be much of a security risk in allowing this traffic outbound
for testing purposes. If this doesn't solve the problem, then I'd close the
holes back up.

>
> Thanks in advance for your help!
> Kind regards,
> Sam
>> -----Original Message-----
>> David...an "any request" turns off egress filtering. Not good, not
>> good at all with 03-026 RDP/Dcom worm in the works.
>>
>> We have one of the best dang firewalls in the marketplace at our
>> fingertips. Let's learn how to set up our systems the right way.
>>
>> Let's try to build a hole...Build a specific rule in ISA for those
>> ..specifically UDP ports..
>>
>> [don't mean to be mean to you ..... and please accept my suggestions
>> ...]
>>
>> "David Butler [MSFT]" wrote:
>>
>>> Hi Sam,
>>>
>>> Thank you for using Microsoft Technical Support Newsgroups.
>>>
>>> Do you have your ISA Site & Content Rule and Protocol Rule set to
>>> allow "Users and Groups" or "Any Request". If set to Users &
>>> Groups, change it to Any Request and restart the ISA Services.
>>>
>>> Once again, thank you for using the newsgroups.
>>>
>>> Best Regards,
>>>
>>> David Butler - MCSE NT4/2000
>>> Microsoft Technical Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>>
>>> =====================================================
>>> When responding to posts, please "Reply to Group" via
>>> your newsreader so that others may learn and benefit
>>> from your issue.
>>> =====================================================
>>> This posting is provided "AS IS" with no warranties,
>>> and confers no rights.
>>
>> --
>> "Don't lose sight of security. Security is a state of being, not a
>> state of budget. He with the most firewalls still does not win.
>> Put down that honeypot and keep up to date on your patches. Demand
>> better security from vendors and hold them responsible. Use what
>> you have, and make sure you know how to use it properly and
>> effectively." ~ Rain Forest Puppy
>>
>> http://www.wiretrip.net/rfp/txt/evolution.txt
>>
>>
>> .
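Chad's reading of the ports can be checked against the IPPD log itself, because ISA writes the IP header and the first bytes of the payload of each blocked packet in hex. The following is an added example (not from the thread and not ISA Server code) that decodes three of the blocked records posted above, verifies that the decoded IP/UDP headers agree with the log's own columns (lengths, addresses, ports), labels each packet (NetBIOS name service to a directed broadcast, a BOOTP/DHCP request whose ciaddr field carries the sender's own address, a BOOTP/DHCP reply), and then checks whether any blocked packet involves the client IP that appears in the FWSD firewall log. The sample records are copied from the post with the mail wrapping undone; the assumption that the first FWSD column is the client IP and the treatment of a .255 last octet as a /24 broadcast are the example's own.

```python
"""Decode ISA Server 2000 packet-filter (IPPD) log records from the hex headers ISA
logs with them, label the blocked UDP traffic, and check whether any of it involves
the client seen in the firewall (FWSD) log. Standard library only, Python 3.7+."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: three BLOCKED records copied from the IPPD log in the thread
# (NetBIOS name-service broadcast, DHCP client request, DHCP server reply) with the
# mail wrapping undone; the request payload is cut where the log itself cut it.
SAMPLE_IPPD = (
    "7/30/2003, 17:00:13, 172.26.0.99, 172.26.0.255, Udp, 137, 137, -, BLOCKED, "
    "172.26.0.99, 45 00 00 4e 16 b7 00 00 80 11 00 00 ac 1a 00 63 ac 1a 00 ff, "
    "00 89 00 89 00 3a af 47\n"
    "7/30/2003, 17:04:36, 192.168.16.2, 255.255.255.255, Udp, 68, 67, -, BLOCKED, "
    "172.26.0.99, 45 00 01 10 44 43 00 00 80 11 24 f0 c0 a8 10 02 ff ff ff ff, "
    "00 44 00 43 00 fc 63 59 01 01 06 00 a5 65 d4 73 0a 00 80 00 c0 a8 10 02 00 00\n"
    "7/30/2003, 17:04:44, 192.168.16.2, 255.255.255.255, Udp, 67, 68, -, BLOCKED, "
    "172.26.0.99, 45 00 01 48 46 f6 00 00 80 11 00 00 c0 a8 10 02 ff ff ff ff, "
    "00 43 00 44 01 34 3a 37\n"
)
# Constructed sample: one FWSD firewall-log record from the thread. Assumption: the
# first column is the client IP (it is 192.168.16.35 in every posted record).
SAMPLE_FWSD = (
    "192.168.16.35, sam, idialer.exe:3:5.0, -, 7/30/2003, 16:59:42, -, PALMA, -, -, "
    "216.239.111.201, 80, 15, 0, 3370, 80, TCP, Connect, -, -, -, 20001, -, "
    "BackOffice Internet Access Protocol Rule, -, 390, 1379\n"
)

@dataclass
class IPv4Header:
    total_length: int
    identification: int
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str

@dataclass
class UDPHeader:
    sport: int
    dport: int
    length: int
    checksum: int

@dataclass
class Entry:
    time: str
    src: str
    dst: str
    sport: int
    dport: int
    action: str
    ip: IPv4Header
    udp: Optional[UDPHeader]
    classification: str
    broadcast: bool
    consistent: bool             # log columns agree with the decoded headers
    bootp_op: Optional[int]      # 1 = BOOTREQUEST, 2 = BOOTREPLY; None if not logged
    bootp_ciaddr: Optional[str]  # BOOTP "client IP address" field, if the log kept it

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def decode_ipv4(raw: bytes) -> IPv4Header:
    if len(raw) < 20:
        raise ValueError("IP header shorter than 20 bytes")
    vihl, _tos, tlen, ident, _frag, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl != 0x45:  # IPv4 with a 20-byte header, the only shape in these logs
        raise ValueError(f"unexpected version/IHL byte {vihl:#x}")
    return IPv4Header(tlen, ident, ttl, proto, csum, _ip(s), _ip(d))

def classify(sport: int, dport: int) -> str:
    if (sport, dport) == (68, 67):
        return "dhcp-client-request"
    if (sport, dport) == (67, 68):
        return "dhcp-server-reply"
    return "netbios-ns" if dport == 137 else "other"

def parse_ippd_line(line: str) -> Entry:
    f = [x.strip() for x in line.split(",")]
    if len(f) < 12:
        raise ValueError(f"expected 12 fields, got {len(f)}: {line!r}")
    _date, time_, src, dst, _proto, sport, dport, _rule, action, _iface, iphex, resthex = f[:12]
    ip = decode_ipv4(bytes.fromhex(iphex))
    rest = bytes.fromhex(resthex)
    udp = UDPHeader(*struct.unpack("!HHHH", rest[:8])) if ip.protocol == 17 and len(rest) >= 8 else None
    payload = rest[8:] if udp else b""
    sport_i, dport_i = int(sport), int(dport)
    consistent = (udp is not None and (ip.src, ip.dst) == (src, dst)
                  and (udp.sport, udp.dport) == (sport_i, dport_i)
                  and ip.total_length == 20 + udp.length)
    kind = classify(sport_i, dport_i)
    # Assumption: a .255 last octet is a /24 directed broadcast (172.26.0.255 here).
    broadcast = dst == "255.255.255.255" or dst.endswith(".255")
    op = payload[0] if kind.startswith("dhcp") and payload else None
    ciaddr = _ip(payload[12:16]) if op is not None and len(payload) >= 16 else None
    return Entry(time_, src, dst, sport_i, dport_i, action, ip, udp, kind, broadcast, consistent, op, ciaddr)

def parse_ippd(text: str) -> List[Entry]:
    return [parse_ippd_line(l) for l in text.splitlines() if l.strip()]

def fwsd_clients(text: str) -> Set[str]:
    """Client IPs (assumed first column) from FWSD firewall-log records."""
    return {l.split(",")[0].strip() for l in text.splitlines() if l.strip()}

def blocked_entries_for(entries: List[Entry], host: str) -> List[Entry]:
    return [e for e in entries if e.action == "BLOCKED" and host in (e.src, e.dst)]

def summarize(e: Entry) -> str:
    extra = f" op={e.bootp_op} ciaddr={e.bootp_ciaddr}" if e.bootp_op is not None else ""
    return (f"{e.time} {e.action} {e.src}:{e.sport} -> {e.dst}:{e.dport} {e.classification}"
            f" {'broadcast' if e.broadcast else 'unicast'} ttl={e.ip.ttl} consistent={e.consistent}{extra}")

if __name__ == "__main__":
    entries = parse_ippd(SAMPLE_IPPD)
    for e in entries:
        print(summarize(e))
    for host in sorted(fwsd_clients(SAMPLE_FWSD)):
        print(f"{host}: {len(blocked_entries_for(entries, host))} blocked UDP entries")
```

On the posted records the decoded headers match the log columns in every case, all three destinations are broadcasts, the 68/67 packet is a BOOTREQUEST whose ciaddr is the sender's own 192.168.16.2, and the iPass client 192.168.16.35 from the FWSD log appears in none of the blocked UDP entries. The same decoder works on any IPPD record that carries the hex header columns; the consistency flag is the quick way to catch a mis-parsed or truncated line before reading anything into it.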



Re: ISA blocks ipass update: UDP 67, 68 and 137. by dabutler

dabutler
Thu Jul 31 13:30:16 CDT 2003

Hi Susan,

Thank you for your suggestions and you are correct, ideally we should be
concerned not only with ingress, but also egress as an infected client
computer could, with unrestricted outbound access, cause problems for other
servers.

Details on how to create specific rules to accommodate 3rd party software
can be found in our knowledge base as well as 3rd party websites.

Here are two articles which offer specific recommendation regarding common
configurations. You would want to modify these recommendations to fit your
specific scenario:

297479 How to Use America Online 6.0 with ISA
http://support.microsoft.com/?id=297479

295667 How to Allow Third-Party Internet Connections Through ISA
http://support.microsoft.com/?id=295667

Once again, thank you for using the newsgroups.

Best Regards,



David Butler - MCSE NT4/2000
Microsoft Technical Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties,
and confers no rights.