I have posted this question in one of the ISA groups and so far no
response, so I thought I would hit the trusty SBS group for a possible
answer.

Scenario:
Customer uses SBS with an ADSL connection for internet access.
Client machines behind SBS with ISA enabled use a dialup application to
connect directly to a non-internet connected service which uses TCP/IP
and port 443 for connection.

Problem:
What is happening is that the modem dials, connects and then tries to
communicate to remote port 443. Of course the firewall client then
busily tries to route the traffic out through ISA and onto the net.
Because the IP address range is not internet connected, the request
times out and the modem connections fail.

Of course by disabling the FW client it will get through but this is not
practical. (More so if it is NT4 SBS that uses Microsoft Proxy.)

What I need to know is if there is any way to set ISA to ignore/not
route the traffic for the modem on the workstation when it is trying to
establish a connection to this particular service.



Raa

Re: An ISA question.. re: dialup application by Javier

Javier
Fri Sep 19 08:22:11 CDT 2003

I have experienced this problem also... with a piece of software that
connects directly to the bank to download transactions (I have never
determined which ports are used). Also, this question has been asked before
(more than one time) here and I don't recall ever seeing an answer. Since
the program is not used that much my solution (same as yours) is to
disable/enable the firewall client (I can still get internet access thru
proxy settings even when fw client is disabled).

For my client it is a minor nuisance, but if you figure it out... please post
back (or email me directly). I would appreciate it !!!

Thanks,

-Javier

<< SBS ROCKS !!! >>



Re: An ISA question.. re: dialup application by Les

Les
Fri Sep 19 09:39:10 CDT 2003

Raa/Javier,

I think that's the tick box in the properties of the dialup connection on
the client machine - use default gateway on remote network.

It's on the tcp/ip advanced page.

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !



Re: An ISA question.. re: dialup application by Javier

Javier
Fri Sep 19 10:42:33 CDT 2003

> I think that's the tick box in the properties of the dialup connection on
> the client machine - use default gateway on remote network.

Thanks Les for the suggestion,

However, I don't think that in my case it would work because the program
itself is the one which performs the dial-up (I can't configure this
connection). But, I could check if the program created a dial-up connection
(I don't remember... but I don't think so either)... I will need to RDC
there later today. Any other comments/ideas?

--
-Javier

<< SBS ROCKS !!! >>



Re: An ISA question.. re: dialup application by Raa

Raa
Fri Sep 19 19:08:37 CDT 2003

In a previous post, Les Connor [SBS MVP] allegedly said......
->Raa/Javier,
->
->I think that's the tick box in the properties of the dialup connection on
->the client machine - use default gateway on remote network.
->
->It's on the tcp/ip advanced page.
->
Les, I have tried that and unfortunately no go.

This program is also a banking package which dials directly to a server.
From here it tries to pickup a dynamic IP address (this it can do when
you dial directly via the DUN entry) but when it tries to instigate its
connection to port 443 (from something like a port range of 1000-1200 on
the local machine) the traffic is routed out through ISA.

I have been able to confirm exactly what is happening by keeping a
recurring NETSTAT on the workstation and server during the connection.
If the connection made it through, the software would then open up 2
further connections on ports ranging from 10000-11000.

It just bombs out.

I actually don't think that there is an answer to this mainly because
ISA is doing exactly what it should be doing.
Disabling the FW Client certainly solves the problem and in Win2k SBS is
not a big issue but when you start talking about something like MS Proxy
which requires a reboot after changing the status of the WSP Client it
becomes another issue.

Thanks all the same for the response... still searching for a 'trick'



Raa

Re: An ISA question.. re: dialup application by Merv

Merv
Fri Sep 19 23:08:30 CDT 2003

I'm probably missing something here but...
What about including the other subnet (associated with the dynamic IP
address assigned by the bank server to your workstation) in the LAT in ISA
and then putting a static route on the workstation specifying the IP scheme
of the bank's server?

--
Merv Porter [SBS MVP]
===================================
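
Merv's suggestion involves two separate decisions on the workstation: whether the Firewall Client treats the destination as local (inside the LAT) or hands it to ISA, and which interface the route table then picks. The sketch below is an added example, not part of the original thread; it models both steps, and the LAT entry format (one start/end address pair per line), the 192.168.16.0/24 LAN, the 172.20.5.0/24 bank subnet and the interface names are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the thread): LAN range, bank dial-up subnet.
LAT_BEFORE = "192.168.16.0 192.168.16.255\n"
LAT_AFTER = LAT_BEFORE + "172.20.5.0 172.20.5.255\n"
ROUTES_BEFORE = [("0.0.0.0/0", "lan"), ("192.168.16.0/24", "lan")]
ROUTES_AFTER = ROUTES_BEFORE + [("172.20.5.0/24", "dialup")]
BANK_SERVER = "172.20.5.10"


def parse_lat(text):
    """Parse LAT entries, assumed to be one 'start end' address pair per line."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        lo, hi = (ipaddress.IPv4Address(p) for p in parts)
        if lo > hi:
            raise ValueError(f"inverted LAT range: {line!r}")
        ranges.append((lo, hi))
    return ranges


def in_lat(dest, ranges):
    """True if the destination is inside the LAT, so it is treated as local."""
    ip = ipaddress.IPv4Address(dest)
    return any(lo <= ip <= hi for lo, hi in ranges)


def pick_interface(dest, routes):
    """Longest-prefix match over (network, interface) route entries."""
    ip = ipaddress.IPv4Address(dest)
    hits = [(ipaddress.IPv4Network(n), ifc) for n, ifc in routes]
    hits = [(n, ifc) for n, ifc in hits if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def path_for(dest, lat_text, routes):
    """Model the two decisions: Firewall Client LAT check, then the route table."""
    if not in_lat(dest, parse_lat(lat_text)):
        return "isa"  # outside the LAT: the Firewall Client hands it to ISA
    return f"direct:{pick_interface(dest, routes)}"


if __name__ == "__main__":
    print(path_for(BANK_SERVER, LAT_BEFORE, ROUTES_BEFORE))  # isa
    print(path_for(BANK_SERVER, LAT_AFTER, ROUTES_BEFORE))   # direct:lan
    print(path_for(BANK_SERVER, LAT_AFTER, ROUTES_AFTER))    # direct:dialup
```

Destinations inside the LAT bypass ISA policy and logging, so the added range should be no wider than the bank's subnet.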