RSTP via a "single NIC ISA Server 2004 SE" 1

[EderaciCook]

Hi,

few month ago I installed an "ISA Server 2004 SE" on a W2k3 SE server.
That machine, placed on LAN, is used as proxy server because the "perimetral security" is handle by a Checkpoint Firewall1 system.

What I'm trying to do is to allow proxy users to navigate to external server that publish streamed videos using "RSTP" (port 554) or MMS (port 1755).

I changed the "firewall rules" by adding those protocols for "internet users" but all the attempts to access to remote RSTP server are dropped by the default rule.

I'm an ISA newbie so, if possible, help me with an step by step method.

Best Regards

Ederaci Cook

 

[EderaciCook]

Sorry I did a mistake while writing down the post.
Protocol's name is RTSP (Real Time Streaming Protocol) and not RSTP.

Ederaci Cook

 

[coco10]

Hi, first off all check the order of the firewall rules, and afer that check the protcols port may be some another port its need , but check first the order of the rules.

check this for help:

http://www.isaserver.org/articles/ISA2004_AccessRules.html

let me kown if you solve or not this issue

coco10

 

[EderaciCook]

Hi coco10,

I followed your instructions but in my ISA configuration there is something wrong that I cannot figure out... because of my poor knowledge, I suppose.

I found MS documentation a bit confusing so I'm asking to skilled ones an help.

In order to be clear, I'm explainig you all the situation.
ISA server is hosted by a single NIC machine and during the installation I used a wizard to set it as WebProxy. All ISA client are "web proxy client".
A "firewall rule" allow the "web proxy clients" to go to internet through it. Our perimetral firewall (Checkpoint) allow ISA server only to use http, https and ftp to connect to "internet".
I made other rules that allow..
1. ISA to go internet itself (i know it is dangerous and I'm going to deactivate it);
2. Administrative hosts to magage ISA via RDP;
3. Administrative hosts to reach "Surfcontrol Report Central", a Tomcat Web server installed on ISA that listen on port 8888;
4. A remote management server to send query and commands to ISA on port 402.

All those rules work correctly.

The problem:
Some clients need to browse to a site that hosts streaming resources: the users open the site (

http://siteaddress)

click on the "movie" link and Windows Media Player opens trying to get the resouce on "mms://siteaddress/movie.wmv".
I watched what happens using "netstat" seeing that...
1. by default "Windows Media Player" try to open the movie directly. Netstat tells me that my host is getting the web page via proxy (i used port 8080) and is trying to get the movie on port 554 of "siteaddress". Our perimetral filewall drops it...

2. I can configure Windows Media Player to use proxy for protocols MMS (port 1755) and RTSP (port 554)...and here begins my "ignorance"...

"Windows Media Player" option allow me to set some "streaming proxy settings"; I can configure them for both MMS and RTSP. By default those protocols connect to the "streaming proxy server" using their standard port numbers. My ISA proxy listen on port 8080; how can I configure it to listen on 554 and 1755 too? Is it sufficient to enable ISA to act as proxy for streaming type contents?
At the moment if I set "Windows Media Player" the ISA Default Rule drops it.

Anoter choice is to use port 8080 (the http, https, ftp standard proxy port) for streaming protocols too. In that case, the connections are logged and "denied" as "Unidentified IP traffic".

The term "Unidentified IP Traffic" is logged when client successfully reach an http site too. In that case the "action" logged si "Initiated connection" o "closed connection".

As I've written at the begin of this post, my ISA is a "single NIC" proxy server. I'm asking if it is possible to obtain what I want with a similar configuration or if it require ISA to be configured and structured as a complete firewall.

Hoping you will help me I send you my

Warm Regards

Ederaci Cook

 

[coco10]

the sonic wall have allow this type of traffic?

you create a rulle to allow the clients to use the protocol?

you need to create a allow rule to permite the client acces de internet with this protocol

I think its better when you have the isa server multihome and use firewall client.

coco10

 

[EderaciCook]

>>the sonic wall have allow this type of traffic?

What's the sonic wall? From the server desktop the streaming correctly works!

>>you create a rulle to allow the clients to use the protocol?

I began with adding the protocols in the rule that allow user to get http and ftp but it did not work (ehm...it works well for http and ftp but not for streaming protocols).
Then I tryed to put the protocols in a different firewall rule obtaining the same results.
As last try I made a firewall rule to open ALL the protocols for the test client (mine); all the connection have been dropped by the default rule.

>>you need to create a allow rule to permite the client acces de internet with this protocol

What I'm asking is: "Windows Media Player" has to connect to the proxy using standard 8080 port or must be configured to use the required protocol ports (554 ...)?
If I have to use MMS and RTSP how can I enable the right listeners on ISA server side?

>>I think its better when you have the isa server multihome and use firewall client.

I cannot do it! I'm quite desperate and I'm considering to setup a Linux server and use Apache as "streaming proxy"...but it would be better to use ISA as unique proxy.

What I'm asking is if I'm facing to a ISA server technical limit or I'm simply unable to find the right way to configure it....

Thanks for your time.

Ederaci Cook

 

[coco10]

give a detail of the allow rules you have

coco10

 

[EderaciCook]

Hi Coco10,

thanks a lot for your support. I tryed to export the rules but the xml result could be quite tricky to read.
So I'm going to write down a "readable" report of the rules.

FW rules:
All the following rules are "allow" ones. The only "deny" is the "Default Rule"

Legend:
Internet Enabled: domain group enabled to browse internet sites;
HTTP_4_Report_Access: custom protocol on port 8888;
Remote Management Computers: custom group containing the list of the internal PCs used to manage ISA server;
svtodeploy: ISA server is on HPBL20, a blade server. svtodeploy is the server where the balede management software is installed;
svtocaadhd: A MS_SQL server.

Rule1.
Name: Convivenza
Protocols: NetBios Datagram, NetBios Name Service, NetBios Session
From/Listener: Internal
To: Local Host
Condition: All Users

Note: before creating that rule EV was plenty of NEtbos warnings

Rule2.
Name: Streaming
Protocols: MMS, RTSP
From/Listener: Internal
To: All networks (and Local Host)
Condition: Internet Enabled

Note: I used that rule to find a way to "proxy" MMS and RTSP without modify the 3rd one...and it has been unsuccessfull

Rule3.
Name: Fruitori Navigazio
Protocols: FTP, HTTP, HTTPS, MMS, RTSP
From/Listener: Internal
To: External;Internal
Condition: Internet Enabled

Note: Rule created by ISA setup at the end of the "Apply template Wizard" where I decided to use the server as proxy. I only added the streaming protocols...

Rule4.
Name: Host Navigazio
Protocols: FTP, HTTP, HTTPS, MMS, RTSP
From/Listener: Local Host
To: All networks (and Local Host)
Condition: All users

Note: Dangerous. Allow ISAServer to navigate from its desktop. In that way streaming correctly works.

Rule5.
Name: Web_reporter
Protocols: HTTP, HTTP_4_Report_Access
From/Listener: Remote Management Computers
To: Local Host
Condition: All users

Note: some PC must access and Apache/Tomcat local server for SurfControl reporting purposes.

Rule6.
Name: RDP_Administration
Protocols: RDP (terminal services)
From/Listener: Remote Management Computers
To: Local Host
Condition: All users

Note: allows some PCs to get the ISA server desktop via RDP connection.

Rule7.
Name: Altiris_Connector
Protocols: All Outbound Traffic
From/Listener: svtodeploy
To: Local Host
Condition: All users

Note: svtodeploy (see legend) must be able to connect to an agent installed on ISAServer; I could limit the traffic to port 402 only...I'll do it asap.

Rule8.
Name: Gestione_Remota_Database
Protocols: Microsoft SQL(TCP); Microsoft SQL(UDP); NetBios Session
From/Listener: svtocaadhd
To: All networks (and Local Host)
Condition: All users

Note: Allow admins to manage the local MSDE db from the console installed on "svtocaadhd".

Rule"Last": The Default Rule.

As I wrote the server is a single NIC; I suppose that the only networks it really see are "local host" and "internal"...but in the rules I put other networks too. If it is a mistake it is not causing any side effect.
Inside the rules (right click on the rule list and "Configure HTTP" and "configure FTP" entries) HTTP has a default configuration and FTP read only option is unckeched (but proxed FTP don't work too well...I'll open another thread about it).
The listener for proxy clients is configured on "internal network" and listens on port 8080 (default settings).
Looking at the "Add-ins" I can find "HTTP Filter" inside "WebFilter" list, "MMS Filter" "RTSP Filter" and "FTP Access Filter" in the "Application Filters" list. I don't know how filters work.

Warm Regards

Ederaci Cook

 

[coco10]

I come back to you on monday, give me the weekend to check one thing.

coco10

 

[EderaciCook]

Hi Coco,

thanks a lot for your support.

Ederaci Cook

 

[coco10]

hi, i am back.. afert some test the only solution i have ist install the firewall client for that you need to use a multihomed isa server...

sorry but its the only solution i know.

coco10

 

[EderaciCook]

Hi Coco10,

thanks a lot for the valuable support.
I'll try to setup a Linux based streaming proxy (I've to learn how to perform the task but I hope to find some docs on the net).

Thaks a lot

Ederaci Cook