
Windows server in DMZ going over PIX 515E to obtain Norton updates

Status
Not open for further replies.

hellboy101

Programmer
Aug 31, 2005
US
Hello everyone-

I have a Windows 2000 server within a DMZ environment that needs to obtain Norton antivirus updates from a NAV server within our secured LAN, going over the PIX 515E.

The drawing looks something like this, and any help that anyone could provide would be great! Please be aware that
the server in need of Norton updates is connected to a Cisco CAT 3550 switch, and that switch has a connection to the PIX 515E (on FE port 2); the inside port on this PIX connects to a 2948, which then connects to a 6509 core switch where the Norton Antivirus server resides. Sheesh! There is a lot going on here, and my drawing only shows the correlation between server (LAN) to PIX to server (DMZ, the one that needs updates). Would an access-list on the PIX do the trick? How do I begin? Thanks again; drawing below.


  Secured LAN (172.16.x.x)                                    DMZ (172.17.x.x)
  Norton Antivirus server ---- (inside, Eth port 1) PIX 515E (DMZ, Eth port 2) ---- the server that needs updates from the Norton server

Hellboy101
 
Hi hb101

First of all, the CODE portion is just formatting to better show the command lines. It's not meant to be entered into the PIX. Only use the statements below the CODE line :)

The host portion of the access-list statements is meant to tell the PIX to expect one host address only. This is to prevent others using the same port(s).

Use name statements to help show who's behind the various IP addresses in your PIX,
eg:
Code:
name [ip-address] [name of your NAV server]
name 206.204.52.98 [Liveupdate server at Symantec]

If your PIX does name lookups, you can just use the host gateways.dis.symantec.com. It'll save you the aggravation of changing the IP address later when Symantec changes theirs :)

A firm believer in the "Keep it Simple" philosophy
Cheers
/T
 
Thanks, I see what you're getting at. So I still need to write an additional access-list which states the need for UDP 2301?

is this correct?

hb101 and thanks again!
 
hello triplejolt,

I receive an "invalid protocol" line when I enter this ACL in the PIX. Just wondering if you could take a peek.

access-list acl_dmz line 1 permit tcp host (ip of my NAV) host gateways.dis.symantec.com object-group Liveupdate

should I be typing in something specific for object-group? or leave as is?

thanks again for all your efforts.
hb101
 
Hi Hb101,

I've got the test set up, but got slammed at work. Hopefully I'll be able to have the entire list of ports in use for you by Monday next week.

I can't comment on the object groups--I know about them but haven't used them.

Roland




*****************

What's ADD again?
 
no worries thx ixleplix!

I can't wait to hear more. I'm trying on my side too; another colleague of ours, TripleJolt, has provided some additional info, but I am still trying to work it out!

thx again
hb101
 
Well, I have a question.

What's the protocol by which the server in the DMZ is supposed to get antivirus updates? Is it http, ftp, https...what is it?

When you install the corporate or enterprise edition of Symantec Antivirus (who makes Norton) and you choose the managed install and specify a server and all that, it needs to initially be in the same LAN (same subnet) and joined to the domain in question. THEN, you move it to the DMZ once you know it's working right, and you need to open specific ports for the managed server in question to communicate with the server it's getting AV updates from.

Symantec Corporate Edition 7.X and above uses UDP port 2967...that's it. I DO know that it does not use any http or ftp or anything in a managed environment.

For me, the syntax of the command on the PIX is pretty simple:

access-list acl_dmz permit udp host dmz_host host anti_virus_server eq 2967

That's it.

Unless Norton uses a different port range, generally speaking, that should solve your issue.
 
Hi bwilliam13,

I'm trying that now. It looks quite promising, what you're saying here. I'm not using anything HTTP-oriented at all. All I want is my DMZ host to be able to see the NAV server in my LAN and acquire updates.

At this moment the server is already in the DMZ, unfortunately, so I can't test it the way you're stating, but it would have been great if I could. :-(

your access-list looks exactly like what I'm looking for though.. I'll keep you posted.
thanks
hb101
 
hi bwilliam13,

Unfortunately it didn't work. Here's what happens,

This is truly not a true Active Directory environment.. this company at this point just has Windows 2003 installed, we have DC's in place but AD structure will be built soon.

I am taking the NAV (Symantec Antivirus Corporate Edition) media disk and trying to run Install Symantec Antivirus / Install Antivirus Client, but it immediately fails with the error "an error has occurred that prevents the installation from completing". This is obviously due to this server being in the DMZ and on a different subnet, 172.17.XX.XX. My NAV server is in our "inside LAN" 172.16.XX.XX range. Unless my DMZ'd host can see the NAV server in the network it will never work.

hb101
 
hi bwilliam-

You mentioned above that specific ports would need to be opened? Can you tell me which ports? When you say managed server, do you mean the NAV box or the DMZ'd host?

thx again
hb101
 
1. For a managed environment, you MUST have NT domains or Active Directory working. If not, you're wasting your time.

2. Otherwise, you should just be able to load the Anti-Virus CLIENT, and configure that machine with the client to automatically go out to Symantec's site on the internet and get the updates from there. The client in this case should be the machine in the DMZ. The server on the inside network right now is worthless for providing virus signature updates to other machines until you get Active Directory working.

Those are your only two options at this point.

 
Yes, I agree. That is what I'm up against. There is no managed environment at this point. Stinks!

thank you .. this keeps me from spinning my wheels any further.

hb101

Would you know what ACL (the format) I'd need if I just wanted the server in my DMZ to have access to the Internet and grab LiveUpdates from the Symantec site?

thx again
hb101
 
Well, I have the following for DMZ hosts:

access-list acl_dmz permit tcp xxx.xxx.xxx.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp xxx.xxx.xxx.0 255.255.255.0 any eq https
access-list acl_dmz permit tcp xxx.xxx.xxx.0 255.255.255.0 any eq ftp

With those lines, I have no problems getting AV updates. This is assuming that your DMZ is also NATed through a global PAT address(es).
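As an added example (not from the thread, and not Symantec or Cisco documentation), here is the same unmanaged-client idea with the exposure cut down: instead of letting the whole DMZ subnet talk to any web or FTP server on the Internet, only the one host that needs LiveUpdate gets out, and it cannot start anything toward the inside network. The addresses (172.17.80.10 for the DMZ host, 198.51.100.53 for the resolver it is configured to use, 203.0.113.5 for the outside PAT address) and the interface names "dmz" and "outside" are placeholders I have assumed; the syntax is PIX 6.x.

```cisco
! Added example, PIX 6.x syntax. All addresses and names below are assumed placeholders.
names
name 172.17.80.10 sales_server
name 198.51.100.53 dmz_resolver

! Weak form (as posted above): every DMZ host may reach any web/FTP server anywhere.
! access-list acl_dmz permit tcp 172.17.80.0 255.255.255.0 any eq www
! access-list acl_dmz permit tcp 172.17.80.0 255.255.255.0 any eq ftp

! 1. First, refuse anything from the DMZ toward the inside address space. Entries are
!    matched top-down, so this has to come before the "any" permits below.
access-list acl_dmz deny ip any 172.16.0.0 255.255.0.0

! 2. Only the LiveUpdate host, only what LiveUpdate needs: DNS to its resolver,
!    HTTP (and FTP if the client is configured to use it) to the Internet.
access-list acl_dmz permit udp host sales_server host dmz_resolver eq domain
access-list acl_dmz permit tcp host sales_server any eq www
access-list acl_dmz permit tcp host sales_server any eq ftp

! 3. Everything else from the DMZ is dropped; say so explicitly so reviewers see the intent.
access-list acl_dmz deny ip any any
access-group acl_dmz in interface dmz

! 4. PAT the DMZ host behind one outside address when it goes to the Internet.
global (outside) 1 203.0.113.5
nat (dmz) 1 172.17.80.0 255.255.255.0 0 0
```

After a LiveUpdate run, `show access-list acl_dmz` shows a hit count per line; a non-zero count on the `deny ip any 172.16.0.0` entry means something in the DMZ tried to reach the inside, which is exactly the traffic a DMZ ACL exists to catch. The PIX's default `fixup protocol ftp 21` handles the FTP data channel, so no extra permit is needed for it.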
 
Hey HB101,
Sorry for the absence. I've been slammed at work. But I've got good news.

I was able to get it working using a machine that is on the DMZ and isn't a part of the domain by...

Doing the access-list statements we talked about before and the static mapping and

Adding a host file to the DNS server on my DMZ that points to the IP address I assigned to the static mapping and uses the same name for the computer. So nortonserver.blah.blah.blah (on the DMZ)
points to x.20.1.24 which is statically mapped to y.1.2.5 which has a domain name of nortonserver.whatever.blah. (Inside)

Then I went to the Network TCP/IP properties and added the .blah.blah.blah as a suffix to be searched.

Then I installed from the symantec disk and chose complete, managed, and entered the name "nortonserver". It installed and when I opened it, it has the latest signature file and will not allow liveupdate--which means it is connected to the management server. Also I can find the host name in the Server group on the NortonServer. And I can start a manual scan from the parent server too. ;)


And sniffing the traffic I found these ports in use.

UDP 37004
TCP 2967
UDP 38293
UDP 137


*****************

What's ADD again?
 
Thats awesome Ixleplix!

However, I do have a question...

I don't have a DNS server in my DMZ; all I really have is that sales_server. Am I screwed?

My real parent NAV server is inside my LAN..

If I can get past that point, you wrote
"Then I went to the Network TCP/IP properties and added the .blah.blah.blah as a suffix to be searched"

Will I add this suffix to the Sales_server TCP/IP or the Norton server inside the LAN?

Sorry.. still trying to wrap my head around this hee hee!!

thank you for replying though!!
hb101



 
I'm sorry, I wrote that quickly.

The DNS Suffix I added was on the client. Or in your case, on the Sales_Server. But if you don't have a DNS server in the DMZ you don't need to do that part.

Without a DNS server you can modify the local host table on the sales_server. Just add an entry that points to the IP address we assigned the PIX (172.17.xx.54), for the mapping to the Norton Server, and make sure the host name is the same as the inside device name, minus the FQDN.

What you want to happen is the Norton program to use the name of the inside NortonServer to pull the 172.17.xx.54 IP.

Did that make sense? I wish we could paste screen shots in here...

Roland


*****************

What's ADD again?
 
Hi Ixleplix,

Gotcha, so I would add a host file that says

172.17.80.54 sales_server

:)

is that it?
I'll try it

thx for all your help
hb101
 
actually what I meant to write is I added a host file on the sales_server within the DMZ that reads this:

172.17.80.54 Norton_Inside_server



The IP is the virtual IP that we're passing info through to get to the inside LAN and communicate with the NAV server, but unfortunately it didn't work.

sorry wish I could say woo-hoo!!
:-(
hb101
 
Hmmmm...

Which part didn't work? Were you able to instal and select the NortonServer as the management server, or is that where it choked?

Roland


*****************

What's ADD again?
 
Hi ixleplix,

It looks like the same thing that's been going on all along: when the disk is executed, it just fails to find the NAV server, thus resulting in the same events.

sorry :-(

hb101
 
If you go to the command prompt and ping Norton_Inside_server does it resolve the IP?

If it does, then try leaving the static mapping in place:

static (inside,dmz) 172.17.xx.54 172.16.xx.54 netmask 255.255.255.255 0 0

and remove any acl_dmz statements that reference sales_server and 172.17.xx.54 and replace them with:

access-list acl_dmz permit ip host sales_server host 172.17.xx.54

That will open all IP traffic from sales_server to 172.16.xx.54 and will help determine if it's because we've failed to open some needed ports.


Roland


*****************

What's ADD again?
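As an added example (not Roland's configuration and not from Symantec), here is the managed-client path from his posts consolidated into one PIX 6.x fragment: a static one-to-one mapping that presents the inside parent server under a DMZ-range address, an ACL that permits only the four ports he saw on the wire (TCP 2967, UDP 37004, UDP 38293, UDP 137) from the one DMZ host, and the temporary "permit ip" diagnostic he suggests last. The addresses (172.17.80.10 for sales_server, 172.16.80.54 for the inside NAV server, 172.17.80.54 as its DMZ-side alias) and the interface names "inside" and "dmz" are placeholders I have assumed.

```cisco
! Added example, PIX 6.x syntax. Addresses, names and interface names are assumed placeholders.
names
name 172.17.80.10 sales_server
name 172.16.80.54 nav_inside
name 172.17.80.54 nav_dmz

! 1. Give the inside parent server a DMZ-range address. The DMZ host only ever sees nav_dmz;
!    the PIX rewrites it to nav_inside on the way in and back on the way out.
static (inside,dmz) nav_dmz nav_inside netmask 255.255.255.255 0 0

! 2. Permit only the client-to-parent ports observed with a sniffer, from the one host,
!    to the one translated address. Nothing else in the DMZ can touch port 2967 on the parent.
access-list acl_dmz permit tcp host sales_server host nav_dmz eq 2967
access-list acl_dmz permit udp host sales_server host nav_dmz eq 37004
access-list acl_dmz permit udp host sales_server host nav_dmz eq 38293
access-list acl_dmz permit udp host sales_server host nav_dmz eq 137
access-list acl_dmz deny ip any any
access-group acl_dmz in interface dmz

! 3. Diagnostic only. If the install still cannot find the parent, insert a temporary
!    all-IP permit at the top, retry, then read the per-line hit counts to see which
!    port was missing. Remove it again as soon as the answer is known.
! access-list acl_dmz line 1 permit ip host sales_server host nav_dmz
! show access-list acl_dmz
! no access-list acl_dmz line 1 permit ip host sales_server host nav_dmz
```

On the DMZ host itself the hosts-file line Roland describes must use the alias address with the parent server's own short host name, for example `172.17.80.54 nortonserver` in `%SystemRoot%\system32\drivers\etc\hosts` on Windows 2000; `ping nortonserver` resolving to 172.17.80.54 confirms that half before touching the PIX again. Two caveats: the UDP 137 entry opens NetBIOS name service toward the parent, which is the broadest of the four and the first one to try removing once the client is registered; and the fragment only covers sessions the client starts. If the parent has to initiate toward the client (pushing a definition or starting a scan from the console), the inside-to-DMZ direction needs its own translation and the ACL on the inside interface, if there is one, must permit it; that part is not shown here.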
 