Works With Windows Firewall, Not With ISA

Elroy Jetson

Nov 7, 2004, 2:40:39 PM
Problem:
I have a home network running Windows Server 2003. In addition to
securing my network, I also want to be able to give my TiVo video
recorder anonymous access to the internet so it can automagically
update. However, I also have a number of web sites to publish, as
well as Exchange 2003 OWA and email to publish. I need to be able to
allow TiVo to update as well as enable all other services to interact
with the internet.

Attempted Solutions:
1. Used the basic firewall in Windows Server 2003. With this approach,
I am able to publish Exchange functionality and TiVo updates with no
problem. However, from what I can tell, I can only publish a single
site from the wwwroot directory. TiVo updates with no problem at all.

2. ISA 2000 configured to publish OWA, Exchange and web sites.
However, I cannot get anonymous access configured so that TiVo can
update automagically. All web site, OWA and Exchange publishing works
great - TiVo does not update.


This is how I currently have ISA configured:

1. For the Outgoing Web Requests property of the ISA server, I have
removed the requirement to ask unauthenticated users for
identification. The same listener is being used for all outbound
requests. The HTTP port is set to the default of 8080 and the SSL port
is set to 8443.

2. In Access Policy\Site and Access Rules, I have a rule that permits
all IP traffic to all destinations, 24/7 and applies to any request.

3. In Access Policy\Protocol Rules, I have a rule that permits any IP
traffic, 24/7 and it applies to any request.

4. I have no specific Packet Filters defined to support the TiVo
update.


5. TiVo requires the following ports to be open:

TCP Port 2190
UDP Port 2190
TCP Ports 8080-8089

I have searched for solutions at Tom Shinder's site, isaserver.org and
none of those solutions has worked (or I have misunderstood what they
attempt to offer and have not applied them properly on ISA).

Any suggestions would be greatly appreciated.

Tristan Kington [MSFT]

Nov 8, 2004, 6:40:43 PM
Check your FWSEXT logs in Program Files\ISA Server\ISALogs (these are used
for non-HTTP traffic) for failures - they might indicate what's going wrong.

Where you've listed the ports below, it doesn't cover whether they're
inbound or outbound, so I'll assume outbound:

With ISA 2000, "All IP" in a protocol rule translates to "All Defined
Protocols" for non-Firewall clients (like the Tivo).

So, you'll need to create protocol definitions for each of the ports you
listed below.

A limitation of ISA 2000 is that you can't create port range-based
definitions for SecureNAT clients (2004 doesn't have this limitation), so
you need to create a protocol individually for each outbound port the client
uses.

Sometimes a client using multiple ports starts with 8080 and if that works,
doesn't use any others, so you might just need to define 2190 TCP outbound,
2190 UDP outbound, and 8080 TCP outbound (though creating the other nine
protocol definitions won't take too long if it doesn't pan out - try a
couple at a time).

You don't need to do anything with the protocols once they're defined
(they're included in the "all IP" collection at that point) with your
current access rules.

If you're still getting failures, check out the IPPEXT and FWSEXT logs, they
might suggest where it's failing.

Good luck!
--
http://blogs.msdn.com/tristank/
--
This post is provided "AS-IS", and confers no warranty.

"Elroy Jetson" <elroy.j...@gmail.com> wrote in message
news:92eb5f8e.04110...@posting.google.com...
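
Added example, not part of the original thread and not ISA Server's own tooling: a sketch of the log check suggested in the reply above, tallying what a tab-delimited W3C-format log recorded for one client on each port TiVo needs, with the 8080-8089 range expanded to one entry per port. The column names, client address and log lines are constructed assumptions, and the status values are tallied without being interpreted.

```python
from collections import Counter, defaultdict

# Ports from the original post. ISA 2000 needs one protocol definition per
# port for SecureNAT clients, so the 8080-8089 range is expanded.
REQUIRED = [("TCP", "2190"), ("UDP", "2190"), ("TCP", "8080-8089")]

SAMPLE = (  # constructed lines for illustration, not real ISA output
    "#Fields: c-ip\tdate\ttime\tr-ip\tr-port\tcs-protocol\tsc-status\n"
    "192.168.0.50\t2004-11-07\t14:41:02\t203.0.113.10\t2190\tTCP\t5\n"
    "192.168.0.50\t2004-11-07\t14:41:09\t203.0.113.10\t2190\tTCP\t5\n"
    "192.168.0.50\t2004-11-07\t14:41:15\t203.0.113.10\t8080\tTCP\t0\n"
    "192.168.0.20\t2004-11-07\t14:42:00\t203.0.113.99\t8081\tTCP\t0\n"
    "192.168.0.50\t2004-11-07\t14:42:30\t-\t-\t-\t-\n"
)

def expand(required):
    """Turn port ranges into one (transport, port) pair per port."""
    pairs = []
    for transport, spec in required:
        lo, _, hi = spec.partition("-")
        pairs += [(transport, p) for p in range(int(lo), int(hi or lo) + 1)]
    return pairs

def triage(lines, client_ip, required=REQUIRED, ip_col="c-ip",
           port_col="r-port", proto_col="cs-protocol", status_col="sc-status"):
    """Tally logged status values per required port for one client.

    Column names are assumptions; the log's own #Fields line decides.
    An empty Counter means the client was never logged on that port.
    """
    seen, fields = defaultdict(Counter), []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split("\t")))
            try:
                key = (row.get(proto_col, "").upper(), int(row[port_col]))
            except (KeyError, ValueError):
                continue  # "-" or missing port: not a connection record
            if row.get(ip_col) == client_ip:
                seen[key][row.get(status_col, "-")] += 1
    return {pair: seen[pair] for pair in expand(required)}

if __name__ == "__main__":
    report = triage(SAMPLE.splitlines(), "192.168.0.50")
    for (transport, port), statuses in report.items():
        print(transport, port, dict(statuses) or "no entries")
```

Ports that show no entries for the client are the ones the reply suggests may never be tried if 8080 works, so their protocol definitions can wait.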

Dennis Yourchisin

Dec 19, 2004, 11:27:55 PM
Just curious to find out if you were able to get TIVO to access the internet
through ISA Server 2000. I have been attempting to do the same thing
without much luck.

Dennis

"Tristan Kington [MSFT]" <tris...@online.microsoft.com> wrote in message
news:e5iMexex...@tk2msftngp13.phx.gbl...
