Small Business Server Support Forum    
Subject: Banking software
Author Messages
Marcel Verstappen User is Offline
Netherlands
Member since
3/9/2006

Registered Users
Posts: 2

3/28/2007 12:00 AM  
After installing ISA 2004, Rabobank Telebankieren (offline version) no longer works. This software uses gate 2901. We also have the firewall client installed. Who can help?
Jeroen Lohuis User is Offline
Netherlands
Member since
3/1/2007

Registered Users
Posts: 11

4/09/2007 01:46 PM  
What's your problem exactly? Is it that Rabobank can't get outside or can't communicate to the Rabobank? Or do you think it has a different port?
 
AT Your Service User is Offline
The Netherlands
Member since
4/22/2005

Registered Users
Posts: 16

4/20/2007 09:45 AM  
Create Protocol 
 
 
And A firewall rule

Action: Allow
From: internal
To: External
Users: All users (or other group)
Protocols: Selected protocol (Rabobank)
 
This works with us
C. Keijzer User is Offline
Netherlands
Member since
4/26/2007

Registered Users
Posts: 2

4/26/2007 03:17 PM  
I have the same problem.
I have created the new protocol and I have created  the new firewall rule.
But it still doesn’t work………
AT Your Service User is Offline
The Netherlands
Member since
4/22/2005

Registered Users
Posts: 16

5/02/2007 09:33 AM  
Try disabling the local Windows XP firewall.
 
 
C. Keijzer User is Offline
Netherlands
Member since
4/26/2007

Registered Users
Posts: 2

5/03/2007 02:28 PM  

I have disabled the local xp firewall, but still no connection…………

Marina Roos User is Offline
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12507

8/13/2007 12:47 AM  
Hi C,
 
Is the ISA firewall Client installed on the workstation?

Marina Roos, Smallbizserver.Net Administrator
Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
Drew Hills User is Offline
Australia
Member since
1/16/2007

Platinum Membership
Posts: 23

10/07/2007 11:19 AM  
Disable the firewall client. Right click - disable
 
That's what we do here to make banking software work.
Stewart Brown User is Offline
United States
Member since
8/22/2005

Platinum Membership
Posts: 616

10/07/2007 06:30 PM  
I'm inclined to believe that disabling the Firewall Client is not the way to go. It may allow the one application to work but it probably doesn't address the problem in the way the overall system is intended to work, and you create problems for yourself elsewhere by disabling the Client. It seems to me that the way to solve the problem is to find out what is really needed and to include those provisions in ISA.

Example: to get my Symantec Antivirus to work properly, I had to add a Firewall Client Application Setting in ISA 2004. This was done by going to the ISA console, then to Configuration => General => Define Firewall Client Settings => Application => New, then adding the following:

Application: Lucoms~.exe
Key: ProxybindIP
Value: 1

This enabled the local stations to communicate thru the Firewall Client to the Symantec Liveupdate Servers.

I suggest you communicate with the vendor to find out what settings are actually required in ISA rather than disabling the firewall.
Marina Roos User is Offline
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12507

12/10/2007 06:09 PM  
Hi Stewart,
 
Although it might work for you, it shouldn't even be necessary as Symancrap also has a central management system from where the workstations should get their updates.
About the banking software, I have seen that you indeed would need to disable the firewall client, if you are still using a modem on the workstation to connect to the bank.

Stewart Brown User is Offline
United States
Member since
8/22/2005

Platinum Membership
Posts: 616

12/11/2007 03:31 PM  
Marina, yes that's correct about the Symantec Server on your LAN downloading updates and distributing directly to the clients. It works rather like WSUS in that it manages the clients, downloads to the clients, sends out management reports about which clients have not been updated or which ones have had virus threats, etc. You can even move clients singly or in groups from being managed by one server to become managed by another, all in click and drag fashion.

But Symantec also provides the option, a checkbox you can check or uncheck, that enables or disables the ability of a client to connect directly to the Liveupdate servers at Symantec. If you check the box, a user can choose to run Liveupdate from the client and download whenever the user wants, rather than have to wait for the Symantec Server in your organization to do this. For the client to be able to connect directly to the Liveupdate servers at Symantec is useful during the initial installs, to get everything updated. This is similar to what one would want to do to update a new client PC by using Microsoft Update directly, rather than try to do the initial updates thru WSUS. It is also useful when you have your laptop with you on the road for an extended business trip. But if you want to be able to run Liveupdate from the client while you are hooked up to your LAN and communicating thru your ISA, you have to do that trick Symantec gave me.

And I can understand what you are saying about the modem. Sometimes things are just incompatible, and even if they could be made compatible if one knew everything about why it is operating in an incompatible state, sometimes it is not worth the effort to figure it out when a simple fix is to just disconnect something.
Anthony Littlewood-Johnson User is Offline
Australia
Member since
7/31/2006

Platinum Membership
Posts: 10

3/20/2008 07:42 AM  
Hi All,
I am having a similar problem with banking software that uses a modem to dial the bank direct from the workstation. According to the bank's help desk what is happening is once the modem dials and goes through its authentication (uses PPP) it then starts to communicate using TCP/IP. ISA server 2004 then sees that protocol and tries to route it itself via the internet connection which causes the software to hang. The help desk chap said that there is a way to tell ISA to not route TCP/IP if it originates from a modem on a workstation which will then sort the problem. Unfortunately he doesn't know that answer but is going to see if someone within his organization does.
Other info.
I know all the bank software and modem is good as it works fine if it is not on the domain, i.e. connect computer directly into the ADSL modem. Only hangs when part of the domain. The workstation has the ISA client installed. Due to group policy I am unable to disable the firewall on the workstation. I have set up exceptions in the firewall locally for the banking software and tried setting up a rule in ISA to allow traffic with the specific IP address to no avail.
Any ideas on the modem routing thing would be appreciated.
Cheers
AJ
robert pearman User is Offline
United Kingdom
Member since
2/23/2007

Platinum Membership
Posts: 1771

3/20/2008 10:59 AM  
I would add a static route to the workstation to route traffic to the bank's IP via the modem interface.

From a cmd prompt type:

route print - this will show you the workstation's routing table

route add - this will show you how to add a static route. Make sure you use the -p at the end to make it permanent (persistent route).

when the modem dials up and has authenticated, run an ipconfig /all to find out the ip you need to create the route for.

if you post up an ipconfig /all from the workstation when you have the modem connected we might be able to help you write the route.

let us know how it goes.
Mick Malloy User is Offline
Australia
Member since
4/6/2007

Microsoft MVP
Posts: 309

3/20/2008 12:33 PM  
Stewart, all you say is correct about how the mechanisms can be adjusted to allow Symantec or Windows updates to occur directly but I'm afraid I don't understand WHY.

WHY would you wish to allow AV to download a pattern that your central AV server does not yet have?
Why would you WU a workstation when it will, much more reliably, grab updates from your WSUS?

If anything I specifically DON'T want these things to happen.

In either case if I want a more recent thing on the workstation than is controlled by the server I wish to do that manually, I _wish_ for it to be too difficult for a normal user to do. Normal users shouldn't have the opportunity to do it, nor should they have the desire.

There's a couple of good suggestions about handling the firewall and bank. If possible I'd keep the ISA FWC active. There's a couple of bank, financial and tax systems I haven't been able to get going without disabling the FWC though.
Stewart Brown User is Offline
United States
Member since
8/22/2005

Platinum Membership
Posts: 616

3/23/2008 09:25 PM  
I was not giving a recommendation about how to run an Antivirus Server. I was just giving an example of how a program can be made to operate in compatibility with the firewall if you are in the know about the correct settings you need to make this compatibility happen. My recommendation is that one finds a way to make things work in a compatible manner. Sure, disable things if you must, if you can't find any other way to make some program you absolutely have to have running work, but in the long run I prefer to take the effort to make things compatible rather than take what I consider the "lazy or kludgy approach" of disabling things (Things I Know I Need - Like A Firewall), just to make some program work. So to that end I would communicate with the folks who wrote the program and hopefully work with them to find all the ports and exceptions needed to get things to work.

I'll give you another recent example that nearly had me baffled: a month or so ago I was trying to install a HP6310 All In One printer on my local LAN. We are using ISA and all clients have the Firewall Client. I could not get this printer to work directly connected to the LAN, thru its ethernet port. None of my clients would recognize the printer and it created a problem with "Network Places" - it actually disabled Network Places. During the install program for the printer, it asks if you want to "unblock" programs the HP printer uses, but even with those programs unblocked, the thing just didn't work. After reviewing ALL the available literature HP provided, after chatting with 6 (SIX!!) techs on the HP chat support line, nobody could get it working. I guess I spent about 6 to 8 hours on tech support arguing with HP techs. They all wanted to tell me that it was not compatible with Windows Server 2003 (I had not installed it on the server!!) and they wanted me to connect it directly to a client and share it thru that client (I didn't want to do that, I wanted a network printer!!). I was pretty darn frustrated and actually considered shipping the printer back to HP. But on a quiet weekend I gave it another shot and I finally found a SEVENTH tech who was kind enough to contact engineering and find out a detailed list of the actual ports they were using. You would think they would have this info available to their tech staff for just this type of need. But instead they relied on their install program to ask the customer to "unblock" programs during install - and unfortunately this approach didn't work. But after getting the info on all the correct ports and making those exceptions, the thing now works beautifully. So you see it's all about getting the correct detailed info and applying it to the situation at hand.

On the antivirus issue, I think we are in agreement. Normally I prefer, as also you seem to prefer, for my desktop clients to obtain everything thru the office servers, AV and WSUS.

But to answer your question of "why", one very good and reasonable explanation for why you would want to be able to communicate directly with Symantec is if you have a laptop and are on the road. When I am in the office my laptop gets its updates from the AV server. However, if I am out of town for a few days (and I am frequently out for a week or more) I want to be able to download updates directly from Symantec. No point in dragging home a virus from a road trip, correct? And also when you are installing the AV software for the 1st time it's nice to be able to download everything at one wallop and know that the system is connected properly and working. Those two reasons are it I think. Mostly I want things to occur thru the AV server and WSUS. And with Symantec, this can be set quickly with a simple "one click" on a checkbox. With one click you can disable the ability of the clients to obtain updates directly, and also with one click in the management console you can disable the ability of the clients to exit out of the AV client. Both very useful functions, to keep order in your house of clients.
Anthony Littlewood-Johnson User is Offline
Australia
Member since
7/31/2006

Platinum Membership
Posts: 10

3/25/2008 05:17 AM  
Thanks Robert,
I have had a look at the route command and that makes a lot of sense.
I got a IPCONFIG /all sent over (I will not be back in that office till tomorrow) and it is as follows. Note that the unit is operating stand alone currently so that the NAB Banking software will work.

Windows IP Configuration
Host Name . . . . . . . . . . . . : MMSW1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-01-6C-0A-9A-AB
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.1
Lease Obtained. . . . . . . . . . : Monday, 24 March 2008 3:58:21 PM
Lease Expires . . . . . . . . . . : Wednesday, 26 March 2008 3:58:21 PM

PPP adapter National Online:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 164.53.124.53
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

The notes from the bank state the following
Set your firewall so that it allows communication with the National through the IP address 164.53.124.4
Set your firewall so that it allows communication with the National through port number 443 on the above IP address

So from all that I am assuming that I need to run the route command as follows:

route -p ADD 164.53.124.4 MASK 255.255.255.255 164.53.124.53

Is it possible to use the gateway parameter with a wild card? i.e. 164.53.124.* for instance so that I can allow for the modem's IP to be different. I won't be able to confirm till tomorrow but I am sure that I saw the modem as having a different IP last week.

Thanks again for your time.
Cheers
AJ
Anthony Littlewood-Johnson User is Offline
Australia
Member since
7/31/2006

Platinum Membership
Posts: 10

3/26/2008 12:41 PM  
Got into the clients office today and tried to implement a static route with no success unfortunately.
Couple of issues arose as follows.
The command failed as it couldn't find the gateway connection and if I connected to the bank whilst as a stand alone workstation the ip assigned to the modem connection changed each dial up and also the interface ID was different each time as well.
I have attached below some of the ipconfig and route outputs to hopefully give a better idea as creating a static route still seems like the right idea.
Also at this stage of the game I am looking to see if I can create a rule to get ISA to ignore an IP range, sort of the reverse of creating a static route. Problem with this though is it applies to the whole domain.

Cheers
AJ

ipconfig and route when connection is established with bank and then again to show the different values.

Windows IP Configuration
Host Name . . . . . . . . . . . . : MMSW1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-01-6C-0A-9A-AB
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.1
Lease Obtained. . . . . . . . . . : Wednesday, 26 March 2008 3:03:03 PM
Lease Expires . . . . . . . . . . : Friday, 28 March 2008 3:03:03 PM

PPP adapter National Online:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 164.53.124.49
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

C:\Documents and Settings\Derek Mason>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 01 6c 0a 9a ab ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
0x40004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.1.1 10.1.1.3 1
10.1.1.0 255.255.255.0 10.1.1.3 10.1.1.3 1
10.1.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.1.1.3 10.1.1.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
164.53.0.0 255.255.0.0 164.53.124.49 164.53.124.49 1
164.53.124.1 255.255.255.255 164.53.124.49 164.53.124.49 1
164.53.124.49 255.255.255.255 127.0.0.1 127.0.0.1 50
164.53.255.255 255.255.255.255 164.53.124.49 164.53.124.49 50
224.0.0.0 240.0.0.0 10.1.1.3 10.1.1.3 1
224.0.0.0 240.0.0.0 164.53.124.49 164.53.124.49 50
255.255.255.255 255.255.255.255 10.1.1.3 10.1.1.3 1
255.255.255.255 255.255.255.255 164.53.124.49 164.53.124.49 1
Default Gateway: 10.1.1.1
===========================================================================
Persistent Routes:
None

C:\Documents and Settings\Derek Mason>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 01 6c 0a 9a ab ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
0x60004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.1.1 10.1.1.3 1
10.1.1.0 255.255.255.0 10.1.1.3 10.1.1.3 1
10.1.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.1.1.3 10.1.1.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
164.53.0.0 255.255.0.0 164.53.124.145 164.53.124.145 1
164.53.124.1 255.255.255.255 164.53.124.145 164.53.124.145 1
164.53.124.145 255.255.255.255 127.0.0.1 127.0.0.1 50
164.53.255.255 255.255.255.255 164.53.124.145 164.53.124.145 50
224.0.0.0 240.0.0.0 10.1.1.3 10.1.1.3 1
224.0.0.0 240.0.0.0 164.53.124.145 164.53.124.145 50
255.255.255.255 255.255.255.255 10.1.1.3 10.1.1.3 1
255.255.255.255 255.255.255.255 164.53.124.145 164.53.124.145 1
Default Gateway: 10.1.1.1
===========================================================================
Persistent Routes:
None

Windows IP Configuration
Host Name . . . . . . . . . . . . : MMSW1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-01-6C-0A-9A-AB
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.1
Lease Obtained. . . . . . . . . . : Wednesday, 26 March 2008 3:03:03 PM
Lease Expires . . . . . . . . . . : Friday, 28 March 2008 3:03:03 PM

PPP adapter National Online:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 164.53.124.145
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
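
An added example, not part of any post in this thread: a longest-prefix lookup over the active routes posted above, showing which interface the workstation's own routing table selects for the bank address 164.53.124.4 in each of the two dial-up sessions. The Python code, its function names and the documentation address 192.0.2.10 (standing in for any Internet host) are assumptions of this example; the route rows and addresses are the ones in the post.

```python
import ipaddress

# Active-routes rows as posted in the two "route print" outputs above. The two
# outputs differ only in the PPP address, so it is a placeholder here.
ROUTE_TEMPLATE = """\
0.0.0.0 0.0.0.0 10.1.1.1 10.1.1.3 1
10.1.1.0 255.255.255.0 10.1.1.3 10.1.1.3 1
10.1.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.1.1.3 10.1.1.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
164.53.0.0 255.255.0.0 {ppp} {ppp} 1
164.53.124.1 255.255.255.255 {ppp} {ppp} 1
{ppp} 255.255.255.255 127.0.0.1 127.0.0.1 50
164.53.255.255 255.255.255.255 {ppp} {ppp} 50
224.0.0.0 240.0.0.0 10.1.1.3 10.1.1.3 1
224.0.0.0 240.0.0.0 {ppp} {ppp} 50
255.255.255.255 255.255.255.255 10.1.1.3 10.1.1.3 1
255.255.255.255 255.255.255.255 {ppp} {ppp} 1
"""

BANK_HOST = "164.53.124.4"  # address from the bank's notes quoted in the thread


def parse_routes(text):
    """Turn 'dest mask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank lines and anything that is not a route row
        dest, mask, gateway, iface, metric = fields
        # Convert the dotted netmask to a prefix length by counting set bits.
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{prefix}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def best_route(routes, host):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def egress_for_session(ppp_address, host=BANK_HOST):
    """Route chosen for `host` when the modem was assigned `ppp_address`."""
    routes = parse_routes(ROUTE_TEMPLATE.format(ppp=ppp_address))
    return best_route(routes, host)


if __name__ == "__main__":
    for ppp in ("164.53.124.49", "164.53.124.145"):  # the two dial-ups posted
        r = egress_for_session(ppp)
        print(f"PPP {ppp}: {BANK_HOST} -> {r['network']} via {r['interface']}")
    # 192.0.2.10 is a documentation address standing in for any Internet host.
    r = egress_for_session("164.53.124.49", "192.0.2.10")
    print(f"192.0.2.10 -> {r['network']} via {r['interface']} gw {r['gateway']}")
```

In both posted sessions the 164.53.0.0/255.255.0.0 entry, created by the dial-up connection itself, already covers the bank address and follows whatever address the modem was given, so a manual host route pinned to one session's PPP address would select the same interface only until the next dial.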
Mick Malloy User is Offline
Australia
Member since
4/6/2007

Microsoft MVP
Posts: 309

3/26/2008 10:16 PM  
Anthony, for the NAB dialup software I've done nothing other than disable FWC. Theoretically you could define the NAB application in ISA, tell the FWC not to pass it through ISA but through the modem. I generally explain to users it's not such a bad idea to lose internet while doing the banking.
Anthony Littlewood-Johnson User is Offline
Australia
Member since
7/31/2006

Platinum Membership
Posts: 10

3/27/2008 02:05 AM  
Hi Mick,
thanks for that. It gives me a bit of ammo to go back to the client with as when I suggested that (from your earlier post) I got shot down due to it being something else they would have to do and remember in order to get the job done.
Having said that though this is my first foray into ISA and as a learning tool to get this figured out would give me a lot more insight into the inner workings of ISA. Comes down to how much time I can throw at it now as the client just wants the job complete so your suggestion will probably be what gets implemented.
Now for the question... I have tried to do what you suggest as a proof of concept and it didn't want to play so I am guessing I am missing something. I am assuming that all that needs to be done is right click on the FWC icon in the tray and select disable. Run the software then re-enable FWC afterwards. All fairly straight forward. I need to have another go at my next visit (next week) and see if I need to reinstall the software as it has been played with a bit now in between what the bank IT help guys have suggested and my own attempts, but if you do anything more than what I am assuming I would love to know.

Cheers
AJ
Mick Malloy User is Offline
Australia
Member since
4/6/2007

Microsoft MVP
Posts: 309

3/31/2008 01:14 AM  
I can't think of having done anything additional.

Just a comment and don't read too much into it. We've actually 'hijacked' Marcel's thread which was originally about RaboBank. If you continue to have problems it is probably a good idea to create a new thread (maybe 'NAB dialup software') and possibly copy some of the content or put fresh content into it.