Small Business Server Support Forum    
Subject: ISA Apparently Blocking AVG Update
Jay Hallsworth (United Kingdom), 8/24/2007 03:47 PM
Hi,
 
I'm troubleshooting an AV Update problem with AVG and I'm being advised that I should be able to browse to a particular file ... http://servername:4156/update/avginfo.ctf
 
I'm getting Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
I understand it's using its own internal webserver to distribute updates to clients; more specific than that I'm not sure. I can browse to http://servername:4156/ but not any files within http://servername:4156/update/* (e.g. I created a default.htm and a test.txt file).
 
It's all internal, so can't see why it's being forbidden - I've not made any changes to the default SBS rules and haven't created any rules that would specifically prohibit this.
 
I've tried creating a rule to specifically allow (based on reversing the philosophy in this art - http://www.smallbizserver.net/Default.aspx?tabid=266&articleType=ArticleView&ArticleID=217&PageID=302)
 
Also tried to allow an application based on this (http://www.smallbizserver.net/Default.aspx?tabid=266&articleType=ArticleView&articleId=50 ) - OK, granted, that was a stab in the dark!
 
The AV Admin app (and update files) are installed on a domain member server. I've not noticed any other similar issues of this nature internally (externally I get the same error when trying to access RWW - but I am aware of this as the SBS RWW Inbound Access Rule is down because I did not enable it in CEICW).
 
The problem began with an update to the AVGADMIN software.
 
Any help would be appreciated ... many thanks
 
JH
robert pearman (United Kingdom), 8/24/2007 04:30 PM
to be honest i reckon isa is blocking traffic on that port.

if you run the logging in isa whilst trying to access that site you will probably see it as unknown protocol and denied by default rule.

you can add a custom protocol using those port numbers, and then either create a new rule for it, or add it to an existing rule.

OR

in internet explorer properties on the server add that address and port to the list of servers to bypass the proxy.
Jay Hallsworth (United Kingdom), 8/24/2007 05:29 PM
Hi Rob,

The port seems fine, I can actually browse to http://servername:4156/ and get a page response.

When I browse to http://servername:4156/update/avginfo.ctf ISA monitoring shows a denied connection on the SBS Internet Access Rule from the AVGADMIN server (IP) to the AVG update server - by anonymous

I'm guessing what's happening is that the client makes a connection to the local update server, the local update server then checks the latest info from the remote server which is being blocked

The rule seems fine to me - is it prohibiting anonymous access? (this is where I get a bit flakey about the working of ISA etc ... vaguely recall something about three connection modes & not all allow anon access?)
Action = Allow
Protocols = All Outbound Traffic
From = Internal & All Protected Networks
To = External
Schedule = Always
Content Types = All
Users - SBS Internet Users (Windows group but that only includes authenticated users)

I've just added the all users group to the rule to test this theory and BINGO the client updates fine!

Now I need to figure out what rule to apply higher up the ladder!

I think I'm having a bad day today! Can't believe I didn't think to monitor what was happening - it's like ISA101 stuff! - it's a bugger sometimes being a sole admin, get wrapped up in a problem when the BBO is staring you in the face - just needs a sounding board at times so Thanks Rob

regards

JH
robert pearman (United Kingdom), 8/24/2007 05:34 PM
try creating a new computer object within ISA, with the external IP (or domain name set) then create a rule to allow all outbound traffic (or custom protocol) to that destination, for ALL USERS.

see how we go...
Marina Roos (The Netherlands), 8/24/2007 05:44 PM
Hi Robert,
 
Hold on with that, there is no need for this, as I don't think the workstations aren't updating from the internet. I have yet to see the first AV program that is needing something special to get the server the AV updates.
Jay, have you checked with AVG?

robert pearman (United Kingdom), 8/24/2007 05:53 PM
ok i shall bow to experience ;-)
Jay Hallsworth (United Kingdom), 8/24/2007 07:03 PM
Hi Rob,
 
Yep, my thoughts exactly - That's just what I did - I've done it on the IP Address for now but I've asked AVG to confirm it's a perm address (I only recognised it while monitoring because they'd asked me to change it in doing diags)
 
Hi Marina,
 
Yes, the clients aren't updating from the internet directly, they are updating from a local admin server which updates from the internet. My problem was that the update from the local server was failing. From what I can tell, when the client updates, it makes a call to the local webserver to check the Virus Def version. This forces the local server to check the remote server (to ensure it's the latest update I presume). This is what was being blocked by ISA and it was preventing the client from updating. Does that make sense? I recently updated the ADMIN server software which initiated the issue so I'm guessing it's a new feature - I've asked for clarification from AVG on this - wonder if I'll get an answer! If I do, I'll pass the info on. On the other hand, I do have a nagging feeling that I screwed up and I took an option to clear some settings during the update process - that could have been the cause, but I've checked & re-checked all the settings with the manual before I escalated it to AVG and couldn't see anything amiss.
 
Ha! As I type, a reply back from them ... nothing on the cause of the problem, but they have confirmed the IP address I've allowed anon connections to is perm - reply attached for info if interested.
 
Thanks for the prompt Rob, I've been tearing my hair out with this one.

Attachment: 18243035354.txt

robert pearman (United Kingdom), 8/24/2007 07:05 PM
no worries mate, glad to help.
Jay Hallsworth (United Kingdom), 8/25/2007 10:35 AM
Hi,
 
Just had a response from AVG as follows:
 
***********
Dear Sir/Madam,
Thank you for your email.
The AVG TCP Server, which is the component of AVG Remote Administration, responsible for downloading and distributing AVG updates, has been changed significantly in the latest versions of AVG Remote Administration. AVG TCP Server now acts as a proxy server, which means that the particular update files are not downloaded periodically based on a schedule, but immediately after a station requests an update file. After the file has been downloaded for one of the stations, it is served to another station which is requesting this file, from a local directory, saving Internet traffic.
This new method has also another advantage - AVG TCP Server has always the latest available updates, not only those downloaded by the most recent scheduled download.
We hope that the new version of AVG TCP Server will work well for you. If you have any further questions or problems, please don't hesitate to contact us.
Thank you for your cooperation.
     Best regards,
     Daniel Rott
     AVG Second Level Support
***********
 
regards
 
JH
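
The rule-ordering point this thread arrives at, as an added example that is not part of the original posts: a simplified Python model of ordered rule evaluation in which a rule limited to a user group denies an anonymous request instead of passing it to later rules. The model, all addresses and the scoped rule's name are assumptions for illustration; only "SBS Internet Access Rule" and "SBS Internet Users" come from the thread.

```python
# Simplified model of ordered firewall-rule evaluation (an assumption for
# illustration, not ISA Server's engine). Every address below is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_USERS = "All Users"
GROUP = "SBS Internet Users"
INTERNAL = "192.168.16.0/24"   # constructed internal network
AVG_ADMIN = "192.168.16.10"    # constructed: member server running AVGADMIN
AVG_UPDATE = "203.0.113.25"    # constructed placeholder for the vendor update IP
WORKSTATION = "192.168.16.50"  # constructed: any other internal host
ELSEWHERE = "198.51.100.7"     # constructed: arbitrary external host

@dataclass
class Rule:
    name: str
    src: str    # source network (CIDR)
    dst: str    # destination network (CIDR)
    users: str  # ALL_USERS or a group name

def evaluate(rules, src, dst, groups=None):
    """First matching rule decides; groups=None means an anonymous request."""
    for rule in rules:
        if ip_address(src) not in ip_network(rule.src):
            continue
        if ip_address(dst) not in ip_network(rule.dst):
            continue
        if rule.users == ALL_USERS:
            return "allow", rule.name
        if groups is None:
            # Rule needs an identity the caller cannot supply: denied here,
            # with no fall-through to rules further down the list.
            return "deny", rule.name
        if rule.users in groups:
            return "allow", rule.name
    return "deny", "Default rule"

access = Rule("SBS Internet Access Rule", INTERNAL, "0.0.0.0/0", GROUP)
widened = Rule("SBS Internet Access Rule", INTERNAL, "0.0.0.0/0", ALL_USERS)
scoped = Rule("AVG update (hypothetical)", AVG_ADMIN + "/32", AVG_UPDATE + "/32", ALL_USERS)

ORIGINAL = [access]             # anonymous update fetch is denied
WIDENED = [widened]             # fixes AVG, but any host may go out anonymously
SCOPED = [scoped, access]       # narrow anonymous rule placed above
WRONG_ORDER = [access, scoped]  # same rule placed below is never reached

if __name__ == "__main__":
    for label, rs in [("original", ORIGINAL), ("widened", WIDENED),
                      ("scoped", SCOPED), ("wrong order", WRONG_ORDER)]:
        print(label, evaluate(rs, AVG_ADMIN, AVG_UPDATE), evaluate(rs, WORKSTATION, ELSEWHERE))
```

Only the scoped ordering lets the update server through while still denying anonymous outbound requests from every other internal host.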