Windows Server - Port 8080 Blocked

Asked By Rob
14-Jun-10 11:07 AM
Hello All,

We are having an issue getting our machines to access any site that has port
8080 as part of the site name.  We use ISA 2004 and a web content filter
called WebMarshal.  When a user tries to go to a calculator on the Bureau of
Labor Statistics site - http://data.bls.gov:8080/IIRC/ we get a warning from
Marshal that a socket operation was attempted to an unreachable host.  I
do not expect any of you to know what to do with WebMarshal but it seems to be
trying to go through 8080 which is ISA's domain.  We do not use 8080 for our
web filtering since all client computers are told to use the proxy server
through 8082 (the port that WebMarshal uses).  WebMarshal does listen on 80
for information coming from ISA but not on 8080 since there would be a
conflict with what ISA is already doing.  We are really only using ISA as a
secondary firewall (some relaying and spambots got through when I turned the
firewall part of ISA off in the wizard) and for VPN access.  Our internal
range for IP addresses is correct (10.0.0.0 - 10.255.255.255) so I know that
this is not an IP conflict with the web and we are using two NICs (one
internal and one external).

Any suggestions would be greatly appreciated.

Regards,

Rob
  Phillip Windell replied to Rob
14-Jun-10 11:33 AM
I can go to http://data.bls.gov:8080/IIRC/  perfectly fine with my ISA2006
using a normal HTTP Rule,... with no modifications or any special
accommodations.  An unreachable host means "the phone is ringing but nobody
is home",....means the server does not respond,...often an incorrect IP#.
It sounds like there is a DNS issue that is affecting Web Marshal assuming
ISA passes the actual FQDN to Web Marshal and not the IP#.  If the ISA is
sending just the IP#:port# to Web Marshal then it may be sending the wrong
IP#,..hence again still a DNS issue.

If Web Marshal is physically "upstream" from the ISA then there are no port
conflicts,...the ports are almost irrelevant.   You do have to make sure
that ISA sees the Web Marshal as an "upstream proxy" and not just a
to the Web Marshal (treating the Web Marshal as a proxy server).  The ISA
needs to pass the data to the Web Marshal to the Port that WM is configured
to listen for incoming connections,...does not matter what the port is,...it
just has to be correct.


10.0.0.0--10.255.255.255

That is way too big a subnet.  There is no way you can run a network with
16,777,214 Hosts on the same broadcast domain.  Wasting all those addresses
will most certainly bite you in the rear end.  Even if you do not actually
use all those addresses,..they will absolutely have address conflicts with
any other company that you choose to interact with in the future if
they use any address block involving 10.* at all.  An address conflict will
occur just because the address is "assigned" to another network (determined
by the mask) regardless of whether a machine is actually using the address or not.

Limit networks (aka broadcast domains, aka subnets) to 254 Hosts
(255.255.255.0).  Ethernet efficiency begins to break down around 250-300
hosts (maybe sooner if a lot of servers exist on the segment).  Follow the
general rule of "for every 200 hosts create a new segment".


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
  Phillip Windell replied to Rob
14-Jun-10 12:06 PM
(Post #3)
Here is the log entry for my attempt.  Notice the Destination is the one you
indicated and is targeting port 8080,....yet the Rule is my normal Web
Access Rule using the normal HTTP protocol and the Protocol listed in the
log is HTTP.

Allowed Connection WANDPROXY 6/14/2010 10:59:01 AM
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Standard Authenticated Web Access
Source: Internal (192.168.13.103)
Destination: External (data.bls.gov 146.142.4.24:8080)
Request: GET http://data.bls.gov:8080/IIRC/
Filter information: Req ID: 0845af7a
Protocol: http
  Rob replied to Phillip Windell
14-Jun-10 02:00 PM
Phillip,

Thanks for the info.  I never actually changed the defaults for our IP range
when I set up SBS 2003 using the wizard.  Most of our machines are in the
10.0.0. range; we have a few new computers that have for some reason jumped to
the 10.107.120. and 10.107.121. range - kind of odd.  I would not know what
to do to restructure this and lower the IP range.

Any suggestions?

Regards,

Rob
  Phillip Windell replied to Rob
14-Jun-10 03:46 PM
If all your machines are in the 10.0.0.x and only a few are in 10.107.120.x
then the easiest thing to do is take the small group and readdress them to
fit within 10.0.0.x.   However the 10.107.120.x is actually a better range
because it is more rare and less over-used.

Anyway, pick whatever you want,...just get all the machines on an address so
that every host has the same matching first three Octets.   Then after that
is done (and not until then) start changing the Mask to 255.255.255.0 on
everything.  The old "over-sized" mask of 255.0.0.0 will continue to work
(because it is more broad) until you are finished.

After that is all cleaned up then just stay with the rule of "for every 200
hosts create a new segment".   It is alright to make smaller segments (128,
64, 32, 16, 8) but do not get on a binge and go overboard with that either.
Simpler, cleaner, less complex,....is always better.

All that aside,...where are things with the ISA -vs- Web Marshal battle?


  Rob replied to Phillip Windell
14-Jun-10 09:22 PM
Phillip,

Thanks for the information.  I have never had to readdress client systems
before.  Is there a good article that you can direct me to?  Is this
something that will be transparent to the users or will I have to do
something on their systems?  Also, does this have a negative effect on VPN
users?  I would like to readdress everyone into the 10.107.120 or 121 range.
The battle does rage on between ISA and WebMarshal.  I have been using
Marshal products for my clients for about six years now and have had great
success with them.  I added WebMarshal into the mix last year to keep malware
like AVI and Systems Tools 2010 from "appearing" on machines.  I found that
ISA was not enough to keep them out.  WebMarshal also has great tools to
limit what users can access by content versus site address.  For now since
the 8080 protocol is not harming anything and it is security neutral I am
going to leave it in place.  One comment that I  get from the techs at
Marshal is that they do not like to support SBS with their software.  I do not
understand since SBS is basically a compilation of multiple servers and
services and the base applications are still the same - ISA, Server 2003,
SQL, Exchange, etc.

Regards,

Rob
  Phillip Windell replied to Rob
15-Jun-10 09:29 AM
There is no article, it is just simple "Networking 101"


Yea,...you have to change the address,...and later the mask,...on their
machine.  You are scaring me Rob,...this is basic stuff, if you do not
already know this stuff, then you may have to call in outside help.


Maybe, maybe not


It does matter what you choose, but as long as there is less than 200
machines then get them to all fit in the last Octet,...first three Octets
will be the same on all machines,...mask will be 255.255.255.0 when it is
over.   But if you cannot handle the additional adjustments of re-addressing
servers, routers or other networking devices that may have to be corrected
then you are in trouble,...if you ask "what additional adjustments",...then
you need outside help,...you do not have a prayer.   It is easier to leave
the Servers and networking equipment where they are and bring everything else
to them.


SBS is horrible.  I will not go near it.


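The readdressing procedure in the two replies above (get every host onto the same first three octets first, only then shrink the mask to 255.255.255.0, and leave servers and network gear where they are) can be checked before touching any machine. The script below is an added example, not code from the thread or from any product in it; the host inventory is constructed to mirror the 10.0.0.x / 10.107.120.x split Rob describes, and `first_free` (the low addresses reserved for servers) is an assumption.

```python
import ipaddress
from collections import defaultdict

OLD_MASK = "255.0.0.0"       # mask the SBS wizard left in place (one /8 broadcast domain)
NEW_MASK = "255.255.255.0"   # target mask from the advice above

# Constructed inventory (not from the thread): most hosts in 10.0.0.x,
# a few strays in 10.107.120.x / 10.107.121.x as Rob describes.
HOSTS = ["10.0.0.2", "10.0.0.3", "10.0.0.25", "10.107.120.10", "10.107.121.11"]

def usable_hosts(mask):
    """Usable addresses under a mask (network and broadcast excluded)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").num_addresses - 2

def group_by_subnet(hosts, mask):
    """Network each host lands in once `mask` is applied; a single group
    means step 1 is done and the mask can be changed safely."""
    groups = defaultdict(list)
    for h in hosts:
        groups[str(ipaddress.ip_interface(f"{h}/{mask}").network)].append(h)
    return dict(groups)

def readdress_plan(hosts, target_net, first_free=10):
    """Step 1: propose an address inside target_net for every host outside it.
    Addresses already in use are skipped; the first `first_free` offsets are
    left alone (assumption) so servers and routers keep their addresses."""
    net = ipaddress.ip_network(target_net)
    in_use = {ipaddress.ip_address(h) for h in hosts}
    free = (a for a in net.hosts()
            if int(a) - int(net.network_address) >= first_free and a not in in_use)
    return {h: str(next(free)) for h in hosts if ipaddress.ip_address(h) not in net}

def conflicts_with(local_net, partner_net):
    """Address conflict as Phillip describes it: decided by the mask alone,
    not by whether any machine actually uses the overlapping addresses."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(partner_net))

if __name__ == "__main__":
    print(usable_hosts(OLD_MASK), usable_hosts(NEW_MASK))      # 16777214 254
    print(group_by_subnet(HOSTS, NEW_MASK))                    # three groups: not ready
    print(readdress_plan(HOSTS, "10.0.0.0/24"))                # moves the two strays
    print(conflicts_with("10.0.0.0/8", "10.200.0.0/16"),
          conflicts_with("10.0.0.0/24", "10.200.0.0/16"))      # True False
```

Run it against a real inventory exported from DHCP leases or an asset list; the mask change is safe only when `group_by_subnet` returns one group under the new mask.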
  Peter Larsen replied to Rob
15-Jun-10 12:58 PM
So you have: big bad internet
webmarshal
isa
awful users

or:                  big bad internet
webmarshal isa
users

or:                 big bad internet
isa
webmarshal



Explain your actual topology. Are you running the ISA and webmarshal in
parallel so that outbound traffic uses either one or the other?


Kind regards

Peter Larsen
  Peter Larsen replied to Phillip Windell
15-Jun-10 01:05 PM
SBS is a violation of ISA's first rule: ISA box is not a server, it is a
network appliance. Dunno about the rest of its functionality ... too much in
one box for my liking. Its smaller brother - windows home server - is also
kinda strange, some other forum  ....

Kind regards

Peter Larsen
  Phillip Windell replied to Peter Larsen
15-Jun-10 01:50 PM
Yea, and there is just a lot of strange things about SBS behavior due to all
that, too.  Disaster recovery with SBS is a mess too.


  Phillip Windell replied to Peter Larsen
15-Jun-10 01:53 PM
I took it to mean WM is a separate box as an upstream proxy

[LAN]--<ISA>---<web marshall>---[Internet]


  Peter Larsen replied to Phillip Windell
22-Jun-10 07:50 PM
I thought so at first, but began wondering ... a clarification would be nice
in case this content is allowed to live as reference content, but of course
... the mousers rule, text and economy of transmission and information
storage is "legacy".

Kind regards

Peter Larsen