ISA blocks legitimate LDAP traffic from Exchange 2003 in DMZ
- Hello,
I have a situation with Exchange 2003 / Windows 2003 in a three-way DMZ scenario: one NIC to the LAN, one to the DMZ and one for Internet access (the DMZ accesses the LAN by routing, not by publishing).
Sometimes Exchange stops working, and investigating I find that ISA blocks LDAP TCP traffic, both on port 389 and on 3268. UDP traffic is not blocked.
Sometimes this block also causes the blocking of all the traffic from the DMZ Exchange server, and the only way to solve this is a restart of the Exchange and ISA services on the respective machines.
When this happens, in the event viewer of the ISA Server machine I find:
"The number of concurrent TCP connections from the source IP address 192.168.2.2 exceeded the configured limit. As a result, ISA Server will not allow the creation of new TCP connections from this source IP. This IP address probably belongs to an attacker or an infected host. See product documentation for more info about ISA flood resiliency."
What can be the cause? Is it an Exchange or an ISA issue?
Why does ISA truncate GOOD LDAP TCP traffic?
Davide Gatta
Answers
- Actually, the error code "0x80074e24" indicates that the RPC filter found the RPC traffic to be unpalatable and told the firewall to kill the session.
Are any of the non-ISA computers running an x64 version of Windows?
If so, http://support.microsoft.com/kb/948749 may be the answer.
Jim Harrison Forefront Edge CS
Marked As Answer by Nick Gu - MSFT, Moderator, Friday, September 25, 2009 5:45 AM
Proposed As Answer by Jim Harrison IsaDewd, Thursday, September 17, 2009 4:05 PM
All Replies
- Davide,
Thanks for posting.
Can you give us a bit more information? What version of ISA Server is this? The IP address 192.168.2.2, is that your Domain Controller?
- The error message is the key.
"The number of concurrent TCP connections from the source IP address 192.168.2.2 exceeded the configured" indicates that the Exchange server is triggering ISA flood mitigation.
Have a read of http://technet.microsoft.com/en-us/library/bb794735.aspx and http://technet.microsoft.com/en-us/library/bb838988.aspx for all the details.
Jim Harrison Forefront Edge CS
- Sure Keith,
ISA is ISA Server 2006 Std SP1.
192.168.2.2 is the Exchange 2003 SP2 server in the DMZ.
The DC is in the 192.168.1.0/24 subnet (LAN).
Davide Gatta
- Jim,
I have already checked the Flood Mitigation settings, but without success.
Maximum TCP connect requests per minute per IP address is set to 600 (with exception 6000).
Maximum concurrent TCP connections per IP address is set to 160 (with exception 4000).
The Exchange server in the DMZ is in the IP exception list, but in the log I never see these limits reached.
Sure, Exchange triggers flood mitigation, not because of a flood attack but because of the "standard" Exchange traffic.
Davide Gatta
- Hi,
Thank you for your post.
After you have enabled "Mitigate flood attacks and worm propagation", do you still receive the error message in the event viewer? Have you also enabled "Log traffic blocked by flood mitigation settings"? Meanwhile, please also check the alert definitions: edit the alert "TCP Connections per Minute from One IP Address Limit Exceeded", and on the Actions tab choose "Report to Windows event log" and see whether you have selected "Stop selected services".
Regards,
Nick Gu - MSFT
- Hi Nick,
Good suggestion.
I checked, but "Stop Selected Services" is not selected.
But maybe I can set the restart of the service, or something similar.
A good countermeasure, but not a root-cause solution.
Davide Gatta
- The alert you provided is from ISA flood mitigation.
Nothing else will generate this alert.
You need to examine the ISA logs for that same timeframe to see what's being blocked.
Jim Harrison Forefront Edge CS
- Hi Jim,
In the log it seems that some RPC traffic is causing the problem:
computer: FIRESRV02
date: 2009-09-01
time: 09:31:17
IP protocol: TCP
source: 192.168.2.2:2144
destination: 192.168.1.1:135
original client IP: 192.168.2.2
source network: Perimeter
destination network: Internal
action: Terminate
status: 0x80074e24
rule: dmz to lan
application protocol: RPC (all interfaces)
bidirectional: N
bytes sent: 428
bytes sent intermediate: 428
bytes received: 388
bytes received intermediate: 388
connection time: 19781
connection time intermediate: 19781
source proxy: -
destination proxy: -
source name: -
destination name: -
username: -
agent: -
session ID: 2
connection ID: 29834
interface: -
IP header: -
protocol payload: -
Davide Gatta
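The two checks the thread converges on, whether a source IP is hitting the concurrent-connection limit that Davide configured (160 by default, 4000 for IPs on the exception list) and which sessions the RPC filter terminated with status 0x80074e24, can be run over the firewall log directly. The script below is an added example written for this thread, not code from the thread or from Microsoft. Its log lines are constructed: they follow the column order of the log Davide posted but use tab separators (an assumption, since the forum display collapsed the delimiters and fields such as "dmz to lan" would otherwise split on spaces), and the action names "Initiated Connection" and "Closed Connection" are assumed for illustration, as the quoted log shows only "Terminate". The per-minute connect-request limit from the thread is not modelled; only the concurrent-connection limit is.

```python
"""Check ISA Server firewall log lines against flood-mitigation limits and
flag sessions the RPC filter terminated.

Added example for this thread, not code from the thread or from Microsoft.
Log lines are constructed; see the comments on each assumption.
"""
from collections import defaultdict

# Column order as it appears in the quoted log header
FIELDS = [
    "computer", "date", "time", "ip_protocol", "source", "destination",
    "original_client_ip", "source_network", "destination_network", "action",
    "status", "rule", "application_protocol", "bidirectional", "bytes_sent",
    "bytes_sent_intermediate", "bytes_received", "bytes_received_intermediate",
    "connection_time", "connection_time_intermediate", "source_proxy",
    "destination_proxy", "source_name", "destination_name", "username",
    "agent", "session_id", "connection_id", "interface", "ip_header",
    "protocol_payload",
]

# Status the thread identifies as "the RPC filter told the firewall to kill the session"
RPC_FILTER_TERMINATED = "0x80074e24"

# Limits the poster configured: default per-IP concurrent TCP connections,
# and the higher limit applied to IPs on the exception list
DEFAULT_CONCURRENT_LIMIT = 160
EXCEPTION_CONCURRENT_LIMIT = 4000
EXCEPTION_LIST = {"192.168.2.2"}  # the Exchange server in the DMZ


def parse_line(line):
    """Split one tab-separated log line into a dict keyed by FIELDS."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def rpc_filter_terminations(records):
    """Records where the RPC filter terminated the session."""
    return [r for r in records
            if r["action"] == "Terminate"
            and r["status"].lower() == RPC_FILTER_TERMINATED]


def peak_concurrent_tcp(records):
    """Replay the log in order; return the peak number of open TCP connections per client IP.

    Action names for open/close are assumed (the quoted log only shows "Terminate").
    """
    open_now = defaultdict(int)
    peak = defaultdict(int)
    for r in records:
        if r["ip_protocol"] != "TCP":
            continue
        ip = r["original_client_ip"]
        if r["action"] == "Initiated Connection":
            open_now[ip] += 1
            peak[ip] = max(peak[ip], open_now[ip])
        elif r["action"] in ("Closed Connection", "Terminate"):
            open_now[ip] = max(0, open_now[ip] - 1)
    return dict(peak)


def limit_for(ip):
    """Concurrent-connection limit that applies to this IP."""
    return EXCEPTION_CONCURRENT_LIMIT if ip in EXCEPTION_LIST else DEFAULT_CONCURRENT_LIMIT


def flood_check(records):
    """Map each client IP to (peak open connections, applicable limit, over limit?)."""
    return {ip: (peak, limit_for(ip), peak > limit_for(ip))
            for ip, peak in peak_concurrent_tcp(records).items()}


def _line(time, src, dst, action, status, rule, proto, conn_id):
    """Build one constructed line in the quoted column order (byte counters zeroed)."""
    cols = ["FIRESRV02", "2009-09-01", time, "TCP", src, dst, src.split(":")[0],
            "Perimeter", "Internal", action, status, rule, proto, "N",
            "0", "0", "0", "0", "0", "0", "-", "-", "-", "-", "-", "-",
            "2", str(conn_id), "-", "-", "-"]
    return "\t".join(cols)


def sample_log():
    """Constructed log: the quoted RPC termination, a few LDAP connections from the
    Exchange server, and 161 connections from a constructed host (192.168.2.50)
    that is not on the exception list, one over the 160 default."""
    lines = [
        # The exact entry quoted in the thread, tab-separated
        "FIRESRV02\t2009-09-01\t09:31:17\tTCP\t192.168.2.2:2144\t192.168.1.1:135"
        "\t192.168.2.2\tPerimeter\tInternal\tTerminate\t0x80074e24\tdmz to lan"
        "\tRPC (all interfaces)\tN\t428\t428\t388\t388\t19781\t19781"
        "\t-\t-\t-\t-\t-\t-\t2\t29834\t-\t-\t-",
    ]
    for i, port in enumerate((389, 3268, 389)):
        lines.append(_line("09:31:18", f"192.168.2.2:{2200 + i}", f"192.168.1.1:{port}",
                           "Initiated Connection", "0x0", "dmz to lan", "LDAP", 30000 + i))
    lines.append(_line("09:31:19", "192.168.2.2:2200", "192.168.1.1:389",
                       "Closed Connection", "0x0", "dmz to lan", "LDAP", 30000))
    for i in range(161):
        lines.append(_line("09:32:00", f"192.168.2.50:{3000 + i}", "192.168.1.1:389",
                           "Initiated Connection", "0x0", "dmz to lan", "LDAP", 40000 + i))
    return lines


if __name__ == "__main__":
    recs = [parse_line(l) for l in sample_log()]
    for r in rpc_filter_terminations(recs):
        print("RPC filter terminated:", r["source"], "->", r["destination"], "rule:", r["rule"])
    for ip, (peak, limit, over) in flood_check(recs).items():
        print(f"{ip}: peak {peak} concurrent TCP, limit {limit}, over limit: {over}")
```

Run against a real export, replace sample_log() with the file's lines; the two findings are deliberately kept apart, since a Terminate with 0x80074e24 is the RPC filter's decision about the content of a session, while an over-limit peak is flood mitigation counting connections, and the thread shows the former can show up in the log while the latter is what fires the alert.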