Are any ports blocked inside a UAG DA tunnel?

  • Question

  • I have a web resource that I can't get to over DA. It passes traffic over port 5449. I can get to it internally using the hostname, but not via DA. When I use Telnet to see if that port is open, I can see it open internally, but on my DA client when I telnet to that port it does not respond.

    Two questions, I guess. Does Telnet even work from a DirectAccess client, and are any ports blocked *inside* the DA tunnel? I can get to all other resources on the corp net, so I don't think it's a DA problem, per se.

    thanks in advance for the help!

    RTS

    Wednesday, April 20, 2011 8:59 PM

Answers

  • No, the DA tunnels are not filtered by port/protocol unless you place a firewall between the UAG server and the intranet.

    Telnet should work via DA, as long as you are using the DNS name and not IPv4 addresses... I can telnet to my Exchange server on port 25 from a DA client.

    Are you accessing that resource using NAT64 or ISATAP?

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, April 20, 2011 11:18 PM

All replies

  • I think I can answer one part of my question. I can successfully telnet to other resources on the corpnet from my UAG DA client, so I guess Telnet does work over DA.

    So, are any ports blocked, or any ideas why I couldn't telnet to that resource over port 5449? I can telnet to it when on CorpNet. Thanks again,

    RTS

    Wednesday, April 20, 2011 9:03 PM
  • Thanks JJ,

    I am accessing the resource over ISATAP, I think. How can I tell for sure? There is no firewall in front of my UAG server, so I don't think those ports are being filtered anywhere. The UAG is local to my LAN, and has two external IPs assigned and attached Internet facing. Still can't access the resource over that port. I was thinking maybe it's the firewall on the local DA client, so I created an incoming rule allowing that port. But still no joy.

    Thanks for the help

    RTS

    Thursday, April 21, 2011 8:27 PM
  • When you ping the resource, what format of IPv6 address do you get back?

    Do you get the same or a different IPv6 format for servers that you can telnet to?

    If you check the TMG logs in the management console, do you actually see your telnet connection over port 5449 reaching the UAG server?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, April 21, 2011 11:03 PM
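As an added example, not from the thread or from any Microsoft tool: a small classifier for the IPv6 address a DA client gets back from ping, which answers JJ's two questions (which transition technology the name resolves through, and whether the failing resource uses the same one as a server you can reach). The NAT64 prefix list is an assumption; a UAG deployment's NAT64 prefix is site-specific, so add yours alongside the well-known prefix used here as a placeholder.

```python
import ipaddress

# Assumption: the RFC 6052 well-known NAT64 prefix stands in for the UAG
# deployment's own prefix, which is not given in the thread.
NAT64_PREFIXES = [ipaddress.IPv6Network("64:ff9b::/96")]

# ISATAP interface identifiers: ::0:5efe:w.x.y.z (private) / ::200:5efe:w.x.y.z (global)
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def classify_da_address(addr, nat64_prefixes=NAT64_PREFIXES):
    """Return (transition_type, embedded_ipv4_or_None) for the address a DA
    client got back from ping. An IPv4 literal is flagged because only names
    resolve to IPv6 addresses that the DA tunnel can carry."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ("IPv4 literal (not carried through the DA tunnel)", str(ip))
    packed = ip.packed
    for net in nat64_prefixes:
        if ip in net:
            # DNS64 synthesises prefix + intranet host's IPv4 in the low 32 bits
            return ("NAT64", str(ipaddress.IPv4Address(packed[12:16])))
    if packed[8:12] in ISATAP_IIDS:
        # ISATAP: the host's IPv4 address follows the 5efe marker
        return ("ISATAP", str(ipaddress.IPv4Address(packed[12:16])))
    if ip in ipaddress.IPv6Network("2002::/16"):
        # 6to4: the public IPv4 address occupies bits 16-47
        return ("6to4", str(ipaddress.IPv4Address(packed[2:6])))
    if ip in ipaddress.IPv6Network("2001::/32"):
        # Teredo: the client's public IPv4 is stored inverted in the last 32 bits
        v4 = bytes(b ^ 0xFF for b in packed[12:16])
        return ("Teredo", str(ipaddress.IPv4Address(v4)))
    return ("native IPv6", None)


def compare_paths(working_addr, failing_addr):
    """Does the unreachable resource resolve through the same transition
    technology as a server you can telnet to? Returns (same, working, failing)."""
    working, _ = classify_da_address(working_addr)
    failing, _ = classify_da_address(failing_addr)
    return (working == failing, working, failing)


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges, not from the thread
    for sample in ["2001:db8:1::5efe:10.0.0.5", "64:ff9b::c000:201",
                   "2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "2001:db8::10", "10.0.0.5"]:
        print(sample, "->", classify_da_address(sample))
    print(compare_paths("2001:db8:1::5efe:10.0.0.7", "64:ff9b::c000:201"))
```

If the failing resource comes back as NAT64 while working servers come back as ISATAP (or vice versa), the port itself is not the problem; the difference in the path is where to look next, together with the TMG log check JJ suggests.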
  • Rich,

    What was the actual answer? I too cannot access two internal resources, one is on port 8014, the other one is on port 8443. All other resources are accessible, some are 6to4 translated and others are IPv6 resources. I can access them via my Cisco VPN just fine, but DA is a no go.

    One of these ports is used by our Symantec Endpoint Protection Manager and clients to talk to each other.

    Please help!

    Thanks,

    Ryan


    - Ryechz

    Monday, March 26, 2012 5:09 AM
  • There is a good topic on this at the URL below; hope it helps.

    http://www.isaserver.org/tutorials/Creating-Parallel-ISA-Firewall-Configuration-Netscreen-DMZ.html

    Thursday, March 7, 2013 8:00 PM