Allow Wimba Live Classroom via ISA 2004 on SBS 2003

 
 
Jim G
      02-20-2008
I'm trying to access a Wimba Live Classroom server at 208.185.32.145 from my
workstation through ISA 2004 SP3. I get a prompt to enter my HTTP Proxy
credentials (username and password). I enter either my personal credentials
or the Administrator credentials in either "Domain\username" or just
"username" format, but the prompt keeps coming back.

How do I permanently allow this IP address in ISA server? I haven't had to
muck around too much in the ISA console except to allow outbound FTP
traffic, so I guess, I'll always be an ISA noob.

I also posted this to microsoft.public.isaserver.

Thanks, Jim


 
Steve Foster [SBS MVP]
      02-21-2008
Jim G wrote:

>I'm trying to access a Wimba Live Classroom server at 208.185.32.145 from
>my workstation through ISA 2004 SP3. I get a prompt to enter my HTTP Proxy
>credentials (username and password). I enter either my personal
>credentials or the Administrator credentials in either "Domain\username"
>or just "username" format, but the prompt keeps coming back.


By default, the ISA ruleset on SBS allows all known and authenticated
traffic out. The key point there is "known". You need to know what Wimba
is up to, so that you can tell ISA what it is. Unfortunately, this
information doesn't appear to be readily available on the Wimba website
(at least I couldn't find it), so you may have to ask them.

Once you have the technical specification for how it communicates, you
would define a Wimba protocol in ISA and then it should be allowed
automatically without you needing any new rules.

>How do I permanently allow this IP address in ISA server? I haven't had to
>muck around too much in the ISA console except to allow outbound FTP
>traffic, so I guess, I'll always be an ISA noob.


The other way to work it out is to use the ISA logs to see what is being
blocked (i.e. what Wimba is trying to do), but this is really something that
requires a good level of understanding of ISA and networking protocols to
achieve.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
 
Jon-Alfred Smith
      02-22-2008
On Wed, 20 Feb 2008 17:32:47 -0500, "Jim G" <> wrote:

>I'm trying to access a Wimba Live Classroom server at 208.185.32.145 from my
>workstation through ISA 2004 SP3. I get a prompt to enter my HTTP Proxy
>credentials (username and password). I enter either my personal credentials
>or the Administrator credentials in either "Domain\username" or just
>"username" format, but the prompt keeps coming back.


Are you prompted for your HTTP Proxy credentials (username and
password) every time you access the web, or just with this site?

>How do I permanently allow this IP address in ISA server? I haven't had to
>muck around too much in the ISA console except to allow outbound FTP
>traffic, so I guess, I'll always be an ISA noob.


By default you should be a member of the security group Internet Users
(SBS Internet Users). Members of this group can access the Internet
through ISA Server.

The default SBS Internet Access Rule is Allow All outbound from All
Protected (all networks except Internet) to External (only Internet)
for SBS Internet Users.

I have no difficulty accessing eu.spsu.horizonwimba.net
(208.185.32.145) with a firewall client (Vista) or SecureNAT (XP).

jas
 
Jim G
      02-22-2008
I put a snippet of the Wimba log file at the bottom of this reply. It looks
as though I have to create an ISA protocol for UDP 5997 - 5998, and maybe
TCP? 4569 to allow HZTC tunneling, whatever that is. It seems to be
searching ports including -a 5998 -a 443 -a 5190 -d -t 5998 -A 5998 -t
33434 -A 33434 -t 5190 -A 5190 -t 16384 -A 16384.

Does "*proxy is null terminated" mean that my ISA won't allow the traffic?

"Jon-Alfred Smith" <> wrote in message
news:...
> On Wed, 20 Feb 2008 17:32:47 -0500, "Jim G" <> wrote:
>
>>I'm trying to access a Wimba Live Classroom server at 208.185.32.145 from
>>my
>>workstation through ISA 2004 SP3. I get a prompt to enter my HTTP Proxy
>>credentials (username and password). I enter either my personal
>>credentials
>>or the Administrator credentials in either "Domain\username" or just
>>"username" format, but the prompt keeps coming back.

>
> Are you prompted for your HTTP Proxy credentials (username and
> password) every time you access the web, or just with this site?


I'm prompted for HTTP Proxy credentials just for this site/application and
only after I click OK to run these additional executables
C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\horizonmedia.exe
C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-low.exe
C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-high.exe


>>How do I permanently allow this IP address in ISA server? I haven't had to
>>muck around too much in the ISA console except to allow outbound FTP
>>traffic, so I guess, I'll always be an ISA noob.

>
> By default you should be a member of the security group Internet Users
> (SBS Internet Users). Members of this group can access the Internet
> through ISA Server.
>
> The default SBS Internet Access Rule is Allow All outbound from All
> Protected (all networks except Internet) to External (only Internet)
> for SBS Internet Users.
>
> I have no difficulty accessing eu.spsu.horizonwimba.net
> (208.185.32.145) with a firewall client (Vista) or SecureNAT (XP).
>
> jas


09:47:46 EST 2008 - [debug] command_string =>
C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-low.exe
-l ../logs horizonmedia.exe -c 24 -fr 15 -fs 1400 -br 128000 -ww 320 -wh
240 -w 160 -h 120 -jbte -1 -- -U default -c 208.185.32.145:4569 -H
208.185.32.145:80 -a 5998 -a 443 -a 5190 -d -t 5998 -A 5998 -t 33434 -A
33434 -t 5190 -A 5190 -t 16384 -A 16384 -L ../logs/hztc_debug.log -v 4
09:47:46 EST 2008 - [debug] DoorController.launchAgent(), about to execute
agent, command =>
C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-low.exe
-l ../logs horizonmedia.exe -c 24 -fr 15 -fs 1400 -br 128000 -ww 320 -wh
240 -w 160 -h 120 -jbte -1 -- -U default -c 208.185.32.145:4569 -H
208.185.32.145:80 -a 5998 -a 443 -a 5190 -d -t 5998 -A 5998 -t 33434 -A
33434 -t 5190 -A 5190 -t 16384 -A 16384 -L ../logs/hztc_debug.log -v 4
09:47:46 EST 2008 - [debug] HZTunnel connected 00 00 29 06 | EA 40 E8 22
09:47:46 EST 2008 - [debug] tcp_connect()
09:47:46 EST 2008 - [debug] DoorReader
stream=1,in=java.io.BufferedInputStream@1e75e89
09:47:46 EST 2008 - [debug] DoorReader
stream=2,in=java.io.FileInputStream@128e909
09:47:46 EST 2008 - [debug] DoorController.launchAgent(), agent started
09:47:46 EST 2008 - [info] DoorController.run(), entering door controller's
main while loop
09:47:46 EST 2008 - [info] handling AGENT_STARTED door event
09:47:46 EST 2008 - [debug] HZTunnel made raw TCP connection
Socket[addr=/208.185.32.145,port=443,localport=50928]
09:47:46 EST 2008 - [debug] You have connected successfully!
09:47:46 EST 2008 - [debug] IAX_OUT wsp_high_started
09:47:46 EST 2008 - [debug] WSP_OUT: high started, disabling timeout
09:47:46 EST 2008 - [debug] Initing: _school_username:Johhny_User:XXXXXXXX
09:47:46 EST 2008 - [debug] Starting ping pong thread
09:47:46 EST 2008 - [debug] Processing RemoteEvent => 2
09:47:46 EST 2008 - [debug] HZTunnel trying alternate port succeeded
09:47:46 EST 2008 - [debug] HZTunnel switching to URL:
http://208.185.32.145:443/HZTunnel/
09:47:46 EST 2008 - [debug] HZTunnel switched to raw TCP
09:48:04 EST 2008 - [debug] IAX_OUT wsp_high_initialized
09:48:04 EST 2008 - [debug] WSP_OUT: high initialized, enabling timeout
09:48:04 EST 2008 - [debug] IAX_ERR Launching with the following parameters:
09:48:04 EST 2008 - [debug] IAX_ERR Mode = Video iaxclient
09:48:04 EST 2008 - [debug] IAX_ERR Title = Live Classroom - Video
09:48:04 EST 2008 - [debug] IAX_ERR Width = 160
09:48:04 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
09:48:04 EST 2008 - [debug] IAX_OUT: disabling timeout
09:48:04 EST 2008 - [debug] IAX_ERR Height = 120
09:48:04 EST 2008 - [debug] IAX_ERR WidgetWidth = 320
09:48:04 EST 2008 - [debug] IAX_ERR WidgetHeight = 240
09:48:04 EST 2008 - [debug] IAX_ERR Xpos = -1
09:48:04 EST 2008 - [debug] IAX_ERR Ypos = -1
09:48:04 EST 2008 - [debug] IAX_ERR JBTargetExtra = -1
09:48:04 EST 2008 - [debug] IAX_ERR Destination =
09:48:04 EST 2008 - [debug] IAX_ERR Bitrate = 128000
09:48:04 EST 2008 - [debug] IAX_ERR Framerate = 15
09:48:04 EST 2008 - [debug] IAX_ERR Format = 0x1000000
09:48:04 EST 2008 - [debug] IAX_ERR Initializing HZTC tunneling...
09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - bind/listen udp
5997-5997
09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - tunnel
208.185.32.145 80
09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - connect
208.185.32.145 4569
09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 + wininet proxy
configuration PROXY_TYPE_AUTO_PROXY_URL
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * proxy is null
terminated, [servername.root.companyname.org:8080]
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy:
(post-parse) sub[1]= '8080'
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy:
(post-atoi) port = '8080'
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + winhttp autoproxy
for http://208.185.32.145:80/HZTunnel/ servername.root.companyname.org:8080
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * proxy is null
terminated, [servername.root.companyname.org:8080]
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy:
(post-parse) sub[1]= '8080'
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy:
(post-atoi) port = '8080'
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + winhttp autoproxy
for https://208.185.32.145:80/HZTunnel/ servername.root.companyname.org:8080
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + found proxy
configuration servername.root.companyname.org:8080
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - http_make primary
address 208.185.32.145 80
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - HTTP url:
http://208.185.32.145:80/HZTunnel/
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - HTTP host-header:
Host: 208.185.32.145:80
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - HTTP tcp:
servername.root.companyname.org:8080
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - proxy
servername.root.companyname.org 8080
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + HTTP proxy requires
authorization
09:48:05 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
09:48:05 EST 2008 - [debug] IAX_OUT: disabling timeout
09:48:24 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_start
09:48:24 EST 2008 - [debug] IAX_OUT: enabling timeout
09:48:24 EST 2008 - [debug] IAX_ERR Proxy authentication user=name,
pass=password
09:48:24 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
09:48:24 EST 2008 - [debug] IAX_OUT: disabling timeout
09:48:24 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:24 + HTTP proxy requires
authorization
09:48:28 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_start
09:48:28 EST 2008 - [debug] IAX_OUT: enabling timeout
09:48:28 EST 2008 - [debug] IAX_ERR Proxy authentication user=name,
pass=password
09:48:28 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:28 + HTTP proxy requires
authorization
09:48:28 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
09:48:28 EST 2008 - [debug] IAX_OUT: disabling timeout
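
The log above can be triaged mechanically. The following is an added example (not part of Jim G's post, and not Wimba or ISA code): it parses a rejoined excerpt of that log, with the executable path shortened to its file name, and reports the endpoints the client tried, the proxy it discovered, and whether submitted proxy credentials were repeatedly rejected. The `-a`/`-t`/`-A` flags are only grouped as seen, since their meaning is not documented in the thread, and treating everything after `--` as the tunnel's arguments is an assumption.

```python
import re

# Excerpt from the client log posted above (newsreader line wraps rejoined,
# executable path shortened to its file name).
SAMPLE_LOG = """\
09:47:46 EST 2008 - [debug] command_string => wimbasecproxy-low.exe -l ../logs horizonmedia.exe -c 24 -fr 15 -fs 1400 -br 128000 -ww 320 -wh 240 -w 160 -h 120 -jbte -1 -- -U default -c 208.185.32.145:4569 -H 208.185.32.145:80 -a 5998 -a 443 -a 5190 -d -t 5998 -A 5998 -t 33434 -A 33434 -t 5190 -A 5190 -t 16384 -A 16384 -L ../logs/hztc_debug.log -v 4
09:47:46 EST 2008 - [debug] HZTunnel made raw TCP connection Socket[addr=/208.185.32.145,port=443,localport=50928]
09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - tunnel 208.185.32.145 80
09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - connect 208.185.32.145 4569
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + found proxy configuration servername.root.companyname.org:8080
09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + HTTP proxy requires authorization
09:48:24 EST 2008 - [debug] IAX_ERR Proxy authentication user=name, pass=password
09:48:24 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:24 + HTTP proxy requires authorization
09:48:28 EST 2008 - [debug] IAX_ERR Proxy authentication user=name, pass=password
09:48:28 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:28 + HTTP proxy requires authorization
"""

CHALLENGE = "HTTP proxy requires authorization"
SUBMIT = "Proxy authentication user="
PROXY = re.compile(r"found proxy configuration (\S+):(\d+)")
RAW_TCP = re.compile(r"raw TCP connection Socket\[addr=/([\d.]+),port=(\d+)")
STEP = re.compile(r" - (tunnel|connect) ([\d.]+) (\d+)\s*$")
HOSTPORT_FLAG = re.compile(r"(?:^|\s)-(c|H)\s+([\d.]+):(\d+)")
PORT_FLAG = re.compile(r"(?:^|\s)-(a|t|A)\s+(\d+)\b")
SECRET = re.compile(r"\b(user|pass)=[^,\s]+")


def redact(line):
    """Mask proxy credentials, which this client writes to its debug log."""
    return SECRET.sub(r"\1=<redacted>", line)


def triage(log_text):
    report = {"endpoints": {}, "flag_ports": {}, "direct_ok": [],
              "attempted": [], "proxy": None,
              "challenges": 0, "submitted": 0, "rejected": 0}
    awaiting_verdict = False  # credentials sent, proxy answer not yet seen
    for line in log_text.splitlines():
        if "command_string =>" in line:
            # Assumption: arguments after " -- " belong to the tunnel itself,
            # so "-c 24" (a media option before it) is not an endpoint.
            tunnel_args = line.split(" -- ", 1)[-1]
            for flag, host, port in HOSTPORT_FLAG.findall(tunnel_args):
                report["endpoints"][flag] = (host, int(port))
            for flag, port in PORT_FLAG.findall(tunnel_args):
                report["flag_ports"].setdefault(flag, []).append(int(port))
        elif (m := RAW_TCP.search(line)):
            report["direct_ok"].append((m.group(1), int(m.group(2))))
        elif (m := STEP.search(line)):
            report["attempted"].append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := PROXY.search(line)):
            report["proxy"] = (m.group(1), int(m.group(2)))
        elif CHALLENGE in line:
            report["challenges"] += 1
            if awaiting_verdict:      # a challenge right after a submission
                report["rejected"] += 1
                awaiting_verdict = False
        elif SUBMIT in line:
            report["submitted"] += 1
            awaiting_verdict = True
    # Two or more rejected submissions in a row is the "prompt keeps coming
    # back" symptom described at the top of the thread.
    report["auth_loop"] = report["rejected"] >= 2
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print(redact("IAX_ERR Proxy authentication user=name, pass=password"))
```

Run `redact()` over any such log before posting it, because the client records the proxy user name and password in clear text.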

 
Jim G
      02-22-2008
Wimba Live Classroom tech support tells me it uses:
* For TCP, and alternate HTTP: 5998, 443 and port 5190
* For UDP: port 5998, 33434, 5190, and 16384

Now if I can figure out how to create a protocol/filter and add it to a
Rule, I'll be in business. 443 should already be forwarded.

I'm on the fence whether to get a Tom Shinder book, or ditch ISA and get a
firewall appliance, although I realize I'd still have to configure/learn the
firewall appliance.

Jim

Jon-Alfred Smith
      02-22-2008
On Fri, 22 Feb 2008 10:48:19 -0500, "Jim G" <Jim @ home.net> wrote:

>Wimba Live Classroom tech support tells me it uses:
>* For TCP, and alternate HTTP: 5998, 443 and port 5190
>* For UDP: port 5998, 33434, 5190, and 16384


>Now if I can figure out how to create a protocol/filter and add it to a
>Rule, I'll be in business. 443 should already be forwarded.


We need to create:
1) a destination network object (Wimba Live Classroom)
2) a custom protocol
3) an access rule

First let's create a computer object as the destination and call it
Wimba Live Classroom:

In the MS ISA Server 2004 console click Firewall Policy.
In the right pane you have three tabs. Click on Toolbox.
Click on Network Objects.
Click New. Computer
Name: Wimba Live Classroom (or a name of your choice)
Computer IP Address: 208.185.32.145
Click Apply -- (good practice to do so for every step you take).
Now you should see this object under Network Objects, Computers.

Second, let's create the Wimba custom protocol
Click Toolbox, Protocols
Click New
Name, Protocol
Name: Wimba Protocol

Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 5998 To: 5998. Click OK
Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 443 To: 443. Click OK
Click New
Protocol Type: TCP
Direction: Outbound
Port Range From: 5190 To: 5190. Click OK
Click New

Protocol Type: UDP
Direction: Outbound
Port Range From: 5998 To: 5998. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 33434 To: 33434. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 5190 To: 5190. Click OK
Click New
Protocol Type: UDP
Direction: Outbound
Port Range From: 16384 To: 16384.

Click Next
Do you want to use secondary connections: No
Click Finish
Click Apply

Now you should see under Protocols, User-Defined:
Wimba Protocol
(Right-click for future editing if something needs to be changed)

Third, we need the access rule
Let's create an access rule from Internal (the SBS internal network)
and Local Host (the SBS box) to the network object Wimba Live
Classroom:

Click on the Tasks tab (still within Firewall Policy).
Create New Access Rule
Access rule name: Wimba Access Rule (or a name of your choice)
Allow
This rule applies to: Selected protocols
Add: User-Defined, Wimba Protocol
Click Close (Note you could also edit the protocol here)
Click Next
This rule applies to traffic originating from the sources ...
Add: Internal, Local Host (btw, Local Host is not necessary)
This rule applies to traffic sent to these destinations
Click Add, Computers, Wimba Live Classroom
Click Close
Click Next
This rule applies to requests from the following user sets
Leave it for the time being with All Users
Click Finish
Make sure the Action is Allow
Click Apply

You can move the rule up and down by right-clicking (Move Down, Move
Up)

Leave the SBS Publishing Rules above.
Rules are evaluated from top to bottom. If you place it under the Last
Default rule, nothing will happen as the Last Default rule will deny all
traffic.

Make sure there is no blocking rule above / before the Wimba Access
Rule.

As an interesting note (at least I think so): By right-clicking a rule
you can temporarily disable it, which I do now in order to test the Wimba
Access Rule.

I need to disable my SecureNAT rule (custom rule, not default)

Test
From my SecureNAT client I can't access anything but the Wimba site
Passed the Setup Wizard (but I don't have the audio equipment)
Managed to log in with a user name of my choice. Name:, not Username /
Password

For troubleshooting:
You can edit the UDP values and allow direction Send Receive (or the
other way round)
You can add the Web Proxy Filter.

You could create a Wimba User in the Toolbox and edit the Wimba Access
rule. Add the Wimba User, remove All Users ... you get the idea.

Just a last comment
What I really like about ISA Server is the approach taken with defined
self-contained objects and then you play around with them as with Lego
bricks.

>I'm on the fence whether to get a Tom Shinder book,


Not a bad idea. Tom Shinder has written excellent books on ISA Server.
The first I read was back in 2001.

>or ditch ISA and get a
>firewall appliance, although I realize I'd still have to configure/learn the
>firewall appliance.


There are ISA Server appliances ...:-)
http://www.celestix.com/products/isa/index.htm

jas
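
The ordering points in the post above (rules are evaluated top to bottom, the Last Default rule denies everything, a blocking rule placed above wins) can be checked on paper before anything is applied in the console. This added example is not ISA code and not from any poster: it models first-match evaluation with the thread's own objects, and the internal subnet, the test client address and the blocking rule are constructed placeholders. It also lists which ports seen in the client log earlier in the thread fall outside the Wimba Protocol definition.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for a rule field

# Ports of the custom "Wimba Protocol" exactly as entered in the post above.
WIMBA_PROTOCOL = frozenset({
    ("tcp", 5998), ("tcp", 443), ("tcp", 5190),
    ("udp", 5998), ("udp", 33434), ("udp", 5190), ("udp", 16384),
})
WIMBA_HOST = (ip_network("208.185.32.145/32"),)   # the Computer object
INTERNAL = (ip_network("192.168.16.0/24"),)       # constructed placeholder


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: frozenset = ANY  # set of (transport, port) pairs
    sources: tuple = ANY        # tuple of networks
    destinations: tuple = ANY

    def matches(self, proto, port, src, dst):
        if self.protocols is not ANY and (proto, port) not in self.protocols:
            return False
        if self.sources is not ANY and not any(
                ip_address(src) in net for net in self.sources):
            return False
        if self.destinations is not ANY and not any(
                ip_address(dst) in net for net in self.destinations):
            return False
        return True


def evaluate(policy, flow):
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(*flow):
            return rule.action, rule.name
    return "deny", "(no rule matched)"


WIMBA_RULE = Rule("Wimba Access Rule", "allow",
                  WIMBA_PROTOCOL, INTERNAL, WIMBA_HOST)
LAST_DEFAULT = Rule("Last Default rule", "deny")
# Hypothetical blocking rule, present only to show the effect of ordering.
BLOCK_ABOVE = Rule("Hypothetical blocking rule", "deny",
                   ANY, INTERNAL, (ip_network("208.185.32.0/24"),))

# Constructed test flow: an internal client to the Wimba host on TCP 5998.
FLOW = ("tcp", 5998, "192.168.16.50", "208.185.32.145")

# Destination ports that appear in the client log: the raw TCP connection
# (443), "tunnel ... 80" and "connect ... 4569". The log does not state the
# transport for 4569, so ports are compared under any transport.
LOG_PORTS = [443, 80, 4569]


def ports_outside_protocol(ports):
    """Ports the custom protocol definition does not cover at all."""
    defined = {port for _, port in WIMBA_PROTOCOL}
    return [p for p in ports if p not in defined]


if __name__ == "__main__":
    orders = {
        "rule above default": [WIMBA_RULE, LAST_DEFAULT],
        "rule below default": [LAST_DEFAULT, WIMBA_RULE],
        "blocking rule above": [BLOCK_ABOVE, WIMBA_RULE, LAST_DEFAULT],
    }
    for label, policy in orders.items():
        print(f"{label}: {evaluate(policy, FLOW)}")
    # Whether some other rule handles these ports is outside this model.
    print("not in Wimba Protocol:", ports_outside_protocol(LOG_PORTS))
```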


 
Jim G
      02-25-2008
Thank you for the detailed explanation, and with tests and troubleshooting
tips!

Unfortunately, I could not get it to work. After creating the network
object, protocol, and rule (and saving it all), I still get the same
authentication prompt. For UDP protocol, the options for Direction are
Receive, Receive Send, Send, and Send Receive. I tried both Send and Send
Receive. I also tried with and without Web Proxy Filter. I went through your
instructions three times. I'll go through a fourth time after getting some
rest in between.

Jim

Steve Foster [SBS MVP]
      02-26-2008
Jon-Alfred Smith wrote:

>On Fri, 22 Feb 2008 10:48:19 -0500, "Jim G" <Jim @ home.net> wrote:
>
>>Wimba Live Classroom tech support tells me it uses:
>>* For TCP, and alternate HTTP: 5998, 443 and port 5190
>>* For UDP: port 5998, 33434, 5190, and 16384

>
>>Now if I can figure out how to create a protocol/filter and add it to a
>>Rule, I'll be in business. 443 should already be forwarded.

>
>We need to create:
>1) a destination network object (Wimba Live Classroom)
>2) a custom protocol
>3) an access rule


If the default SBS ISA ruleset is in place, and the Wimba client
application is capable of offering up proxy credentials (which sounds like
the case), no, we don't. All that is required in this scenario is the
protocol definition, and then the standard "SBS Internet Access" rule will
apply.

If either the default SBS ISA ruleset is not in use, or the application is
not secure-proxy-capable, *then* you'll need an access rule as well as the
protocol definition. Whether you restrict the rule to a single destination
set depends on whether this is the only Wimba classroom location that
needs to be accessed.


>First let's create a computer object as the destination and call it
>Wimba Live Classroom:
>
>In the MS ISA Server 2004 console click Firewall Policy.
>In the right pane you have three tabs. Click on Toolbox.
>Click on Network Objects.
>Click New. Computer


Personally, if I'm creating destination sets, I prefer to use set objects
rather than individual ones (ie I'd use a Computer Set, rather than a
Computer). I just really wish ISA let you put Computer items into Computer
Sets if you wanted to, rather than them being completely unrelatable.


>Name: Wimba Live Classroom (or a name of your choice)
>Computer IP Address: 208.185.32.145
>Click Apply -- (good practice to do so for every step you take).


If you're referring to the "big" Apply, I completely disagree. The whole
point of the "big" Apply is that you can work up a set of changes to the
overall ISA policy, building all the elements required and the rules that
use them, without disturbing the current policy. When you've completed all
the work, *then* you make the new policy effective with the "big" Apply.

>Second, let's create the Wimba custom protocol
>Click Toolbox, Protocols
>Click New
>Name, Protocol
>Name: Wimba Protocol
>
>Click New
>Protocol Type: TCP
>Direction: Outbound
>Port Range From: 5998 To: 5998. Click OK
>Click New
>Protocol Type: TCP
>Direction: Outbound
>Port Range From: 443 To: 443. Click OK
>Click New
>Protocol Type: TCP
>Direction: Outbound
>Port Range From: 5190 To: 5190. Click OK
>Click New
>
>Protocol Type: UDP
>Direction: Outbound


UDP has no concept of "Outbound". The UDP equivalent to this would be
"Send Receive". Whether that's actually the correct choice is unclear from
the incomplete information Jim has.

>Port Range From: 5998 To: 5998. Click OK
>Click New
>Protocol Type: UDP
>Direction: Outbound
>Port Range From: 33434 To: 33434. Click OK
>Click New
>Protocol Type: UDP
>Direction: Outbound
>Port Range From: 5190 To: 5190. Click OK
>Click New
>Protocol Type: UDP
>Direction: Outbound
>Port Range From: 16384 To: 16384.
>
>Click Next
>Do you want to use secondary connections: No


Well, some of those port ranges above should likely be under Secondary
Connections, rather than Primary. The only entries under Primary should be
those used to _initiate_ connections, not all the possible port/direction
combinations the protocol will ever use.

Secondary connections are like "+1" on a guest invite - they only get to
go to the party if they're with the nominated (Primary) guest. If they
show up on their own, they're refused entry (or exit).


>Third, we need the access rule
>Let's create an access rule from Internal (the SBS internal network)
>and Local Host (the SBS box) to the network object Wimba Live
>Classroom:


Why would you include the SBS/ISA box itself in the rule? That would only
be appropriate if the Wimba classroom software is installed on the SBS/ISA
box.


>Click on the Tasks tab (still within Firewall Policy).
>Create New Access Rule
>Access rule name: Wimba Access Rule (or a name of your choice)
>Allow
>This rule applies to: Selected protocols
>Add: User-Defined, Wimba Protocol
>Click Close (Note you could also edit the protocol here)
>Click Next
>This rule applies to traffic originating from the sources ...
>Add: Internal, Local Host (btw, Local Host is not necessary)


See comment above. I would *never* add LocalHost to rules intended to deal
with internal client access. It's usually better to keep rules for SBS/ISA
itself separate from those for its clients.

>>I'm on the fence whether to get a Tom Shinder book,
>
>Not a bad idea. Tom Shinder has written excellent books on ISA Server.
>The first I read was back in 2001.


The big problem with Tom is that he doesn't believe SBS should exist with
ISA on it.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
 
Jim G
      02-26-2008
Thanks for the reply Steve.

I received a little more juice from the turnip:

"The wimbamedia client first tries to connect through UDP 5998 then TCP 5998
and works its way down to HTTP/TCP 443 and 80. If UDP 5998 is open, then it
should find and use that. UDP is primary over TCP. These ports should be
configured for outbound communication from your network to the Wimba server
address."

Maybe I can get it to work by defining the custom protocol with primary UDP
5998 Send or Send Receive and secondary TCP 5998 Outbound.

If not a custom access rule, to what rule do I attach the custom protocol?
Or is it automatically attached to the SBS Internet Access rule?

Jim G.

Steve Foster [SBS MVP]
      02-27-2008
Jim G wrote:

>Thanks for the reply Steve.
>
>I received a little more juice from the turnip:
>
>"The wimbamedia client first tries to connect through UDP 5998 then TCP
>5998 and works its way down to HTTP/TCP 443 and 80. If UDP 5998 is open,
>then it should find and use that. UDP is primary over TCP. These ports
>should be configured for outbound communication from your network to the
>Wimba server address."
>
>Maybe I can get it to work by defining the custom protocol with primary
>UDP 5998 Send or Send Receive and secondary TCP 5998 Outbound.
>
>If not a custom access rule, to what rule do I attach the custom protocol?
>Or is it automatically attached to the SBS Internet Access rule?


Assuming the Wimba application is secure-proxy-capable (ie you can put in
credentials as well as proxy information) _or_ you have the ISA Firewall
Client installed, then any protocol you create should be usable by the SBS
Internet Access rule (it applies to all protocols, which means all
_defined_ protocols, rather than literally all).

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
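
Added example, not part of the thread and not ISA Server code: a small Python model of the primary/secondary rule described in the replies above, run against the port list as originally posted and against the proposed "primary UDP 5998, secondary TCP 5998" definition. The function names and the single-session model are assumptions made for illustration; the direction names are those shown in the ISA console.

```python
# Added example: a simplified model of the thread's primary/secondary rules,
# not ISA Server's own engine. Direction names follow the ISA console.
VALID_DIRECTIONS = {
    "TCP": {"Inbound", "Outbound"},
    "UDP": {"Send", "Receive", "Send Receive", "Receive Send"},
}

def validate(definition):
    """Return a list of problems found in a protocol definition."""
    problems = []
    for role in ("primary", "secondary"):
        for transport, direction, port in definition.get(role, []):
            if direction not in VALID_DIRECTIONS.get(transport, set()):
                problems.append(
                    f"{role} {transport} {port}: {direction!r} is not a {transport} direction")
    if not definition.get("primary"):
        problems.append("no primary connection, so nothing can initiate a session")
    return problems

def evaluate(definition, attempts):
    """Classify each client connection attempt, in the order it is made."""
    primary = {(t, p) for t, _, p in definition.get("primary", [])}
    secondary = {(t, p) for t, _, p in definition.get("secondary", [])}
    session_open = False          # becomes True once a primary connection matches
    verdicts = []
    for attempt in attempts:
        if attempt in primary:
            session_open = True
            verdicts.append("primary")
        elif attempt in secondary and session_open:
            verdicts.append("secondary")    # the "+1" arriving with its host
        else:
            verdicts.append("not matched")  # includes a "+1" arriving alone
    return verdicts

# Constructed inputs built from the port lists quoted in the thread.
AS_POSTED = {"primary": [("TCP", "Outbound", 5998), ("TCP", "Outbound", 443),
                         ("TCP", "Outbound", 5190), ("UDP", "Outbound", 5998),
                         ("UDP", "Outbound", 33434), ("UDP", "Outbound", 5190),
                         ("UDP", "Outbound", 16384)]}
PROPOSED = {"primary": [("UDP", "Send Receive", 5998)],
            "secondary": [("TCP", "Outbound", 5998)]}

if __name__ == "__main__":
    print(validate(AS_POSTED))                                  # four UDP direction problems
    print(evaluate(PROPOSED, [("UDP", 5998), ("TCP", 5998)]))   # TCP rides along with UDP
    print(evaluate(PROPOSED, [("TCP", 5998)]))                  # TCP fallback on its own
```

In this model a TCP 5998 attempt made on its own is not matched, which is the case to check if the client falls back to TCP without a UDP session: a port used to initiate a connection belongs under primary.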
 