Allow Wimba Live Classroom via ISA 2004 on SBS 2003

Discussion in 'Windows Small Business Server' started by Jim G, Feb 20, 2008.

  1. Jim G

    Jim G Guest

    I'm trying to access a Wimba Live Classroom server at 208.185.32.145 from my
    workstation through ISA 2004 SP3. I get a prompt to enter my HTTP Proxy
    credentials (username and password). I enter either my personal credentials
    or the Administrator credentials in either "Domain\username" or just
    "username" format, but the prompt keeps coming back.

    How do I permanently allow this IP address in ISA server? I haven't had to
    muck around too much in the ISA console except to allow outbound FTP
    traffic, so I guess, I'll always be an ISA noob.

    I also posted this to microsoft.public.isaserver.

    Thanks, Jim
     
    Jim G, Feb 20, 2008
    #1

  2. By default, the ISA ruleset on SBS allows all known and authenticated
    traffic out. The key point there is "known". You need to know what Wimba
    is up to, so that you can tell ISA what it is. Unfortunately, this
    information doesn't appear to be readily available on the Wimba website
    (at least I couldn't find it), so you may have to ask them.

    Once you have the technical specification for how it communicates, you
    would define a Wimba protocol in ISA and then it should be allowed
    automatically without you needing any new rules.
    The other way to work it out is to use the ISA logs to see what is being
    blocked (i.e. what Wimba is trying to do), but this is really something that
    requires a good level of understanding of ISA and networking protocols to
    achieve.
     
    Steve Foster [SBS MVP], Feb 21, 2008
    #2

  3. Are you prompted for your HTTP Proxy credentials (username and
    password) every time you access the web, or just with this site?
    By default you should be a member of the security group Internet Users
    (SBS Internet Users). Members of this group can access the Internet
    through ISA Server.

    The default SBS Internet Access Rule is Allow All outbound from All
    Protected (all networks except Internet) to External (only Internet)
    for SBS Internet Users.

    I have no difficulty accessing eu.spsu.horizonwimba.net
    (208.185.32.145) with a firewall client (Vista) or SecureNAT (XP).

    jas
     
    Jon-Alfred Smith, Feb 22, 2008
    #3
  4. Jim G

    Jim G Guest

    I put a snippet of the Wimba log file at the bottom of this reply. It looks
    as though I have to create an ISA protocol for UDP 5997 - 5998, and maybe
    TCP? 4569 to allow HZTC tunneling, whatever that is. It seems to be
    searching ports including -a 5998 -a 443 -a 5190 -d -t 5998 -A 5998 -t
    33434 -A 33434 -t 5190 -A 5190 -t 16384 -A 16384.

    Does "*proxy is null terminated" mean that my ISA won't allow the traffic?

    I'm prompted for HTTP Proxy credentials just for this site/application and
    only after I click OK to run these additional executables:
    C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\horizonmedia.exe
    C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-low.exe
    C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-high.exe

    09:47:46 EST 2008 - [debug] command_string => C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-low.exe -l ../logs horizonmedia.exe -c 24 -fr 15 -fs 1400 -br 128000 -ww 320 -wh 240 -w 160 -h 120 -jbte -1 -- -U default -c 208.185.32.145:4569 -H 208.185.32.145:80 -a 5998 -a 443 -a 5190 -d -t 5998 -A 5998 -t 33434 -A 33434 -t 5190 -A 5190 -t 16384 -A 16384 -L ../logs/hztc_debug.log -v 4
    09:47:46 EST 2008 - [debug] DoorController.launchAgent(), about to execute agent, command => C:\Users\username\AppData\LocalLow\HorizonWimba\JSecureDoor\horizonmedia_1.3.0\data\wimbasecproxy-low.exe -l ../logs horizonmedia.exe -c 24 -fr 15 -fs 1400 -br 128000 -ww 320 -wh 240 -w 160 -h 120 -jbte -1 -- -U default -c 208.185.32.145:4569 -H 208.185.32.145:80 -a 5998 -a 443 -a 5190 -d -t 5998 -A 5998 -t 33434 -A 33434 -t 5190 -A 5190 -t 16384 -A 16384 -L ../logs/hztc_debug.log -v 4
    09:47:46 EST 2008 - [debug] HZTunnel connected 00 00 29 06 | EA 40 E8 22
    09:47:46 EST 2008 - [debug] tcp_connect()
    09:47:46 EST 2008 - [debug] DoorReader stream=1,[email protected]
    09:47:46 EST 2008 - [debug] DoorReader stream=2,[email protected]
    09:47:46 EST 2008 - [debug] DoorController.launchAgent(), agent started
    09:47:46 EST 2008 - [info] DoorController.run(), entering door controller's main while loop
    09:47:46 EST 2008 - [info] handling AGENT_STARTED door event
    09:47:46 EST 2008 - [debug] HZTunnel made raw TCP connection Socket[addr=/208.185.32.145,port=443,localport=50928]
    09:47:46 EST 2008 - [debug] You have connected successfully!
    09:47:46 EST 2008 - [debug] IAX_OUT wsp_high_started
    09:47:46 EST 2008 - [debug] WSP_OUT: high started, disabling timeout
    09:47:46 EST 2008 - [debug] Initing: _school_username:Johhny_User:XXXXXXXX
    09:47:46 EST 2008 - [debug] Starting ping pong thread
    09:47:46 EST 2008 - [debug] Processing RemoteEvent => 2
    09:47:46 EST 2008 - [debug] HZTunnel trying alternate port succeeded
    09:47:46 EST 2008 - [debug] HZTunnel switching to URL: http://208.185.32.145:443/HZTunnel/
    09:47:46 EST 2008 - [debug] HZTunnel switched to raw TCP
    09:48:04 EST 2008 - [debug] IAX_OUT wsp_high_initialized
    09:48:04 EST 2008 - [debug] WSP_OUT: high initialized, enabling timeout
    09:48:04 EST 2008 - [debug] IAX_ERR Launching with the following parameters:
    09:48:04 EST 2008 - [debug] IAX_ERR Mode = Video iaxclient
    09:48:04 EST 2008 - [debug] IAX_ERR Title = Live Classroom - Video
    09:48:04 EST 2008 - [debug] IAX_ERR Width = 160
    09:48:04 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
    09:48:04 EST 2008 - [debug] IAX_OUT: disabling timeout
    09:48:04 EST 2008 - [debug] IAX_ERR Height = 120
    09:48:04 EST 2008 - [debug] IAX_ERR WidgetWidth = 320
    09:48:04 EST 2008 - [debug] IAX_ERR WidgetHeight = 240
    09:48:04 EST 2008 - [debug] IAX_ERR Xpos = -1
    09:48:04 EST 2008 - [debug] IAX_ERR Ypos = -1
    09:48:04 EST 2008 - [debug] IAX_ERR JBTargetExtra = -1
    09:48:04 EST 2008 - [debug] IAX_ERR Destination =
    09:48:04 EST 2008 - [debug] IAX_ERR Bitrate = 128000
    09:48:04 EST 2008 - [debug] IAX_ERR Framerate = 15
    09:48:04 EST 2008 - [debug] IAX_ERR Format = 0x1000000
    09:48:04 EST 2008 - [debug] IAX_ERR Initializing HZTC tunneling...
    09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - bind/listen udp 5997-5997
    09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - tunnel 208.185.32.145 80
    09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 - connect 208.185.32.145 4569
    09:48:04 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:04 + wininet proxy configuration PROXY_TYPE_AUTO_PROXY_URL
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * proxy is null terminated, [servername.root.companyname.org:8080]
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy: (post-parse) sub[1]= '8080'
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy: (post-atoi) port = '8080'
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + winhttp autoproxy for http://208.185.32.145:80/HZTunnel/ servername.root.companyname.org:8080
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * proxy is null terminated, [servername.root.companyname.org:8080]
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy: (post-parse) sub[1]= '8080'
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 * winhttp-proxy: (post-atoi) port = '8080'
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + winhttp autoproxy for https://208.185.32.145:80/HZTunnel/ servername.root.companyname.org:8080
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + found proxy configuration servername.root.companyname.org:8080
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - http_make primary address 208.185.32.145 80
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - HTTP url: http://208.185.32.145:80/HZTunnel/
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - HTTP host-header: Host: 208.185.32.145:80
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - HTTP tcp: servername.root.companyname.org:8080
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 - proxy servername.root.companyname.org 8080
    09:48:05 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:05 + HTTP proxy requires authorization
    09:48:05 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
    09:48:05 EST 2008 - [debug] IAX_OUT: disabling timeout
    09:48:24 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_start
    09:48:24 EST 2008 - [debug] IAX_OUT: enabling timeout
    09:48:24 EST 2008 - [debug] IAX_ERR Proxy authentication user=name, pass=password
    09:48:24 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
    09:48:24 EST 2008 - [debug] IAX_OUT: disabling timeout
    09:48:24 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:24 + HTTP proxy requires authorization
    09:48:28 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_start
    09:48:28 EST 2008 - [debug] IAX_OUT: enabling timeout
    09:48:28 EST 2008 - [debug] IAX_ERR Proxy authentication user=name, pass=password
    09:48:28 EST 2008 - [debug] IAX_ERR 21/02/08 09:48:28 + HTTP proxy requires authorization
    09:48:28 EST 2008 - [debug] IAX_OUT iaxc_ev_timeout_stop
    09:48:28 EST 2008 - [debug] IAX_OUT: disabling timeout
     
    Jim G, Feb 22, 2008
    #4
  5. Jim G

    Jim G Guest

    Wimba Live Classroom tech support tells me it uses:
    * For TCP, and alternate HTTP: 5998, 443 and port 5190
    * For UDP: port 5998, 33434, 5190, and 16384

    Now if I can figure out how to create a protocol/filter and add it to a
    Rule, I'll be in business. 443 should already be forwarded.

    I'm on the fence whether to get a Tom Shinder book, or ditch ISA and get a
    firewall appliance, although I realize I'd still have to configure/learn the
    firewall appliance.

    Jim

     
    Jim G, Feb 22, 2008
    #5
  6. We need to create:
    1) a destination network object (Wimba Live Classroom)
    2) a custom protocol
    3) an access rule

    First let's create a computer object as the destination and call it
    Wimba Live Classroom:

    In the MS ISA Server 2004 console click Firewall Policy.
    In the right pane you have three tabs. Click on Toolbox.
    Click on Network Objects.
    Click New, Computer
    Name: Wimba Live Classroom (or a name of your choice)
    Computer IP Address: 208.185.32.145
    Click Apply -- (good practice to do so for every step you take).
    Now you should see this object under Network Objects, Computers.

    Second, let's create the Wimba custom protocol
    Click Toolbox, Protocols
    Click New
    Name, Protocol
    Name: Wimba Protocol

    Click New
    Protocol Type: TCP
    Direction: Outbound
    Port Range From: 5998 To: 5998. Click OK
    Click New
    Protocol Type: TCP
    Direction: Outbound
    Port Range From: 443 To: 443. Click OK
    Click New
    Protocol Type: TCP
    Direction: Outbound
    Port Range From: 5190 To: 5190. Click OK
    Click New

    Protocol Type: UDP
    Direction: Outbound
    Port Range From: 5998 To: 5998. Click OK
    Click New
    Protocol Type: UDP
    Direction: Outbound
    Port Range From: 33434 To: 33434. Click OK
    Click New
    Protocol Type: UDP
    Direction: Outbound
    Port Range From: 5190 To: 5190. Click OK
    Click New
    Protocol Type: UDP
    Direction: Outbound
    Port Range From: 16384 To: 16384.

    Click Next
    Do you want to use secondary connections: No
    Click Finish
    Click Apply

    Now you should see under Protocols, User-Defined:
    Wimba Protocol
    (Right-click for future editing if something needs to be changed)

    Third, we need the access rule
    Let's create an access rule from Internal (the SBS internal network)
    and Local Host (the SBS box) to the network object Wimba Live
    Classroom:

    Click on the Tasks tab (still within Firewall Policy).
    Create New Access Rule
    Access rule name: Wimba Access Rule (or a name of your choice)
    Allow
    This rule applies to: Selected protocols
    Add: User-Defined, Wimba Protocol
    Click Close (Note you could also edit the protocol here)
    Click Next
    This rule applies to traffic originating from the sources ...
    Add: Internal, Local Host (btw, Local Host is not necessary)
    This rule applies to traffic sent to these destinations
    Click Add, Computers, Wimba Live Classroom
    Click Close
    Click Next
    This rule applies to requests from the following user sets
    Leave it for the time being with All Users
    Click Finish
    Make sure the Action is Allow
    Click Apply

    You can move the rule up and down by right-clicking (Move Down, Move
    Up)

    Leave the SBS Publishing Rules above.
    Rules are evaluated from top to bottom. If you place it under the Last Default
    rule, nothing will happen, as the Last Default rule will deny all
    traffic.

    Make sure there is no blocking rule above / before the Wimba Access
    Rule.

    As an interesting note (at least I think so): By right-clicking a rule
    you can temporarily disable it, which I do now in order to test the Wimba
    Access Rule.

    I need to disable my SecureNAT rule (custom rule, not default)

    Test
    From my SecureNAT client I can't access anything but the Wimba site
    Passed the Setup Wizard (but I don't have the audio equipment)
    Managed to log in with a user name of my choice. Name:, not Username /
    Password

    For troubleshooting:
    You can edit the UDP values and allow direction Send Receive (or the
    other way round)
    You can add the Web Proxy Filter.

    You could create a Wimba User in the Toolbox and edit the Wimba Access
    rule. Add the Wimba User, remove All Users ... you get the idea.

    Just a last comment
    What I really like about ISA Server is the approach taken with defined
    self-contained objects, which you can then play around with like Lego
    bricks.
    Not a bad idea. Tom Shinder has written excellent books on ISA Server.
    The first I read was back in 2001.
    There are ISA Server appliances ... :)
    http://www.celestix.com/products/isa/index.htm

    jas
     
    Jon-Alfred Smith, Feb 22, 2008
    #6
  7. Jim G

    Jim G Guest

    Thank you for the detailed explanation, and with tests and troubleshooting
    tips!

    Unfortunately, I could not get it to work. After creating the network
    object, protocol, and rule (and saving it all), I still get the same
    authentication prompt. For UDP protocol, the options for Direction are
    Receive, Receive Send, Send, and Send Receive. I tried both Send and Send
    Receive. I also tried with and without Web Proxy Filter. I went through your
    instructions three times. I'll go through a fourth time after getting some
    rest in between.

    Jim
     
    Jim G, Feb 25, 2008
    #7
  8. If the default SBS ISA ruleset is in place, and the Wimba client
    application is capable of offering up proxy credentials (which sounds like
    the case), no, we don't. All that is required in this scenario is the
    protocol definition, and then the standard "SBS Internet Access" rule will
    apply.

    If either the default SBS ISA ruleset is not in use, or the application is
    not secure-proxy-capable, *then* you'll need an access rule as well as the
    protocol definition. Whether you restrict the rule to a single destination
    set depends on whether this is the only Wimba classroom location that
    needs to be accessed.

    Personally, if I'm creating destination sets, I prefer to use set objects
    rather than individual ones (i.e. I'd use a Computer Set, rather than a
    Computer). I just really wish ISA let you put Computer items into Computer
    Sets if you wanted to, rather than them being completely unrelatable.

    If you're referring to the "big" Apply, I completely disagree. The whole
    point of the "big" Apply is that you can work up a set of changes to the
    overall ISA policy, building all the elements required and the rules that
    use them, without disturbing the current policy. When you've completed all
    the work, *then* you make the new policy effective with the "big" Apply.
    UDP has no concept of "Outbound". The UDP equivalent to this would be
    "Send Receive". Whether that's actually the correct choice is unclear from
    the incomplete information Jim has.
    Well, some of those port ranges above should likely be under Secondary
    Connections, rather than Primary. The only entries under Primary should be
    those used to _initiate_ connections, not all the possible port/direction
    combinations the protocol will ever use.

    Secondary connections are like "+1" on a guest invite - they only get to
    go to the party if they're with the nominated (Primary) guest. If they
    show up on their own, they're refused entry (or exit).

    Why would you include the SBS/ISA box itself in the rule? That would only
    be appropriate if the Wimba classroom software is installed on the SBS/ISA
    box.

    See comment above. I would *never* add LocalHost to rules intended to deal
    with internal client access. It's usually better to keep rules for SBS/ISA
    itself separate from those for its clients.
    The big problem with Tom is that he doesn't believe SBS should exist with
    ISA on it.
     
    Steve Foster [SBS MVP], Feb 26, 2008
    #8
  9. Jim G

    Jim G Guest

    Thanks for the reply Steve.

    I received a little more juice from the turnip:

    "The wimbamedia client first tries to connect through UDP 5998 then TCP 5998
    and works its way down to HTTP/TCP 443 and 80. If UDP 5998 is open, then it
    should find and use that. UDP is primary over TCP. These ports should be
    configured for outbound communication from your network to the Wimba server
    address."

    Maybe I can get it to work by defining the custom protocol with primary UDP
    5998 Send or Send Receive and secondary TCP 5998 Outbound.

    If not a custom access rule, to what rule do I attach the custom protocol?
    Or is it automatically attached to the SBS Internet Access rule?

    Jim G.
     
    Jim G, Feb 26, 2008
    #9
  10. Assuming the Wimba application is secure-proxy-capable (i.e. you can put in
    credentials as well as proxy information) _or_ you have the ISA Firewall
    Client installed, then any protocol you create should be usable by the SBS
    Internet Access rule (it applies to all protocols, which means all
    _defined_ protocols, rather than literally all).
     
    Steve Foster [SBS MVP], Feb 27, 2008
    #10
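To make the evaluation behaviour Steve describes concrete (rules read top to bottom, the Last Default rule denying whatever nothing above allowed, "all protocols" meaning all defined protocols, and secondary connections admitted only alongside an established primary one), here is a small Python model written for this thread; it is not ISA code and not anything from Wimba. Which of the ports Wimba support listed are primary and which are secondary is an assumption of the model, since the thread does not settle that.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Conn:                 # one connection attempt as seen by the firewall
    proto: str              # "TCP" or "UDP"
    port: int               # destination port
    src: str                # source network, e.g. "Internal"
    dst: str                # destination host
@dataclass
class Protocol:             # an ISA protocol definition
    name: str
    primary: set                                 # {(proto, port)} that may initiate a session
    secondary: set = field(default_factory=set)  # admitted only once a primary session exists
@dataclass
class Rule:                 # an ISA access rule
    name: str
    action: str             # "Allow" or "Deny"
    protocols: object       # list of Protocol, "ALL" (= all *defined* protocols) or None (= literally everything)
    sources: set
    destinations: set
LAST_DEFAULT = Rule("Last Default rule", "Deny", None, {"*"}, {"*"})
class Firewall:
    def __init__(self, rules, defined):
        self.rules = rules + [LAST_DEFAULT]   # evaluated top to bottom; Last Default is always last
        self.defined = defined                # the protocol definitions ISA knows about
        self.sessions = set()                 # (src, dst, protocol) of established primary sessions

    def evaluate(self, c):
        """Return (action, rule name) from the first rule that matches; Last Default always does."""
        for rule in self.rules:
            if "*" not in rule.sources and c.src not in rule.sources:
                continue
            if "*" not in rule.destinations and c.dst not in rule.destinations:
                continue
            if rule.protocols is None:        # Last Default: matches even undefined traffic
                return rule.action, rule.name
            for p in (self.defined if rule.protocols == "ALL" else rule.protocols):
                key, session = (c.proto, c.port), (c.src, c.dst, p.name)
                if key in p.primary:
                    if rule.action == "Allow":
                        self.sessions.add(session)
                    return rule.action, rule.name
                if key in p.secondary and session in self.sessions:
                    return rule.action, rule.name
            # source and destination matched but no protocol did: fall through to the next rule
WIMBA_HOST = "208.185.32.145"   # the Live Classroom server from the thread
# Assumed split of the ports Wimba support listed: UDP 5998 and the TCP fallbacks initiate,
# the remaining media ports are secondary (the thread does not say which is which).
WIMBA = Protocol("Wimba Protocol",
                 primary={("UDP", 5998), ("TCP", 5998), ("TCP", 443)},
                 secondary={("UDP", 33434), ("UDP", 5190), ("UDP", 16384), ("TCP", 5190)})
SBS_INTERNET_ACCESS = Rule("SBS Internet Access", "Allow", "ALL", {"Internal"}, {"*"})
def verdicts(defined):
    # Run Wimba's attempts through the default SBS ruleset with the given protocol definitions
    fw = Firewall([SBS_INTERNET_ACCESS], defined)
    tries = [Conn("UDP", 16384, "Internal", WIMBA_HOST),   # media port before any session exists
             Conn("UDP", 5998, "Internal", WIMBA_HOST),    # primary port: opens the session
             Conn("UDP", 16384, "Internal", WIMBA_HOST)]   # same media port, now with a session
    return [fw.evaluate(c) for c in tries]
```

With no Wimba definition every attempt falls through to the Last Default rule; once the protocol is defined, the stock SBS Internet Access rule admits the primary port and, only after that, the secondary one.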
