SSL enabled on web site causes blocking
Old 09-29-2008, 05:26 PM #1
ksteinbrueck

We access our school management software through the internet. Up until
Friday we had no trouble accessing it at all. On Friday the company
decided to activate SSL on the server that we access. How do I make the
site available to our teachers? I know that the port is 7443 and I
tried to set up a filter to allow access through that port, but it is
still being blocked. I can access the site if I unload the filters so I
know it is a filtering issue. Any guidance would be appreciated.


--
ksteinbrueck
------------------------------------------------------------------------
ksteinbrueck's Profile: http://forums.novell.com/member.php?userid=21376
View this thread: http://forums.novell.com/showthread.php?t=345362

Re: SSL enabled on web site causes blocking
Old 10-02-2008, 02:01 AM #2
Craig Johnson

In article <ksteinbrueck.3gin5b@no-mx.forums.novell.com>, Ksteinbrueck
wrote:
> I can access the site if I unload the filters so I
> know it is a filtering issue. Any guidance would be appreciated.
>

Have a copy of my BMgr filtering book somewhere?

If I understand you correctly, you access a server on the internet that
is now using custom port 7443. Are you accessing it with a browser
through the proxy?

How you access the server controls what filter exception(s) you need to
configure. If you get there via proxy, you need to put in at least one
filter exception from Public to Public, source IP = BM public IP
address, and destination port=7443. You would have to configure this
in FILTCFG (or iManager if you want). If you make it stateful, you
should only need one filter exception.

If you are accessing this without using a proxy, then you use the same
(stateful) exception, except you go from Private to Public interfaces.

The BMgr default exceptions, since 3.7sp1, don't allow the proxy to use
a non-standard port like 7443, so you have to configure something
custom there. Prior versions of BMgr were more open, and the proxy
would have been able to use that port without a problem. Non-proxy
(nat) traffic always requires a custom exception.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

Re: SSL enabled on web site causes blocking
Old 10-02-2008, 08:31 AM #3
Kathy

Thanks Craig - I do have your books but have not been able to get this one
working. I'll delete the filter I set up for it and recreate following your
directions.
Thanks,
Kathy

"Craig Johnson" <craigsj@ix.netcom.com> wrote in message
news:VA.00004047.01947ae0@ix.netcom.com...
> In article <ksteinbrueck.3gin5b@no-mx.forums.novell.com>, Ksteinbrueck
> wrote:
>> I can access the site if I unload the filters so I
>> know it is a filtering issue. Any guidance would be appreciated.
>>

> Have a copy of my BMgr filtering book somewhere?
>
> If I understand you correctly, you access a server on the internet that
> is now using custom port 7443. Are you accessing it with a browser
> through the proxy?
>
> How you access the server controls what filter exception(s) you need to
> configure. If you get there via proxy, you need to put in at least one
> filter exception from Public to Public, source IP = BM public IP
> address, and destination port=7443. You would have to configure this
> in FILTCFG (or iManager if you want). If you make it stateful, you
> should only need one filter exception.
>
> If you are accessing this without using a proxy, then you use the same
> (stateful) exception, except you go from Private to Public interfaces.
>
> The BMgr default exceptions, since 3.7sp1, don't allow the proxy to use
> a non-standard port like 7443, so you have to configure something
> custom there. Prior versions of BMgr were more open, and the proxy
> would have been able to use that port without a problem. Non-proxy
> (nat) traffic always requires a custom exception.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***

Re: SSL enabled on web site causes blocking
Old 10-02-2008, 04:54 PM #4
Craig Johnson

Check the book section on using filter debugging if the filter
exception you make doesn't work. That should show you what port is
being blocked, in what direction it is blocked, etc. From that, you
can figure out what isn't working, look at the filters, and fix them.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

Re: SSL enabled on web site causes blocking
Old 10-11-2008, 02:26 PM #5
ksteinbrueck


I have set up the following filter:
Source Interface: Public
Dest. Interface: Public
Protocol: TCP
Src Port: All
Dest Port: 7443
Stateful Filtering:Enabled
Src Addr:Host
Src IP: (our public ip address)
Dest Addr:Any Address

We still cannot get to the gradebook part of PowerSchool if the filters
are turned on. It will give a Java Connection error. The rest of the
program works fine.

I have tried to use Wireshark to determine what additional ports might
need to be opened, but I'm not sure what I'm looking for.

Kathy



Re: SSL enabled on web site causes blocking
Old 10-22-2008, 11:31 AM #6
Craig Johnson

In article <ksteinbrueck.3h4mtb@no-mx.forums.novell.com>, Ksteinbrueck
wrote:
> Src Addr:Host
> Src IP: (our public ip address)
>

Still working on this? I just got back from vacation and can help
again.

The conditions should allow the proxy to make requests on that port
number, but not internal hosts. If the requests are coming from the
clients without actually going through the proxy, you would have to
allow from private to public, any source address.

You can use filter debug to see packets being filtered on the server to
see exactly what is being filtered when you try hitting the site. You
can also use pktscan.nlm on the server to capture packets (filtered and
unfiltered) and save them to a file. Then use Wireshark to look at the
file and see port 7443 requests, which should then tell you just what
is going on (with filters unloaded).

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

Re: SSL enabled on web site causes blocking
Old 11-26-2008, 09:56 AM #7
ksteinbrueck


Craig,
I finally got back to this today.

It seems to be working with the following filter exception:
Source:All
Destination:Public
Protocol: TCP
Src Port:All
Dest Port:7443
Src Addr:Any
Dest Addr:Any

Is this exception too open or does it look OK?

Thanks,
Kathy



Re: SSL enabled on web site causes blocking
Old 11-26-2008, 10:37 AM #8
Craig Johnson

I assume it is stateful?

It's ok, but it does open up that port to all IP addresses. You could
make it more restrictive by specifying the destination address=intended
web site address.

I usually call out source ports 1024-65535 as well, though that doesn't
matter all that much.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
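
The three exceptions discussed in this thread (post #5, post #7, and the tightening suggested in post #8), compared side by side. This is an added example, not part of any poster's message and not BorderManager's own matching logic: a simplified model that checks only the first packet of a new connection (a stateful exception then covers the replies). All IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:                      # first packet of a new TCP connection
    src_if: str                    # interface the packet comes from
    dst_if: str                    # interface the packet leaves on
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class FilterException:             # hypothetical model of one exception
    src_if: str                    # "Public", "Private" or "All"
    dst_if: str
    dport: int
    src_net: str = "0.0.0.0/0"     # default: any source address
    dst_net: str = "0.0.0.0/0"     # default: any destination address
    sports: tuple = (0, 65535)     # default: all source ports

    def allows(self, p: Packet) -> bool:
        return (self.src_if in ("All", p.src_if)
                and self.dst_if in ("All", p.dst_if)
                and p.dport == self.dport
                and self.sports[0] <= p.sport <= self.sports[1]
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net))

# Constructed addresses (documentation ranges), not from the thread.
BM_PUBLIC, CLIENT = "203.0.113.10", "192.168.1.50"
SITE, OTHER = "198.51.100.20", "198.51.100.99"

EXCEPTIONS = {
    "post5_proxy_only": FilterException("Public", "Public", 7443,
                                        src_net=BM_PUBLIC + "/32"),
    "post7_open": FilterException("All", "Public", 7443),
    "post8_tightened": FilterException("All", "Public", 7443,
                                       dst_net=SITE + "/32",
                                       sports=(1024, 65535)),
}
PACKETS = {
    "proxy_to_site": Packet("Public", "Public", BM_PUBLIC, SITE, 40000, 7443),
    "client_to_site": Packet("Private", "Public", CLIENT, SITE, 50000, 7443),
    "client_to_other": Packet("Private", "Public", CLIENT, OTHER, 50001, 7443),
}

def verdicts():
    """Return {exception name: {packet name: allowed?}} for every pairing."""
    return {name: {pn: exc.allows(p) for pn, p in PACKETS.items()}
            for name, exc in EXCEPTIONS.items()}
```

In this model the post #5 exception passes only proxy-originated requests, the post #7 exception passes port 7443 to any host, and the tightened form passes both proxy and direct client traffic but only to the intended site.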


 

