Firewall client and ISA server: how a data channel is negotiated over the Firewall client control channel
We know that a firewall client first connects to the ISA server over the firewall client control channel, which runs between a TCP ephemeral port on the firewall client machine and TCP port 1745 on the ISA server. In this post I will use network traces to show how the data channel is negotiated over that control channel, and what happens when the firewall client machine does not keep to the negotiated agreement and tries to create the data channel from a different port.
In this post the firewall client machine is trying to reach www.contoso.com. After the initial TCP handshake on the control channel, the firewall client sends the following.
Client request
Frame: Number = X, Captured Frame Length = X, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[XX-XX-XX-XX-XX-XX],SourceAddress:[XX-XX-XX-XX-XX-XX]
+ Ipv4: Src = 192.168.0.14, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = X, Total IP Length = X
+ Tcp: Flags=...AP..., SrcPort=2314, DstPort=1745, PayloadLen=X, Seq=X - Y, Ack=X, Win=X
- RWS: 0x2 Get host by name('www.contoso.com') from iexplore.exe
- RwstPacket: Get host by name('www.contoso.com') from iexplore.exe
NullChar: X
ProtoSig: RWS
PktLen: X
Reserved1: X
Flags: X
Reserved2: X
OpCode: Get host by name
DataLength: X
+ ClientConnectionHandle: X
+ ServerConnectionHandle: X
+ ClientMappingHandle: X
+ ServerMappingHandle: X
- RwsMessage: ('www.contoso.com') from iexplore.exe
- Gxby: ('www.contoso.com') from iexplore.exe
HostName: www.contoso.com
Padding: Binary Large Object (X Bytes)
- AppAndClientInfo: iexplore.exe
Application: iexplore.exe
- ClientInfo: - No detailed client information -
Size: X
Padding: Binary Large Object (X Bytes)
Comments: Here the client sent the request for www.contoso.com to the ISA server over the firewall control channel, using its own port 2314.
Server reply
+ Tcp: [Bad CheckSum]Flags=...AP..., SrcPort=1745, DstPort=2314, PayloadLen=393, Seq=Y - X, Ack=X, Win=X
- RWS: X Host entry response to iexplore.exe for 'www.contoso.com'
- RwstPacket: Host entry response to iexplore.exe for 'www.contoso.com'
NullChar: X
ProtoSig: RWS
PktLen: X
Reserved1: X
Flags: X
Reserved2: X
OpCode: Host entry
DataLength: X
+ ClientConnectionHandle: X
+ ServerConnectionHandle: X
+ ClientMappingHandle: X
+ ServerMappingHandle: X
- RwsMessage: response to iexplore.exe for 'www.contoso.com'
- HOSTENTRY:
ReqHostName: www.contoso.com
Padding: Binary Large Object (X Bytes)
- AppAndClientInfo: iexplore.exe
Application: iexplore.exe
- ClientInfo: - No detailed client information -
Size: 0 (0x0)
Padding: Binary Large Object (X Bytes)
offHostName: X
offAliasList: X
AddrType: IPv4
Length: X
offAddrlist: X
RealHostName: xyz.abc.com
+ Aliases: 3 entries
Padding: Binary Large Object (X Bytes)
- Addresses: 3 entries
offAddr: X
offAddr: X
offAddrEnd: X
- Address:
Address: 2.3.4.5
Address: 6.7.8.9
Address: 12.13.14.15
Comments: After resolving the name for this client, the ISA server sends back the list of addresses available for www.contoso.com.
Client's next response
- RWS: X New Connect request from iexplore.exe to 2.3.4.5/80; client will send from 192.168.0.14/3225
- RwstPacket: New Connect request from iexplore.exe to 2.3.4.5/80; client will send from 192.168.0.14/3225
NullChar: X
ProtoSig: RWS
PktLen: X
Reserved1: X
Flags: X
Reserved2: X
OpCode: New Connect
DataLength: X
+ ClientConnectionHandle: X
+ ServerConnectionHandle: X
+ ClientMappingHandle: X
+ ServerMappingHandle: X
- RwsMessage: request from iexplore.exe to 2.3.4.5/80; client will send from 192.168.0.14/3225
- ConnectData: request from iexplore.exe to 2.3.4.5/80; client will send from 192.168.0.14/3225
- ConnectEndpoint: 2.3.4.5/80
Family: IPv4
Port: 80 (0x50)
Addr: 2.3.4.5
Padding: Binary Large Object (X Bytes)
ClientPort: 3225 (0xC99)
Padding: Binary Large Object (X Bytes)
- AppAndClientInfo: iexplore.exe
Application: iexplore.exe
- ClientInfo: - No detailed client information -
Size: X
Padding: Binary Large Object (X Bytes)
Comments: The client then tells the ISA server that it would like to set up the data channel from its port 3225.
Server's response
- RWS: X Connect reply to iexplore.exe; using 192.168.0.14/3225 with 192.168.0.1/52122 == 16.17.18.19/80 with 2.3.4.5/80
- RwstPacket: Connect reply to iexplore.exe; using 192.168.0.14/3225 with 192.168.0.1/52122 == 16.17.18.19/80 with 2.3.4.5/80
NullChar: X
ProtoSig: RWS
PktLen: X
Reserved1: X
Flags: X
Reserved2: X
OpCode: Connect reply
DataLength: X
+ ClientConnectionHandle: X
+ ServerConnectionHandle: X
+ ClientMappingHandle: X
+ ServerMappingHandle: X
- RwsMessage: to iexplore.exe; using 192.168.0.14/3225 with 192.168.0.1/52122 == 16.17.18.19/80 with 2.3.4.5/80
- ConnReplyData: to iexplore.exe; using 192.168.0.14/3225 with 192.168.0.1/52122 == 16.17.18.19/80 with 2.3.4.5/80
+ InternalEndpoint: 192.168.0.1/52122
+ ExternalEndpoint: 16.17.18.19/80
Padding: Binary Large Object (X Bytes)
+ AppAndClientInfo: iexplore.exe
Comments: The server then tells the client that it will provide its port 52122 for the data channel. In the trace we can also see how it defines the internal and external endpoints.
If the client, after telling the ISA server that it will set up the data channel from a certain port, then tries to create the data channel from some other port, the ISA server drops that traffic with the error
ERROR:Failed to find session's connection
and in the ISA logs we will see FWE_TCP_NOT_SYN.
The ISA server expects the data channel connection to be between 192.168.0.14/3225 and 192.168.0.1/52122.
So if the client tries to make it from any other port, ISA treats the packet as non-SYN (out of session) and hence drops it.
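To make the negotiation above concrete, here is an added example (not code from the original post or from ISA Server) that models the exchange as a small session table: a Get host by name / Host entry step, a New Connect / Connect reply step that records the agreed client and ISA endpoints, and the check ISA applies to the first packet of the data channel. The addresses, ports and address list are constructed from the trace in the post; the class names, the host_table and the way the external endpoint is filled in are assumptions of the model, not a parser for the real RWS wire format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """An address/port pair written the way the trace prints it, e.g. 192.168.0.14/3225."""
    addr: str
    port: int

    def __str__(self) -> str:
        return f"{self.addr}/{self.port}"


@dataclass
class ControlChannel:
    """Model of one firewall client control channel (client ephemeral port -> ISA tcp/1745).

    Values are constructed from the post's trace; this is a teaching model of the
    negotiation, not a parser for the real RWS wire format.
    """
    client_addr: str
    isa_internal_addr: str
    isa_external_addr: str
    host_table: Dict[str, List[str]]          # stands in for the ISA server's name resolution
    next_isa_port: int = 52122                # first ISA-side data-channel port, as in the trace
    # negotiated data channels: (client endpoint, ISA internal endpoint) -> destination
    sessions: Dict[Tuple[Endpoint, Endpoint], Endpoint] = field(default_factory=dict)

    def get_host_by_name(self, hostname: str) -> List[str]:
        """OpCode 'Get host by name', answered by a 'Host entry' reply carrying the address list."""
        return list(self.host_table.get(hostname, []))

    def new_connect(self, dest: Endpoint, client_port: int) -> Tuple[Endpoint, Endpoint]:
        """OpCode 'New Connect': the client names the port it will send from; the 'Connect
        reply' carries the ISA internal endpoint the client must connect to."""
        client_ep = Endpoint(self.client_addr, client_port)
        internal_ep = Endpoint(self.isa_internal_addr, self.next_isa_port)
        # The trace shows the external endpoint as 16.17.18.19/80; the model copies the
        # destination port and makes no claim about how ISA actually chooses it.
        external_ep = Endpoint(self.isa_external_addr, dest.port)
        self.next_isa_port += 1
        self.sessions[(client_ep, internal_ep)] = dest
        return internal_ep, external_ep

    def check_data_channel_syn(self, src: Endpoint, dst: Endpoint) -> Tuple[str, str]:
        """Apply the rule the post describes: the data channel must arrive on exactly the
        negotiated tuple, otherwise ISA treats it as out of session and drops it."""
        if (src, dst) in self.sessions:
            return "ACCEPT", f"{src} -> {dst} matches a negotiated session"
        return "DROP", "ERROR:Failed to find session's connection (logged as FWE_TCP_NOT_SYN)"


def walk_through() -> Dict[str, object]:
    """Replay the exchange from the post, then try data channels from the wrong ports."""
    ch = ControlChannel(
        client_addr="192.168.0.14",
        isa_internal_addr="192.168.0.1",
        isa_external_addr="16.17.18.19",
        host_table={"www.contoso.com": ["2.3.4.5", "6.7.8.9", "12.13.14.15"]},
    )
    addresses = ch.get_host_by_name("www.contoso.com")
    dest = Endpoint(addresses[0], 80)                       # client picks the first address
    internal_ep, external_ep = ch.new_connect(dest, client_port=3225)

    agreed = ch.check_data_channel_syn(Endpoint("192.168.0.14", 3225), internal_ep)
    wrong_client_port = ch.check_data_channel_syn(Endpoint("192.168.0.14", 3226), internal_ep)
    wrong_isa_port = ch.check_data_channel_syn(Endpoint("192.168.0.14", 3225),
                                               Endpoint("192.168.0.1", 52123))
    return {
        "addresses": addresses,
        "internal_endpoint": str(internal_ep),
        "external_endpoint": str(external_ep),
        "agreed": agreed[0],
        "wrong_client_port": wrong_client_port[0],
        "wrong_isa_port": wrong_isa_port[0],
        "drop_reason": wrong_client_port[1],
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running the script replays the trace: the Host entry reply lists the three addresses, the Connect reply hands back 192.168.0.1/52122, the data channel from 192.168.0.14/3225 is accepted, and a data channel from 3226 (or to the wrong ISA port) is dropped with the session error the post quotes. When troubleshooting FWE_TCP_NOT_SYN in real ISA logs, the useful check is exactly this one: compare the source and destination ports of the dropped packet with the ClientPort in the New Connect request and the InternalEndpoint in the Connect reply on the control channel.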
Comments

Anonymous
January 01, 2003
I just visited my blog today..so saw your message today..will surely reply with control channel initiation traffic..Thanks for posting this...as I guess I should have put that first, then put the data channel negotiation..appreciate your query again...:)

Anonymous
January 01, 2003
I have written a post regarding this, please have a look at that: blogs.technet.com/.../firewall-client-channel-setup-just-before-the-data-channel-setup.aspx

Anonymous
August 31, 2010
This is the negotiation that happens when a client wants to send the traffic. Could you please explain what happens when the initial control channel is being set up, with the respective headers. Thanks