ISA Firewall Fact: Do Not Use Netstat to Assess Listener Status

By /

I’ve been seeing a number of posts recently from people stating that Web and Server Publishing Rules are not working because they’ve done a netstat -na and don’t see the port listed as Listening.

The reason for this is that you can’t use netstat to determine whether or not the ISA firewall is listening on a specific port. While this was a valid method for ISA 2000, it does not work with ISA 2004.

In order to determine the active listeners used by the ISA firewall, you need to use the Firewall Kernel Mode Tool, which goes by the name fwengmon.

From the Fwengmon.doc:

Creations in the driver represent a potential for creating new connections, and the driver maintains a list of creations in parallel with the list of connections. A creation element has the following attributes:

Properties

  • Protocol number. Indicates the protocol anticipated by the creation.
  • Source (IP address and port or endpoint). Indicates the anticipated source address or port.
  • Destination (IP address and port or endpoint). Indicates the anticipated destination or port.
  • Protocol-specific control flags. Allows finer control of this creation element. For example, a creation element for a TCP connection may indicate that the creation element can only create one connection, or an infinite number of connections.

Properties mask. Indicates which properties to match.

Source address range and networks. Limits the applicable sources to match against.

Optional address translation. Copies to the connection rule if one is created from this creation element:

  • Source address translation, which limits the application sources to match against.
  • Destination address translation.

Creation elements are created in the following cases:

  • When there is a server publishing rule, one or several creation elements are created in anticipation of incoming connections to the published server.
  • When a Firewall client uses a complex protocol, creation elements are created for the secondary connections.
  • When an application filter enables the creation of complex protocols, creation elements are created for the secondary protocol.
  • When a Firewall client listener is defined for a network element (allowing Firewall clients to connect to the firewall), creation elements are created.
  • When a Web listener is defined for a network element (allowing Web clients or proxy clients to connect to the firewall), creation elements are created.

Download the fwengmon.exe tool at http://www.microsoft.com/downloads/details.aspx?FamilyId=F3306399-D4F9-4989-865E-C61F8293C330&displaylang=en

HTH,

Tom

Thomas W Shinder, M.D.

Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/

Book: http://tinyurl.com/3xqb7

MVP — ISA Firewalls

About The Author

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top