Firewall Settings for Communications Web Access

  • Question

  • We are using one Standard server and one Communications Web Access server for IM only.  The CWA server provides both internal and external web access, using distinct names and certificates.  The basic installation and testing went well.


    In attempting to tighten up security, I tried using the Security Configuration Wizard on the CWA installation.  The SCW did not have a defined role of Communications Web Access server, and the initial read turned off the NetLogon service, along with not picking up the correct SSL ports being utilized for the web sites.  The ports were added to the firewall exception rule, and the new security policy was applied.


    After correcting the NetLogon service, clients were able to start a session, but their client showed locally to be Offline.  Clients directly connected to the Standard server saw these web access connected as being Available.  When the web access session was ended, the status went to Offline.


    Sending a message from a Standard session to the web session resulted in an ID 504 error, server timed out.  Turning off the Firewall changed the presence information ability at the web client, but still would not allow a message session to go through (error changed to the recipient was Offline although their presence information showed Available) until the web client logged off and back onto their session - then everything works again.


    So, I know it's a firewall issue, but can't seem to find the correct documentation or tools to discover what needs to be changed.  Thanks in advance to those who know more and are willing to share.




    Wednesday, May 28, 2008 10:05 PM

All replies

  • I would start by ensuring that SIP (TCP 5061) is not being blocked by the firewall.
    Thursday, May 29, 2008 12:12 PM
  • Thanks, Mike.  I did try opening 5061, 5060, 5062 on the off chance that it was a TLS/MTLS communication issue, with no better results.  The only other clue that I can come up with is that when accounts do work properly, I am seeing some security related event log entries that indicate that ports in the 1000+ range are being used while the local server IIS account and the CWAService account are using the passed log on credentials for validation.  My concern would be that I will open up far more ports than needed or open them up in a too insecure way (i.e., for all programs as opposed to a more defined use to the ports).

    Thursday, May 29, 2008 2:19 PM
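    An added example (not from this thread or from Microsoft) of how the narrowly scoped exceptions the poster is after can be expressed on the CWA server with netsh, restricting the SIP port Mike mentioned to one peer and one program instead of "all programs", plus dropped-packet logging to find what is actually being blocked. The front-end address and the CWAService binary path are placeholders, not values from the thread.

```powershell
# Added example, not from the thread: scope host-firewall exceptions on the
# CWA server to one port, one peer and one program rather than "all programs".
# PLACEHOLDERS (assumptions): replace with the real front-end address and the
# real path of the CWAService executable before running.
$FrontEnd   = "192.0.2.10"                                        # PLACEHOLDER: OCS Standard server
$CwaService = "C:\Program Files\<CWA install dir>\<service>.exe"  # PLACEHOLDER: CWAService binary

# Inbound SIP/TLS (TCP 5061) from the Standard server only, and only for the
# CWA service process, so no other program on the box inherits the opening.
netsh advfirewall firewall add rule name="CWA - SIP TLS from front end" `
    dir=in action=allow protocol=TCP localport=5061 remoteip=$FrontEnd `
    program="$CwaService" profile=domain enable=yes

# Outbound SIP/TLS to the Standard server, scoped the same way.
netsh advfirewall firewall add rule name="CWA - SIP TLS to front end" `
    dir=out action=allow protocol=TCP remoteport=5061 remoteip=$FrontEnd `
    program="$CwaService" profile=domain enable=yes

# The two HTTPS sites the thread describes: the internal FQDN site on the
# default port 443 and the ISA-published site that ISA forwards to port 444.
netsh advfirewall firewall add rule name="CWA - internal HTTPS 443" `
    dir=in action=allow protocol=TCP localport=443 profile=domain enable=yes
netsh advfirewall firewall add rule name="CWA - ISA published HTTPS 444" `
    dir=in action=allow protocol=TCP localport=444 profile=domain enable=yes

# Log dropped connections so the "which port is blocked" question can be read
# from %systemroot%\system32\LogFiles\Firewall\pfirewall.log; turn it back
# off once the rule set is settled.
netsh advfirewall set allprofiles logging droppedconnections enable

# Confirm the SIP rule was created with the intended scope.
netsh advfirewall firewall show rule name="CWA - SIP TLS from front end"
```

    Reviewing pfirewall.log while reproducing the presence and IM failures shows the exact local port and remote address being dropped, which is the evidence needed to add a further rule or decide that none is required.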
  • Are you, by chance, using ISA to publish CWA?


    Thursday, May 29, 2008 2:26 PM
  • Are you protecting against an internal or external attack?  Typically CWA is published via a reverse proxy (preferred) or NAT and only port 443 is open.  In this configuration you do not have to go through the process of figuring out which ports are in use on the internal network.
    Thursday, May 29, 2008 2:35 PM
  • Thanks for your interest, Jeff.  Yes, we are using ISA 2006 to publish CWA.  The rule is for a web listener, and translates all requests to port 443 to present to our internal server using port 444.  This allowed us to have unique internal and external web addresses, without having to have the browser set to specific SSL ports by address.


    Because of how some of our users work (both on and off location), having one address that can be used internally and externally without having to specify a non-default SSL port made this an appealing solution.  They only have to use one address in their favorites to be able to access our company IM infrastructure, and not remember different addresses based on where they are working from.



    Monday, June 2, 2008 3:26 PM
  • Are you not running a split-DNS configuration internally and externally for the same domain name?  You could get the same functionality (one URL regardless of location) but allow name resolution to connect to the desired hostname over the default ports.


    When changing services away from their default ports things can get much more complicated and tricky.


    Monday, June 2, 2008 3:45 PM
  • Thanks for your interest, Mike.  The intent of turning on the firewall on the local server was to gain an additional level of protection, since the server is pretty wide open internally without it.  We are using a web publishing rule from ISA to direct all traffic from our public address through the ISA server, and doing a translation of port 443 to port 444 for the SSL connection.  We are not using NAT; it is a routing rule at the firewall.

    Monday, June 2, 2008 8:17 PM
  • Thanks for your response, Jeff.  The only reason I can give for not running a split DNS set-up is that the original configuration documentation that I read suggested using an ISA server to do port translation on the External interface to Internal web server.  However, having done some quick testing going to the local FQDN website (which uses default SSL port 443), I am receiving the same result.


    It's an oddity, but I'm sure that eventually someone else will run into a similar situation.  We have not tried turning on the firewall at the OCS 2007 server because of concerns that it would just add another layer of complication.  I have not checked to see if that had added a template in for the Security Configuration Wizard (but, hopefully, it did on the initial installation).




    Monday, June 2, 2008 9:13 PM