today I´ll post an article about an application that gives a lot of headaches for system administrators in Brazil. This is not exclusive for ISA firewalls administrator, but other systems either. Since this blog is intend to talk about Microsoft products, I will show how it´s done in ISA firewall. 😉
The name of this application is Conectividade Social –Conexão Segura (Secure Connection).
Although, this is most intended to Brazil´s ISA firewall administrators, it has some tips to configure ISA firewall for likely applications around the world. Don´t stop here continue reading. J
Conectividade Social is an application that allows Brazil´s companies to exchange employees’ related information with a federal bank in Brazil (Caixa Econômica Federal – CEF).
How the application works?
There is two ways to access the application:
The first one, you have to install a program on the user´s desktop.
The second one, you “just” have to access the URL http://cmt.caixa.gov.br/ search for the digital certificate provided by CEF, insert password and voilà (well, at least it was mean to be like that, I think!).
Setup the client-side application
The first access method
It is very easy to configure, once the application is installed you just have to create a custom protocol in ISA firewall allowing the port TCP Outbound 2631.
The second access method
It is a nightmare!! Besides the firewall (server-side) configurations, you still have to do A LOT OF client-side changes! Argh!! You need to allow TCP Outbound 80.
Let´s start on client-side. The link below provides a step-by-step procedure to configure the client machine:
From a very interesting blog post: http://blog.escritoriobrum.com.br/2009/01/07/erro-conectividade-social/ (portuguese)
I couldn´t find on the CEF web site. Maybe they removed from there, because it was very old.
After all steps accomplished, it´s time to access the application. Okay, you open Internet Explorer web browser, go to http://cmt.caixa.gov.br/, you prompted to install an ActiveX control to encrypt the connection between your browser and CEF web application (Conexão Segura). When you install it, fill the form requirements and click on Login button.
After sometime, you receive an error message:
“Failed to exchange keys with the Gateway”
You question yourself – “What!? Why!? The TCP Outbound 80 port is allowed!”
The problem here is not about ports or protocols, it all about ISA Server Web Proxy Filter. The web application MUST have no intervention when exchanging keys with Conexão Segura web application. The connection is encrypted using an ActiveX control that requires a direct connection, no proxy (no intermediation). Since every web request is intercepted by Web Proxy filter for inspection, the connection fails.
Setup the server-side
The Common Solution
Most of the web sites about ISA firewall recommend (disable) unbind the Web Proxy filter from HTTP protocol. This setting allows the client machine bypass the Web Proxy filter, clearing the connection until Conexão Segura application server.
The solution works, but have some disadvantages:
– You cannot use Configure HTTP option for access rules or web publishing rules anymore. Although, this does not affect the behavior of HTTP Filter application inspection;
– You cannot benefit from caching.
The Real Solution
There´s other ways to bypass the Web Proxy filter without need to unbind it from HTTP protocol. ISA firewall has a feature called DirectAccess.
Assuming you already published Automatic Discovery information for Internal Network.
Open the ISA firewall console and go to Configuration node – Networks node – Networks tab.
Right click on Internal Network and select properties. Configure you Web Browser tab like the following:
Now go to Firewall Policy node and create the following access rules:
Port 80 No Filter – TCP Outbound 80. Don´t select Web Proxy filter and select NO on Secondary Connections page.
Conn_Social – TCP Outbound 2631.
The computer object cmt.caixa.gov.br is the IP (220.127.116.11) of CEF web site (For some reason it does not work with URL set, I think it is because the Web Proxy filter is disabled on this protocol, thus ISA does not perform reverse DNS).
The computer object Conectividade Social is the IP (18.104.22.168) of Conexão Segura application.
The computer object Conectividade Social2 is the old IP (22.214.171.124) of Conexão Segura application. I put it there in case they change it back.
Note that you need to create new protocol, Port 80 No Filter, to allow direct access to web application.
Now you ready to go!
Access the Conexão Segura web application and enjoy it!
Today I presented how to configure the client and server to access Conexão Segura web application through ISA firewall. The most important was that we did not disable any ISA feature, instead used a nice one!
I hope this was great reading for you and make your life easier about this particular CEF application or other related.