Kaseya Community

Kaseya Agent via ISA/Proxy Server

  • A client of ours has a Windows Small Business Server 2003 Premium R2 with 10 clients connected. The local IP address details are as follows:

    Server
    IP 192.168.123.1
    Subnet 255.255.255.0
    Gateway 192.168.123.10 (This is a Watchguard Edge Firewall)
    DNS 192.168.123.1

    This machine uses all the SBS2003 components, DHCP, DNS, ISA, Exchange etc.

    Client IP Addresses are granted via DHCP and a typical Address is indicated below:

    Client1
    IP 192.168.123.100
    Subnet 255.255.255.0
    Gateway (No Gateway Address Specified)
    DNS 192.168.123.1
    DHCP 192.168.123.1

    Client2
    IP 192.168.123.101
    Subnet 255.255.255.0
    Gateway (No Gateway Address Specified)
    DNS 192.168.123.1
    DHCP 192.168.123.1

    etc

    Each Client machine has the Microsoft Firewall Client installed and Internet Access is via the ISA/Proxy Server. Internet connectivity works fine.

    We have added a new protocol Rule for port 5721 on ISA Server as per recommended in previous posts, however the agents will not connect to our KServer. The only way we can achieve a connection is to modify the DHCP to point the gateway address to the server 192.168.123.1. However the customer is not happy as he sees it as a security risk and does not wish to have the clients needing a gateway address.

    Has anyone out there any tips on establishing a connection via an ISA Server, or am I trying to achieve the impossible.

    Regards

    Jason Quinn

    Legacy Forum Name: Kaseya Agent via ISA/Proxy Server,
    Legacy Posted By Username: ITTeam
  • Jason,

    Have you tried the ROUTE /? command from your command prompt.
    This afternoon we also had a problem with an agent which couldn't connect to our server.

    Our networkengineer opted the ROUTE ADD command.
    Works fine now.

    When you feel this information is helpfull, please let me know.
    Then I will question him tommorow and post the exact procedure.

    Regards,
    Rick

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: ISL
  • "route add" adds a gateway address.
    There's no added security risk in having a gateway address. It's incorrect configuration *not* having one ...

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: Lmhansen
  • depends upon the config but ISA in this situation is assuming that all traffic will go through using the client which is authoritive traffic. The kaseya agent usually will end up trying to connect via nonauth which ISA is blocking. I actually still have one client where we added a couple sets and rules to get the client to work properly. I can look tomarrow and post it.

    Don

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: Don.Bentz
  • Don
    If you can provide me with any more information I would be grateful
    Jason

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: ITTeam
  • ScreenShot014.jpg
    See the attached screen shots for how one of ours is setup.

    I was thinking there was a Kaseya KB on this but this should help. I was off a little the other day. Any request that can't get auth'd is then handled as an "Secure NAT" type connection. Linux, Mac's, anything that isn't logged into AD would run under this type of connection.

    So you will need:
    a protocol definition
    a outbound protocol rule4 for Kaseya4 agents.
    ip packet filter.

    This will allow anyonomus outbound without auth happening.

    Now these are all accounting that ISA is the primary Firewall and no other gateways are available. The Clients must also have the ISA servers IP as their gateway for this Secure Nat to function properly. Many ISA tips can be found at www.isaserver.org.


    Another issue you will have is for Windows Updates using the K Patching system. We had to add simular rules, such as content & content rule, protocol rule, destination set for that to work properly.

    Hope this helps.

    Don

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: Don.Bentz
  • ScreenShot015.jpg
    Attachment refers to previous post.

    Legacy Forum Name: ,
    Legacy Posted By Username: Don.Bentz
  • ScreenShot016.jpg
    Attachment refers to previous post.

    Legacy Forum Name: ,
    Legacy Posted By Username: Don.Bentz
  • ScreenShot017.jpg
    Attachment refers to previous post.

    Legacy Forum Name: ,
    Legacy Posted By Username: Don.Bentz
  • we've deployed about 70 SBS Premium servers and to be honest I thought I was the only person who used 192.168.123.1 as the server IP!!!!!

    The clients MUST have a DG of 192.168.123.1 to point to ISA and get out, and make sure your watchguard has that port opened outbound. THAT IS YOUR ISSUE! Trust me!

    We breathe ISA and are now moving to Untangle as SBS will not have a firewall. Consider moving from Watchguard as Untangle works well with K.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: markmancini