Successmaker program not working behind Cisco SA520

Unanswered Question
Mar 4th, 2011

My customer is a small school in British Columbia. They have used the Successmaker program (written by Pearson Education) to teach numeracy and literacy skills. Since installing a SA520 the teachers are saying that Successmaker does not work properly.

I am at my wits end.

I have disabled content filtering for the SA520, I have disabled IDS on the SA520. I am using the default outbound firewall rule allowing inside addresses access anywhere on the Internet, and I have created an inbound firewall rule allowing all traffic and all services from the Successmaker server IP address that their tech support gave us. Their app is still unable to work properly.

What am I missing?

Before the SA520 was installed the school was using PAT to map different ports on the public IP on the school cable modem to inside addresses. The whole school was a big DMZ, and any port scanning would have reached into their network. The port mappings were never communicated to the Successmaker folks, so I doubt they were ever relevant to the issue. The Successmaker app is web based, and according to their tech support uses "transfer encoding: chunked" technology. I read up on this and it dates back pre Web 2.0 (pre Flash, pre Silverlight, pre basically the silicon chip). It is discussed in RFC 2616. The SA520 is Linux based, not IOS based. Does that mean that it does not understand RFC 2616? I doubt it, and even if it didn't understand RFC 2616, surely all the steps I have taken above would blow a hole the size of a barn door through the firewall?

If this weren't a school I would not be as emotionally connected as I am to their situation. Without this firewall they will be without much protection at all.

Can you help?

Message was edited by: dirkventer - I added the feedback received from Successmaker tech support. It suggests that the Cisco SA520 may be a problem, something I don't want to believe.

qumartin Fri, 03/04/2011 - 16:39

I am sorry that you are having this problem. I have read all the information that you provided. I think a good test would be to connect a PC to the DMZ port.

This is done by connecting a PC to the DMZ port. After making this connection you need to go to the GUI and click on "Networking" ==> Option Port ==> Option Port Mode. Change the port mode to DMZ and click Apply. Doing this will allow the PC to bypass all firewall rules, so you can see if the program works.

One other thing that you will need to do is make a firewall rule to allow the DMZ connection out to the WAN. This is done by going to Firewall ==> IPv4 Rules. Once on the page click on Add and just make a simple rule from zone DMZ to zone WAN. Leave the rest of the settings at their defaults and hit Apply.

Next thing to do is to check your program and see if it works.

Hope this was helpful!

Quendale

dirkventer Fri, 03/04/2011 - 17:18

Thanks for writing Quendale. I value your time and opinion. I will try it and see.

I am half worried that your suggestion will work. If it does then I need to find out what still needs to be done on the firewall to make a PC behind the firewall function like it might in the DMZ. There's nowhere I can see in the interface to open any more traffic between an Internet address and a PC. If the PC works in the DMZ as you suggest and there is nowhere else to open Internet traffic through the firewall then the firewall is breaking the application. That would be awful, as the only fix is to put all the school computers in the DMZ with nothing more than NAT to shield them.

It would also mean that (after disabling IPS and content filtering) the firewall rule allowing traffic in from an Internet address does not do what it says it does.

And that for me would be a big loss of confidence in this product. The school has requested a second SA520 for their branch but there is no way I can sell them something that does not do what it is configured to do. Successmaker is a popular teaching program, and many schools need content filtering; you would hope with this unit's capabilities it would be a good fit.

qumartin Fri, 03/04/2011 - 19:17

If this works for you please let me know and I will take a look at what firewall rules you currently have in place. I will do my best to see what has to take place to get the rest of your PCs working behind the SA500.

I hope that we can take care of your problem and make this a good experience for you.

Thanks for your response

Quendale

dirkventer Tue, 03/08/2011 - 09:10

Hi Quendale

I'm sorry to say that putting a student computer in the DMZ didn't resolve the issue.

In setting up the DMZ I made the following changes:

1) I confirmed that the Option interface was in DMZ mode, and that it had a static IP on a new subnet.

2) We also configured the DMZ DHCP to assign addresses in the subnet, using the firewall DMZ IP as default gateway, and using the firewall DMZ IP as DNS server.

3) I created a default firewall rule allowing all outbound traffic from the DMZ to the Internet, and created a firewall rule allowing all inbound traffic from the Successmaker server on the Internet (insecure) zone to the DMZ.

4) I confirmed that IPS was off for the DMZ (Default) and that the content filter exception for the DMZ was still disabled.

The same problem occurred, which makes me believe that the reason for the application not working in the LAN zone had nothing to do with IPS or content filtering. As far as the firewall rule goes, the impact of the inbound rule seems to have been the same - i.e. ineffectual.

Connecting the PC running Successmaker directly to the school cable modem works.

The possibility that the application in question has traffic blocked because of an RFC (2616?) governing the way GET and POST requests should be formatted would still exist so long as integrity/compliance checking of packets is something that cannot be bypassed via the firewall configuration. Suffice it to say that the application appears dated and uses nothing of Web 2.0. One of the options available to my customer is the purchase of the Web 2.0 version of Successmaker ($600/seat), but they are only prepared to explore this option if the indications are that the older application, not the firewall, is at fault. Pearson Education support swears blindly that thousands of BC school children continue to use the old app behind Cisco firewalls. I don't deny that the possibility exists that the Pearson support technician is stretching the truth: having an older application that has ceased to function with more sophisticated firewalls because RFC violations in packet formatting have become significant would doubtless present a solid easy sell for their upgraded version, which is expensive, especially for a school.

weilia Thu, 03/10/2011 - 09:31

We have checked over the Internet and were unable to find a trial version of Successmaker. We would request you to provide the following.

1. Topology diagram and setup details.
2. Download link if any or remote access to setup.

Regards,

Wei

dirkventer Fri, 03/11/2011 - 11:30

Hi Wei, thanks for writing.

The network is a single subnet, no VLANs, reserved addressing. The firewall was tried in the configurations described above.

The theory I ended up forming is that there is a level of checking in the firewall which precedes whitelisting, such as RFC 2616 compliance checking, and that packets failing it will be dropped before they are forwarded in terms of a whitelist.

I guess we can write this up as unresolved, as the school is buying the Web 2.0 version of Successmaker and the performance of the old version is now inconsequential as far as they are concerned.

tks,
Dirk

Posted March 4, 2011 at 2:50 PM