Sunday, November 2, 2008

How To Get Xbox To Not Be So Strict

I was reading Stepto's blog about Microsoft design and deployment challenges and I have to say, it's a real eye opener, particularly an example of the challenges Microsoft itself has with using the Xbox LIVE service through its own corporate firewall product.

Set up an Xbox on a network that goes through an ISA Server 2000, 2004 or 2006 to get to the internet.
Set up ISA Server to allow ALL traffic.
Do the Xbox LIVE Connection test and note that the NAT type is "strict".
Wait 5 years for these two teams to talk to each other.
Do the Xbox LIVE Connection test and note that the NAT type is still "strict".

Thanks, that explains a lot about the pain I went through :)

Not to dispute the distortion field he discusses in his blog (I think he has it spot on), but for the Xbox LIVE example above, isn't this actually indicative of something wonky with the Xbox LIVE protocol itself? I actually suffer from a similar distortion field for security products, and have had the pleasure of setting up Xbox LIVE on what would be considered 'corporate' level firewalls (NOT an ISA server), so I am amused to see Microsoft having the same challenges with its corporate firewall product as I do with mine. In order to use the Xbox LIVE service as 'open' (and therefore actually connect to all the games you are paying to access) you need to buy a 'certified Xbox LIVE friendly' router. Why would they do this to home users? I searched all over for how to do it, and could not find details on how Xbox LIVE actually works. And since I had a very advanced firewall technology at hand, I did not appreciate having zero information on how to at least try to configure it.

So for those of you who have advanced firewall technologies, know what they do, and just want to play some games without having to buy something else: here you are. For those of you who don't quite grasp what I am saying next... err... I guess buy the router with the Xbox LIVE stamp. Microsoft needs the money.

To get past the 'strict' issue you have to maintain the same TCP source port when forwarding the packet to the internet (NAT configurations traditionally change this field to maintain the table of what goes where). I don't understand, at a TCP level, why Xbox LIVE would bother checking this. Before you rush out to buy a 'certified' router that can handle Xbox LIVE, just see if yours can NAT without changing the source port, and you, too, can be Xbox LIVE friendly. To sum it up, it needs to be a static NAT with no change to the source port. You can still do this with a hide NAT behind a single IP (I'm doing it now) by setting up the inbound NAT forwarding through a catch-all rule: if you are forwarding ports for other services (such as web, email, or FTP, if you are running those as well), filter those out first, then forward everything else in through the firewall.
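As an added illustration (not code from the post), here is a toy NAT that either preserves or rewrites the source port, plus a STUN-style probe that classifies the result the way the post describes: the console tells the server which local port it used, the server reports the port it actually saw, and the mapping counts as "open" only if the two match. The classification rule, the addresses and the use of port 3074 (the port Xbox LIVE is commonly documented to use, not stated in the post) are assumptions; it also shows what the post does not, namely that a second host using the same source port forces a rewrite and drops back to "strict".

```python
# Added example, not from the original post: a minimal NAT model that
# shows why a port-preserving (static) translation passes the "open"
# check while a port-rewriting NAT shows up as "strict".
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed sample public address (RFC 5737)


@dataclass
class Nat:
    preserve_port: bool          # True = static NAT, keep the source port
    next_port: int = 40000       # pool used for rewritten or colliding ports
    table: dict = field(default_factory=dict)   # (inside ip, port) -> outside port

    def translate(self, int_ip: str, int_port: int) -> tuple[str, int]:
        """Map an inside (ip, port) to the (ip, port) seen on the internet."""
        key = (int_ip, int_port)
        if key not in self.table:
            in_use = set(self.table.values())
            if self.preserve_port and int_port not in in_use:
                ext = int_port           # same port outside as inside
            else:                        # rewrite, or collision: take from pool
                while self.next_port in in_use:
                    self.next_port += 1
                ext = self.next_port
                self.next_port += 1
            self.table[key] = ext
        return PUBLIC_IP, self.table[key]


def probe_nat_type(nat: Nat, int_ip: str, int_port: int) -> str:
    """STUN-style check (assumed rule): the host reports the local port it
    sent from, the server answers with the port it saw; 'open' only if equal."""
    _, seen_port = nat.translate(int_ip, int_port)
    return "open" if seen_port == int_port else "strict"


if __name__ == "__main__":
    xbox = ("192.168.1.50", 3074)   # constructed inside address, assumed port
    print(probe_nat_type(Nat(preserve_port=False), *xbox))   # strict
    shared = Nat(preserve_port=True)
    print(probe_nat_type(shared, *xbox))                     # open
    print(probe_nat_type(shared, "192.168.1.51", 3074))      # strict (collision)
```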

Of course this is not a safe thing to do from a network perspective, and the new Microsoft, who is supposed to be concerned about user safety, could have done the protocol setup a whole lot better and safer (SSL-tunnel the various protocols through a single service port, anyone?). I had to figure this out through trial, error and protocol analyzers. When I asked about this not-so-safe reality, Stepto himself recommended a DMZ to segment the Xbox from the rest of the network. Great idea, until you try to use the media extender on a local XP or Vista machine, and now I have a lovely proxy into the network from my unsecured game server. Not good, Microsoft. Not good at all.

Lucky for you, Xbox, I love those games, so after weighing the risks versus the rewards I have reached an acceptable level of deployment risk. I love my gaming machine; too bad I won't be trying out any of the media extensions. I see there is a new Xbox LIVE update coming; perhaps instead of creating Miis for us, you could consider tightening up your LIVE protocols? I don't really expect this to happen (I'm guessing I'm the only one who cares), but it's a great example that, for all the press Microsoft uses to show us how important user security is to them, it's still the same old Microsoft.
