Pre-blurb

About a week ago, I signed up for iRacing again, after letting my subscription lapse back in, oh, looks like 2008. Time flies!

Since then, I’ve been trying to get updates to install, but I’ve been having no luck with it – the update web page would just vanish when I ticked the updates I wanted and clicked Update.

(Actually, that’s the second symptom - at first I suspected a WPAD problem, as the update window would hang on a blank 127.0.0.1 address, but after disabling proxy settings, that stopped, and I simply didn’t get the updater working.)

One full OS reinstall (well hellooo crazy/hot SSD), UAC, Windows Firewall and AV shenanigans, and a bunch of file- and security-related fiddling later, I was trawling through the IracingService log (Iracingservice.out) and noticed a bunch of network-looking errors, including a 10054 socket error.

TMG logs also noted the 10054 (connection forcibly closed by remote host), so I got to thinking: Could this be another XBL-style HTTP/TCP thing where the Web Proxy filter gets upset?

In short: yes!  Cue obligatory “see-it-works-now” screenshot:

image

Oooooh. Ahhhhh.

Fixing It

I used a variation on the Xbox Live HTTP technique, to disengage the Web Proxy filter from Iracing.com, but constrained it by source IP (just my home gaming machine) and by target IP.

Toolbox Objects:

Computers:

  • RacingPod - Your client computer IP. It’s fixed, right? This can be skipped if you’re using DHCP, just specify the internal network – the Computer Set for Iracing will still “partition off” the relevant requests.

Computer Set:

  • IRacing IPs: the IP address of members.iracing.com (ping or nslookup for the current IP). I could have used a Domain Name Set, but I didn’t want to incur possible name resolution overhead on any HTTP request that might have matched these conditions. It will break when the IP changes, but I’m OK with that for now.

Protocol Definitions:

  • Xbox HTTP - TCP/80 Outbound, not based on HTTP base definition, not bound to the Web Filter. (That's the important part.) I’m reusing a protocol I created earlier for something else. See if you can guess what?

Rules (in this order)

  • Iracing Special HTTP – Access Rule,
    • Action: Allow
    • From: RacingPod
    • To: IRacing IPs
    • Protocol: Xbox HTTP (only)
  • Iracing Block Regular HTTP – Access Rule,
    • Action: Deny
    • From: RacingPod
    • To: IRacing IPs
    • Protocol: HTTP (only) – that’s regular HTTP, not the new special Xbox HTTP

These should be considered inseparable rules – move them as a single unit (shift-selecting allows you to move whole blocks of rules up and down, by the way – to quickly move these to the top, shift-select the other rules above them, then right-click and Move Down that group). Put them ahead of any general Allow rules – they will only affect traffic to Iracing’s Member site, only for the HTTP protocol, and should be very, very quick to process.

See the Notes on the Xbox post for the nitty-gritty on why this works. (This’d probably also work for ISA Server 2006 and ISA 2004, if it’s a problem for them, by the way).
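Because the IRacing IPs Computer Set is a hand-entered address, the allow rule keeps bypassing the Web Proxy filter for whatever host holds that IP after members.iracing.com moves. The script below is an added example, not part of the original setup: it compares the addresses you recorded against current DNS. The `203.0.113.10` value is a placeholder, the function name is made up for illustration, and the script never touches TMG itself.

```powershell
# Added example. Compares the IPs typed into the "IRacing IPs" Computer Set
# against what DNS returns now. Written to run on PowerShell 2.0 and later.
param(
    [string]   $HostName      = 'members.iracing.com',
    # Placeholder (documentation range): replace with the IPs in your Computer Set.
    [string[]] $ConfiguredIPs = @('203.0.113.10')
)

# Hypothetical helper: returns addresses that are configured but no longer
# resolved (Stale) and addresses resolved but not configured (Missing).
function Compare-ComputerSet {
    param([string[]] $Configured, [string[]] $Resolved)
    # Round-trip through IPAddress so formatting differences do not cause false drift.
    $cfg = @($Configured | ForEach-Object { [System.Net.IPAddress]::Parse($_).ToString() })
    $res = @($Resolved   | ForEach-Object { [System.Net.IPAddress]::Parse($_).ToString() })
    New-Object PSObject -Property @{
        Stale   = @($cfg | Where-Object { $res -notcontains $_ })
        Missing = @($res | Where-Object { $cfg -notcontains $_ })
    }
}

try {
    # IPv4 only: the rules above are built on a TCP/80 protocol and IPv4 addresses.
    $resolved = @([System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
} catch {
    Write-Error "Could not resolve ${HostName}: $_"
    exit 2
}

$diff = Compare-ComputerSet -Configured $ConfiguredIPs -Resolved $resolved

if ($diff.Stale.Count -gt 0) {
    # These still get unfiltered TCP/80 from RacingPod but no longer belong to the site.
    Write-Warning ("Remove from IRacing IPs: " + ($diff.Stale -join ', '))
}
if ($diff.Missing.Count -gt 0) {
    # Traffic to these hits the Deny rule's neighbours or the Web Proxy filter again.
    Write-Warning ("Not yet in IRacing IPs: " + ($diff.Missing -join ', '))
}
if ($diff.Stale.Count -gt 0 -or $diff.Missing.Count -gt 0) { exit 1 }

Write-Output "IRacing IPs matches DNS for ${HostName}."
```

Run it as a scheduled task; exit code 1 means the Computer Set needs editing, 2 means the name did not resolve.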

Caveat Racer

Threat Management Gateway probably isn’t called Fluffy Home Network And Gaming Gateway for a reason. It’s designed to mitigate possible security threats for corporate environments, not to get all UPnP-laissez-faire and cosy with strange remote hosts. But it’s kinda fun to force it to.