3-Homed DMZ problem with in-place upgrade from ISA2000
3-Homed DMZ problem with in-place upgrade from ISA2000 - 1.Nov.2004 7:18:00 PM
dulouz
Posts: 29
Joined: 23.Apr.2002
Status: offline
Hello all, first, I apologize for the dummy questions: I didn't have much time to get deeper into ISA Server 2004, but I have an urgent issue which needs to be fixed. I have a network architecture at one of my customer's sites as described in the following topic: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=9;t=000558 which I finally got running fine thanks to precious suggestions from Spouseele.
As may be read from the thread, I had to server publish an FTP server on the DMZ interface and use a static route to make it work (as suggested by Stefaan: "server publish the FTP server on the DMZ interface").
Now, after performing an in-place upgrade with ISA Server 2004, I have the following 2 issues:
1) The server publishing rule used to publish the FTP server on the DMZ interface returns the following error:
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21174
Date: 01/11/2004
Time: 18.10.32
User: N/A
Computer: PERCIVAL
Description: Server publishing rule [ISA37: FTPDmz (Ftp/DMZ)] failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Location 325.871.4.0.2161.50. For more information about this event, see ISA Server Help.
2) I had 2 packet filter rules to allow an L2TP server to listen on the DMZ interface, one inbound, one outbound. Although they both seem to have migrated correctly, the following warning is shown in the rule description:
Note: An ISA packet filter rule with bidirectional protocols mapped to two ISA Server 2004 access rules.
3) I get this error, which seems dependent on the static route configured on the machine (details in previous post link).
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Date: 01/11/2004
Time: 19.37.46
User: N/A
Computer: PERCIVAL
Description: ISA Server detected routes through adapter "EXT" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.2.0-192.168.2.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.
I am not sure how to deal with no. 2 and 3, and I'd need a hint on no. 1. I'd be grateful for any suggestions. Thank you!
[ November 01, 2004, 07:35 PM: Message edited by: dulouz ]
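As an added illustration (not part of the original posts, and not ISA Server's own code), the consistency rule stated in the Event ID 14147 text can be checked by hand: the address ranges routed through an adapter and the ranges of its network element should be in both or in neither. The route list and network ranges below are constructed sample values, not the poster's configuration, and `conflicts` is a hypothetical helper name.

```python
import ipaddress

def to_intervals(ranges):
    """Parse CIDR or 'start-end' strings into merged, sorted integer intervals."""
    raw = []
    for r in ranges:
        if "-" in r:
            lo, hi = (int(ipaddress.IPv4Address(x.strip())) for x in r.split("-"))
        else:
            net = ipaddress.IPv4Network(r)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        raw.append((lo, hi))
    merged = []
    for lo, hi in sorted(raw):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def subtract(a, b):
    """Return the parts of intervals a that no interval in b covers."""
    out = []
    for lo, hi in a:
        cur = lo
        for blo, bhi in b:
            if bhi < cur or blo > hi:
                continue
            if blo > cur:
                out.append((cur, blo - 1))
            cur = bhi + 1
            if cur > hi:
                break
        if cur <= hi:
            out.append((cur, hi))
    return out

def conflicts(adapter_routes, network_ranges):
    """Ranges present in the routes or in the network element, but not both."""
    r, n = to_intervals(adapter_routes), to_intervals(network_ranges)
    diff = sorted(subtract(r, n) + subtract(n, r))
    return [f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}" for lo, hi in diff]

if __name__ == "__main__":
    # Constructed sample: a static route sends 192.168.2.0/24 through the
    # adapter, but the adapter's network element only lists 10.0.0.0/24.
    routes = ["10.0.0.0/24", "192.168.2.0/24"]
    network = ["10.0.0.0-10.0.0.255"]
    print(conflicts(routes, network))
```

An empty result means the routing table and the network element agree for that adapter; any range returned has to be added to or removed from one side.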
RE: 3-Homed DMZ problem with in-place upgrade from ISA2000 - 3.Nov.2004 12:21:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dulouz,
Do you have a network diagram and a display of your firewall policy?
Thanks! Tom
RE: 3-Homed DMZ problem with in-place upgrade from ISA2000 - 4.Nov.2004 4:42:00 PM
dulouz
Posts: 29
Joined: 23.Apr.2002
Status: offline
Dear Tom, thanks for your interest.
You can find the network diagram in this thread:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=9;t=000558
The rule with the problem was used in ISA Server 2000 to do a server publish on the DMZ of an application using port 1236 TCP. This rule is needed to allow the "gprs device" (see diagram) to access a server published from the LAN to the DMZ. Here are the details of the rule as it was in ISA2000:
General
NAME: WSA Server
Action
IP ADDRESS OF INTERNAL SERVER: 192.168.1.15
EXTERNAL IP ADDRESS ON ISA SERVER: xxx.yyy.66.134
MAPPED SERVER PROTOCOL: WSA Server (1236)
Here follows the rule as it has been migrated in ISA2004 (this is the rule causing the error specified in my previous post):
ACTION: allow
TRAFFIC: WSA server (1236)
FROM: external
TO: 192.168.1.15
NETWORKS: DMZ > xxx.yyy.66.134
Please let me know if you need further details. Thanks!
dulouz
RE: 3-Homed DMZ problem with in-place upgrade from ISA2000 - 14.Nov.2004 5:48:00 PM
dulouz
Posts: 29
Joined: 23.Apr.2002
Status: offline
Hello Tom, do you need more details? Can you please help?
Thank you