Can a client using one ISA server access a DMZ on a different server?
Can a client using one ISA server access a DMZ on a dif... - 4.Sep.2006 11:58:21 PM
Stevenrlong
Posts: 44
Joined: 26.Oct.2002
From: San Francisco
I started asking about this in a different forum. It likely belongs here. I have a multiple ISA 2004 Standard Edition environment with a split DNS. ISA1 is connected to its own router and fractional T3 supporting business applications, Email, Web server and outside DNS. ISA2 is on its own router and T1 and will support only employee outbound Internet access and inbound OWA and VPN and outside DNS.

I cannot get clients that are using ISA2 to connect to the web server in the DMZ that's part of ISA1. I can ping it, I can trace route to it, my nslookup resolves to the inside address (192.168.100.10), but my clients that use ISA2 can't connect to it. The connection times out with a 10060 HTTP status code with Error Information 0xc0 trying to use the External interface. As far as I can tell ISA2 is clueless about the DMZ on ISA1. If clients use ISA1 to access the web server, things work as expected. I think I've tried every possible setting in "Directly access these servers or domains" without luck.

Right now it comes down to one important question: Can a client using a second ISA server (ISA2) access a web server in a DMZ that's part of another ISA server (ISA1) without looping through the external interfaces?
RE: Can a client using one ISA server access a DMZ on a... - 5.Sep.2006 11:24:10 PM
Stevenrlong
Posts: 44
Joined: 26.Oct.2002
From: San Francisco
Sure,

            T1                           T1
        ----------                   ----------
        | Router |                   | Router |
        ----------                   ----------
             |                            |
        ------------                 ------------
  DMZ1 -|   ISA1   |                 |   ISA2   |- DMZ2
        | 10.0.4.1 |                 | 10.0.4.2 |
        ------------                 ------------
             |                            |
        ------------------------------------------
        |                 Switch                 |
        ------------------------------------------
                            |
        ---------------------------------------------------
        |                   10.0.4.254                    |
        |                     Router                      |
        |  10.0.0.0/22   198.199.32.0/24   198.199.33.0/24 |
        ---------------------------------------------------
             |                  |                  |
          Clients            Clients            Clients

The problem website is in the DMZ on ISA1. It is our business site and is published through ISA1. The internal website address is 192.168.100.10 and I can both ping and trace to it from any client, so I don't think it's a router issue. Clients configured to use ISA1 can get to the website 192.168.100.10 from any of the subnets. Clients that use ISA2 can't. Logs on ISA2 tell me that it is trying to reach the address 192.168.100.10 through the external interface of ISA2. Looks like my split DNS works great for ISA1 users and makes problems for ISA2 users.

-Steve
RE: Can a client using one ISA server access a DMZ on a... - 6.Sep.2006 3:16:43 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi Steven,

This can work. Just create a DMZ between the two ISA firewalls, then create routing table entries on each of the ISA firewalls so that they know the correct interface and gateway to use to reach the remote DMZs.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Can a client using one ISA server access a DMZ on a... - 6.Sep.2006 7:21:31 PM
Stevenrlong
Posts: 44
Joined: 26.Oct.2002
From: San Francisco
Thanks Tom,

Let me be clear in my understanding. Thankfully I have extra interfaces on both firewalls, so what I need to do is something like this:

Create a new DMZ on both ISA servers
Create a network rule that routes internal to DMZ
On ISA1 assign an address 192.168.200.1
On ISA2 assign the address 192.168.200.2

                         (192.168.200.1)           (192.168.200.2)
                        ------------              ------------
     DMZ1 --------------|   ISA1   |---- DMZ2 ----|   ISA2   |
  (192.168.100.0/24)    | 10.0.4.1 |              | 10.0.4.2 |
                        ------------              ------------

Or are you suggesting: I create a new DMZ on ISA2 and use an IP in the same subnet as the DMZ1 on ISA1 that has the website in, then add a route on ISA2:

route add -p 198.199.100.0 MASK 255.255.255.0 192.168.100.2

                         (192.168.100.1)           (192.168.100.2)
                        ------------              ------------
                        |   ISA1   |---- DMZ1 ----|   ISA2   |
                        | 10.0.4.1 |              | 10.0.4.2 |
                        ------------              ------------

The website that users need to connect to is 192.168.100.10.
RE: Can a client using one ISA server access a DMZ on a... - 7.Sep.2006 3:25:05 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi Steven,

Create the 192.168.200 network between ISA1 and ISA2.
Then create the routing table entries on each ISA firewall.
Create the appropriate ISA Firewall Networks on each ISA firewall.
Create the appropriate Network Rules on each ISA firewall.
Create the appropriate Access Rules on each ISA firewall.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
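As an added example (not code from the thread or from ISA Server itself), the script below simulates the longest-prefix route lookup ISA2 performs for the published site, once with the routing table implied by Steve's diagram and once after Tom's 192.168.200.0/24 inter-firewall segment and its route exist; the interface names and the upstream-gateway label are assumptions, the addresses are the ones given in the thread.

```python
import ipaddress

# Route table rows: (destination prefix, gateway or None if on-link, interface).
# Addresses are the ones given in the thread; the interface names and the
# upstream-gateway label are assumptions made for this example.
ISP_GW = "ISP-GATEWAY"  # placeholder: the thread never states ISA2's default gateway

ISA2_BEFORE = [
    ("0.0.0.0/0",       ISP_GW,       "External"),  # default route catches everything else
    ("10.0.4.0/24",     None,         "Internal"),  # ISA2 is 10.0.4.2 on this segment
    ("10.0.0.0/22",     "10.0.4.254", "Internal"),  # client subnets behind the LAN router
    ("198.199.32.0/24", "10.0.4.254", "Internal"),
    ("198.199.33.0/24", "10.0.4.254", "Internal"),
]

# Tom's fix: a 192.168.200.0/24 segment between the two firewalls (ISA1 = .1,
# ISA2 = .2) and a route for ISA1's DMZ across it, persisted on ISA2 with
#   route add -p 192.168.100.0 MASK 255.255.255.0 192.168.200.1
# ISA1 needs matching entries back toward ISA2's side so replies return across
# the same segment; stateful inspection drops a flow whose reply takes another path.
ISA2_AFTER = ISA2_BEFORE + [
    ("192.168.200.0/24", None,            "InterISA-DMZ"),
    ("192.168.100.0/24", "192.168.200.1", "InterISA-DMZ"),
]

def next_hop(table, dst):
    """Longest-prefix match: return (gateway, interface) chosen for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

WEB_SERVER = "192.168.100.10"  # the published business site in DMZ1

if __name__ == "__main__":
    # Before: only the default route matches, so ISA2 sends the request out
    # its external interface, which is exactly what Steve's ISA2 logs show.
    print("before:", next_hop(ISA2_BEFORE, WEB_SERVER))
    # After: the /24 for DMZ1 beats /0 and the packet crosses the new segment.
    print("after: ", next_hop(ISA2_AFTER, WEB_SERVER))
```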