Welcome to ISAserver.org

Cannot publish web site

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Publishing] >> Web Publishing >> Cannot publish web site

Page: [1]

Message

<< Older Topic Newer Topic >>

Cannot publish web site - 14.Dec.2007 2:08:04 AM

jrobinson

Posts: 4
Joined: 29.Oct.2007
Status: offline

I am trying to resolve an issue with creating a web publishing rule and need help.

Here is a description of our network.

I have ISA2006 std running on W2K3 std edition with all patches and KB's applied.

The ISA is configured as a 3-leg perimeter (although we have nothing connected to the DMZ at present and the i/f is disabled).

The external i/f (172.20.x.x) is connected to our managed WAN via a Cisco 2950 series router and this segment also has a diagnostic PC attached (for debuuging ISA rules etc).

The internal i/f (192.168.x.x) is connected to our LAN where we have ~500 PC clients, 8 servers and numerous web enabled devices most of the workstations have addresses assigned via DHCP (Static for the Servers, Printers, WAP's etc)

I have a public IP address routed onto the external i/f and is being resolved correctly via Public Nameservers and in the form www.domainname.tld

I want to publish a webserver hosted on our LAN to the Internet and access it using the Public address above.

My initial tests to get familiar with ISA 2006 web publishing was to take a simple webserver which already exists on our LAN and publish it.

Here is a description of the problem

Clients on the LAN are able to access all LAN based webservers OK by using any of the following http://machinename or http://machinename.domainname.local or http://192.168.x.x (thanks phil for your reply to my previous post)

I picked a simple apache-based server and created a web publishing rule using the Publish Web Sites wizard giving the following responses:

name=test
action=allow
type=publish single web site or load balancer
server connection security= use non-secured (I haven't sorted out our ssl cert yet)
internal details=machinename (this is what we type into LAN client browser to connect), I tick the use a computer name or ip add and use the browse to pick the machinename from active directory which then completes the field with machinename.domainname.local
internal publishing details=no changes default blank 'next'
public name details= change Accept requests for to Any domain name, no other changes
Select web listener= Http (created with n/w external, port(http)80, port(https)disabled, Auth=No Auth
Auth Delegation= No delegation but client may auth directly
User sets=All users

The ISA rule changes have been applied

I know that the rule is not very 'tight' but wanted to get something working and then improve security.

When I try to access the published website from the Internet I get a message from the Cisco ACNSS software saying:

While trying to retrieve the URL http://machinename.domainname.local/

The following error was encountered

Unable to determine IP address from hostname for unknown server name

When I try to access the published site from the diagnostic PC connected on the external i/f I get the same message.

It is almost as though the HTTP request is hitting the external i/f and is being bounced back out as a request on the WAN looking for an internal domain name on the external i/f.

I suspect that either previous work on the ISA and/or changes to existing rules may be affecting the ISA's behaviour.

Please can you give me some pointers on what to do next to check, diagnose and hopefully resolve this issue.

TIA as always.
Julian

update 15 Dec 07

I have now checked the 3 NIC settings and bindings to confirm that they are correct as per your tutorials. No issues found.

I have also noticed that attempts to access the internal website using IE on the ISA machine itself using either http://machinename or http://192.168.x.x also result in the failure message from the ACNSS s/w on the WAN i/f being displayed.

Can anyone tell me how to check the IP Routing please?

< Message edited by jrobinson -- 15.Dec.2007 9:57:23 AM >

Post #: 1

Featured Links*

RE: Cannot publish web site - 27.Dec.2007 7:12:24 PM

jrobinson

Posts: 4
Joined: 29.Oct.2007
Status: offline

Found and Fixed the problem.

Whilst awaiting an answer from the forum I decided to try and diagnose/fix this issue myself by going over everything one more time plus trying to use the ISA debugging tools.

I went back to basics and started by setting up a live query to monitor port 80 requests received on the external i/f in logging tab on ISA monitor section and turning on diagnostic logging from the troubleshooting section -> trying to access internal webserver from the test client -> getting failure message on client then reviewing ISA diagnostic logging in event log using timestamps from the live query. Stepping through the event log info shows the tests performed on the packet and any actions taken.

Hey Presto! One of the event log entries showed that the default web chaining rule (which was enabled) was referring all requests to an upstream proxy. This rule had been setup this way because we are compelled to route all client requests through this upstream proxy as part of our webfiltering service. This would seem to explain the incoming requests appearing to 'bounce' off of the external i/f.

Adding a new web chaining rule above (before) the Default Rule to route requests to the internal webserver 'direct' rather than 'upstream' has fixed the problem.

I am posting my method, findings and solution here for the benefit of others who may be experiencing the same sort of problems with web publishing in the hope that it may help in effort to resolve.

(in reply to jrobinson)

Post #: 2