Connecting applications from DMZ to Internet on non-standard ports

Connecting applications from DMZ to Internet on non sta... - 22.Mar.2010 3:16:35 PM   
javila

Posts: 7
Joined: 29.Mar.2005
Status: offline
Hi,
I've been searching for information about my case without success.

I have a small network. In front I have an ISA 2004, and behind it are the LAN and a DMZ. On the DMZ there is a W2k3 server with IIS that hosts an application.
This app offers services to both the Internet and the intranet; at this point all works OK.

Now I have a new goal: to consume a web service on the Internet from my web server on the DMZ via 8081 and 8081 with SSL.

I have made the configuration to use TPR, and from the LAN all works OK, but it fails from the DMZ. My counterpart on the other (company) servers says something about "configure ISA with references to work with those ports", but I don't know what he means.

From the DMZ I can reach the Internet web server's ports via an access policy combined with a listener on the DMZ that "redirects" all connections to the Internet web service using Telnet, but not with the web application.

Is there anything I'm missing? Maybe the approach? Is it safe to make this connection from the LAN?
Thanks in advance.

Javier
Post #: 1
Aditional info - 25.Mar.2010 10:38:45 AM   
javila

Posts: 7
Joined: 29.Mar.2005
Status: offline
Guys,
Additional info:

I am working with the counterpart, who tells me that my web server is actually contacting his web server, but with the internal IP 192.168.1.10. So maybe there is the problem: my internal DMZ needs to use the only public IP that I have on my network, which is already assigned to my Exchange server on the LAN. That way my public IP will reach the Internet web server and the transaction will work.

Any ideas from here?
Regards

Javier

PS: sorry, English is not my original language.


< Message edited by javila -- 25.Mar.2010 10:40:01 AM >

(in reply to javila)
Post #: 2
RE: Aditional info - 25.Mar.2010 2:15:43 PM   
pwindell

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It is completely impossible that your machine would ever reach the other machine with an RFC address, because it would never get past your ISP. It would be dropped at the first Internet router it came to.

So your counterpart is misinterpreting what he is seeing.

If your Web Application is the one that is telling him the source address, then there is a serious design flaw in the web application.

_____________________________

Phillip Windell

(in reply to javila)
Post #: 3
RE: Aditional info - 25.Mar.2010 2:18:04 PM   
pwindell

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You also cannot use SSL on odd-ball ports by default. The first choice is always to keep SSL on the standard 443 port.

To use different ports you must do this:

Managing Tunnel Port Ranges
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/managingtunnelports.mspx

GUI Tool for managing Tunnel Port Ranges
http://www.isatools.org/tools.asp?Context=ISA2004

_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 4
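The tunnel port range change that the links above describe can be scripted against the ISA 2004 COM administration objects. The following VBScript is an added example, not code from the thread, Microsoft, or the isatools.org tool; it assumes the FPC.Root object, the FPCTunnelPortRanges.AddRange method and the TunnelLowPort/TunnelHighPort properties as the ISA 2004 SDK documents them, and uses 8081 (the port asked about in this thread) as the port to add.

```vbscript
' Added example: allow Web proxy SSL tunnels (CONNECT) to TCP 8081 on ISA 2004
' by adding a single-port tunnel port range, after first checking whether the
' port is already covered. Run with cscript on the ISA server as an admin.
' Assumed API: FPC.Root, ArrayPolicy.WebProxy.TunnelPortRanges, AddRange,
' and the TunnelLowPort/TunnelHighPort properties of each range.
Option Explicit

Const NEW_PORT = 8081            ' port from the thread (assumed value)
Const RANGE_NAME = "SSL 8081"    ' constructed label for the new range

Dim isa, tpRanges, rng, found
Set isa = CreateObject("FPC.Root")
Set tpRanges = isa.Arrays.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges

' List what is already allowed so the change is visible and auditable.
WScript.Echo "Existing tunnel port ranges:"
found = False
For Each rng In tpRanges
    WScript.Echo "  " & rng.Name & ": " & rng.TunnelLowPort & "-" & rng.TunnelHighPort
    If NEW_PORT >= rng.TunnelLowPort And NEW_PORT <= rng.TunnelHighPort Then
        found = True
    End If
Next

If found Then
    WScript.Echo "Port " & NEW_PORT & " is already covered; nothing to do."
Else
    ' Add only the single port needed rather than a wide range, so the
    ' amount of traffic the proxy cannot inspect stays as small as possible.
    Set rng = tpRanges.AddRange(RANGE_NAME, NEW_PORT, NEW_PORT)
    tpRanges.Save
    WScript.Echo "Added range '" & RANGE_NAME & "' for TCP " & NEW_PORT & "."
End If
```

Re-run the script afterwards to confirm the new range is listed; the ISA Firewall service picks up the saved policy without a restart.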
RE: Aditional info - 25.Mar.2010 4:42:17 PM   
javila

Posts: 7
Joined: 29.Mar.2005
Status: offline
Hi,
quote:

You also cannot use SSL on odd-ball ports by default. The first choice is always to keep SSL on the standard 443 port.

Please explain why not?

quote:

To use different ports you must do this:

Managing Tunnel Port Ranges
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/managingtunnelports.mspx

GUI Tool for managing Tunnel Port Ranges
http://www.isatools.org/tools.asp?Context=ISA2004

Yep, I did that at the beginning, thanks for noting it.

Thank you.

(in reply to pwindell)
Post #: 5
RE: Aditional info - 25.Mar.2010 4:53:49 PM   
pwindell

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

You also cannot use SSL on odd-ball ports by default. The first choice is always to keep SSL on the standard 443 port.

Please explain why not?

When ISA was first developed it was considered to be a security risk to run SSL on anything other than the standard port, because the firewall/proxy (by design) could not verify the stream content due to the encryption. There was an RFC Draft at the time that recommended restricting SSL to 443, and MS chose to follow it. They even quoted the draft and gave a link to it in their KB article describing the situation at the time. So MS Proxy Server v1 & v2, ISA 2000, ISA 2004, and ISA 2006 had SSL "locked" to 443.

I believe the Draft was never ratified. MS has changed their KB Article. MS then came up with the GUI Tool for adjusting the Tunnel Port Range, after everyone probably got tired of using a script that they first gave out.

I don't know how MS handled TMG with respect to this.
_____________________________

Phillip Windell

(in reply to javila)
Post #: 6
RE: Aditional info - 25.Mar.2010 5:03:16 PM   
SteveMoffat

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Jim Harrison came up with the port tool....

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to pwindell)
Post #: 7
RE: Aditional info - 25.Mar.2010 5:06:14 PM   
pwindell

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Yea. I'm pretty sure he came up with the earlier script that the GUI Tool is based on too. Heck, I think he came up with most of the ISA scripts... he is on the ISA Team... he has an unfair advantage over all of us.

_____________________________

Phillip Windell

(in reply to SteveMoffat)
Post #: 8
RE: Aditional info - 26.Mar.2010 10:49:27 PM   
javila

Posts: 7
Joined: 29.Mar.2005
Status: offline
And what happens if I buy another public IP from my ISP? Can I assign that new public IP to my private DMZ and turn it public? And then publish it as a public web server from the DMZ?
It looks to me like I will have 2 LANs with a public IP on each.
What do you think?
Can ISA handle this?

Thanks.

(in reply to pwindell)
Post #: 9