DMZ Communication Breaks with NLB

DMZ Communication Breaks with NLB - 16.Sep.2006 10:21:08 PM   
Merddyn

First, the configuration:

Presently have 2 ISA 2004 Enterprise Edition systems configured in an array.

Clean (internal) Network - 10.x.x.x - Integrated NLB is engaged and functional - one physical IP and one VIP is tied to this NIC
DMZ (external) Network - 172.27.7.x - INLB is off - 3 physical IPs are tied to each ISA Node
Private (crossover) Network - 2.x.x.x - INLB is off - Used as dedicated connection for SQL server logging and has a single IP

One IP on each ISA is the primary IP, and one ISA node of the two is used for web publishing over its primary IP. In our DMZ we have a Netscaler appliance that is performing SSL load balancing with one DNS zone pointed to each of the remaining IPs on the ISA nodes. This is because we have need of multiple SSL DNS zones with some overlapping.

www.zone1.com points to PIX which NATs to primary IP of ISA Node B (ISA Node A has its primary IP tied to the same publishing rule to keep it from griping) and hosts both HTTP and HTTPS using the public cert for www.zone1.com.

www.zone2.com points to PIX which NATs to our Netscaler appliance and load balances between another set of IPs on the ISA array and holds the public cert. The listener on ISA is an enterprise CA generated wildcard cert for *.zone2.com.

www.zone3.com is configured the same as zone2 using the remaining pair of IPs on the ISA array.

ISA sits behind the PIX firewall and has full outbound access in the PIX ACLs to the outside world and appropriate rules set up to allow web publishing inbound over 80 and 443.

In this configuration everything is working and users get out and web publishing comes in and everything seems happy.

The problem:
We have servers in our DMZ that have services such as SSH that, in my experience, aren't too pleased with being NATed. Today, these are accessed via static-IPed clients with firewall ACLs and manual bypasses set up in their client to allow them to reach the DMZ systems without going over ISA, which doesn't work no matter how much I have tried. In addition, we have web sites that must remain published to the internet even if one node of ISA goes offline (let's disregard the fact that there is only one webserver... they just don't want the failure to be ISA), and since ISA is designed to be able to handle this aspect via INLB, it was determined to use this rather than having to make an excessive number of firewall changes for the 54 websites presently published through ISA in order to use Netscaler.

My answer to the above needs:
Install an additional NIC on each ISA node and connect it to a new 'special' DMZ segment that is 172.27.31.x (I'll call this 'ODMZ' for Outbound DMZ) to route outbound traffic over (this is primarily to make our InfoSec team feel warm and fuzzy and also to separate the bandwidth of inbound vs. outbound), and convert the existing DMZ segment to a perimeter leg with routing and INLB.

Where I am stuck:
I have managed to convert the existing DMZ to a perimeter (or IDMZ - Inbound DMZ) and get all outbound traffic flowing out the new ODMZ segment while leaving web publishing on the IDMZ (which is now a routed perimeter network). In this configuration publishing works and outbound proxy works. I decided to use the existing primary IDMZ IP from ISA Node B and assign a new primary IP, as all of the PIX configurations are already set for that IP. I removed the old IP and added the new one as primary on the IDMZ, rebooted, and then engaged INLB using the previously removed IP as my VIP.

Unfortunately, when I turn on INLB on the IDMZ, all traffic stops reaching or leaving ISA from the perimeter network. Pings to the physical ISA IPs from another system in the IDMZ don't work (and yes, I turned ping capability on first for the system I was using to test) and web publishing doesn't work, though outbound traffic was still fine on the ODMZ. I had no errors in ISA or the event log that indicated a problem, but I still could communicate through this interface. This also happened when I had previously attempted to simply turn on INLB on the external interface, but I had assumed I just wasn't supposed to use INLB on the external interface, and so with the business requirements mentioned above I thought this might be a better way.

The only thing I have found anywhere that might be a problem is the present unknown of whether the PIX is blocking the flooding required by NLB but I somehow doubt that is the issue (our network team is looking into it). Any ideas on another approach or what I might be overlooking?

Thanks in advance - Chris
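
Added example (editor's code, not part of Chris's post): a small checker for the "is the switch or PIX flooding what NLB needs" question. Windows NLB derives the cluster MAC from the four octets W.X.Y.Z of the VIP: 02-BF-W-X-Y-Z in unicast mode (the mode ISA Server 2004's integrated NLB uses), 03-BF-W-X-Y-Z in multicast mode and 01-00-5E-7F-Y-Z in IGMP multicast mode. In unicast mode NLB also replaces each node's adapter MAC with that shared cluster MAC, so the nodes' dedicated IPs resolve to the same 02-BF address as the VIP and the switch can never learn a single port for it; with MaskSourceMAC on, a node additionally sends from 02-h-W-X-Y-Z, h being its host priority. The script computes the expected addresses for a VIP, parses a Windows `arp -a` listing taken on a neighbouring perimeter host, and reports which NLB mode (if any) each entry is consistent with. The VIP 172.27.7.10 and the ARP listing are constructed for the example; the post does not give the real VIP.

```python
"""Check what a neighbour's ARP cache shows for an NLB VIP and its nodes.

Added example for the thread above. NLB cluster MAC derivation, from the
cluster IP W.X.Y.Z:
  unicast mode:        02-BF-W-X-Y-Z  (every node's NIC adopts this MAC, so a
                                       learning switch has to flood frames for it)
  multicast mode:      03-BF-W-X-Y-Z
  IGMP multicast mode: 01-00-5E-7F-Y-Z
Unicast mode with MaskSourceMAC: a node sends from 02-h-W-X-Y-Z, h = host priority.
"""
import ipaddress
import re


def _vip_tail(vip: str) -> str:
    w, x, y, z = ipaddress.IPv4Address(vip).packed
    return f"{w:02x}:{x:02x}:{y:02x}:{z:02x}"


def nlb_cluster_macs(vip: str) -> dict:
    """MACs Windows NLB derives from the cluster IP, keyed by operating mode."""
    tail = _vip_tail(vip)
    y, z = ipaddress.IPv4Address(vip).packed[2:]
    return {
        "unicast": f"02:bf:{tail}",
        "multicast": f"03:bf:{tail}",
        "igmp": f"01:00:5e:7f:{y:02x}:{z:02x}",
    }


def normalize_mac(mac: str) -> str:
    """Accept Windows 02-BF-.. or Unix 02:bf:.. notation; return lower-case colon form."""
    return mac.strip().lower().replace("-", ":")


def classify_mac(vip: str, mac: str) -> str:
    """Name the NLB mode a MAC seen for `vip` is consistent with.

    Returns 'unicast', 'multicast', 'igmp', 'unicast-masked-source:<host priority>'
    or 'not-nlb' (an ordinary NIC MAC, e.g. a router or a non-clustered host).
    """
    mac = normalize_mac(mac)
    for mode, expected in nlb_cluster_macs(vip).items():
        if mac == expected:
            return mode
    # MaskSourceMAC source address: 02-h-W-X-Y-Z with h the node's host priority.
    masked = re.fullmatch(r"02:([0-9a-f]{2}):" + re.escape(_vip_tail(vip)), mac)
    if masked:
        return f"unicast-masked-source:{int(masked.group(1), 16)}"
    return "not-nlb"


# One data row of Windows `arp -a`: "  172.27.7.10   02-bf-ac-1b-07-0a   dynamic"
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+"
)


def parse_windows_arp(arp_output: str) -> dict:
    """Parse `arp -a` output into {ip: mac}; 'Interface:' and header lines are skipped."""
    entries = {}
    for line in arp_output.splitlines():
        m = ARP_ROW.match(line)
        if m:
            entries[m.group(1)] = normalize_mac(m.group(2))
    return entries


def audit_arp(arp_output: str, vip: str) -> dict:
    """Classify every ARP entry relative to the NLB VIP."""
    return {ip: classify_mac(vip, mac) for ip, mac in parse_windows_arp(arp_output).items()}


# Constructed sample, not a real capture: `arp -a` on a perimeter host beside the array.
# 172.27.7.10 = hypothetical NLB VIP, 172.27.7.11 = one node's dedicated IP,
# 172.27.7.1 = the segment's gateway (PIX inside interface).
SAMPLE_ARP = """\
Interface: 172.27.7.50 --- 0x10003
  Internet Address      Physical Address      Type
  172.27.7.10           02-bf-ac-1b-07-0a     dynamic
  172.27.7.11           02-bf-ac-1b-07-0a     dynamic
  172.27.7.1            00-1a-2b-3c-4d-5e     dynamic
"""

if __name__ == "__main__":
    for ip, verdict in audit_arp(SAMPLE_ARP, "172.27.7.10").items():
        print(f"{ip:16} {verdict}")
```

Reading the result: the node's dedicated IP (172.27.7.11 in the sample) resolving to the same 02-BF address as the VIP is normal for unicast mode, not a fault. It does mean that every device on that segment, switch ports and the PIX inside interface included, must deliver frames for one MAC that appears behind two ports; a switch that refuses to flood, a port-security MAC limit, or a stale static ARP entry pointing at a node's burned-in NIC MAC will cut off the VIP and the nodes' own perimeter IPs together, which is the symptom worth separating from ISA policy problems before changing rules.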
