Welcome to ISAserver.org

Discussion about Publishing DMZ Servers on a Public Address DMZ

Discussion about Publishing DMZ Servers on a Public Add... - 18.Jun.2004 6:35:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on publishing servers on a public address DMZ segment at http://isaserver.org/articles/2004pubdmzservers.html.

Thanks!
Tom

[ June 18, 2004, 06:57 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about Publishing DMZ Servers on a Public... - 27.Jun.2004 12:19:00 AM   
AesirNet

 

Posts: 1
Joined: 27.Jun.2004
From: Dallas
Status: offline
Thanks for the excellent write-up, we have been trying to figure out this possibility for weeks. [Smile]

(in reply to tshinder)
Post #: 2
RE: Discussion about Publishing DMZ Servers on a Public... - 27.Jun.2004 7:31:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi AesirNet,

Thanks! It was an interesting article to do, because some of the behavior isn't what most people would expect.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about Publishing DMZ Servers on a Public... - 30.Jun.2004 12:37:00 AM   
xenomorph

 

Posts: 4
Joined: 28.Jun.2004
From: Dallas, TX
Status: offline
Hi Tom, thanks for your great tutorial for setting this all up. I'm trying to do exactly this now for my network. I have a question though, I'm using ISA 2004 Beta2 for this, and I have 2 DNS servers in the DMZ zone that need to be accessed from the External zone (the internet). In the article you mention having DNS servers in the internal portion of the network.

What should I do differently, and what should I watch out for, to have these DNS servers in the DMZ zone and to have them accessible from the Internet while at the same time allowing the DMZ hosts to do lookups through the DNS servers?

Should I just skip the parts for allowing DNS from DMZ to Internal and just change the allowing DNS from Internal to External part to allow DNS from DMZ to External?

The internal network is not important to me right now, my main goal is to get an IP block with HTTP, SMTP, DNS, FTP and other servers published on the internet with their public addresses while at the same time being firewalled by ISA.

Wow I hope this makes sense [Smile] Thanks in advance.

(in reply to tshinder)
Post #: 4
RE: Discussion about Publishing DMZ Servers on a Public... - 30.Jun.2004 6:39:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Xeno,

You can put your public access DNS servers on the public address DMZ segment. Just make sure they are DNS advertisers *only* and not resolvers. You want to configure them to host the records for your public domains, but not resolve queries for domains for which the DNS is not authoritative.

Remember to configure the machine to prevent cache poisoning too.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about Publishing DMZ Servers on a Public... - 30.Jun.2004 8:41:00 PM   
xenomorph

 

Posts: 4
Joined: 28.Jun.2004
From: Dallas, TX
Status: offline
Thanks for your reply. One more thing: on which zone's NIC configuration do I need to have all the IPs of the Class C subnet? Do I add them all to the DMZ NIC, the external NIC, or both?

Also, would it be a problem to add various Class C subnets to the ISA firewall?

Actually, never mind on the 1st question, I've set up the ISA as follows (not real IPs):

IPs of ISA server on External
(gateway 172.3.50.1)
172.3.50.2
185.34.6.2
182.47.9.2

IPs of ISA server on DMZ
172.3.50.3
185.34.6.3
182.47.9.3

Set up access rules for HTTP, HTTPS, FTP, etc. for subnet ranges 172.3.50.3-255 and so on...
DNS servers are inside the DMZ and published to external. At the moment not using Internal for anything. I'm going to start testing this setup and hope it works.

Once fully functional, this ISA will have to deal with lots of traffic and different hosts, I hope the beta2 can handle everything that will be thrown at it. There is no other firewall on this network.

[ July 01, 2004, 12:14 AM: Message edited by: xenomorph ]

(in reply to tshinder)
Post #: 6
RE: Discussion about Publishing DMZ Servers on a Public... - 1.Jul.2004 1:45:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Xeno,

The only problem I see here is that the IP addresses on each segment are on different network IDs. The DMZ segment needs to be on its own network ID, and the external interface the same.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about Publishing DMZ Servers on a Public... - 29.Nov.2004 2:05:00 AM   
phillipm

 

Posts: 23
Joined: 7.Jun.2004
From: Wellington, New Zealand
Status: offline
DNS On DMZ ( Using Private Address on Perimeter )
Trihomed ISA2004 Configuration

We are a small web hosting company going through the process of updating our DNS servers/ISA 2004.

How do we publish our DNS servers residing in the private DMZ with private addresses, i.e.

NS1 = 192.168.100.100
NS2 = 192.168.100.101

Their name records are on DNS servers as

NS1 = x.x.x.100
NS2 = x.x.x.200

We have entered these public IPs on the External NIC of the ISA 2004 Server.

We are having some problems and would like some input as to what would be the correct method. We have read all the MS articles etc.

(in reply to tshinder)
Post #: 8
RE: Discussion about Publishing DMZ Servers on a Public... - 27.Jan.2005 10:55:00 AM   
chris99099

 

Posts: 1
Joined: 27.Jan.2005
From: Netherlands
Status: offline
Hi Thomas,

In the article you write: "The next step is to create the route relationship between the DMZ Network and the Internal Network. In this case, we'll use the NAT route relationship between DMZ and Internal network.

Perform the following steps to create the NAT route relationship between DMZ and Internal networks:"

But when I look at the steps it seems to me it creates a route relationship between the internal and the DMZ zone?! Or am I wrong??

(in reply to tshinder)
Post #: 9
RE: Discussion about Publishing DMZ Servers on a Public... - 28.Jan.2005 3:46:00 AM   
sniper

 

Posts: 687
Joined: 9.Aug.2001
From: OK, USA
Status: offline
Chris,

Keep in mind you have to define how the DMZ will communicate with the External and Internal. So a Network relationship should be defined for each, since there could be firewall policy defined for each network.

[ January 28, 2005, 03:48 AM: Message edited by: cgregory ]

(in reply to tshinder)
Post #: 10
RE: Discussion about Publishing DMZ Servers on a Public... - 28.Jan.2005 3:53:00 PM   
Guest
Hi C.

I understand what you mean, the only thing I meant to say is that in the article Thomas says "Perform the following steps to create the NAT route relationship between DMZ and Internal networks:" but when you read the "following steps" it turns out that a route relationship is being created between Internal and the DMZ network.

Cheers,
Chris

(in reply to tshinder)
  Post #: 11
RE: Discussion about Publishing DMZ Servers on a Public... - 31.Jan.2005 1:37:00 PM   
Guest
Another thing that won't work as described in the article is the DNS test query to www.hotmail.com. The reason is the fact that a NAT network rule from the Internal to <> the DMZ network needs to be created too. Without that rule the DNS test query won't work; DNS queries made from the DMZ network will be stopped at the ISA Server... (on their way back, that is).

(in reply to tshinder)
  Post #: 12
RE: Discussion about Publishing DMZ Servers on a Public... - 11.Feb.2005 5:41:00 PM   
Jemmer

 

Posts: 15
Joined: 23.Dec.2002
From: Denmark, Kge
Status: offline
Hi

I have created the following

ISA2004
3 NICs

External:
IP: 81.64.156.70
Mask 255.255.255.252
GW 81.64.156.69

Internal:
IP: 10.0.1.1
Mask: 255.255.255.0

DMZ1:
IP: 81.200.115.33
Mask: 255.255.255.224

Then I have a host on the DMZ1 segment called 81.200.115.34

When I ping the host from an IP on the Internet, it works fine.
When I trace route, it works fine.
The last 2 hops look like this:

1 1 ms <1 ms <1 ms 81.64.156.70
2 1 ms <1 ms <1 ms 81.200.115.34

So I have a routed DMZ, I'm happy [Wink]

BUT... when I log on to the host 81.200.115.34 and visit a webpage that displays my own external IP, I would think that it would be 81.200.115.34, but www.myip.dk shows 81.64.156.70

To me that looks like the DMZ host is connecting to the Internet using NAT??

I have created the network (DMZ1) and under network rules there are the following:

Local host >> Route >> All networks
DMZ1 >> Route >> External
VPN Clients >> Route >> Internal
Internet access >> NAT >From> Internal, QuarantiVPN, VPN clients >to> External

In the firewall policy I have a rule that permits traffic:

From: External and DMZ1
To: External and DMZ1

What am I doing wrong?

(in reply to tshinder)
Post #: 13
RE: Discussion about Publishing DMZ Servers on a Public... - 11.Feb.2005 8:33:00 PM   
Jemmer

 

Posts: 15
Joined: 23.Dec.2002
From: Denmark, Kge
Status: offline
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000090

I just found this [Wink]

But still, it would be nice to use the web proxy on outgoing connections from my LAN and not use it from my "serverfarm"...

But I found that I truly was NATting my HTTP out.

(in reply to tshinder)
Post #: 14
RE: Discussion about Publishing DMZ Servers on a Public... - 17.Feb.2005 10:30:00 AM   
hennish

 

Posts: 26
Joined: 1.Dec.2004
Status: offline
Hi Tom (and everyone else, of course). Great write-up on public addressed DMZs.

I still have one question, though: Is the "Networks" tab really necessary in server publishing rules to publicly addressed DMZ servers?

I have got a DNS server with a public IP address .2 and an ISA Server with external public IP addresses .8 and .10.

My server publishing rule looks like this:

Action: Allow
Traffic: DNS Server
From: Anywhere
To: [public IP .2] - requests appear to come from the original client.
Networks: External <all IP addresses>
Schedule: Always

Now, if I sit externally and try to connect using nslookup to .2, it works. If I try .8 or .10, it doesn't.

If I run nslookup from the Internal network, my request won't hit the publishing rule, but it will hit a DNS access rule further down the rule set.

So apparently, server publishing rules don't have listeners the same way web publishing rules do, and the "Networks" tab only specifies which clients are allowed to use the publishing rule, not which IP addresses of the ISA server should be listening for requests. Am I right?

Thanx! /Anders

(in reply to tshinder)
Post #: 15
RE: Discussion about Publishing DMZ Servers on a Public... - 18.Feb.2005 1:30:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Anders,

You're right for the most part. However, you can choose a specific IP address from the Network that you select for the rule to listen on.

HTH,
Tom

(in reply to tshinder)
Post #: 16
RE: Discussion about Publishing DMZ Servers on a Public... - 26.Jul.2006 1:39:04 PM   
networxstudios

 

Posts: 8
Joined: 25.May.2006
Status: offline
Hi Tom (and everyone else reading this excellent article!)

I have this setup:

3 NICs (Internal, External and DMZ). The fourth is going to be included whenever I get the basics to work...
This is also shown in prioritised view.

Internal NIC:
ip: 172.16.1.11
mask: 255.255.255.0
GW: none
DNS1: 172.16.1.6 (located on the LAN)
DNS2: 172.16.1.1 (located on the LAN)

External:
ip: 1xx.000.000.6
mask: 255.255.255.0
GW: 1xx.000.000.1
DNS1: none
DNS2: none

DMZ:
ip: 1xx.000.000.158 (same network as the external, since I have got to publish public ips on the webservers)
mask: 255.255.255.128
GW: none
DNS1: none
DNS2: none

I guess I am doing something wrong with the masks here? I need to split my 1xx.000.000.000-range in 2 and use the top-half for DMZ.

I have a client, webserver on the DMZ as well, that one is using:
ip: 1xx.000.000.157
mask: 255.255.255.128
GW: 1xx.000.000.158 (firewall dmz-nic)
DNS1: 1xx.000.000.158 (firewall dmz-nic)
DNS2: none

I was hoping you could help me out a little bit here. I am, as I wrote, going to add a 4th NIC for a totally separate segment here. This part will be isolated from the DMZ, but I need some VPN connections to connect to this 4th network.

Thank you anyways and thanks for some good books from you! :-)

Regards,
Kurt
Norway

(in reply to tshinder)
Post #: 17
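As an added example (not code from the thread, the article or ISA Server), a stdlib Python check for two configuration points raised above: Tom's rule in post #7 that each segment must sit on its own network ID, and Kurt's overlapping /24 External and /25 DMZ in post #17 (his obfuscated 1xx.000.000 prefix is replaced by the documentation range 203.0.113.0/24 as a constructed stand-in). Jemmer's addresses from post #13 are used as the non-overlapping case.

```python
# Added example: verify that ISA NICs sit on distinct network IDs and that a
# DMZ host really lies inside the DMZ subnet. Standard library only.
from ipaddress import ip_address, ip_interface, ip_network
from itertools import combinations


def network_ids(nics):
    """Map NIC name -> network ID (CIDR) derived from its 'ip/mask' string."""
    return {name: str(ip_interface(cfg).network) for name, cfg in nics.items()}


def overlapping_nics(nics):
    """NIC pairs whose subnets overlap. ISA needs this list to be empty."""
    nets = {name: ip_interface(cfg).network for name, cfg in nics.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def host_on_nic(nics, nic, host):
    """True if the host address falls inside the subnet configured on that NIC."""
    return ip_address(host) in ip_interface(nics[nic]).network


def split_in_two(cidr):
    """Split one block into its two halves, e.g. a /24 into two /25s."""
    return [str(n) for n in ip_network(cidr).subnets(prefixlen_diff=1)]


# Jemmer's layout from post #13: a routed DMZ on its own /27.
JEMMER = {
    "External": "81.64.156.70/255.255.255.252",
    "Internal": "10.0.1.1/255.255.255.0",
    "DMZ1": "81.200.115.33/255.255.255.224",
}

# Kurt's layout from post #17. 203.0.113.0/24 is a constructed stand-in for
# his obfuscated 1xx.000.000 range; the masks are the ones he posted.
KURT = {
    "Internal": "172.16.1.11/255.255.255.0",
    "External": "203.0.113.6/255.255.255.0",
    "DMZ": "203.0.113.158/255.255.255.128",
}

# The same layout after giving External the lower /25 and DMZ the upper /25.
KURT_FIXED = dict(KURT, External="203.0.113.6/255.255.255.128")

if __name__ == "__main__":
    for label, nics in (("Jemmer", JEMMER), ("Kurt", KURT), ("Kurt fixed", KURT_FIXED)):
        print(label, network_ids(nics), "overlaps:", overlapping_nics(nics))
    print("81.200.115.34 on DMZ1:", host_on_nic(JEMMER, "DMZ1", "81.200.115.34"))
    print("halves of 203.0.113.0/24:", split_in_two("203.0.113.0/24"))
```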
RE: Discussion about Publishing DMZ Servers on a Public... - 27.Jul.2006 2:14:30 PM   
networxstudios

 

Posts: 8
Joined: 25.May.2006
Status: offline
The problem is that I am able to:

PING from external and onto the firewall (I have made a temp-filter that allows this)
PING from local host to a DMZ-server (I have made a temp-filter that allows this)
HTTP from local host to a DMZ-server (I have made a temp-filter that allows this)
RDP from local host to a DMZ-server (I have made a temp-filter that allows this)

and NOT able to:

PING from external and onto the DMZ-server (I have made a temp-filter that allows this)
I just get answer from the firewalls external ip that the destination host is unavailable.
HTTP from external to the DMZ-server, no answer...

What am I doing wrong? This is an addition to my first post in this thread.

Regards from a frustrated Norwegian :-)

Kurt

(in reply to tshinder)
Post #: 18
RE: Discussion about Publishing DMZ Servers on a Public... - 22.Aug.2008 9:46:16 PM   
nashfaq

 

Posts: 3
Joined: 22.Aug.2008
Status: offline
Tom,

I have successfully configured ISA Server 2006 SP1 to publish a web server on a public address DMZ using the technique described in your article. I have been unable to implement reverse caching of the websites on this server using this configuration. Can you please tell me if this is possible, how it is achieved, and how I can verify that the websites are in fact being cached?

Secondarily, is it possible in your configuration to pass the client IP address to the web server for logging purposes?

Best regards,
Naveed

(in reply to tshinder)
Post #: 19
