ISA-NLB
All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> ISA-NLB Page: [1]
ISA-NLB - 22.Feb.2006 9:13:27 AM   
zspetya

 

Posts: 4
Joined: 22.Feb.2006
Status: offline
Hello for everyone,


I have a hopefully interesting scenario; maybe someone can help me understand what happens and why.
We have two firewalls; the internal one is an ISA 2004 Standard Edition with SP2 installed on a W2K3 Standard server. There is routing between the DMZ and the internal network. We have a web server on the internal network, and another web server in the DMZ sends some HTTP requests to this internal one. The internal server is not published, but there is a simple rule to allow the HTTP protocol from the DMZ web server to the internal web server, every time, all users. It is working fine; there is no problem.

                     <---->  ROUTING  <---->
 ------------        ------------          ------------
 | internal |        | ISA 2004 |          | DMZ      |
 | web      |--------| standard |----------| web      |
 | server   |        | edition  |          | server   |
 ------------        ------------          ------------


Recently we decided to introduce NLB (I know Microsoft does not support it on ISA 2004 Standard Edition; I read the corresponding articles here and on other sites as well...). I used to be very careful, so first I wanted to turn on NLB for this one already existing server only, and not even use a second server, just to see if everything is working. Obviously it is not. I turned on NLB first only on the internal interface of the ISA (multicast NLB; the first IP in the IP list is the cluster's IP address, and there is a second one, the host address). The default gateway on the internal web server is the cluster's IP address.

When I try to connect from the DMZ web server to the internal one, it times out. I checked it with Network Monitor: the SYN packet arrives at the internal web server, the source IP is the DMZ web server, source port random, source MAC is the MAC of the ISA 2004 internal interface, destination IP the internal web server, destination port 80, destination MAC the internal web server's MAC.

The web server sends the SYN-ACK packet: source IP its own IP, source port 80, source MAC its own MAC, destination IP the IP of the DMZ web server, port the same random port, MAC the ISA server's Microsoft multicast NLB MAC. It seems to be correct.

This second packet is dropped by the ISA server; I cannot see it even with Network Monitor. If I make a rule to allow everything from the internal network to the DMZ, it works again, but that is not a solution.

Could anyone explain to me what happens here? I have used only one ISA so far, so the answer (SYN-ACK) definitely goes to the same ISA; theoretically it should allow it because of statefulness, but it does not. I have no idea.

Thanks for your help in advance
Post #: 1
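The handshake described in the post, reproduced as an added example (this is not code from the original thread or from ISA Server). It encodes the two captured frames as constructed summaries with assumed addresses, checks that the SYN-ACK is the exact reverse of the SYN's 4-tuple (the match a stateful firewall makes), and classifies the MAC the internal host addressed the SYN-ACK to by deriving the NLB cluster MAC from the cluster IP (Microsoft NLB uses 03-BF plus the cluster IP's octets in multicast mode and 02-BF plus the octets in unicast mode). The cluster IP, host MACs and IPs are illustrative assumptions, not values from the thread.

```python
# Added example, not code from the original post or from ISA Server.
# Reconstructs, on constructed frames, the check the poster did by hand in
# Network Monitor: does the SYN-ACK reverse the SYN's 4-tuple, and is its
# destination MAC the NLB cluster multicast MAC or the adapter's own MAC?
# All addresses below are illustrative assumptions.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Frame:
    """Minimal summary of one captured Ethernet/IPv4/TCP frame."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK


def norm_mac(mac: str) -> str:
    """Normalise 'AA:BB:..' or 'aa-bb-..' to lowercase, dash-separated."""
    return mac.lower().replace(":", "-")


def nlb_cluster_mac(cluster_ip: str, multicast: bool = True) -> str:
    """Microsoft NLB derives the cluster MAC from the cluster IP:
    03-bf-<ip octets> in multicast mode, 02-bf-<ip octets> in unicast mode."""
    octets = ipaddress.IPv4Address(cluster_ip).packed
    prefix = "03-bf" if multicast else "02-bf"
    return prefix + "".join(f"-{b:02x}" for b in octets)


def classify_mac(mac: str, cluster_ip: str, host_mac: str) -> str:
    """Name which layer-2 address a frame was sent from/to."""
    m = norm_mac(mac)
    if m == nlb_cluster_mac(cluster_ip, multicast=True):
        return "nlb-multicast-cluster-mac"
    if m == nlb_cluster_mac(cluster_ip, multicast=False):
        return "nlb-unicast-cluster-mac"
    if m == norm_mac(host_mac):
        return "host-adapter-mac"
    return "unknown"


def reply_reverses_flow(syn: Frame, reply: Frame) -> bool:
    """Stateful match: reply must be the SYN's 4-tuple reversed and carry SYN+ACK."""
    return (syn.flags == "S" and reply.flags == "SA"
            and reply.src_ip == syn.dst_ip and reply.dst_ip == syn.src_ip
            and reply.src_port == syn.dst_port and reply.dst_port == syn.src_port)


# Constructed sample capture (assumed addresses, not from the thread).
CLUSTER_IP = "10.1.0.1"              # NLB cluster IP, the web server's gateway
ISA_HOST_MAC = "00-11-22-33-44-55"   # ISA internal adapter's own dedicated MAC
WEB_MAC = "00-aa-bb-cc-dd-ee"        # internal web server's MAC

SYN = Frame(src_mac=ISA_HOST_MAC, dst_mac=WEB_MAC,
            src_ip="192.0.2.10", dst_ip="10.1.0.20",
            src_port=40123, dst_port=80, flags="S")
SYN_ACK = Frame(src_mac=WEB_MAC, dst_mac="03:BF:0A:01:00:01",
                src_ip="10.1.0.20", dst_ip="192.0.2.10",
                src_port=80, dst_port=40123, flags="SA")


def analyse(syn: Frame = SYN, reply: Frame = SYN_ACK,
            cluster_ip: str = CLUSTER_IP, host_mac: str = ISA_HOST_MAC) -> dict:
    """Summarise the handshake the way the poster read it off the capture."""
    return {
        "reverses_flow": reply_reverses_flow(syn, reply),
        "syn_from": classify_mac(syn.src_mac, cluster_ip, host_mac),
        "reply_to": classify_mac(reply.dst_mac, cluster_ip, host_mac),
    }


if __name__ == "__main__":
    print(analyse())
```

On the constructed frames the result matches the poster's reading: the SYN left the ISA's own adapter MAC, the SYN-ACK reverses the flow exactly and is addressed to the 03-BF multicast cluster MAC. The script only reproduces the observation; the thread itself gives no cause for the drop.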
RE: ISA-NLB - 24.Feb.2006 12:28:14 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Z,

Maybe that's another reason why they don't support NLB on SE.

Thanks for the info!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to zspetya)
Post #: 2