I am struggling with an issue that I hope someone may be able to help with.
Quick Summary - when I try to ping between different zones using temporary "Allow all" rules, I see "Initiated Connection" in logging, but no data actually passes between the zones. E.g. ping, RDP, telnet... nothing seems to work, but the connections are shown as being initiated!
Background: we have a test environment running entirely as virtual machines that has been running successfully until recently. The test environment consists of four zones around a central ISA 2004 server. We recently migrated our corporate LAN infrastructure to a new domain/network, moving from 192.168.99.0/24 to 192.168.55.0/24. [EDIT] ISA Server is running on Win 2003 Std SP2, ISA Server 2004 SP3 [/EDIT]
The ISA Server network configuration is as follows:
The last ethernet adapter (WebsphereMQ) is a direct connection (back-end!) to the Corporate LAN for routing MQ messages from a server on the Internal network to a WebsphereMQ server in the corporate LAN (IP: 192.168.55.42) effectively bypassing the external firewalling outside the ISA server (Juniper Netscreen 5GT).
Within ISA I have configured Networks accordingly and created network rules routing between the various networks. I have also created a temporary "Allow all Outbound traffic between all networks" rule. As previously mentioned, this all worked fine. The WebsphereMQ back-end connection however was redirected to the previous Corporate LAN and I updated it to the current Corporate LAN. That is when things have stopped working. To be fair, I'm not entirely certain when communication between the zones stopped working, as I was alerted to it by one of our developers, so it may or may not be tied into the modifications for this connection.
From the ISA server I am able to RDP and ping to the WebZone and TransportZone servers without issue. However I am unable to connect to the servers on the Internal from any zone, or from the ISA server. When attempted, ISA server logging simply shows the "Initiated Connection" and the appropriate rule, and nothing else.
I have tried a number of different things to get around this (removing the WebsphereMQ adapter/network/network rule, defining explicit rules, etc.), but everything I have tried gets the same result - Initiated Connection, but nothing else happening.
If anyone has any ideas or help regarding this, I am getting desperate to find a solution!!!
Many thanks in advance, Vance
< Message edited by vmachine -- 29.Dec.2008 7:07:23 PM >
For any who read this - I found a couple of networking issues that were at fault - nothing to do with ISA after all!
The host server running the virtual machines had two default gateways - running Server Core, when configuring the interface for the Corporate LAN the gateway was set by accident:
netsh interface ipv4 set address name=3 source=static address=192.168.55.43 mask=255.255.255.0 gateway=192.168.55.254
should have been:
netsh interface ipv4 set address name=3 source=static address=192.168.55.43 mask=255.255.255.0 gateway=
The second issue was another NIC connecting the Internal network (running on a separate Hyper-V server) to the ISA server - this NIC a) didn't have a default gateway set, and b) wasn't being used by Hyper-V! Not sure how that came about, as nowhere in my modifications did I modify the Hyper-V settings to configure which adapter to use for that server!
Oh well, we live and learn. Just remember that when everything looks like it's working fine, it probably is and there's something somewhere else that's not working right! =)
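As an added check (not part of the original post), the following PowerShell reports every IPv4 default gateway on a multi-homed host and flags the two conditions that caused the problem above: more than one default gateway, or a default gateway on a back-end interface that should have none. It uses Get-NetRoute (Windows 8 / Server 2012 and later); the interface alias 'WebsphereMQ' is an assumed name taken from the post, so adjust it to your own adapter.

```powershell
# Added example: verify a multi-homed host has exactly one IPv4 default gateway
# and that designated back-end interfaces carry none.
function Test-SingleDefaultGateway {
    param(
        # Interfaces that must NOT have a default gateway (assumed names; edit for your host).
        [string[]]$NoGatewayInterfaces = @()
    )
    # All routes to 0.0.0.0/0 are default gateways; one per interface is how the
    # mistake in the post showed up (two adapters, two gateways).
    $defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
                    -ErrorAction SilentlyContinue |
                Select-Object InterfaceAlias, InterfaceIndex, NextHop, RouteMetric, InterfaceMetric

    $problems = @()
    $count = ($defaults | Measure-Object).Count

    if ($count -gt 1) {
        $problems += "Host has $count IPv4 default gateways; replies may leave on the wrong interface."
    }
    if ($count -eq 0) {
        $problems += "Host has no IPv4 default gateway at all."
    }
    foreach ($r in $defaults) {
        if ($NoGatewayInterfaces -contains $r.InterfaceAlias) {
            $problems += "Interface '$($r.InterfaceAlias)' (index $($r.InterfaceIndex)) should have no default gateway but points to $($r.NextHop)."
        }
    }

    [pscustomobject]@{
        DefaultRouteCount = $count
        DefaultRoutes     = $defaults
        Problems          = $problems
    }
}

# Run the check; 'WebsphereMQ' is the back-end adapter name assumed from the post.
$check = Test-SingleDefaultGateway -NoGatewayInterfaces @('WebsphereMQ')
$check.DefaultRoutes | Format-Table -AutoSize
if ($check.Problems.Count -eq 0) {
    'OK: exactly one IPv4 default gateway and none on back-end interfaces.'
} else {
    $check.Problems | ForEach-Object { "PROBLEM: $_" }
}
```

A stray gateway reported here is removed the way the post's corrected command does it, by re-setting the interface address with an empty gateway= value (or with Remove-NetRoute for that InterfaceIndex on newer systems).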