MSMQ DMZ to LAN
MSMQ DMZ to LAN - 29.Mar.2006 12:21:26 AM
khowlette
Posts: 33
Joined: 21.May2003
Status: offline
Hi, I need to publish MSMQ servers on the internal LAN so that the web farm servers can access them. Presently the MSMQ servers are in the DMZ because the guy that left couldn't get it to work. All the servers in the DMZ are on their own AD domain. When I move the MSMQ servers to the internal LAN they will be on the internal AD domain. All the servers are Windows 2000. Has anyone done this? I read a few MS articles, e.g. http://support.microsoft.com/kb/q183293, but searching this site they appear from previous posts not to work. Would IPsec/VPN be a possibility? Thanks in advance, Keith
RE: MSMQ DMZ to LAN - 29.Mar.2006 10:44:57 PM
khowlette
Posts: 33
Joined: 21.May2003
Status: offline
Hi Tom, according to MS the following ports are used for Microsoft Message Queuing operations:
• TCP: 1801
• RPC: 135, 2101*, 2103*, 2105*
• UDP: 3527, 1801
* These port numbers may be incremented by 11 if the initial choice of RPC port is being used when Message Queuing initializes. A connecting QM queries port 135 to discover the 2xxx ports.
I'm concerned about opening RPC from the DMZ to the LAN. Keith
RE: MSMQ DMZ to LAN - 30.Mar.2006 5:17:36 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Keith, No problems with RPC. Remember the ISA firewall has an RPC filter that protects you. Note that you'll need a ROUTE network rule for LAN to DMZ connections. HTH, Tom
_____________________________
Thomas W Shinder, M.D., Sr. Consultant/Technical Writer, Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: MSMQ DMZ to LAN - 30.Mar.2006 9:49:28 PM
khowlette
Posts: 33
Joined: 21.May2003
Status: offline
Thanks Tom, greatly appreciated. I'll do some testing very soon. Keith
RE: MSMQ DMZ to LAN - 4.Jul.2006 5:16:36 PM
cellarstudio
Posts: 1
Joined: 4.Jul.2006
Status: offline
I am having the same issue... I have a web server in the DMZ and I need to get MSMQ to send messages from the web server to an internal database server through SBS with ISA 2004. I tried adding a policy rule to allow the required ports from the web server (192.168.1.106) to the internal database (192.168.16.5), but the outbound message queue only said "waiting to connect" (I'm using DIRECT TCP:192.168.16.5 in the MSMQ script)... and the message never goes. I then installed MSMQ on the SBS server (192.168.1.100 - external NIC & 192.186.16.2 - internal NIC) and changed the script to "DIRECT TCP:192.168.1.100" and created a publishing rule for MSMQ. The message makes it to the SBS server queue. I have found a document for creating an XML document for redirecting MSMQ messages from the firewall server to an internal computer, but I can't get it to work. How do I set up a direct connection over these ports from the web server to the internal DB server, so that I can use "DIRECT TCP:192.168.16.5"? Thanks.
RE: MSMQ DMZ to LAN - 31.Jan.2007 6:22:20 AM
khowlette
Posts: 33
Joined: 21.May2003
Status: offline
Hi, I got it to work with the following doc http://support.microsoft.com/kb/319454, but I also had to allow RPC 135 outbound on secondary connections. Is this safe? I tried with the RPC filter but couldn't get it to work. I ran a scan against my ISA server and it's only showing ports 1801, 2103 and 2105 as open. My ISA is a backend firewall; we have a Sonicwall PRO on the front end. Keith
RE: MSMQ DMZ to LAN - 7.Mar.2007 6:52:08 PM
khowlette
Posts: 33
Joined: 21.May2003
Status: offline
Hi, I've successfully configured my ISA 2004 server to connect to my clustered MSMQ server on the LAN. It's caused me some head scratching but it now works. If anyone's interested let me know and I'll provide the details. It's similar to Exchange RPC publishing but the UDDI are different for MSMQ. There are some security gotchas on Windows 2003 that block remote read of queues. What threw me for a while was that I could read queues from XP but not 2003 server; some registry hacks fix this. Keith
RE: MSMQ DMZ to LAN - 31.Aug.2007 4:03:17 AM
bsingh
Posts: 12
Joined: 21.Mar.2005
Status: offline
Clarify the following: in your article you have mentioned port 135 with direction both. As the primary connection does not allow inbound and outbound, the outbound may be defined in the secondary. Are only the two publishing rules you have defined required, or is any other access rule required for RPC? bsingh
RE: MSMQ DMZ to LAN - 31.Aug.2007 4:27:00 AM
khowlette
Posts: 33
Joined: 21.May2003
Status: offline
Hi bsingh, please check out the article on my website http://www.khowlette.btinternet.co.uk/isa_msmq.htm . The RPC rules are defined within the document. Some of the early posts I made were made when I didn't fully understand MSMQ, but once I had it all working with the security I needed I published the article on my website. Have a look at it and if it's still not clear contact me again and I'll expand further. Keith
RE: MSMQ DMZ to LAN - 1.Sep.2007 1:11:12 AM
bsingh
Posts: 12
Joined: 21.Mar.2005
Status: offline
Hi Keith, thanks for the timely reply. I read your article; it is well explained. Only the following is not clear to me.

You mentioned that the following is to be included in the MSMQ Inbound Rule:

  port | protocol | direction
  -----+----------+----------
  135  | TCP      | both

As ISA 2004 allows inbound or outbound in the same rule, inform me how to include the above port in both directions in MSMQ Inbound. bsingh
RE: MSMQ DMZ to LAN - 3.Sep.2007 7:46:40 AM
bsingh
Posts: 12
Joined: 21.Mar.2005
Status: offline
I have made two rules as you mentioned in the article (msmq inbound and msmq rpc) but the log is showing 1801 unidentified denied connection by default rule. In place of my server I have mentioned the ISA server name directing to the external IP of the ISA server. Is any other configuration required in ISA Server 2004, or should the queue name mentioned in the publishing server also be on the ISA server? bsingh
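As an added example, not code from the thread, from any poster or from ISA Server itself, here is a small Python checker for the symptom bsingh reports (denied connections on 1801 by the default rule) built from the port list Keith quoted from Microsoft earlier in the thread: it derives the full set of ports MSMQ may use, including the "+11" RPC increments, and flags denied log entries that land on one of them so you can see which publishing or RPC rule is still missing instead of opening everything. The simplified log line layout, the reuse of the addresses from cellarstudio's post as sample traffic, and the cap of four increments are assumptions of this example.

```python
"""Flag denied MSMQ connections in firewall log lines (added example).

Illustrative code only; not from ISAserver.org, Microsoft or the posters.
The log layout is a constructed, simplified one: timestamp, source IP,
destination IP, protocol, destination port, action, rule name. A real
ISA 2004 log carries more fields than this.
"""
import re
from typing import Dict, List, Optional

# Static MSMQ ports as quoted from the Microsoft KB text in the thread.
MSMQ_STATIC_PORTS = {
    ("tcp", 1801),   # message transfer between queue managers
    ("tcp", 135),    # RPC endpoint mapper, queried to find the 2xxx ports
    ("udp", 1801),
    ("udp", 3527),   # MSMQ ping
}
RPC_BASE_PORTS = (2101, 2103, 2105)
RPC_INCREMENT = 11
# Assumption: MSMQ is unlikely to have bumped an RPC port more than four
# times at startup; beyond that a port is not treated as MSMQ here.
MAX_INCREMENTS = 4


def msmq_rpc_ports(max_increments: int = MAX_INCREMENTS) -> set:
    """Every TCP port MSMQ might choose for its RPC endpoints."""
    return {base + k * RPC_INCREMENT
            for base in RPC_BASE_PORTS
            for k in range(max_increments + 1)}


def classify_msmq_port(proto: str, port: int) -> Optional[str]:
    """Name the MSMQ role of (proto, port), or None if it is not MSMQ."""
    proto = proto.lower()
    if (proto, port) in MSMQ_STATIC_PORTS:
        return "rpc-endpoint-mapper" if port == 135 else "msmq-static"
    if proto == "tcp" and port in msmq_rpc_ports():
        return "msmq-rpc-dynamic"
    return None


# Constructed layout: "<date> <time> <src> <dst> <proto> <port> <action> <rule>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\w+) "
    r"(?P<port>\d+) (?P<action>\w+) (?P<rule>.+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def denied_msmq(lines: List[str]) -> List[Dict[str, str]]:
    """Return denied entries whose destination port belongs to MSMQ."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"].lower() != "denied":
            continue
        role = classify_msmq_port(rec["proto"], int(rec["port"]))
        if role:
            hits.append({**rec, "role": role})
    return hits


# Constructed sample log: DMZ web server 192.168.1.106 talking to the
# internal database server 192.168.16.5 (addresses from the thread).
SAMPLE_LOG = [
    "2007-09-03 07:40:01 192.168.1.106 192.168.16.5 tcp 1801 Denied Default rule",
    "2007-09-03 07:40:02 192.168.1.106 192.168.16.5 tcp 135 Allowed MSMQ RPC",
    "2007-09-03 07:40:03 192.168.1.106 192.168.16.5 tcp 2114 Denied Default rule",
    "2007-09-03 07:40:04 192.168.1.106 192.168.16.5 tcp 80 Denied Default rule",
    "2007-09-03 07:40:05 192.168.1.106 192.168.16.5 udp 3527 Allowed MSMQ inbound",
    "not a log line at all",
]

if __name__ == "__main__":
    for h in denied_msmq(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']}/{h['proto']} "
              f"denied by '{h['rule']}' ({h['role']})")
```

Running it on the sample shows two entries worth acting on: TCP 1801 (the static MSMQ port, so the inbound publishing rule is not matching) and TCP 2114, which is 2103 + 11, the incremented RPC port that a rule listing only the base 2101/2103/2105 values will miss. Port 80 is denied too but is not MSMQ, so it is left out of the report.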