Welcome to ISAserver.org
MS Loopback adapter as external IP on a listener
MS Loopback adapter as external IP on a listener - 4.Oct.2004 2:05:00 PM
Guest
Dear all,
In order to integrate with a customer's RADWARE solution we had to install the MS Loopback adapter on the ISA 2004 server.
The external IPs for the ISA server are:
NIC 1: IP 160.50.50.1
Loopback NIC 2: IP 160.50.50.2
NIC 3: IP 10.10.10.1
For simplicity's sake I made a small web page on my internal network.
Web server IP: 10.10.10.2. Hosted site is "www.test.local", resolving to 160.50.50.2.
The RADWARE is configured with a virtual IP of 160.50.50.2, which will point to the ISA IP (160.50.50.1).
The LAT on the ISA is configured with the 10.10.10.x range.
I created a simple web publishing rule that would accept from anywhere to "www.test.local", with a listener on port 80 using the external interface IPs (which are identified by the GUI as 160.50.50.1 and 160.50.50.2).
I checked to see if the listeners were active, and they were both active on 160.50.50.1 and 160.50.50.2.
When I try to connect from the external side to www.test.local I get a "Denied by Default Rule" in the logs. The strange part is that when I force name resolution to point to 160.50.50.1 (the ISA box) it all works great, so the config of the listener is correct.
It seems to me that as soon as I try to use the loopback adapter's IP as the listener, it fails to accept incoming connections from the external side.
Any thoughts on this would be nice...
Sincerely, Tonino Bruno
RE: MS Loopback adapter as external IP on a listener - 4.Oct.2004 3:16:00 PM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
I am pretty sure that the ISA listener only accepts requests using the FQDN when publishing. This is a security feature to ensure valid requests.
[October 04, 2004, 03:17 PM: Message edited by: Jason Jones]
RE: MS Loopback adapter as external IP on a listener - 4.Oct.2004 3:30:00 PM
Guest
Hi,
Thanks for your reply, but we are accessing the listener using the FQDN "www.test.local".
I think the main issue here is whether ISA can accept incoming connections on an MS Loopback adapter.
Sincerely, Tonino Bruno
RE: MS Loopback adapter as external IP on a listener - 4.Oct.2004 9:29:00 PM
Guest
Hi JJ,
I appreciate the efforts, but the scenario is not quite the same as the one we are in.
I am not so worried about publishing different authentication methods using a single IP, but more about publishing something on an MS Loopback adapter.
It just seems odd to me that I would be able to accept something coming externally on an MS Loopback adapter.
Sincerely, Tonino Bruno
RE: MS Loopback adapter as external IP on a listener - 4.Oct.2004 11:45:00 PM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
No worries...
To be honest, having to install an MS Loopback adapter sounds like a bit of a fudge anyhow, and it doesn't sound like a very well integrated ISA application.
Have you looked at products like RainWall from Rainfinity, as these are specifically designed for ISA and are often much better for balancing?
JJ
RE: MS Loopback adapter as external IP on a listener - 5.Oct.2004 7:03:00 AM
Guest
My thoughts exactly when I first heard of the solution, but it seems that it would be the only way for a load balancer to do this type of balancing...
All other implementations imply that the traffic goes bidirectionally through the load balancer switch rather than triangularly.
For example, Cisco also uses this method.
Unless we get a magic solution or a confirmation that the MS Loopback isn't going to work, we have to resort back to NLB or see if we can use the load balancer in bidirectional mode.
Greetz, Tonino Bruno
RE: MS Loopback adapter as external IP on a listener - 5.Oct.2004 12:39:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Why is the loopback adapter required?
Thanks! Tom
RE: MS Loopback adapter as external IP on a listener - 5.Oct.2004 2:26:00 PM
paulbaldwin
Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Hi Tonino,
This situation will work, but:
Are you allowing ISA to use its IP in the web publishing rules? If you do this you get a routing situation of:
Client -> NIC1 -> NIC2 -> Web -> NIC2 -> NIC1 -> Client
If you don't, you get something like:
Client -> NIC1 -> NIC2 -> Web -> NIC1 -> STOP!
Also, I can't see why you use IPs from the same subnet on two interfaces; that can't be healthy.
Cheers
P.S. I figured this out a while back trying to make that 2004pubowamobile trick work with bi-directional affinity in NLB, but it can't work for the reasons above.
RE: MS Loopback adapter as external IP on a listener - 5.Oct.2004 2:33:00 PM
paulbaldwin
Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Hi Tom,
Have you tried using the loopback adapter to create "virtual DMZs"? Just the stuff for testing configs, though I'm not sure if it's actually working in the way I think it is; MS say you can't use Virtual Server on a firewall.
Cheers
RE: MS Loopback adapter as external IP on a listener - 5.Oct.2004 10:11:00 PM
Guest
Hi Tom,
You can find my previous reply on why we need the loopback adapter in another thread. I must have hit the wrong button somewhere, which generated two threads :-)
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=21;t=000156
Hi Paul,
Yes, the listener is configured to listen on both external IP addresses, configured on both the physical adapter and the loopback adapter.
We are getting closer and closer to the conclusion that this simply won't work. The backup plan is to disable the local triangulation and have all traffic go bidirectionally through the load balancer.
Sincerely, Tonino Bruno
RE: MS Loopback adapter as external IP on a listener - 6.Oct.2004 11:40:00 AM
paulbaldwin
Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Hi Tonino,
You might have missed my point. I realise you have two configured listeners.
But the Web publishing rules using these listeners must not be configured to pass the client IP to the published server or the server's response will not route back through the listeners in the correct manner.
I have set up two listeners in daisy-chain fashion and it will work if you don't make this mistake.
Cheers
RE: MS Loopback adapter as external IP on a listener - 6.Oct.2004 1:35:00 PM
Guest
Hi Paul,
Unfortunately I didn't miss your point :-)
The packets are being dropped on the ISA by the last default rule, although there is a listener ready to accept incoming connections on that destination IP.
And indeed we do use "Use ISA Server IP address" in order to have the published servers respond back to the correct ISA server, as we have no default gateway set up.
Sincerely, Tonino Bruno
RE: MS Loopback adapter as external IP on a listener - 7.Oct.2004 1:33:00 PM
paulbaldwin
Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
That's good. With that sorted out, I still claim that daisy-chaining listeners within an ISA server will work. I'd turn your attention to the IP addressing, which seems very dodgy to me.
Can't you subnet these addresses, at least as far as ISA is concerned, so that you can configure ISA to treat the two listeners as being in separate networks?
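As an added illustration of the addressing point Paul raises (this is not code from the thread or from ISA Server), the script below models how ISA 2004 network objects map adapter addresses to networks. It assumes ISA's rule that each network object should map onto one adapter, treats "External" as whatever no other network covers, and uses the thread's addresses as constructed input. With the configuration as posted, both the physical NIC and the MS Loopback adapter resolve to External; carving the loopback address into its own network object (the split configuration, an assumption about what Paul means by "subnet these addresses") removes the collision.

```python
"""Model ISA 2004-style network membership for the addresses in this thread.

Added example, not part of the forum thread and not ISA's own code or API.
Assumption being modelled: ISA expects each network object to belong to one
adapter, and an address covered by no defined network falls into 'External'.
"""
from ipaddress import ip_address, ip_network

# Constructed from the thread: adapter name -> configured IP address.
ADAPTERS = {
    "NIC1 (external)": "160.50.50.1",
    "NIC2 (MS Loopback)": "160.50.50.2",
    "NIC3 (internal)": "10.10.10.1",
}

# Network objects as address ranges, as posted: only the LAT (10.10.10.x)
# is defined, so everything else is External.
NETWORKS_AS_POSTED = {
    "Internal": [ip_network("10.10.10.0/24")],
}

# Hypothetical split configuration: the loopback address gets its own
# network object so ISA no longer sees two adapters in External.
NETWORKS_SPLIT = {
    "Internal": [ip_network("10.10.10.0/24")],
    "Loopback": [ip_network("160.50.50.2/32")],
}


def network_for(ip, networks):
    """Return the name of the network object containing ip.

    Raises if the ranges overlap (ISA would flag that too); returns
    'External' when no defined network covers the address.
    """
    addr = ip_address(ip)
    hits = [name for name, ranges in networks.items()
            if any(addr in r for r in ranges)]
    if len(hits) > 1:
        raise ValueError(f"{ip} is covered by overlapping networks {hits}")
    return hits[0] if hits else "External"


def adapters_by_network(adapters, networks):
    """Group adapter names under the network their address resolves to."""
    grouped = {}
    for nic, ip in adapters.items():
        grouped.setdefault(network_for(ip, networks), []).append(nic)
    return grouped


def findings(adapters, networks):
    """Return one message per network object claimed by more than one adapter."""
    problems = []
    for net, nics in adapters_by_network(adapters, networks).items():
        if len(nics) > 1:
            problems.append(
                f"network '{net}' is claimed by {len(nics)} adapters: "
                + ", ".join(nics))
    return problems


if __name__ == "__main__":
    for label, nets in (("as posted", NETWORKS_AS_POSTED),
                        ("split", NETWORKS_SPLIT)):
        print(f"[{label}]")
        for nic, ip in ADAPTERS.items():
            print(f"  {nic:20s} {ip:14s} -> {network_for(ip, nets)}")
        for problem in findings(ADAPTERS, nets) or ["no collisions"]:
            print("  " + problem)
```

Running it shows the posted layout putting 160.50.50.1 and 160.50.50.2 into the same External network on two different adapters, while the split layout assigns the loopback address to its own network. The script only models the membership rule; whether a given ISA build then accepts listener traffic on the loopback adapter is exactly what this thread leaves open.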
RE: MS Loopback adapter as external IP on a listener - 7.Oct.2004 7:33:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Hi Paul,
Are you thinking of daisy chaining the listeners like we did with the local host network listener? Like we described in the article on getting FBA to work with a single listener for OWA and RPC/HTTP?
Thanks! Tom
RE: MS Loopback adapter as external IP on a listener - 7.Oct.2004 10:15:00 PM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
quote: Originally posted by Jason Jones: Check out Tom's article, as he has a procedure for using the localhost listener which may help:
http://www.isaserver.org/tutorials/2004pubowamobile.html
JJ
Tonino already said this didn't apply, although I thought the concept could be adapted to do what was required. I agree with the NIC addressing point though...
JJ