Welcome to ISAserver.org

Please help with server publishing problem

Please help with server publishing problem - 20.Aug.2007 9:57:12 AM   
RScipione

 

Posts: 4
Joined: 15.Aug.2007
Status: offline
Hi,

I am attempting to publish a server on our internal network, but know next to nothing about ISA 2004.  I have read enough to know (think?) that I need a server publishing rule to send requests bound for our specific port to the correct server.  The publishing rule setup is pretty straightforward, but requests are falling through it and being denied by the default rule.

I think I've traced it to a problem with the way ISA sees the request.  It seems to think the request is outbound even when coming from the External network, and I verified this by creating an access rule that catches these requests with an outbound protocol.  I can't figure out how to publish the server with an access rule however, and even if I could, it sure doesn't seem like the correct way to solve this problem.

Further reading on my part points me to a problem in the Network configuration in ISA, but I have no idea what, if anything, is incorrectly set up.  There is a NAT relationship defined from the perimeter (source) to External (destination).  That seemed backwards to me, but when I reversed it, no computers inside the firewall could access the Internet, so I put it back (and it didn't fix the problem anyway).

Thanks in advance for any advice,

Richard
Post #: 1
RE: Please help with server publishing problem - 20.Aug.2007 12:32:01 PM   
Rotorblade

 

Posts: 976
Joined: 27.Feb.2007
Status: offline
Hi Richard,


To start, a little more information would be needed to help you with your issue. Could you provide a general overview (without jeopardizing your security; please mask your IPs, server names, etc.) of your network setup in relation to ISA: NIC configuration detail (Internal, External and rule relationship, route or NAT), Windows Server and ISA version and service pack level, and the server publishing rules and protocols needed?

Any information would be very helpful to help resolve your issue.

Regards,

RB

(in reply to RScipione)
Post #: 2
RE: Please help with server publishing problem - 20.Aug.2007 4:16:31 PM   
RScipione

 

Posts: 4
Joined: 15.Aug.2007
Status: offline
Hi RB, thanks for the quick response.

I think this should provide the information you requested.  If not just let me know.  Specifics on where to find any additional information would be really appreciated!

We have the ISA server computer set up as the front firewall with one NIC connected to the perimeter network and one to the External (Internet) network through our ISP.  The server we are trying to publish is located on the perimeter network.

In ISA Configuration Manager under Networks, we have four built-in objects:  External, Local Host, Quarantined VPN Clients and VPN Clients.  There are also two others: Perimeter with a couple of internal IP address ranges defined, and EMPDC, a remote VPN site-to-site connection using L2TP.

Under Network Sets, there are just two predefined: All Networks and All Protected Networks.

Under Network Rules, I have 1: Local Host Access routed from Local Host to All Networks (and Local Host), 2: Perimeter Access NATed from Perimeter to External, 3: VPN Site to Site routed from Perimeter to EMPDC, and 4: VPN Clients to Internal Networks routed from Quarantined VPN Clients and VPN Clients to Perimeter.

Finally, under Web Chaining, I only see Order: Last, Name: Default Rule, To: All Networks (and Local Host), Action: Retrieve Request Directly.

There is a back firewall between the perimeter and the Internal network, but I don't know anything about it, and I don't think it's involved anyway since we're trying to publish from the perimeter out.  If you need more information about this, I would be glad to get it for you as quickly as I can.

Thanks again for your help,

Richard

(in reply to Rotorblade)
Post #: 3
RE: Please help with server publishing problem - 20.Aug.2007 4:37:51 PM   
RScipione

 

Posts: 4
Joined: 15.Aug.2007
Status: offline
Sorry, I forgot to include Windows and ISA Server version numbers in my post.

We currently have Windows Server 2003 Service Pack 1 installed, and are using ISA Server 2004 version 4.0.2167.887.  I am still in the process of figuring out what service pack that is.

We are prepared to install Windows Server Service Pack 2 and ISA Server Service Pack 3 if necessary (assuming we don't already have ISA Server Service Pack 3 installed).

Richard

(in reply to Rotorblade)
Post #: 4
RE: Please help with server publishing problem - 20.Aug.2007 8:37:08 PM   
Rotorblade

 

Posts: 976
Joined: 27.Feb.2007
Status: offline
Richard,

Thanks for the information, which helps a little, but what I specifically need to know is how your two NICs are configured for a start (IP subnet x.x.x, DNS and GW settings). It’s obvious from the information you have supplied that the front-end ISA firewall was configured using the Front-firewall template, thus the reason for not seeing the Internal network defined. Using the Front-firewall template generally by default sets a route relationship from the perimeter network to external. You are using NAT, which sounds like it’s working, allowing Internet access (depending on Firewall policy access rules) from your Internal back-end firewall out through your front-end firewall, and is not the issue.

To focus on the server publishing problem a little more, there is one thing that you mentioned that caught my attention in regards to the perimeter network address definition. You said:
quote:

“There are also two others: Perimeter with a couple of internal IP address ranges defined”

Internal? On what network? There should be one IP address definition here not two; the perimeter network and only the perimeter network. This makes me wonder how your back-end access is configured. NAT? Different subs? Sounds like all the makings of a network-behind-a-network scenario. It also sounds like this is actually an Edge-firewall placement and the wrong template has been applied. A little more information may help clear up the confusion.

On the server you’re trying to publish, is it configured as a SecureNAT client?

The server publishing rule, please detail if you can.

The articles below should make for some good reading:

http://blogs.isaserver.org/shinder/2006/08/13/best-practices-for-creating-isa-firewall-networks/

http://www.microsoft.com/technet/isa/2004/plan/firewall_policy.mspx

http://www.microsoft.com/technet/isa/2004/plan/bp_networks.mspx


http://www.isaserver.org/articles/2004isafirewallnetworks.html

http://www.isaserver.org/articles/2004isanetworks.html

http://blogs.isaserver.org/pouseele/2006/09/29/how-does-a-server-publishing-rule-behave-when-the-network-relationship-is-route/

https://www.microsoft.com/technet/isa/2004/help/SRSP2_AccessPubComp.mspx?mfr=true

https://blogs.technet.com/isablog/archive/2006/01/16/AccessPolicyRulesVsServerPublishingRules.aspx

http://www.isaserver.org/tutorials/Advanced-ISA-Firewall-Configuration-Network-Behind-Network-Scenarios.html

http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx

http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

BTW: you are running ISA SP 3
Regards,

RB

(in reply to RScipione)
Post #: 5
RE: Please help with server publishing problem - 22.Aug.2007 2:44:51 PM   
RScipione

 

Posts: 4
Joined: 15.Aug.2007
Status: offline
RB,

I spent most of yesterday trying to better understand how the network is set up so that I could hopefully answer your questions a little more intelligently.  In the process, I learned that the second IP range defined in the "Perimeter" network on the front firewall was actually the range of IP addresses assigned to machines on the "Internal" network behind the back firewall.  This seemed very odd to me, and after a little more digging I found out that the contractor who initially set this whole thing up did it that way to get some VPN connection or other working.  Once I removed this range from the Perimeter, my requests coming in from the External network bound for my published server are being correctly identified as "Incoming".  Woo!

I am still not sure why removing that range suddenly made requests having nothing to do with that range behave differently, but as long as it's working, I'm not going to lose too much sleep over it. 

Thanks again for your help, I really appreciate it!

(in reply to Rotorblade)
Post #: 6
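
The check that located the stray range in this thread can be scripted. This is an added example, not code from either poster or from ISA Server: it flags every address range in a network definition that is not wholly inside the subnet of the adapter that network is bound to. The network name comes from the thread; the addresses, the adapter subnet and the function names are constructed placeholders, since the thread masks the real values.

```python
import ipaddress

# Constructed sample data: the thread masks its real addresses, so these
# RFC 1918 values are placeholders. "Perimeter" is the name from the thread.
ADAPTER_SUBNETS = {
    "Perimeter": ipaddress.ip_network("192.168.10.0/24"),
}

NETWORK_DEFINITIONS = {
    "Perimeter": [
        ("192.168.10.0", "192.168.10.255"),  # the perimeter segment itself
        ("10.0.0.0", "10.0.0.255"),          # hosts behind the back firewall
    ],
}


def range_to_cidrs(first, last):
    """Expand an inclusive first-last address range into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def foreign_ranges(definitions, adapter_subnets):
    """Return (network, first, last) for each range not wholly on-link.

    A range is reported when any part of it lies outside the subnet of
    the adapter its network is bound to, including partial overruns.
    """
    findings = []
    for name, ranges in definitions.items():
        subnet = adapter_subnets[name]
        for first, last in ranges:
            blocks = range_to_cidrs(first, last)
            if not all(block.subnet_of(subnet) for block in blocks):
                findings.append((name, first, last))
    return findings


if __name__ == "__main__":
    for name, first, last in foreign_ranges(NETWORK_DEFINITIONS,
                                            ADAPTER_SUBNETS):
        print(f"{name}: {first}-{last} is outside the adapter subnet; "
              "confirm why it is defined on this network")
```

A flagged range is a prompt to find out who added it and why, as Richard did here, rather than proof of a misconfiguration.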
RE: Please help with server publishing problem - 23.Aug.2007 1:56:56 PM   
Rotorblade

 

Posts: 976
Joined: 27.Feb.2007
Status: offline
Good, glad to hear you got it working!

Cheers,

RB

(in reply to RScipione)
Post #: 7
