Welcome to ISAserver.org

Problems Publishing Multiple Websites on Multiple Servers with 1 External IP

Problems Publishing Multiple Websites on Multiple Serve... - 12.Oct.2009 8:05:46 PM   
link470

 

Posts: 18
Joined: 27.Jun.2007
Status: offline
Hello!  First off, I'm very new to ISA, I'm working with ISA 2006 Enterprise and have a couple questions.

The first question is, I'm trying to publish 3 internal servers with web services.  I wanted to use ISA 2006's Web Publishing feature originally to avoid the use of port forwards to other ports besides port 80 for websites hosted on other servers, I wanted all web based services to be hosted under 80 and 443 for SSL, regardless of what server it was hosted on inside, and for the correct domain to be forwarded to the correct server.

So here's what I've done so far, I've installed ISA 2006, and I've created a publishing rule.  I set the publishing rule to the published site website.com, and entered the computer IP address as the local IP address of the server since I'm using host headers within IIS.  For the Listener, I put the internal server name as the Listener name [this appears to be where I'm going wrong but I can't understand why...wait, see next paragraph], and set the Networks value to External, Port value to 80, HTTPS is disabled since this is for hosting public websites that don't have any HTTPS sections, authentication to No Authentication, and Always Authenticate to No.  In my mind, I should need to create a different web listener for each internal server+port combination?  So a new web listener for server1 on port 80, new for server2 on port 80, new for server2 on port 25 and port 110.  However, when I try to create the next listener for the next web server and port 80, I get an error message "a web listener specifying the same port and similar ip addresses is already used by rule [first server name I made the first listener name]". 

Now, as I type this, I'm going to make a guess as to what I did wrong.  Do I actually have to create ONE web listener per port on the external interface, and then set rules within the Firewall Policy Rules for each of the 10 websites or so on the first server and let those use the external port 80 listener, which means the external listener on port 80 will check those 10 rules and if a request matches for one of the websites it will send to the corresponding server?  I really hope I'm right :D

Next question is, since I use ISA 2006 Enterprise, is that Default Deny Rule there going to cause a problem?  I was able to add RDC rules, DHCP rules, and Web Access rules to the Enterprise policy so that the ISA server could access the internet for Windows Updates, I could RDC into the ISA server from my home network, and so that the ISA server's external interface could obtain an IP address from our ISP, but I can't apply publishing rules to an Enterprise rule.  How am I going to make those Publishing rules work?  Is there a way to completely ignore the Enterprise Policy and just use the Firewall Policies, hopefully WITHOUT having to reinstall ISA if possible to save time.

Thanks so much for any responses and being patient with my n00b questions.

Take care.


< Message edited by link470 -- 12.Oct.2009 8:11:37 PM >
Post #: 1
RE: Problems Publishing Multiple Websites on Multiple S... - 12.Oct.2009 9:29:50 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
For your first question, check http://support.microsoft.com/?kbid=885186

If your IIS host headers are configured with internal names then clear the "Forward the original host header..." option under the "To" tab of the publish rules. Otherwise, keep it checked.

For the second question, Enterprise policy is required to deploy policies throughout your ISA Array Servers. You need not apply policies at Enterprise level if you only have a single ISA Server. Create them at Array level.

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to link470)
Post #: 2
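
A simplified model of the setup discussed in the two posts above, added here as an illustration (it is not ISA Server code and was not posted by anyone in the thread): one web listener per external IP and port, shared by several publishing rules that are selected by the request's Host header, with the "Forward the original host header" option deciding which name the internal server sees. Class names, hostnames and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PublishingRule:
    public_name: str             # Host header the rule answers to
    server_ip: str               # internal web server (constructed address)
    internal_site: str           # site name entered on the rule's "To" tab
    forward_original_host: bool  # the "Forward the original host header" option

@dataclass
class WebListener:
    name: str
    rules: list = field(default_factory=list)  # ordered; first match wins

class Firewall:
    def __init__(self):
        self.listeners = {}  # (external_ip, port) -> WebListener

    def add_listener(self, name, ip, port):
        # A second listener on the same external IP and port is refused,
        # which is the error described in the first post.
        if (ip, port) in self.listeners:
            used_by = self.listeners[(ip, port)].name
            raise ValueError(f"{ip}:{port} already used by {used_by!r}")
        self.listeners[(ip, port)] = WebListener(name)
        return self.listeners[(ip, port)]

    def route(self, ip, port, host_header):
        listener = self.listeners.get((ip, port))
        # Drop an optional ":port" suffix; hostnames only, no IPv6 literals.
        host = host_header.partition(":")[0].strip().lower()
        for rule in (listener.rules if listener else []):
            if rule.public_name.lower() == host:
                # With the option cleared, the internal name is sent instead,
                # so it must match the IIS host-header binding.
                sent = host if rule.forward_original_host else rule.internal_site
                return ("allow", rule.server_ip, sent)
        return ("deny", None, None)  # no rule matched: default deny

def build_example():
    fw = Firewall()
    ext = fw.add_listener("External HTTP", "203.0.113.10", 80)
    ext.rules.append(PublishingRule("www.site-a.example", "10.0.0.11", "server1", True))
    ext.rules.append(PublishingRule("www.site-b.example", "10.0.0.12", "server2", False))
    return fw
```

A request whose Host header matches no rule's public name falls through to the deny result, so only the names that are explicitly published are reachable through the single external address.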
RE: Problems Publishing Multiple Websites on Multiple S... - 14.Oct.2009 12:28:14 AM   
link470

 

Posts: 18
Joined: 27.Jun.2007
Status: offline
quote:

For the second question, Enterprise policy is required to deploy policies throughout your ISA Array Servers. You need not apply policies at Enterprise level if you only have a single ISA Server. Create them at Array level.


Thank you very much for your reply!  I really appreciate your support.

I haven't tried Web Publishing yet.  I'd like to solve my deny rule at the enterprise level first.  First off, I am only running a single ISA 2006 Enterprise server, and if I create a rule for say, localhost [the ISA server] to access a local server behind it [since it's only protecting 7 servers and 3 will be published for web access, other published for other services] for say, RDP access from the ISA server to one of the servers behind it I'm testing, and I create that rule at the array level, and enable logging and watch what happens when I try to connect from ISA to the local server via RDP, ISA denies me and says the rule that's denying me is the default Deny rule.  However, if I make the exact same RDP allow rule within the Enterprise policies [Enterprise Access Rule], it works!

As of now, I have two rules.  One Array, one Enterprise.  They're identical.  Array uses RDP from LOCALHOST, to SERVER for ALL USERS.  So does the Enterprise Policy.  If I disable the Array?  Connection works.  Disable the Enterprise?  Connection fails.  Enable Array and keep Enterprise Disabled?  Connection failed.

The system is responding ONLY to Enterprise policies and whatever I place in Firewall policy rules is denied thanks to the overall Deny Default Rule in Enterprise policies.

Normally I wouldn't care and I'd just say screw it, I'll only make the policies under Enterprise then.  But that would defeat the purpose, because I need ISA for web publishing above all, and I can't publish servers via Enterprise, it has to be via an Array rule.

Any help on that would be greatly appreciated.  Thanks!

(in reply to inderjeet)
Post #: 3
RE: Problems Publishing Multiple Websites on Multiple S... - 14.Oct.2009 9:15:44 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Did you install both Firewall and the Configuration Storage Server on the same ISA box?

Actually, the behavior you described is not how it works. There is a misconfiguration in ISA which is blocking the Array level policies from triggering. Can you see that ISA Server under the "servers" option under the "Array" you created? Can you share some more details on how your ISA is configured currently (not the rules)?

(in reply to link470)
Post #: 4
RE: Problems Publishing Multiple Websites on Multiple S... - 14.Oct.2009 9:25:38 PM   
link470

 

Posts: 18
Joined: 27.Jun.2007
Status: offline
quote:

ORIGINAL: inderjeet

Did you install both Firewall and the Configuration Storage Server on the same ISA box?

Actually, the behavior you described is not how it works. There is a misconfiguration in ISA which is blocking the Array level policies from triggering. Can you see that ISA Server under the "servers" option under the "Array" you created? Can you share some more details on how your ISA is configured currently (not the rules)?


Sure no problem!  Thanks for your continued support.

At the moment, ISA 2006 Enterprise is installed on one system with both the Configuration Storage Server and ISA on the same box.  When I open ISA Server Management on the box, I can see Enterprise rules along the side as well as the current server directly under Arrays, and all the options for that.  I'm able to edit those options no problem, as well as the Enterprise Policies.  I'm doing this all under local administrator for now so I can learn how the software works and get it up and running.  I'll fine tune the permissions later once I solve these initial issues.  I only expect to need a single ISA box, so the configuration server and ISA are both operating on the same system.  That's all it does, 2 NICs, ISA 2006, Edge Firewall.  The system is not part of a domain [yet].

If I go to Arrays>Computer Name>Configuration>Networks, I have the system set up as an Edge Firewall, since that's what it will be doing, acting as a Firewall for servers behind it.

I only have a few policies at the moment in there.  All of which are under Enterprise since if I make one under Array, it doesn't appear to do anything.  I have allow web access from local host to external, so the ISA firewall can access Microsoft Update and antivirus updates.  I have Allow Remote Desktop from my home network to local host, so that I can access the ISA server remotely to work on it, and I have allow DHCP, which enables the ISA server to pull an IP address from our ISP [it's dynamic for now, but with the ISP we have, I've had the same "dynamic" address for the last 4 years on my other networks so I'm not worried about losing that anytime soon, this is just for testing while I get er running].  All of those initial policies are "Enterprise Policy Rules Applied After Array Firewall Policy" with nothing in Array [since I've cleared them all and they don't appear to do anything so far] and nothing Applied Before Array.

Those are literally the only configurations I have in place on the box.  I don't think I've done anything else except for define an internal network of a range of 10 IPs [only 7 servers], and defined a Computer by putting a description to an IP address so I can use it in rules.  But so far, that's everything that I know of.

Please let me know if you need more information, thanks so much!


< Message edited by link470 -- 15.Oct.2009 4:01:45 AM >

(in reply to inderjeet)
Post #: 5
