Welcome to ISAserver.org
Publishing SSH Server
Publishing SSH Server - 13.Jan.2006 5:24:37 PM
gatorz
Posts: 17
Joined: 28.Feb.2004
Status: offline

I am running ISA2k4EE and am having a problem publishing an SSH server. I have created the protocol rule Port 22 TCP Inbound and set up the publishing rule. When I try to SSH to the listener on the firewall I get a Denied Connection by the [enterprise] default rule. Any ideas?

RE: Publishing SSH Server - 16.Jan.2006 2:32:00 PM
gatorz
Posts: 17
Joined: 28.Feb.2004
Status: offline

For this server there are no other protocols besides SSH and it's a SecureNAT client. Additional info: I have multiple web servers published which work fine, but for some reason I can't get any other protocol to publish. For testing purposes I tried the syslog protocol and received the same message in the logs.

RE: Publishing SSH Server - 17.Jan.2006 2:52:00 AM
rennera
Posts: 6
Joined: 15.Dec.2005
Status: offline

I have the same setup... I set up the SSH protocol as you did with port 22 Inbound. I find a lot of times I have to restart the Firewall service to make it actually work... not sure why but that may help. That worked for me...

RE: Publishing SSH Server - 23.Jan.2006 3:07:42 PM
gatorz
Posts: 17
Joined: 28.Feb.2004
Status: offline

Restarting the services didn't work so I actually went ahead and bounced the box. I still have the same problem. I still get the same result: Denied Connection by the [Enterprise] Default Rule. In addition, the protocol labeled in the log files indicates an outbound protocol. I have double-checked the publishing rule and it is set up as port 22 inbound. I am really puzzled and any help would be gladly appreciated.

RE: Publishing SSH Server - 24.Jan.2006 11:18:35 PM
Ibux
Posts: 5
Joined: 24.Jan.2006
Status: offline

Unless you've done this already: You have to create an access rule for SSH as well. Try "all networks (and local host)" on both "to" and "from", and then tighten if it works :-)

That said; I can't get SSH to work myself.. I've created
* the access rule
* the protocol rule
* the publishing rule

It seems as though I'm having a problem with the publishing rule; SSH-requests arrive at the ISA-server but aren't forwarded to my SSH-server. I get no "denied connection" in the log.

Normal behaviour would be that
* the SSH-request arrives at the ISA-server
* the ISA-server establishes a connection between itself and the SSH-server
* the SSH-requests are then forwarded to this connection

My problem seems to be that I don't get the connection established. Any help or suggestions would be much appreciated.

RE: Publishing SSH Server - 25.Jan.2006 4:21:51 PM
gatorz
Posts: 17
Joined: 28.Feb.2004
Status: offline

No dice on your suggestion. I have noticed that if I change the network relation to NAT instead of Route the publishing rule works. But in my situation I can't have it this way because of the number of access rules I need to have. Another oddity is that on ISA2k4 STD the server publishing rules work whether the network relation is NAT or Route, but on ISA2k4EE (which is what I need it to work on) the server publishing rules only work with a NAT network relationship. Has anybody run across this?

RE: Publishing SSH Server - 25.Jan.2006 6:23:18 PM
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline

Hi Gatorz,

You mentioned:
“Another oddity is that on ISA2k4 STD the server publishing rules work whether the network relation is NAT or route but on ISA2k4EE (which is what I need it to work on) the server publishing rules only work with a NAT network relationship.”

THAT IS WRONG. On both ISA 2k4 SE and EE the server publishing will not work if the relation between External and Internal is Route. The rule is not valid for web publishing - the web publishing will work.

Titus

RE: Publishing SSH Server - 25.Jan.2006 9:55:56 PM
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline

Come on guys, let’s be realistic here.

Stefaan, on that link is mentioned:
“Server publishing rules publishing a server in B to clients in A work if the address relationships is ROUTE A/B or if it is NAT B→A.”
And after that:
“Yes, you read that last point right: server publishing rules can operate when the address relationship is ROUTE. It works as you’d expect: the client connects to the server’s actual address (and not the publishing address on the ISA Server machine, although that might also work in some cases).”

Now let’s talk about a case where we have a Route relation between network B (external - public) and network A (internal - private).

I WANT TO SEE HOW AN EXTERNAL CLIENT (WITH A PUBLIC IP ADDRESS) WILL BE ABLE TO CONNECT TO A SERVER THAT IS HAVING A PRIVATE IP ADDRESS.

And yes, this can work when the server behind ISA is having a public IP address – but how many configurations are having public addresses internal?

Titus

RE: Publishing SSH Server - 25.Jan.2006 10:08:06 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Titus,

why are you still thinking in the black/white networking model of ISA 2000? What if you have a public DMZ, or another private DMZ that needs to talk to another private segment, or ... ?

HTH, Stefaan

RE: Publishing SSH Server - 25.Jan.2006 10:39:26 PM
Ibux
Posts: 5
Joined: 24.Jan.2006
Status: offline

A realistic scenario:

The ISA-server has two NIC's - 192.168.1.4 and 192.168.1.5.
* 192.168.1.4 is connected to the internet
* 192.168.1.5 is connected to the internal LAN

The SSH-server has the address 192.168.1.8

How, in your opinion, should this be configured on the ISA-server? I've spent hours and hours on this, and I just can't figure it out :(

It seems as though the SSH-requests are dropped at the ISA-server (since it obviously isn't running an SSH daemon) instead of being forwarded to the SSH-server.

That said - I also have http running on the same box as SSH - and that's published and working just fine..

RE: Publishing SSH Server - 25.Jan.2006 10:49:28 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Ibux,

quote:
The ISA-server has two NIC's - 192.168.1.4 and 192.168.1.5.
192.168.1.4 is connected to the internet
192.168.1.5 is connected to the internal LAN

Sorry, but this is an unsupported configuration! Each NIC in an ISA server must belong to a different network ID (subnet).

HTH, Stefaan

RE: Publishing SSH Server - 25.Jan.2006 11:04:49 PM
Ibux
Posts: 5
Joined: 24.Jan.2006
Status: offline

Hi Stefaan,

My bad, I was trying to simplify. 192.168.1.4 is connected to an ISP-router. The ISP-router has two addresses:
* xxx.xxx.xxx.xxx - internet
* 192.168.1.1 is connected to 192.168.1.4 (ISA-server)

So basically all traffic arrives at the ISP-router and is then forwarded to the ISA-server NIC 192.168.1.4. Legal traffic is sent to 192.168.1.5 and passed on to the LAN.

But how to set up SSH..?

RE: Publishing SSH Server - 26.Jan.2006 12:06:17 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Ibux,

but if I understand you correctly the following is still true, right?

quote:
ISA External interface = 192.168.1.4
ISA Internal interface = 192.168.1.5

If that's the case, it will never work!

HTH, Stefaan

RE: Publishing SSH Server - 26.Jan.2006 9:53:08 AM
Ibux
Posts: 5
Joined: 24.Jan.2006
Status: offline

Hi Stefaan,

Yes, the configuration

quote:
ISA External interface = 192.168.1.4
ISA Internal interface = 192.168.1.5

is true. More specific:

ISA External interface:
* IP 192.168.1.4
* Subnet 255.255.255.0
* Default gw 192.168.1.1

ISA Internal interface:
* IP 192.168.1.5
* Subnet 255.255.255.0
* Default gw is set up without any value

I've got a webserver on the inside (192.168.1.8 - same as SSH-server), which is accessible from the Internet using a publish rule, so that's working.

But you mean this won't work for SSH?

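The interface overlap discussed in the posts above, as an added example that is not part of any post in this thread: a Python check that flags NICs sharing a network ID and shows that the published server's address is on-link for both of them. The interface and server addresses are the ones posted above; the function names and the 10.0.0.0/24 alternative plan are assumptions constructed for the illustration.

```python
import ipaddress
from itertools import combinations

# Interface values as posted in the thread for the ISA server's two NICs.
INTERFACES = {
    "external": {"ip": "192.168.1.4", "mask": "255.255.255.0"},
    "internal": {"ip": "192.168.1.5", "mask": "255.255.255.0"},
}
PUBLISHED_SERVER = "192.168.1.8"  # SSH/web server address from the thread

# Constructed alternative plan (assumption): internal side moved to 10.0.0.0/24.
FIXED = {
    "external": {"ip": "192.168.1.4", "mask": "255.255.255.0"},
    "internal": {"ip": "10.0.0.1", "mask": "255.255.255.0"},
}
FIXED_SERVER = "10.0.0.8"


def subnet_of(nic):
    """Return the network ID (subnet) that a NIC's address and mask define."""
    return ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}").network


def overlapping_nics(interfaces):
    """Return pairs of NIC names whose subnets overlap."""
    nets = {name: subnet_of(nic) for name, nic in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def nics_on_link(interfaces, host):
    """Return the NICs that treat `host` as directly reachable (on-link)."""
    addr = ipaddress.ip_address(host)
    return sorted(n for n, nic in interfaces.items() if addr in subnet_of(nic))


def audit(interfaces, server):
    """Collect findings for a multi-homed firewall's interface plan."""
    findings = []
    for a, b in overlapping_nics(interfaces):
        findings.append(f"{a} and {b} share subnet {subnet_of(interfaces[a])}")
    owners = nics_on_link(interfaces, server)
    if len(owners) != 1:
        findings.append(f"{server} is on-link for {owners}; expected one NIC")
    return findings


if __name__ == "__main__":
    for finding in audit(INTERFACES, PUBLISHED_SERVER):
        print("FINDING:", finding)
    print("constructed fixed plan:", audit(FIXED, FIXED_SERVER) or "no findings")
```
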
RE: Publishing SSH Server - 26.Jan.2006 2:05:53 PM
Ibux
Posts: 5
Joined: 24.Jan.2006
Status: offline

Hi Stefaan, you're absolutely right :) I've changed my network setup and now it's all working like a charm :) Thanks a bunch!

RE: Publishing SSH Server - 26.Jan.2006 3:40:59 PM
gatorz
Posts: 17
Joined: 28.Feb.2004
Status: offline

Stefaan, thanks for the link on Access Policy Rules vs. Server Publishing Rules. After reading that article I got it working using a Route relationship.

RE: Publishing SSH Server - 26.Jan.2006 10:44:09 PM
rfleites
Posts: 13
Joined: 9.Jun.2005
From: Miami, FL
Status: offline

Gatorz, I am having the same issue. How did you get it to work? I read the article, but can't make any sense out of it.