Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Publishing to 3 servers
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Publishing to 3 servers - 26.Jul.2007 6:45:30 AM
|
|
|
carwynnott
Posts: 12
Joined: 19.Jun.2007
Status: offline
|
This is my setup-
One ISA 2004 server with 4 NICs...
- LAN - 172.16.1.0 for internal network
- WAN - 10.37.213.1 for publishing to server1
- WAN2 - 10.37.213.2 for publishing to server2
-WAN3 - 10.37.213.3 for publishing on server3
I am publishing various ports on these servers not just HTTP and HTTPS.
Server2 and server3 have two Nics and are also accessible externally from a different link via a cisco router. The 2nd public address is 87.7.7.?
So I have two external IP that can access two internal servers.
Now this works apart from once a day I get this error-
"Routing (chaining) failure ISA Server detected a proxy chain loop"
and the outgoing web browsing stops, so I restart the firewall service to get it going again.
Should I be using Just ONE External Nic on ISA with 3 IP on same card?
Should I be adding the 87.7.7.? range somewhere in ISA?
Many Thanks
|
|
|
|
|
RE: Publishing to 3 servers - 26.Jul.2007 10:28:11 AM
|
|
|
Rotorblade
Posts: 973
Joined: 27.Feb.2007
Status: offline
|
quote:
Should I be using Just ONE External Nic on ISA with 3 IP on same card?
Should I be adding the 87.7.7.? range somewhere in ISA?
Basically in a nut shell your configuration is very flawed. ISA does not support multiple gateways. Going to 1 external facing NIC and assigning additional IP’s will fix part of the problem. The other issue is that Servers 2 and 3 are multi-homed as well which is not going to work. If you are publishing, the routing path will need to be through the ISA server and with multiple gateways (Cisco router GW to Internet); packets will be dropped by ISA because the 87.7.7.x network is not known to the ISA. The rule is, In through ISA out through ISA!
http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx
HTH
RB
|
|
|
|
|
RE: Publishing to 3 servers - 26.Jul.2007 11:05:40 AM
|
|
|
carwynnott
Posts: 12
Joined: 19.Jun.2007
Status: offline
|
OK if I want to publish multiple server with there individual public IPs then I need to publish these IP on a single WAN card on ISA.
OK I will give that a try, didn't work the last time I did it but will give it another go.
u wrote---
The other issue is that Servers 2 and 3 are multi-homed as well which is not going to work. If you are publishing, the routing path will need to be through the ISA server and with multiple gateways (Cisco router GW to Internet); packets will be dropped by ISA because the 87.7.7.x network is not known to the ISA. The rule is, In through ISA out through ISA! ---
It does work, well for a bit anyway, the way I see it servers 2 and 3 have 2 NICS one for LAN and one for WAN. The WAN cards are on Cisco router and the LAN card are used for internal administration, testing and our ISA server publishing to this card as a backup.
As far as server2&3 is concerned the ISA requested appears to be from LAN anyway and the Cisco requests are uninterrupted. There doesn't appear to be an issue with servers 2 and 3 but maybe what you are saying is that ISA will not publish to a multi homed server? Is this true?
All ISA traffic is going and out of ISA. All Cisco traffic is going in and out of the Cisco router, so why would the ISA router need to know the 87.7.7.x network since this is only used by the Cisco router and the WAN card of Server 2 and 3.
Thanks for the quick reply your help is truly appreciated.
|
|
|
|
|
RE: Publishing to 3 servers - 26.Jul.2007 5:13:45 PM
|
|
|
Rotorblade
Posts: 973
Joined: 27.Feb.2007
Status: offline
|
This is a bit off subject but if I understand you correctly, how are you protecting your servers and internal domain with this type of configuration? Just thought I would throw that out and ask. Not a very secure solution from my view point.
quote:
All ISA traffic is going and out of ISA. All Cisco traffic is going in and out of the Cisco router, so why would the ISA router need to know the 87.7.7.x network since this is only used by the Cisco router and the WAN card of Server 2 and 3.
I guess the answer would depend on if the servers are routing between both networks. If packets are traversing across and going through the ISA server, they will be dropped. I can’t envision this ever working correctly. How do you properly resolve DNS lookups, internal domain and Internet? Through ISA or the other network WAN access? I would think that you are also experiencing DNS issues. Are the published servers configured as SecureNAT clients? Have you done any network or ISA monitoring to see if you are flooding network and the ISA firewall service to a point of failure?
HTH
RB
|
|
|
|
|
RE: Publishing to 3 servers - 27.Jul.2007 4:43:08 AM
|
|
|
carwynnott
Posts: 12
Joined: 19.Jun.2007
Status: offline
|
No servers 2and3 are not routing between network. I will call them LAN and Cisco networks. They simply have two IPs for access from both networks.No DNS issues.
I see your point now in order to publish to two routers the server would need two gateways. Now that you spell it out to me I'm not sure how it works at all.
Can you recommend any Load-balancing WAN routers?
What about this one http://www.peplink.com/products/balance-380/
Or can you recommend another way to have two links with one either as passive or active standby, or maybe a way to load-balance?
Cheers
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
