Welcome to ISAserver.org

Server Publishing rule won't enable on Internal network IP

Server Publishing rule won't enable on Internal network IP - 21.Dec.2006 12:05:46 AM   
olivero
Posts: 42
Joined: 23.Oct.2003
Hi all,

I have a 2004 Ent server that is publishing a non-standard port SSL Tomcat web site via a Server Pub rule. The rule is configured to publish on both the External network (primary IP or 3) and the Internal network (secondary IP of 2).

The rule works when I connect via the External network (whether I'm inside or outside the network), but not when I attempt a connection via the Internal network.

If I telnet to 10.10.10.1:443, I don't get a connection, whereas I do when I telnet to the external IP.

It seems as if the rule didn't activate on the second network.

Any ideas would be much appreciated!

Thanks,
Oliver
Post #: 1
RE: Server Publishing rule won't enable on Internal net... - 27.Dec.2006 11:03:04 AM   
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
That's correct. It can't work (basic network) from the internal network clients. Configure a split DNS to support this solution.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to olivero)
Post #: 2
RE: Server Publishing rule won't enable on Internal net... - 27.Dec.2006 5:50:46 PM   
olivero
Posts: 42
Joined: 23.Oct.2003
Hi Tom,

Thanks for the reply. In fact, I have a split DNS architecture set up and working. At the moment, I've got the internal DNS pointing to the External IP of ISA because if I point it to the Internal IP of ISA, I don't get a response. To work around this, I've added a HOSTS entry on the ISA box that points to the internal IP address of the server that is hosting the Tomcat web site. This allows ISA to resolve the FQDN of the site (the same name as appears on the cert.) to an internal IP so that it can be published, otherwise ISA would just resolve the name back to its own External IP. This works, but Internal clients are using the External IP of ISA as a result. I would prefer if they could use the Internal IP instead. I might have missed something else, but I don't think so.

Thanks,
Oliver

(in reply to tshinder)
Post #: 3
RE: Server Publishing rule won't enable on Internal net... - 28.Dec.2006 11:53:39 AM   
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
With a split DNS, internal hosts will resolve the names of the internal resources to the actual IP address of the resource and bypass the ISA Firewall.

HTH,
Tom


(in reply to olivero)
Post #: 4
RE: Server Publishing rule won't enable on Internal net... - 28.Dec.2006 12:20:56 PM   
olivero
Posts: 42
Joined: 23.Oct.2003
Hi Tom,

True, but not if I've given the internal resources an alias (CNAME in DNS). This also doesn't explain why the ISA box isn't allowing me to telnet to port 443 of its Internal IP. Don't forget, the ISA box has a HOSTS entry that would cause it to locate the correct internal IP of the internal server. This mechanism works for the publishing rule on the External IP.

So to recap:

1) Internal DNS has a CNAME that points to the actual internal host.
2) The cert. used on the web server has the FQDN of this CNAME assigned to it (it works for the external IP).
3) The ISA box has multiple IPs on the External and Internal interfaces, one of which is being used for publishing this site.
4) The ISA box has a HOSTS entry that points the FQDN to the internal IP of the actual host that is running the Tomcat server. This allows ISA to find it correctly.
5) I can telnet to the port 443 of the External IP, but not port 443 of the Internal IP.

Thoughts?! :)

Thanks!
Oliver

(in reply to tshinder)
Post #: 5
RE: Server Publishing rule won't enable on Internal net... - 28.Dec.2006 12:33:56 PM   
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
ISA Firewall, NOT "ISA box".

Make sure your split DNS is configured so that the connections from internal hosts are not looped back through the ISA Firewall.

Is this the problem?

What are the EXACT names and DNS RRs you are using for your split DNS in the internal and external zone files?

Tom


(in reply to olivero)
Post #: 6
RE: Server Publishing rule won't enable on Internal net... - 28.Dec.2006 12:53:28 PM   
olivero
Posts: 42
Joined: 23.Oct.2003
Hi Tom,

First, the network is routed, and all the servers are in their own subnet. All the workstations and other resources are in a number of other subnets. All subnets can route to all servers and the Internet without any issues. The only two servers that communicate directly within the same subnet are the "ISA Firewall" :) and the "Tomcat Web Server". The internal DNS server is in the same subnet as the ISA Firewall and the Tomcat Web Server. Everyone/thing can query without problems.

Tomcat Web Server Host name is sryulwis0comx01, this is autoregistered in internal DNS. It also has a CNAME in internal DNS called mailq. The CNAME points to sryulwis0comx01. CORRECTION ---> At some point I changed this to an A record which points mailq to the secondary IP on the Internal interface of the ISA Firewall. It can't be a CNAME otherwise it would point to the wrong address. I flushed all DNS caches after doing this. The rest of this message contains accurate information, based on this configuration.

Tomcat Web Server's Host name sryulwis0comx01 is in the external DNS zone file but it points to the primary IP on the ISA Firewall. This doesn't matter however, because the Tomcat site never sends its actual Host name, and External access to the rule is working anyway. The external zone file also has a mailq A record that points to the secondary External IP on the ISA Firewall. The Server Publishing rule uses the secondary IPs exclusively, to publish the Tomcat Web Server.

ISA Firewall is using internal DNS for name resolution, but it also has a HOSTS entry for mailq. This entry points mailq to the internal IP of the Tomcat Web Server.

From all internal servers and workstations, I can ping sryulwis0comx01 and get the internal IP of the Tomcat Web Server. From all internal servers and workstations (except the ISA Firewall) I can ping mailq and get the secondary internal IP of the ISA Firewall. From the ISA Firewall, I can ping mailq and get the internal IP of the Tomcat Web Server.

From the internet, I can telnet to mailq:443. From anywhere on the Internal Network (except from the ISA Firewall), I CANNOT telnet to mailq:443 (it resolves to the secondary IP of ISA, but doesn't open the session because the session is not available). From the ISA Firewall, I can telnet to mailq:443 (because of the HOSTS entry).

Does this help?

Thanks, Tom.
Oliver 

< Message edited by olivero -- 28.Dec.2006 5:44:16 PM >

(in reply to olivero)
Post #: 7
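The split-DNS point Tom raises in post #6 and the zone layout Oliver describes in post #7 can be checked mechanically. The script below is an added illustration for this thread, not ISA code or anything either poster ran: it models the internal and external zones as small dictionaries (record contents constructed from the thread; the Tomcat host IP, the external addresses and the "intranet" alias are assumptions) and flags internal-zone names whose final answer is a firewall address, which is exactly the hairpin the advice says a split DNS should avoid.

```python
"""Lint a split-DNS layout for names that send internal clients back
through the firewall. Added example for this thread; zone data is
constructed and every IP except 10.10.10.1 (from the thread) is assumed."""
from typing import Dict, Optional, Set, Tuple

Zone = Dict[str, Tuple[str, str]]   # name -> ("A", ip) or ("CNAME", target)

# Internal zone as the thread describes it: mailq is an A record aimed at the
# ISA Firewall's secondary internal IP rather than at the Tomcat host.
INTERNAL_ZONE: Zone = {
    "sryulwis0comx01": ("A", "10.10.10.50"),   # Tomcat host (assumed IP)
    "mailq": ("A", "10.10.10.1"),              # ISA secondary internal IP
    "intranet": ("CNAME", "sryulwis0comx01"),  # assumed healthy alias
}
# External zone: both names answer with ISA's external addresses (assumed).
EXTERNAL_ZONE: Zone = {
    "sryulwis0comx01": ("A", "203.0.113.10"),
    "mailq": ("A", "203.0.113.11"),
}
FIREWALL_IPS: Set[str] = {"10.10.10.1", "10.10.10.2", "203.0.113.10", "203.0.113.11"}


def resolve(zone: Zone, name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAME chains inside one zone; None on dangling or looping names."""
    seen: Set[str] = set()
    for _ in range(max_hops):
        if name in seen or name not in zone:
            return None
        seen.add(name)
        rtype, value = zone[name]
        if rtype == "A":
            return value
        name = value                      # CNAME: keep chasing the target
    return None


def loopback_names(internal: Zone, firewall_ips: Set[str]) -> list:
    """Internal-zone names whose answer is a firewall IP: clients using them
    hairpin through the firewall instead of reaching the resource directly."""
    return sorted(n for n in internal if resolve(internal, n) in firewall_ips)


def split_ok(internal: Zone, external: Zone, name: str, firewall_ips: Set[str]) -> bool:
    """True when a name is properly split: the inside answer is not a firewall
    address and differs from the outside answer."""
    inside, outside = resolve(internal, name), resolve(external, name)
    return inside is not None and inside not in firewall_ips and inside != outside


if __name__ == "__main__":
    print("hairpinned names:", loopback_names(INTERNAL_ZONE, FIREWALL_IPS))
```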
RE: Server Publishing rule won't enable on Internal net... - 2.Jan.2007 1:38:31 PM   
olivero
Posts: 42
Joined: 23.Oct.2003
Hi Tom,

I just wanted to follow up with you after the holidays. Is this what you were looking for? Do you need more information?

Thanks,
Oliver

(in reply to olivero)
Post #: 8