Welcome to ISAserver.org

Server publishing behind VPN/IPSEC connection

Server publishing behind VPN/IPSEC connection - 5.Sep.2006 11:53:59 AM   
gijsbert

 

Posts: 24
Joined: 5.Nov.2004
Status: offline
Hi,

I have a (working) VPN/IPSEC tunnel with a partner. I want to publish an internal (FTP) server to users in the partner's network at the other end of the IPSEC tunnel (our internal addresses are not routed in the partner's network). I presume I have to define the network relation as NAT (from inside to IPSEC network), but I also tried all kinds of other combinations, nothing worked. I presume the issue is with the listener. When defining the server publishing rule with the IPSEC network as the listener network I cannot specify an IP address to listen on.

How to do this? Or am I trying to do something that is not supported?

Gijsbert
Post #: 1
RE: Server publishing behind VPN/IPSEC connection - 8.Sep.2006 2:52:37 PM   
hennish

 

Posts: 26
Joined: 1.Dec.2004
Status: offline
Good question! I'm having the exact same issue at my customer. Actually, I've never really understood how server publishing rules are supposed to work. When using web publishing rules, all you have to do is create a listener which binds to an IP address. How does one accomplish that using server publishing rules?

/Anders

(in reply to gijsbert)
Post #: 2
RE: Server publishing behind VPN/IPSEC connection - 8.Sep.2006 3:52:38 PM   
gijsbert

 

Posts: 24
Joined: 5.Nov.2004
Status: offline
Basically there is not much difference between a web and a server publishing rule. In both cases you define a network that is listened on, possibly allowing all IP addresses used by the interface for that network or a single IP address. In the case of a web publishing rule via a web listener, in the case of a server publishing rule directly.

I guess my problem is that I don't have, in the case of a VPN network, an interface address to listen on, both in the case of a web as well as a server publishing rule.

Gijsbert

(in reply to hennish)
Post #: 3
RE: Server publishing behind VPN/IPSEC connection - 18.Dec.2006 7:42:04 AM   
Polom

 

Posts: 2
Joined: 5.Apr.2006
Status: offline
Hi gijsbert, hennish,

I have the same problem and I guess we are many in the same situation.

My company is using numerous VPN tunnels to support our customers. The traffic between these "remote sites" and us is translated so that our internal networks remain hidden. Therefore, the only IP seen by our customer's firewalls is our primary public IP (the first IP on the external NIC, I think there's no way to change that behaviour).

We are also using ISA to protect our SMTP server and of course, its outbound IP address is the same (I don't think there's a way to configure ISA to provide a host or subnet with a different outbound public IP).

Therefore when one of our customers is trying to send us a message, it tries to pass thru the VPN tunnel and fails. Like you I haven't found a way to publish the SMTP server.

Any help would be greatly appreciated!

Best regards,
Polom.

(in reply to gijsbert)
Post #: 4
RE: Server publishing behind VPN/IPSEC connection - 18.Dec.2006 10:35:42 AM   
gijsbert

 

Posts: 24
Joined: 5.Nov.2004
Status: offline
Hi Polom,

For regular SMTP users, coming from the public Internet, publishing your SMTP server on the same ISA server as used for your VPN connections is not a problem of course. But publishing the SMTP server for your customers behind the VPN connections is, using the same ISA server, as far as I know, indeed not possible.

I haven't yet checked ISA2006 on this though.

Greetings,

Gijsbert


(in reply to Polom)
Post #: 5
RE: Server publishing behind VPN/IPSEC connection - 19.Dec.2006 3:36:41 AM   
Polom

 

Posts: 2
Joined: 5.Apr.2006
Status: offline
Hi Gijsbert,

Thank you for your answer.

If making an SMTP server accessible thru a translated site to site connection is not supported, we are facing a very annoying ISA shortcoming, since using the external interface's primary outbound IP address is mandatory in both cases (NAT and SMTP publishing).

The other ISA / Windows Server drawbacks I noticed are:

- The HUGE amount of largely useless IPSec specific filters that are generated must be parsed by the system for each packet. The more NICs and remote sites, the more filters: if you have many VLANs and remote sites it can quickly become a problem.

- The impossibility to assign an outbound IP address to a server or to a translated VPN tunnel.

- The impossibility to create "rules containers"; it would help browsing the rules when they are numerous.

I think I'll have to use a Pix in parallel to my ISA as a workaround.

Best regards,
Polom.

< Message edited by Polom -- 19.Dec.2006 10:22:20 AM >

(in reply to gijsbert)
Post #: 6
