Server publishing in route mode
Server publishing in route mode - 17.Mar.2008 12:58:34 AM
chilait
Posts: 18
Joined: 21.Feb.2003
Status: offline
Are server publishing settings the same in route mode and in NAT mode? We have a DNS publishing rule that works very well in NAT mode; however, we have to switch to route mode because of a change in the internal structure. The rule doesn't work in route mode anymore. In the logging, I can't see the traffic hit the rule; it goes directly to the default deny rule. Does it still need a listener in route mode? If the real IP is used in route mode, what is the listener used for?
RE: Server publishing in route mode - 17.Mar.2008 3:43:19 PM
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline
What is the DNS server configuration for the machines that are using the DNS publishing rule? I bet you that is the IP of the ISA machine. Change the DNS server for those machines to point to the IP address of the internal DNS server.

Titus
RE: Server publishing in route mode - 18.Mar.2008 5:20:28 AM
chilait
Posts: 18
Joined: 21.Feb.2003
Status: offline
Then the external IP of the ISA server is set in the rule but is actually of no use?
RE: Server publishing in route mode - 18.Mar.2008 5:56:24 AM
Jason Jones
Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
When doing server publishing with a route relationship, you need to configure the network listener to listen on all IP addresses (on the appropriate interface) and then define the actual server address of the server you wish to publish. It looks a little weird, but this is how it needs to be defined for routing. What ISA does in this scenario is essentially listen on the interface for connections to the real address and then use something called "port stealing" to make everything work.

Shout if you are still struggling...

Cheers
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Server publishing in route mode - 18.Mar.2008 10:10:23 AM
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline
Chilait,

I’m trying to guess your configuration here. My last comment was based on the presumption that you have some machines on a DMZ or another trusted network, and you are publishing the internal DNS for the DMZ (trusted network) machines. Based on your question, it seems that you are publishing the DNS on the external interface. Can you give us more info about your configuration?

For Jason, what about this scenario:

- 1 machine on DMZ zone – the DNS of that machine is pointing to the ISA DMZ IP
- The published DNS server on the Internal network
- Route relation between DMZ and Internal network
- Server publishing of the internal DNS server (listener configured on all ISA DMZ IP)

In this scenario the DMZ machine cannot access the internal DNS server. Looking at the ISA log I see an entry – default denied – from DMZ to Local Host. The only solution I found in this case was to configure the DNS of the DMZ machine with the IP address of the internal DNS server.

Based on this scenario I advised Chilait to change the DNS configuration – but it seems that his scenario is different. What do you think?

Titus
RE: Server publishing in route mode - 19.Mar.2008 12:38:09 AM
chilait
Posts: 18
Joined: 21.Feb.2003
Status: offline
I think TitusHoc's telling the situation. I'll test it during the holidays. All I want to know is: in route mode, is it necessary to use separate listeners at all?
RE: Server publishing in route mode - 19.Mar.2008 11:01:34 AM
Jason Jones
Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
No, each publishing rule will listen on the same interface. ISA then matches the incoming request to the appropriate server published "real" address and does the port stealing magic!