Strangeness with new Server Publishing Rule
Strangeness with new Server Publishing Rule - 25.Sep.2008 5:55:06 AM
brummy21
Posts: 3
Joined: 25.Sep.2008
Status: offline
Hi,

This is my first post here so apologies in advance if I don't get it quite right.

We have a small LAN with ISA2006 operating as web proxy and perimeter firewall, recently updated to SP1. We publish Exchange 2007 OWA, Exchange ActiveSync, Sharepoint 2007. Everything works fine for our internal LAN.

We have a sister company whose network we want to link to ours with ISA as their proxy/firewall also. As we want to manage traffic between the LANs and utilise our ISA server to the full, I've installed an additional NIC (2 already - Internal and External) with an address on a different subnet. I've added an additional "Internal" network to ISA networks config (as the sister LAN is also "trusted"), created a 'Route' rule between the networks and a 'NAT' rule from the new network to 'External' for their internet access. Our LAN is 192.168.0.0/24 and theirs is 192.168.100.0/24.

Based on Tom's guidelines from "Configure ISA2004 as a Network Services Segment Perimeter Firewall", I created a rule to publish our primary DNS server (Windows 2003 R2 DC, forwarding to our ISP's DNS servers). I selected DNS Server protocol and chose "From" the sister LAN in the Networks list.

When I saved the new rule and examined the properties I was surprised to see that the new DNS server publishing rule was 'Listening' from 'Everywhere' and not just the sister LAN's private IP address range. I certainly don't want to publish our internal DNS server to the world! If I edit the rule, removing 'Anywhere' listener and replacing with the sister LAN, the rule then shows as intended.

On our ISA 2006 this is entirely repeatable behaviour - every time I create a server publishing rule selecting the additional internal network from the list (but not the default 'Internal' network) the rule saves as listening from "Everywhere".

Is this right, am I being thick here or is this an oddity?
_____________________________
Mike
RE: Strangeness with new Server Publishing Rule - 14.Oct.2008 8:21:02 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike, If you've got a route relationship between the source and destination network, why are you creating a Server Publishing Rule instead of an Access Rule? Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8