Unihomed DMZ Exchange SMTP
Unihomed DMZ Exchange SMTP - 24.Jun.2008 4:50:28 AM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
I’m no expert on ISA and have to admit I don’t like it. I’ve been playing around with it for 3 weeks and can’t get it to work the way I want. Let me explain my problem: Right, I have a hardware-based router & firewall (Domestic Netgear DG 834). I’m using dynamic DNS to host my public domain. I have ISA 2006 set up within the Router's DMZ. I have Sharepoint 2007 & Exchange Server 2003 on a Windows domain that shares the same subnet as the DMZ. If I allow SMTP port forwarding on the Hardware Router to the Exchange server directly…no problem. If I remove this entry...it's forwarded to the DMZ. I ran the wizard for SMTP etc. to point to the Exchange server using Internal, Everywhere etc. as the listener. As I understand it from the forums, I can’t forward emails through this, as it's uni-homed, to the Exchange server. If I place two network cards on the ISA server and have one within the DMZ, could I configure it to forward emails? I can't remove the hardware router from the equation, as the client won't allow it. Is there a workaround?
RE: Unihomed DMZ Exchange SMTP - 24.Jun.2008 9:55:34 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, put a NIC in the DMZ and a NIC on the internal network. Then SMTP forwarding will work. Remember, the ISA Firewall is just a firewall, like the other device you have, so you have to treat the firewall as a second firewall. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Unihomed DMZ Exchange SMTP - 24.Jun.2008 4:20:02 PM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
Thanks Tom for the prompt reply. Let me get this straight. Say the assigned IP from the ISP, i.e. the outside world, is currently 189.999.888.111. The Hardware Router is set up as 100.100.20.1 with a DMZ IP setting of 100.100.20.2. The DMZ in turn would host the ISA, which has 2 network cards. These would be configured as 100.100.20.2 (External) and 50.23.10.1 (Internal), the latter being the internal network housing Sharepoint, Exchange etc. Are you saying that would work? I thought the ISA had to have the ISP (internet) IP address assigned to it for the external network, as opposed to an assigned DMZ IP?
RE: Unihomed DMZ Exchange SMTP - 25.Jun.2008 10:38:15 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
No! That's not required. You can NAT for the hardware box to the ISA firewall's external interface. Then the ISA firewall can NAT or ROUTE from there to the Internal Network. I wrote an article that went by the name "playing well with others" that gives some examples of this configuration. HTH, Tom
RE: Unihomed DMZ Exchange SMTP - 26.Jun.2008 6:01:22 AM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
Thanks for the document. Very helpful. You have to pardon me...as I'm not an ISA Router expert. Bit lost on the IP settings. In the DMZ scenario you have the DMZ set at 10.0.0.1 and the ISA has IP external as 10.0.0.2. I thought the ISA IP had to be the same as the DMZ, else all paths routed to the DMZ have no termination point. The ISA acts as the last station on the rail track, so-to-speak. Unless the default gateway (DG) IP acts as a channel. I always thought that the GW was for outbound connections.
RE: Unihomed DMZ Exchange SMTP - 26.Jun.2008 9:08:53 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA firewall's external interface is on the same network ID as the DMZ interface of the hardware device. Then the ISA firewall's external interface uses the DMZ interface on the hardware as its default gateway. The internal SMTP server then uses the internal interface IP address of the ISA firewall as its default gateway. HTH, Tom
RE: Unihomed DMZ Exchange SMTP - 27.Jun.2008 6:34:52 AM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
Right..I'm about to give up! I've got the network set up as follows:

Router
Gateway: Public
External: Public
Internal: 10.0.10.1
DMZ: 10.0.10.254

ISA
Gateway: 10.0.10.254
External: 10.0.10.253
Internal: 1.0.20.1

Questions
1.) What's the DNS setting for the ISA for the network cards for Internal and External?
2.) Is the gateway setting of 10.0.10.254 required for both network cards?
3.) What template am I supposed to use: Edge, Back to Back?
4.) Once I've run the template, do I need to change the external to any specific IP?
< Message edited by Jit@bhail.com -- 27.Jun.2008 4:17:17 PM >
RE: Unihomed DMZ Exchange SMTP - 29.Jun.2008 10:49:35 AM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
Thought I'd post my findings for others. Never got the configuration to work as per the paper. I did however get it to work as an Edge configuration by having the external IP address of the ISA the same as the DMZ setting within the router. The issue I had with the router was the subnet could only be the same as the internal IP address assigned to it (Netgear DG834). SMTP works fine, as do all outbound connections. I do however have a problem with hosting a forms-based web site (posted as a separate blog) which requires asp.net authentication. I would appreciate any advice on the configuration posed:

Router
Gateway: Public
External: Public
Internal: 10.0.10.1
DMZ: 10.0.10.254

ISA
DMZ Network Card Setting
Internal: 10.0.10.254
Subnet: 255.255.255.0
Gateway: 10.0.10.1
DNS: 10.0.10.1
Corporate Network Card Setting
Internal: 1.0.2.1
Subnet: 255.255.255.0
Gateway: <blank>
DNS: 1.0.2.100 (the same as the active controller DNS service)
RE: Unihomed DMZ Exchange SMTP - 29.Jun.2008 11:45:22 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: Jit@bhail.com
Right..I'm about to give up! I've got the network set up as follows:
Router
Gateway: Public
External: Public
Internal: 10.0.10.1
DMZ: 10.0.10.254
ISA
Gateway: 10.0.10.254
External: 10.0.10.253
Internal: 1.0.20.1

Questions
1.) What's the DNS setting for the ISA for the network cards for Internal and External?
TOM: No DNS settings on the external interface. Internal DNS server on the internal interface. DNS server should be able to resolve both internal and external names.

2.) Is the gateway setting of 10.0.10.254 required for both network cards?
TOM: No default gateway on the internal interface. Default gateway on the external interface of the firewall. DG would be the LAN interface of the device in front of the firewall.

3.) What template am I supposed to use: Edge, Back to Back?
TOM: Don't use templates unless you really understand what they're doing.

4.) Once I've run the template, do I need to change the external to any specific IP?
TOM: Don't use templates unless you really understand what they're doing, otherwise you'll get yourself in a pack of trouble. However, if you use the "Edge" firewall template, you'll get a good configuration.

HTH, Tom
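The rules Tom gives in the answers above (external NIC on the same network ID as the NAT device's LAN interface, a single default gateway on the external NIC pointing at that LAN interface, DNS servers on the internal NIC only) plus the duplicate-address case he raises further down can be checked mechanically before a layout is committed. The script below is an added example, not code from the forum or from ISA Server. It uses the addresses quoted in this thread; the internal DNS server 10.0.2.10 is a constructed placeholder, and the final check (RFC 1918 addressing for the internal network) is one the thread itself does not state.

```python
"""Static check of a two-NIC ISA-style firewall layout against the rules given in
this thread.  Added example, not code from the forum or from ISA Server."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass
class Nic:
    address: IPv4Interface            # address with prefix, e.g. 10.0.1.254/24
    gateway: Optional[IPv4Address]    # None means the gateway box is left blank
    dns: List[IPv4Address] = field(default_factory=list)


@dataclass
class Layout:
    nat_lan: IPv4Interface            # LAN interface of the NAT device in front of the firewall
    external: Nic                     # firewall NIC facing the NAT device
    internal: Nic                     # firewall NIC facing the servers
    servers: List[IPv4Address] = field(default_factory=list)  # published hosts behind the firewall


def check_layout(lay: Layout) -> List[str]:
    """Return the list of rule violations; an empty list means the layout follows the rules."""
    problems: List[str] = []
    ext, inn = lay.external, lay.internal

    # Rule: the external NIC shares a network ID with the NAT device's LAN interface.
    if ext.address.network != lay.nat_lan.network:
        problems.append(f"external {ext.address} is not on the NAT device LAN network {lay.nat_lan.network}")

    # Rule: one default gateway only, on the external NIC, pointing at the NAT device's LAN address.
    if ext.gateway is None:
        problems.append("external NIC has no default gateway")
    elif ext.gateway != lay.nat_lan.ip:
        problems.append(f"external gateway {ext.gateway} is not the NAT device LAN address {lay.nat_lan.ip}")
    if inn.gateway is not None:
        problems.append(f"internal NIC must have no default gateway (found {inn.gateway})")

    # Rule: no DNS servers on the external NIC; an internal DNS server on the internal NIC.
    if ext.dns:
        problems.append(f"external NIC should carry no DNS servers (found {', '.join(map(str, ext.dns))})")
    if not inn.dns:
        problems.append("internal NIC has no DNS server")

    # Rule: a duplicate address on a segment gets the Windows NIC disabled.
    addresses = [lay.nat_lan.ip, ext.address.ip, inn.address.ip, *lay.servers]
    for dup in sorted({a for a in addresses if addresses.count(a) > 1}):
        problems.append(f"duplicate IP address {dup}")

    # Published servers must sit on the internal network so their replies reach the firewall.
    for host in lay.servers:
        if host not in inn.address.network:
            problems.append(f"server {host} is not on the internal network {inn.address.network}")

    # Beyond the thread: RFC 1918 space behind the firewall avoids colliding with Internet routes.
    if not inn.address.network.is_private:
        problems.append(f"internal network {inn.address.network} is not RFC 1918 private space")
    return problems


def layout_from_thread() -> Layout:
    """Addresses the poster reported as working (30.Jun.2008 post), DNS and gateway as posted."""
    return Layout(
        nat_lan=IPv4Interface("10.0.10.1/24"),
        external=Nic(IPv4Interface("10.0.10.254/24"), IPv4Address("10.0.10.1"), [IPv4Address("10.0.10.1")]),
        internal=Nic(IPv4Interface("1.0.2.1/24"), None, [IPv4Address("1.0.2.100")]),
    )


def layout_per_tom() -> Layout:
    """Addresses from the 2.Jul.2008 exchange; the internal DNS server 10.0.2.10 is constructed."""
    return Layout(
        nat_lan=IPv4Interface("10.0.1.200/24"),
        external=Nic(IPv4Interface("10.0.1.254/24"), IPv4Address("10.0.1.200")),
        internal=Nic(IPv4Interface("10.0.2.254/24"), None, [IPv4Address("10.0.2.10")]),
        servers=[IPv4Address("10.0.2.253")],
    )


def layout_duplicate() -> Layout:
    """Constructed: the external NIC given the router's own LAN address, the case Tom warns about."""
    lay = layout_per_tom()
    lay.external.address = IPv4Interface("10.0.1.200/24")
    return lay


if __name__ == "__main__":
    for name, lay in (("posted", layout_from_thread()), ("per Tom", layout_per_tom()),
                      ("duplicate", layout_duplicate())):
        print(name, check_layout(lay) or ["ok"])
```

Run against the posted layout it flags the DNS server on the external NIC and the non-private 1.0.2.0/24 internal range; the layout from the 2.Jul.2008 posts passes clean, and the duplicate case reports the clashing address.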
RE: Unihomed DMZ Exchange SMTP - 30.Jun.2008 5:55:28 AM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
Thanks. I did post the changes I made..that did work. However, for curiosity I thought I'd try it your way. Unfortunately it doesn't work. If the ISA isn't the exact same IP as the DMZ setting on the router...no requests are routed regardless of the gateway settings. I also note if you remove the DNS setting for the ISA external network card it won't allow any outbound routing, and it needs to be either the router or a DNS service before the firewall (ISP for example). My understanding is that if the ISA is placed squarely within the DMZ it satisfies the edge scenario, as it's publicly visible on the net. I should add I'm using DYDNS to resolve the public domain name to a dynamic IP address. The router (Netgear DG834) doesn't allow a DMZ IP address that's not on the same subnet as the router itself. Also all servers including ISA are hosted within virtual machines. I've included my settings below for your consideration. One thing I have noticed is that web sites hosted within the internal network that have forms-based authentication (not ISA authenticated) take 20 mins to resolve each page. Not sure if this is related to the configuration. Thoughts/views appreciated?

Router
Gateway: Public
External: Public
Internal: 10.0.10.1
DMZ: 10.0.10.254

ISA
DMZ Network Card Setting (external)
Internal: 10.0.10.254
Subnet: 255.255.255.0
Gateway: 10.0.10.1
DNS: 10.0.10.1
Corporate Network Card Setting (internal)
Internal: 1.0.2.1
Subnet: 255.255.255.0
Gateway: <blank>
DNS: 1.0.2.100 (the same as the active controller DNS service)
RE: Unihomed DMZ Exchange SMTP - 30.Jun.2008 9:16:46 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
That's very strange, because when the IP address on the external interface of the firewall is the same as the IP address of the LAN interface on the router, Windows will disable that NIC because of a duplicate IP address on the network. Tom
RE: Unihomed DMZ Exchange SMTP - 30.Jun.2008 11:06:44 AM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
I think we're talking at cross purposes. The external interface to the firewall is the DMZ IP and not the Router IP. I thought it works as follows:
(1.) Some chappie on the internet tries to access my web site.
(2.) Dynamic DNS provider maps the request to the dynamic IP address assigned by the ISP.
(3.) The router picks up the request and checks the port.
(4.) If no NAT is assigned for that port it allows/forwards it, unchanged, to the DMZ (single IP).
(5.) ISA happens to be the DMZ and therefore inspects the contents and uses its routing to forward to the respective target.
I might be wrong...as the web sites being served using ISA are incredibly slow.
< Message edited by Jit@bhail.com -- 30.Jun.2008 11:08:52 AM >
RE: Unihomed DMZ Exchange SMTP - 1.Jul.2008 7:30:50 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
OK, let's get a clearer picture.
You have some sort of NAT device in front of the firewall.
The ISA Firewall has an internal and external interface.
What IP address is on the LAN interface of the NAT device?
What IP address is on the external interface of the firewall?
What IP address is on the internal interface of the firewall?
What IP address is assigned to the Web site?
What is the IP address for the default gateway configured on the firewall's external interface?
Thanks! Tom
RE: Unihomed DMZ Exchange SMTP - 2.Jul.2008 8:25:30 AM
Jit@bhail.com
Posts: 10
Joined: 23.Jun.2008
Status: offline
What IP address is on the LAN interface of the NAT device? 10.0.1.200 (255.255.255.0)
What IP address is on the external interface of the firewall? 10.0.1.254 (255.255.255.0)
What IP address is on the internal interface of the firewall? 10.0.2.254 (255.255.255.0)
What IP address is assigned to the Web site? Dynamic IP, currently 92.34.56.123. Locally served on 10.0.2.253
What is the IP address for the default gateway configured on the firewall's external interface? 10.0.1.200
RE: Unihomed DMZ Exchange SMTP - 2.Jul.2008 11:03:18 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
OK, so the dynamic address is on the NAT device. The NAT device needs to forward the connections to the external IP address on the ISA firewall. You create a Web Publishing Rule on the ISA firewall to publish the Web site. Since the NAT device is handling the IP address changes, you don't need to worry about the ISA firewall's external address. It can always stay the same. HTH, Tom
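The inbound path the poster sketches (dynamic DNS name, the router's public address, DMZ host or port forward, the ISA external interface, a publishing rule, the internal server) and Tom's last reply can be walked hop by hop to see where a connection is rewritten and where it is dropped. The model below is an added example, not the forum's or ISA Server's code. The router and firewall addresses are the ones given in the 2.Jul.2008 posts; the client address 203.0.113.7, the mail server 10.0.2.25 and its SMTP rule are constructed, and the single-NIC switch models the limitation the original poster mentions (a single-adapter ISA publishes web traffic only, not SMTP).

```python
"""Hop-by-hop model of an inbound connection through a home NAT device and a
two-NIC ISA-style firewall.  Added example, not code from the forum or from ISA."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass
class NatDevice:
    """Router with a dynamic public address, a LAN address, per-port forwards and an optional DMZ host."""
    public_ip: IPv4Address
    lan_ip: IPv4Address
    port_forwards: Dict[int, IPv4Address]
    dmz_host: Optional[IPv4Address] = None

    def inbound(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        if pkt.dst != self.public_ip:
            return None, f"router: {pkt.dst} is not the public address, dropped"
        # An explicit port forward wins; anything else goes to the DMZ host, if one is set.
        target = self.port_forwards.get(pkt.dport, self.dmz_host)
        if target is None:
            return None, f"router: no forward for port {pkt.dport} and no DMZ host, dropped"
        how = "port forward" if pkt.dport in self.port_forwards else "DMZ host"
        return replace(pkt, dst=target), f"router: {how} rewrites destination to {target}"


@dataclass
class Firewall:
    """ISA-style firewall: publishing_rules maps a listener port to the published internal server."""
    external_ip: IPv4Address
    internal_ip: IPv4Address
    publishing_rules: Dict[int, IPv4Address]
    single_nic: bool = False   # single-adapter ISA supports web publishing (80/443) only

    def inbound(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        target = self.publishing_rules.get(pkt.dport)
        if target is None:
            return None, f"firewall: no publishing rule for port {pkt.dport}, denied"
        if self.single_nic and pkt.dport not in (80, 443):
            return None, f"firewall: single-NIC ISA cannot server-publish port {pkt.dport}, denied"
        return replace(pkt, dst=target), f"firewall: publishing rule forwards port {pkt.dport} to {target}"


def trace(client: str, dport: int, router: NatDevice, fw: Firewall) -> Tuple[Optional[str], List[str]]:
    """Return (final destination as text, or None if dropped) and the per-hop log."""
    log: List[str] = []
    pkt, note = router.inbound(Packet(IPv4Address(client), router.public_ip, dport))
    log.append(note)
    if pkt is None:
        return None, log
    if pkt.dst != fw.external_ip:
        # The router handed the traffic to some other DMZ host; the firewall never inspects it.
        log.append(f"router delivered traffic to {pkt.dst}, bypassing the firewall")
        return str(pkt.dst), log
    pkt, note = fw.inbound(pkt)
    log.append(note)
    if pkt is None:
        return None, log
    # Reply path: the server's default gateway is the firewall's internal address and the
    # firewall's external default gateway is the router's LAN address, as Tom describes.
    log.append(f"reply: {pkt.dst} -> {fw.internal_ip} -> {router.lan_ip} -> {client}")
    return str(pkt.dst), log


def thread_setup(single_nic: bool = False, dmz_host: bool = True) -> Tuple[NatDevice, Firewall]:
    """Addresses from the 2.Jul.2008 posts; the mail server 10.0.2.25 is constructed."""
    router = NatDevice(
        public_ip=IPv4Address("92.34.56.123"), lan_ip=IPv4Address("10.0.1.200"),
        port_forwards={}, dmz_host=IPv4Address("10.0.1.254") if dmz_host else None)
    fw = Firewall(
        external_ip=IPv4Address("10.0.1.254"), internal_ip=IPv4Address("10.0.2.254"),
        publishing_rules={443: IPv4Address("10.0.2.253"), 25: IPv4Address("10.0.2.25")},
        single_nic=single_nic)
    return router, fw


if __name__ == "__main__":
    router, fw = thread_setup()
    for port in (443, 25, 8080):
        dst, log = trace("203.0.113.7", port, router, fw)   # client address constructed (TEST-NET-3)
        print(f"port {port}: {dst}\n  " + "\n  ".join(log))
```

Port 443 and port 25 reach the published servers through the DMZ-host rewrite and the matching publishing rule; an unpublished port is denied at the firewall, the same connection on a single-NIC firewall is denied for SMTP, and with neither a port forward nor a DMZ host the router drops it before the firewall ever sees it.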