Welcome to ISAserver.org
Web Proxy/Publishing
Web Proxy/Publishing - 22.Jan.2007 2:26:26 AM
dionppp
Posts: 6
Joined: 22.Jan.2007
I have 2 NICs:

Internal NIC: 10.0.0.5 255.255.255.0 10.0.0.1
External NIC: 15.0.0.5 20.1.1.2 20.1.1.3 20.1.1.4 20.1.1.5 255.255.255.0 15.0.0.1

I have set up Web Chaining/Web Proxy for authentication for internal network users on the internal NIC. I have set up a Web Listener/Publishing Rule for publishing: external IP address requests to 20.1.1.2 go to a web server on my internal network. I have come across an issue: when I plug in the external NIC or the internal NIC, the one service or the other stops. My proxy stops if I plug in the external NIC. My publishing rule works if I plug the external NIC in. I'm stumped; the ISA box has four NICs on it and I'm not sure where I should go from here.
RE: Web Proxy/Publishing - 22.Jan.2007 4:21:23 AM
Guest
Hi dionppp, let's take it step by step:

First: your Internal NIC should not have any default gateway.

Second: on the External NIC you must put the default gateway. Here is a guide: http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

Also take care about DNS settings: on the external interface, no DNS; on the internal interface put the address of your Internal DNS server, which should have forwarders set on it. Check the following: http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx

ISA should be a member of your domain too (I suppose you have already added it to your internal domain).

What are you doing with the Web Chaining feature? Do you have an upstream proxy? If you don't, delete what you have created there. You should make your internal clients proxy clients if you need authentication or caching. For authentication you will set your rule which allows http/https, for example, to "All Authenticated Users". "All Users" means anonymous. You may like to read the following: http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html

That internal web server, depending on what purposes it serves, you might want to publish on a perimeter network. To configure authentication on it use the web listener in your publishing rule. Also you might be interested in reading ISA's help file regarding the network types available.

Regards.
< Message edited by adrian_dimcev -- 22.Jan.2007 10:20:30 AM >
RE: Web Proxy/Publishing - 22.Jan.2007 7:17:58 AM
dionppp
Posts: 6
Joined: 22.Jan.2007
Thanks for your help... The ISA server is plugged into two VLANs: Internal = VLAN1 and External = VLAN2. Our ISP has provided us with four public IP addresses, for example the 20.1.1.x addresses. They have also provided us with a Cisco router; we cannot get into it and they won't change anything on it. I'm being told that for our web listener rule to work we need to have the 20.1.1.x addresses on the NIC that also has the 15.0.0.x address. When requests come in through 15.0.0.x for 20.1.1.x then the ISA box will forward the request to an internal 10.0.0.x address (providing I have set up the web listener rule). Apparently we also cannot initiate web proxy requests to 15.0.0.x. Our normal internet traffic without the proxy comes from 10.0.0.1 using an external proxy server. So if I remove the gateway from the internal NIC, how do I get the ISA box to forward HTTP requests to our ISP's proxy if the 15.0.0.x address won't allow HTTP requests to be initiated?

I had someone look at it; he thinks that when both NICs are plugged in there shouldn't be the following routes:

0.0.0.0 255.255.255.0 15.0.0.1
0.0.0.0 255.255.255.0 10.0.0.1

My point, I guess, is how do I get the internal traffic, when surfing the net, to proxy auth against our proxy server which can be found beyond 10.0.0.1 if I have to remove the gateway? Everything works if I unplug one or the other NIC as well, so it's most likely a conflict between routes; I'm just not sure how or where to start fixing the issue.
< Message edited by dionppp -- 22.Jan.2007 7:20:04 AM >
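The two 0.0.0.0 routes listed in the post above are the symptom the replies that follow point at: ISA supports exactly one default gateway, and it belongs to the external adapter. The script below is an added example, not code from the thread or from ISA Server: it parses the IPv4 "Active Routes" table as printed by the Windows `route print` command and reports a second default gateway, plus any default gateway that is not on-link for the interface using it. The routing table embedded in it is constructed by hand to mirror the poster's 10.0.0.x / 15.0.0.x setup (one extra published address 20.1.1.2 bound to the external NIC); it is not captured from his server.

```python
"""Audit a Windows 'route print' IPv4 table for the two-default-gateway
mistake. Added example, not from the forum thread; the sample table below
is constructed, not captured from a real ISA box."""
import ipaddress
import re
from typing import Dict, List, NamedTuple


class Route(NamedTuple):
    destination: ipaddress.IPv4Network
    gateway: str          # dotted IP or the literal "On-link"
    interface: str        # address of the adapter the route uses
    metric: int


# Constructed sample: what 'route print' shows when BOTH NICs carry a
# default gateway. Header and separator lines are present as on Windows
# and are skipped by the parser.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         15.0.0.1        15.0.0.5     20
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.5     20
         10.0.0.0    255.255.255.0         On-link         10.0.0.5     20
         10.0.0.5  255.255.255.255         On-link         10.0.0.5     20
         15.0.0.0    255.255.255.0         On-link         15.0.0.5     20
         15.0.0.5  255.255.255.255         On-link         15.0.0.5     20
         20.1.1.2  255.255.255.255         On-link         15.0.0.5     20
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
===========================================================================
"""

# dest  mask  gateway  interface  metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> List[Route]:
    """Return the IPv4 route rows; any line that is not a route row is ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def default_gateways(routes: List[Route]) -> Dict[str, str]:
    """Map interface address -> gateway for every 0.0.0.0/0 route."""
    return {r.interface: r.gateway for r in routes if r.destination.prefixlen == 0}


def audit(routes: List[Route]) -> List[str]:
    """Findings as strings; an empty list means the table looks sane for a
    multi-NIC ISA box: exactly one default gateway, reachable on-link."""
    findings = []
    gws = default_gateways(routes)
    if len(gws) > 1:
        findings.append("multiple default gateways: "
                        + ", ".join(f"{gw} via {iface}" for iface, gw in gws.items()))
    elif not gws:
        findings.append("no default gateway at all")
    # A gateway must lie inside an on-link prefix of the interface that uses it,
    # otherwise the route is installed but the next hop cannot be ARPed.
    onlink: Dict[str, List[ipaddress.IPv4Network]] = {r.interface: [] for r in routes}
    for r in routes:
        if r.gateway == "On-link":
            onlink[r.interface].append(r.destination)
    for iface, gw in gws.items():
        if not any(ipaddress.IPv4Address(gw) in net for net in onlink.get(iface, [])):
            findings.append(f"gateway {gw} is not on-link for interface {iface}")
    return findings


if __name__ == "__main__":
    for f in audit(parse_route_print(SAMPLE_ROUTE_PRINT)):
        print(f)
```

Run against the sample table it reports the duplicate default route; delete the 10.0.0.1 entry (the fix the next replies recommend, leaving the internal NIC without a gateway) and it reports nothing. On a real box feed it the output of `route print` instead of the constant.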
RE: Web Proxy/Publishing - 22.Jan.2007 9:17:16 AM
Guest
ISA only supports one default gateway and that belongs to the external adapter. Do you have a network diagram ?
RE: Web Proxy/Publishing - 22.Jan.2007 9:48:44 AM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
I would agree. A network diagram showing the IP addressing information on the ISA Firewall, and all devices to which the ISA Firewall is connected, would help a lot. This should be an easy problem to solve, but we need this information to solve it. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Web Proxy/Publishing - 22.Jan.2007 4:31:26 PM
dionppp
Posts: 6
Joined: 22.Jan.2007
I have tried to draw it as clearly as possible. I'm not good with network diagrams.... http://www.smartfleet.com.au/Drawing1.jpg You will see that from the Curric LAN we can only initiate internet connections to surf the internet. You will see that from the DMZ LAN we listen for external IP requests and forward them to an internal server, and we cannot initiate internet requests through that LAN from the Curriculum LAN. I hope this is clear; it's hard to explain.
RE: Web Proxy/Publishing - 23.Jan.2007 4:41:01 AM
Guest
Let's first define some clear points: your ISA, in terms of networks, should have at least two networks: a must one, External, and at your choice maybe Internal or DMZ. From your drawing you have Curriculum LAN and DMZ LAN. As I see it, your External interface should belong to subnet ID 10.191.191.0/24. You have set a default gateway on it: 10.191.191.1. Question: this means the address of your ISP router is 10.191.191.1? If so it's OK.

Another network defined on ISA is 10.130.16.0/24. This is definitely unclear:
DMZ LAN: 10.191.191.0/24
Curriculum LAN: 10.130.16.0/24

What is that switch doing behind ISA and why does it have the DMZ VLAN1 set on it? That's wrong. The DMZ LAN, as appears from your drawing, should be between ISA's External interface and the ISP router's internal interface. It is the network that connects the two devices. So it should not appear behind ISA! How have you defined Curriculum LAN 10.130.16.0/24 to ISA? As the Internal network? Your Exchange server lies in this network. Also an interesting fact is that you are using private IP addresses on the network between the ISP router and ISA, but you need ISA to listen on public IP addresses.

So your network should appear like so:

    ISP External Proxy
            |
       ISP Router
         IP Address 10.191.191.1/24
            |
       ISA Firewall
         ISA's External IP Address 10.191.191.2/24 -> Default IP Address
           Extra IP addresses: 210.9.164.56-59
           DG: 10.191.191.1
           DNS: None
         ISA's Internal IP Address: 10.130.16.1/24 (DIFFERENT FROM EXCHANGE's IP ADDRESS!!!)
           DG: None
           DNS: Your Internal DNS Server IP Address (which serves your local domain)
            |
       Switch (Careful with VLANs on it: as I see it you don't need any extra VLAN)
          /          \
    Curric User    Exchange Server
                     IP Address: 10.130.16.5/24
                     DG: 10.130.16.1/24 (ISA's Internal interface IP Address)
                     DNS: Your Internal DNS Server IP Address (which serves your local domain)

You should have on ISA a publishing rule, and you have.

Also you should create a Web Chaining rule to the upstream proxy (the ISP's proxy), and you said you have done this too. Take note that ISA is now a proxy for your Curriculum LAN and therefore in your Web Chaining rule the "To" will be the Local Host (ISA itself). If you want to separate that Exchange server from your network you should add one more NIC to ISA, create a perimeter network (a DMZ) on it and move the server there. Don't create a separate VLAN for it (it is more secure if you publish it on ISA's DMZ).
RE: Web Proxy/Publishing - 23.Jan.2007 5:33:06 AM
dionppp
Posts: 6
Joined: 22.Jan.2007
My god, you actually understood what I was trying to draw. That's amazing. OK, here's the thing: you're saying don't have a DG on the Internal NIC. I noticed that you're telling me to put ISA Server as 10.130.16.1/24; however I cannot, as the ISP's router has two interfaces on it. On the ISP's router:

10.130.16.1/24 is Curric LAN
10.191.191.1/21 is DMZ LAN

The other thing is that for our upstream internet proxy access we need to point from the ISA box to our ISP's proxy, which is behind 10.130.16.1. I tested the ISP router by putting 210.9.164.56 on my PC and I couldn't get to it unless I had set on it DG: 10.191.191.1.
< Message edited by dionppp -- 23.Jan.2007 5:40:45 AM >
RE: Web Proxy/Publishing - 23.Jan.2007 6:16:03 AM
Guest
Who are the fools that designed that crap? It is a mess! ISA does not support multiple WAN connections. For reaching the Internet you will have to use the Curriculum LAN as the external interface. Take note that each ISA interface must be on its own network ID: you can't have IP addresses that belong to the same network ID on two different interfaces, External and Internal (ISA does not support bridge mode).

From what I see, what you need are two different "WANs": one will serve you to connect to the Internet from ISA's internal network (this must be on a different network ID than Curriculum LAN) through Curriculum LAN; the other one will serve for outside clients to reach your Exchange server (located on your internal network). Well, with ISA you cannot do that because it does not support multiple WANs. What's the point with those VLANs? Are they defined on that ISP router? If so there is a big mess!

One logical solution is to put a router in front of ISA to take care of those two "WANs". If the second one is not actually a real WAN, meaning only requests are coming from it and you don't need to forward anything in that direction (you don't need a DG for that), it might work if you create a perimeter network on ISA (DMZ) for DMZ LAN, add to the interface that is serving it the extra IP addresses, and make that publishing rule from there. In other words, make ISA believe that this is a simple network connected to it and some DMZ clients are trying to access the Exchange server located on its internal network.
< Message edited by adrian_dimcev -- 23.Jan.2007 6:31:54 AM >
RE: Web Proxy/Publishing - 23.Jan.2007 6:47:55 AM
dionppp
Posts: 6
Joined: 22.Jan.2007
I can't say who designed this because I might lose my job. I was hoping for another solution... What is annoying is that I can have two servers and get the job done, but I was thinking ISA Server has the ability to merge a couple of roles.

Proxy Server #1
IP: 10.130.16.4/24
DG: 10.130.16.1
And point this to an upstream proxy for users of the 10.130.16.0/24 network.

Publishing Server #2
NIC 1
IP: 10.191.191.2/24
Additional IP: 210.9.164.56
Additional IP: 210.9.164.57
Additional IP: 210.9.164.58
Additional IP: 210.9.164.59
DG: 10.191.191.1
NIC 2
IP: 10.130.16.5/24
And have my Exchange server get published.

We use VLANs so that the ISP's two interfaces on the router can be kept separate on the network, as the router needs to come through a couple of switches before reaching the physical servers.
RE: Web Proxy/Publishing - 23.Jan.2007 8:25:16 AM
Guest
    ISP External Proxy
            |
       ISP Router
         IP 10.191.191.1/24         (DMZ Network 10.191.191.0/24, also ISA's DMZ network)
         IP Address 10.130.16.1/24  (Curriculum LAN 10.130.16.0/24)
            |                              |
       Curriculum LAN                  DMZ Network
            |                              |
       ISA Firewall -------------------------------------------
         ISA's External IP Address 10.130.16.2/24     ISA's DMZ Interface
           DG: 10.130.16.1/24                           IP: 10.191.191.2/24
                                                        DG: None
                                                        Extra IPs: 210.9.164.56-59
         ISA's Internal IP Address: i.e. 192.168.1.1/24
           DG: None
           DNS: Your Internal DNS Server IP
            |
       ISA's Internal network
            |
          Switch
          /          \
    Curric User    Exchange Server
                     IP Address: 192.168.1.5/24
                     DG: 192.168.1.1/24 (ISA's Internal interface IP Address)
                     DNS: Your Internal DNS Server IP Address (which serves your local domain)

As I suggested, there might be a possibility to accomplish this with the above diagram, in which I have created a perimeter network (DMZ) 10.191.191.0/24 and also 210.9.164.0/24, because if ISA detects that IP addresses 210.9.164.56-59 belong to the DMZ adapter and are not in the DMZ network it will issue an error stating something like: IP addresses 210.9.164.56-59 should belong to External and they are found on the DMZ NIC interface. As I said, in order to function like so ISA must see the requests coming from DMZ clients. According to ISA's help file about networks we have the following:

quote:
    The External network includes all Internet Protocol (IP) addresses not explicitly included in any other network. Upon installation, the External network includes all addresses not in the Internal network, the IP address of the Local Host network (127.0.0.1), and the IP addresses of all other network adapters on the ISA Server computer.

This means that when you define a network to ISA you define the IP addresses that belong to that network. According to all this, ISA will expect on its DMZ interface requests from the DMZ network: they should have a source IP address that belongs to 10.191.191.0/24 or 210.9.164.0/24. If the source address is not from that network ISA will drop the packet as a spoof attempt: the source IP address does not belong to the network associated with that adapter. In other words, if that ISP router will not translate the IP addresses of clients that are trying to access your Exchange server to IP addresses that belong to 10.191.191.0/24 or 210.9.164.0/24 (ISA must see them as being actually on 10.191.191.0/24 or 210.9.164.0/24) it will not work. Another thing to take care of is that there must be a NAT relationship between DMZ and Internal in order to be able to access the Exchange server with one of those IP addresses 210.9.164.56-59. Be mindful that by adding any networks you will exclude them from the External network, which might create trouble for you. Also ISA will only forward traffic to the DMZ network from its clients if it is destined to go to that network (source IP). That's because ISA does not support multiple WANs or multiple gateways. The simplest solution to this will be, as I said before, to put in a router that can handle 2 WANs (you can get a simple one for about $300, Netgear...). ISA can handle with no problem the connection to the Internet through Curriculum LAN with the upstream proxy. But for the second connection to work you will have to meet the above requirements.

By the way, if you don't put the whole network layout here it is difficult for us to understand the traffic path on your network. I still don't get a clear picture of those VLANs: as you have described them, the switch should be in front of ISA, not behind it.
< Message edited by adrian_dimcev -- 23.Jan.2007 1:16:00 PM >
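The post above rests on two rules of ISA's network model: every address not explicitly placed in a defined network is External, and a packet arriving on an adapter is dropped as spoofed unless its source address belongs to the network that adapter serves. The code below is an added example, not ISA's own code or anything from the thread: it models those two rules in Python so the consequences can be checked, first the configuration-time error (an address bound to the DMZ NIC that falls outside the DMZ network definition) and then the runtime verdict on an unrouted Internet client whose address the ISP router did not translate. The network names, adapter names and the helper `build_thread_topology` are assumptions; the addresses come from the diagram in the post.

```python
"""Model of ISA Server's network-object classification and spoof check.
Added illustration, not ISA code; it reproduces the documented behaviour
that External is the catch-all and that a packet must arrive on the
adapter whose network contains its source address. Names and the sample
topology are constructed for the example."""
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class IsaNetworkModel:
    def __init__(self) -> None:
        # network name -> address ranges explicitly assigned to it;
        # Local Host is always present, everything unassigned is External.
        self.networks: Dict[str, List[Net]] = {"Local Host": [Net("127.0.0.0/8")]}
        # adapter name -> (network it serves, addresses bound to the NIC)
        self.adapters: Dict[str, Tuple[str, List[IPv4]]] = {}

    def define_network(self, name: str, ranges: List[str]) -> None:
        self.networks[name] = [Net(r) for r in ranges]

    def bind_adapter(self, adapter: str, network: str, addresses: List[str]) -> None:
        self.adapters[adapter] = (network, [IPv4(a) for a in addresses])

    def classify(self, addr: IPv4) -> str:
        """Network an address belongs to; External if no definition contains it."""
        for name, ranges in self.networks.items():
            if any(addr in r for r in ranges):
                return name
        return "External"

    def validate_adapters(self) -> List[str]:
        """Configuration-time check: an address bound to a non-External NIC
        must be inside that NIC's network, or ISA reports it as belonging
        to the wrong network (the error quoted in the post)."""
        errors = []
        for adapter, (network, addrs) in self.adapters.items():
            if network == "External":
                continue
            for a in addrs:
                actual = self.classify(a)
                if actual != network:
                    errors.append(f"{a} on adapter {adapter} belongs to {actual}, not {network}")
        return errors

    def inbound_verdict(self, adapter: str, src: str) -> str:
        """Runtime check: 'allow' when the source is in the adapter's network,
        otherwise a spoof drop, which is what an untranslated Internet client
        hitting the DMZ NIC produces."""
        network, _ = self.adapters[adapter]
        actual = self.classify(IPv4(src))
        if actual == network:
            return "allow"
        return f"drop: spoofed ({src} is {actual}, arrived on {network} adapter)"


def build_thread_topology() -> IsaNetworkModel:
    """Three-NIC layout from the diagram: External via Curriculum LAN,
    a DMZ network that also covers the public /24, Internal renumbered."""
    m = IsaNetworkModel()
    m.define_network("Internal", ["192.168.1.0/24"])
    m.define_network("DMZ", ["10.191.191.0/24", "210.9.164.0/24"])
    m.bind_adapter("LAN", "Internal", ["192.168.1.1"])
    m.bind_adapter("WAN", "External", ["10.130.16.2"])
    m.bind_adapter("DMZ", "DMZ", ["10.191.191.2", "210.9.164.56", "210.9.164.57",
                                  "210.9.164.58", "210.9.164.59"])
    return m


if __name__ == "__main__":
    m = build_thread_topology()
    print(m.validate_adapters())                    # [] with 210.9.164.0/24 in DMZ
    print(m.inbound_verdict("DMZ", "10.191.191.1"))  # allow
    print(m.inbound_verdict("DMZ", "203.0.113.7"))   # drop: spoofed ...
```

The second verdict is the crux of the post: unless the ISP router rewrites Internet clients into 10.191.191.0/24 or 210.9.164.0/24 before they reach the DMZ NIC, the publishing rule never sees them. Dropping 210.9.164.0/24 from the DMZ definition turns the four extra addresses into External addresses sitting on the DMZ NIC, which is the configuration error described.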
RE: Web Proxy/Publishing - 23.Jan.2007 9:02:15 AM
dionppp
Posts: 6
Joined: 22.Jan.2007
Sorry, you are correct: the switch should be in front of the ISA Server. I don't think I can change the IP address of the internal network for the domain. Just to make things complicated, there are rules on the ISP router that allow certain IP addresses certain port access; the internal network needs to stay 10.130.16.0/24. Thanks so much for your help. If there is anything else let me know. I might just have to build a second ISA Server for proxy auth. In order for me to block some applications like P2P with signature filters, I would have to have the internet connection plugged directly into the ISA Server.
RE: Web Proxy/Publishing - 23.Jan.2007 9:40:10 AM
Guest
I finally get it clear. So your ISP has a foot in your network design. You already have a DMZ network (10.191.191.0/24) where you should publish your servers, and you have your internal network (domain) in 10.130.16.0/24, created by them with that router. You wanted to separate that DMZ network from your internal network in order to publish the Exchange server in a secure way with a firewall. You also intended to use ISA's application layer proxy firewall capabilities with its web filter for HTTP traffic (filtering, authentication, caching). You have a strange network design in my opinion (complicated for nothing).

Well, you can use ISA with only one NIC in your internal network for HTTP filtering, authentication and caching, as Microsoft gives a hint that such a configuration is possible with only one NIC (you can check on their web site the supported configurations for ISA and the network templates available; I think there is an article about ISA 2006 with this mode on this site too). However, in my opinion Microsoft should have said that this setup should not be supported, since ISA is a firewall, not a proxy (it can function as a "web" proxy firewall with its Web Filter, big difference here). Tom names this kind of setup "hork mode" and I agree with him. Also I have never used ISA in such a mode, so I know nothing about it.

Unfortunately, due to that network design you have the following problems: ISA does not support multiple WANs/DGs (maybe this could be solved as described in that diagram) and cannot be installed in bridge mode (transparent firewall) in order not to change your internal IP addresses.

Best Regards,
Adrian
< Message edited by adrian_dimcev -- 23.Jan.2007 10:01:23 AM >