Web Publishing Loopback Internal->External->Internal Broken

Web Publishing Loopback Internal->External->Inter... - 28.Dec.2005 10:04:05 PM
ChrisKinsman
Posts: 5
Joined: 28.Dec.2005
Status: offline

I have a couple of dozen web sites hosted behind ISA Server. For monitoring purposes I am using IPCheck on a host in the colocation to go out through ISA Server and make requests of the web servers to make sure they are up and that the ISA mapping is still correct. This was all working until recently when I changed how a couple of the web sites proxy requests to the published server. I set it up so that the requests should appear to come from the original client. This worked great for any web servers that were hosted on the lowest IP address on my external interface. Any web sites not hosted on the lowest address stopped being accessible from the internal network. When I changed their settings back to "requests appear to come from the ISA server computer" they continued to not work! I have rebooted the box, etc. I can't seem to access these sites any longer. I have searched the web, played with settings and am still out of luck. Any thoughts on what might be at issue here? I tried an Ethereal trace on the host making the request and can see the GET / HTTP1.1 headed out from the internal to external. A response never comes back...

RE: Web Publishing Loopback Internal->External->I... - 29.Dec.2005 3:33:37 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online

Hi Chris, Can you give some specific examples of what works and what's not working so that I can replicate the scenario? Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: Web Publishing Loopback Internal->External->I... - 29.Dec.2005 5:47:20 PM
ChrisKinsman
Posts: 5
Joined: 28.Dec.2005
Status: offline

Will do.
ISA Box:
Internet NIC 64.246.187.194-64.246.187.220, 255.255.255.224
LAN NIC 10.10.2.1, 255.255.0.0
Site1: 64.246.187.194
Site2: 64.246.187.198
All sites web published, not server published. Using host headers and redirecting to the same internal box at 10.10.2.100. Tried with both ISA as the client IP and the client as the client IP.
IPCheck Host: 10.10.3.2
Can hit Site1 just fine. Cannot even get a request back from Site2. Some more investigation shows that Site2 never receives the request, i.e. nothing in the server logs. Anything else that would be helpful?

RE: Web Publishing Loopback Internal->External->I... - 30.Dec.2005 9:33:32 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline

Can you go into Monitoring\Logging and add an entry for 'Client IP' of the IPCheck host (or whatever its external IP is after NAT, proxy, etc...) and see if you can determine what ISA is doing with the request.

RE: Web Publishing Loopback Internal->External->I... - 30.Dec.2005 10:45:23 PM
ChrisKinsman
Posts: 5
Joined: 28.Dec.2005
Status: offline

Not sure how I "determine what ISA is doing with the request." The information in the logging is pretty limited from what I can see. I can see the request leave 10.10.3.2 and initiate a connection with 64.246.187.198. Then I see a closed connection message immediately following. What else are you looking for? Thanks, Chris

RE: Web Publishing Loopback Internal->External->I... - 31.Dec.2005 1:17:41 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline

My apologies - I didn't really understand your post earlier. I re-read your post (after I realized you said loopback in the thread title (duh)) and from what I understand, you are trying to have a host on the Internal network initiate a connection to the outside interface of ISA, which then forwards the request to the internal web server, which is also on the Internal network. Is this right?

With the option to send the original client IP to the web server, this won't work in this loopback scenario because the client will drop the packet from the web server. I understand that you have some sites working in this setup, but I'd be interested to see how those rules are configured. I'll describe why it won't work step by step so we can discuss each point...

1. Client and ISA complete TCP handshake on Web Proxy port (8080 by default).
2. Client sends a GET for 'external URL' that you host on the ISA Server.
3. ISA finds the rule and initiates a TCP connection (TCP SYN) request to the web server and includes the original client's IP (from the internal network).
4. The web server receives this request and, since the source IP of the packet (the original client from the Internal network) is on the same segment as the web server, it replies directly back to the client (TCP SYN-ACK). Note: even though the web server and client might not be on the same subnet (I don't know the subnet mask involved), the router that the web server uses would still deliver the packet directly to the client.
5. The client now receives a TCP SYN-ACK directly from the web server and, since it never sent a TCP SYN to that web server directly (it was sent to the ISA Server), it either silently drops the packet or sends a RESET back to the web server. I believe it sends a RESET but don't quote me on that.

In the network captures you took from the client, do you see any traffic directly from the web server, and do you see the client reply to that with a RESET?
From the way you described it in the first post, I implied that you had a filter configured for the Client IP to the External IP and you wouldn't have seen this TCP SYN-ACK directly from the web server. Did I mention 'directly' enough? Sorry... This would also explain why the web server logs never show the request - the HTTP request never makes it because ISA never completes the TCP handshake in order to send the HTTP request. If you could take a network capture on the web server when the IPCheck client makes a request for Site2, we could prove/disprove if I'm out of my mind, but I think this is what's happening.
< Message edited by ClintD -- 31.Dec.2005 1:22:26 AM >
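The five-step breakdown above, modelled as an added example that is not code from the thread, from ISA Server or from any poster. It uses the addresses Chris quoted (10.10.3.2 for the IPCheck host, 10.10.2.1 for the ISA LAN side, 64.246.187.198 for Site2, 10.10.2.100 for the published server); the packet sequences are constructed from Clint's steps rather than captured, and the model takes his "I believe it sends a RESET" as its assumption for step 5. `unsolicited_synacks` is the check he asks Chris to run on the client-side capture: a SYN-ACK arriving from a peer the client never sent a SYN to, and whether the client answered it with RST. `server_got_handshake` is the counterpart check for a capture taken on the web server.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Addresses quoted in the thread; everything else below is a constructed model.
CLIENT = "10.10.3.2"        # IPCheck host on the internal network
ISA_LAN = "10.10.2.1"       # ISA Server internal interface
SITE2 = "64.246.187.198"    # Site2 listener on ISA's external interface
WEB = "10.10.2.100"         # published web server, also on the internal network

# Which IPs belong to which machine; ISA is one box with two interfaces.
HOST_IPS: Dict[str, Set[str]] = {
    "client": {CLIENT},
    "isa": {ISA_LAN, SITE2},
    "web": {WEB},
}


@dataclass(frozen=True)
class Packet:
    emitter: str   # machine whose NIC actually put the frame on the wire
    src: str       # source IP in the header (differs from the emitter when ISA
                   # stamps the original client's address on its own SYN)
    dst: str
    flags: str     # "SYN", "SYN-ACK", "ACK" or "RST"


def simulate_loopback(preserve_client_ip: bool) -> List[Packet]:
    """Walk the loopback path: internal client -> ISA external listener ->
    published server on the same internal network (steps 1, 3, 4, 5 above)."""
    pkts = [
        # step 1: client completes a handshake with ISA's external listener
        Packet("client", CLIENT, SITE2, "SYN"),
        Packet("isa", SITE2, CLIENT, "SYN-ACK"),
        Packet("client", CLIENT, SITE2, "ACK"),
    ]
    # step 3: ISA opens its own connection to the published server, using
    # either its internal address or the original client's address as source
    upstream_src = CLIENT if preserve_client_ip else ISA_LAN
    pkts.append(Packet("isa", upstream_src, WEB, "SYN"))
    # step 4: the server answers the source it saw; that address is internal,
    # so the reply is delivered straight to that host, not back through ISA
    pkts.append(Packet("web", WEB, upstream_src, "SYN-ACK"))
    # step 5: only the machine that really sent the SYN completes the handshake;
    # the client has no socket for WEB and (assumed) answers with RST
    if upstream_src == ISA_LAN:
        pkts.append(Packet("isa", ISA_LAN, WEB, "ACK"))
    else:
        pkts.append(Packet("client", CLIENT, WEB, "RST"))
    return pkts


def capture_at(pkts: List[Packet], host: str) -> List[Packet]:
    """What a sniffer on `host` sees: frames that machine emitted or received.
    ISA's spoofed-source SYN is NOT seen at the client, because ISA emitted it."""
    return [p for p in pkts if p.emitter == host or p.dst in HOST_IPS[host]]


def unsolicited_synacks(capture: List[Packet], host: str) -> List[Tuple[str, str]]:
    """From a capture taken on `host`, list (peer, host's reply) for every SYN-ACK
    that arrived from a peer `host` itself never sent a SYN to."""
    sent_syn_to = {p.dst for p in capture if p.emitter == host and p.flags == "SYN"}
    found = []
    for p in capture:
        if p.flags == "SYN-ACK" and p.dst in HOST_IPS[host] and p.src not in sent_syn_to:
            reply = next((q.flags for q in capture
                          if q.emitter == host and q.dst == p.src and q.flags == "RST"),
                         "none")
            found.append((p.src, reply))
    return found


def server_got_handshake(pkts: List[Packet]) -> bool:
    """From the web server's point of view: was any SYN-ACK it sent followed by
    an ACK from that peer? If not, no HTTP request can ever reach its logs."""
    web_cap = capture_at(pkts, "web")
    synack_peers = {p.dst for p in web_cap if p.emitter == "web" and p.flags == "SYN-ACK"}
    return any(p.flags == "ACK" and p.dst == WEB and p.src in synack_peers for p in web_cap)


if __name__ == "__main__":
    for preserve in (True, False):
        trace = simulate_loopback(preserve)
        print(f"preserve client IP = {preserve}")
        print("  client sees unsolicited SYN-ACK:",
              unsolicited_synacks(capture_at(trace, "client"), "client"))
        print("  server handshake completed:", server_got_handshake(trace))
```

With `preserve_client_ip=True` the client-side capture shows a SYN-ACK from 10.10.2.100 answered by RST and the server never completes a handshake, which matches Chris's empty server logs; with `False` the reply goes to 10.10.2.1, ISA completes the handshake, and the client capture shows nothing unexpected. The same two functions can be pointed at a real Ethereal capture once it is decoded into (emitter, src, dst, flags) tuples.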

RE: Web Publishing Loopback Internal->External->I... - 31.Dec.2005 5:10:36 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online

Hi Clint, I missed that too. I'm assuming that the internal interface is the loopback adapter and the Web sites are on the ISA firewall? Tom

RE: Web Publishing Loopback Internal->External->I... - 7.Jan.2006 1:34:29 AM
ChrisKinsman
Posts: 5
Joined: 28.Dec.2005
Status: offline

Well that's kind of weird. I definitely have it working for some sites and not others. The weird part however is that once I switch it to pass the client IP and it breaks switching it back doesn't appear to fix it! That is the really crazy part...

RE: Web Publishing Loopback Internal->External->I... - 7.Jan.2006 7:15:50 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline

Who do those machines point to for their Default Gateway? If they point to ISA, I can see it working, but if they're behind a router, then I could understand it failing. It'd be interesting to take network sniffs from the 'working' web servers to see what source IP is truly passed, and also see what subnet they're on.

RE: Web Publishing Loopback Internal->External->I... - 7.Jan.2006 7:28:08 PM
ChrisKinsman
Posts: 5
Joined: 28.Dec.2005
Status: offline

Default Gateway is the ISA server for all machines behind the ISA server. I have done sniffs using Ethereal at various locations but didn't think to look at the TCP SYN stuff.

RE: Web Publishing Loopback Internal->External->I... - 28.Feb.2006 4:16:27 AM
gkuyat
Posts: 6
Joined: 19.Jul.2005
From: San Francisco
Status: offline

This scenario seems to only affect SecureNAT clients. Clients running the FW Client work fine for looping like this. You might see if the FW client helps here? -Gary

RE: Web Publishing Loopback Internal->External->I... - 5.Mar.2006 3:42:33 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online

Hi Gary, If you have the book you'll understand why you should NOT loop back through the ISA firewall and it also explains why you're seeing what you're seeing. Tom