Web Server on DMZ to Internal App Server
Web Server on DMZ to Internal App Server - 15.Mar.2002 7:13:00 PM
haridp
Posts: 2
Joined: 5.Mar.2002
Our current setup is a PIX firewall to the internet, a DMZ and then an internal ISA firewall. Our Web servers are sitting in the DMZ and I need to open up a port for the Web Servers to communicate with an App server on our internal network using TCP port 8500. I have tried setting up protocol rules and packet filters, but neither seem to work. I can successfully set up a Server Publishing rule and telnet to the external IP address of the ISA on port 8500 and connect, but I still cannot connect directly from our web servers to the App server using this port. Any and all help will be appreciated.
Thanks, Dave
RE: Web Server on DMZ to Internal App Server - 15.Mar.2002 11:47:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Dave,
I assume your setup is App srv --- ISA --- DMZ --- PIX --- Internet.
You must server publish the App server. Note that the App server must be set up as a SecureNAT client: no firewall client installed, and the default gateway must point to the internal interface of ISA.
First create a protocol definition for it: TCP port 8500 Inbound. Next, server publish the App server. When done, you can check with the command 'netstat -an' on ISA that the published port is indeed listening on the external interface of ISA.
From the webserver try a 'Telnet host 8500', where host is the name or IP address on which the App server is published. The connection should succeed. You can also check it in the ISA logs.
Hope this helps, Stefaan
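The two checks Stefaan describes, as an added example that is not part of the original thread: parse Windows 'netstat -an' output for the published listener on the ISA external interface, then perform the same TCP connect that 'telnet host 8500' does from the web server. The netstat text and the addresses 10.0.0.1 (ISA external) and 192.168.1.1 (ISA internal) are constructed, not taken from the poster's environment.

```python
import re
import socket

# Constructed sample of 'netstat -an' output from a Windows ISA box.
# 10.0.0.1 stands in for the DMZ-facing (external) interface, 192.168.1.1
# for the internal one; neither is from the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:8500          0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: proto, local ip:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_netstat(output):
    """Return (proto, local_ip, local_port, state) tuples from netstat -an text."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, state = m.groups()
            rows.append((proto, ip, int(port), state or ""))
    return rows


def is_published(output, external_ip, port):
    """True if a TCP listener for the published port exists on the external
    interface (or on all interfaces), i.e. the publishing rule took effect."""
    for proto, ip, lport, state in parse_netstat(output):
        if (proto == "TCP" and lport == port and state == "LISTENING"
                and ip in (external_ip, "0.0.0.0")):
            return True
    return False


def tcp_probe(host, port, timeout=3.0):
    """Equivalent of 'telnet host 8500' from the web server: True if the TCP
    handshake completes, False on refusal, timeout or filtering."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("listener present:", is_published(SAMPLE_NETSTAT, "10.0.0.1", 8500))
```

A listener on 10.0.0.1:8500 that the probe still cannot reach points at the path between DMZ and ISA (PIX rules, or the App server's default gateway not returning replies via ISA), not at the publishing rule itself.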
RE: Web Server on DMZ to Internal App Server - 16.Mar.2002 9:24:00 PM
haridp
Posts: 2
Joined: 5.Mar.2002
Is a client still considered to be a SecureNAT client if the default gateway is not set to the internal NIC on the ISA server, but the routing on the network forwards any communication that is not local to the internal NIC on the ISA server?
The App Server in question is on the same subnet as the internal NIC on the ISA server. When I changed its default gateway to point to the internal NIC on the ISA server, I was unable to communicate with the App Server internally. We are currently testing this App server internally, so I didn't get a chance to see if your suggestion worked from the Web Server on the DMZ.
Thanks for your suggestion.
Dave
RE: Web Server on DMZ to Internal App Server - 16.Mar.2002 10:18:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Dave,
For a SecureNAT client the default gateway must point somehow to the ISA internal interface. This can be directly (same subnet) or indirectly (routed network). So, the answer to your first question is Yes.
In your case, the App server sits on the same segment as the ISA internal interface. So, you should definitely set the default gateway to the ISA internal interface. To be able to communicate with the other internal subnets, you'll have to add persistent static routes to the App server with the command 'route add -p ...'.
Hope this helps, Stefaan