Web server publishing woes
Web server publishing woes - 18.Mar.2004 11:55:00 AM
alto50
Posts: 11
Joined: 1.Dec.2003
Status: offline
For some reason, I cannot seem to make my internal web site accessible from the external network. I'm using ISA 2004 RC.
I'm using the 3-leg template, with the web server on the perimeter network. I *think* I'm doing everything right, but it's not working.
I have created a listener for the external network for port 80, then created a web publishing rule to allow HTTP using this listener, pointing to the internal web server.
The browser on the external machine returns the message: Cannot find server or DNS Error.
I have published other servers (DNS server on internal network, FTP server on the same web server on the perimeter network) and those work fine. The external client can resolve the name, but just can't browse.
I looked in logging, and I see the HTTP request come in, but it's getting denied by the default rule.
Edit: One more thing, I know that the site is up, because I can hit it from the local host. [ March 18, 2004, 12:03 PM: Message edited by: alto50 ]
RE: Web server publishing woes - 20.Mar.2004 8:22:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Alto,
One problem with the trihomed DMZ template is that it misconfigures the Network Relationships. You should configure the Network Rule between the DMZ and the External to be NAT and the DMZ and the Internal as Route.
HTH, Tom
RE: Web server publishing woes - 21.Mar.2004 8:33:00 AM
alto50
Posts: 11
Joined: 1.Dec.2003
Status: offline
I forgot to mention that I did modify those network rules.
Here's something interesting: if I change the DNS record for www to the IP address of the external interface on the firewall, then I'm able to browse.
While I'm glad it's working, this seems like unexpected behavior. Maybe I'm mistaken, and this is the way it's supposed to work, but in the past I have always published an internal server by its actual IP address. [ March 21, 2004, 08:34 AM: Message edited by: alto50 ]
RE: Web server publishing woes - 21.Mar.2004 5:41:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Alto,
Can you provide the details of the Web Publishing Rule? I'm not sure I understand exactly what the problem is here.
Thanks! Tom
RE: Web server publishing woes - 22.Mar.2004 1:29:00 AM
alto50
Posts: 11
Joined: 1.Dec.2003
Status: offline
OK, I have a Web server on the perimeter network, IP address 192.168.32.2.
The external interface on the ISA server is 192.168.48.1.
I have created a listener for the external network for port 80.
I have created a web publishing rule to allow HTTP from the listener to the internal machine (on the To tab).
On the public name tab, I have www.domainname.com.
Now, I have also published the internal DNS server, which originally contained an alias for www pointing to webserver.domain.com. This didn't work, even though the external client could resolve the www hostname properly.
So instead, I removed the alias record, and created a host record for www with an IP address of 192.168.48.1 (the external ISA interface). This allows the external client to browse, but prevents the internal network from accessing the site (unless I change the listener to listen on both networks).
My point is, it works, but not in the way I expected. I expected to be able to publish the web server on its actual internal address, and not by the external address of the ISA server. It seems like there's something weird going on with the listener, because as a test, I published an FTP server pointing to the internal address (and not the external ISA interface) and that did work, as I expected it to.
Hope that makes sense.
RE: Web server publishing woes - 22.Mar.2004 11:01:00 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Alto,
OK, I see the problem. What you need is a split DNS, so that internal clients access the resource on the DMZ segment directly, and *not* by looping back through the firewall's external interface. Web Proxy clients should also be configured to use Direct Access for these internally hosted resources. The split DNS is a key factor in a hosted environment!
HTH, Tom
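
The split-DNS arrangement described in this reply, as an added example that is not part of the original thread: a small audit that resolves the published name in the external and internal DNS views and flags the two failure modes discussed above. The zone data is constructed from the names and addresses quoted in the thread; the /24 prefix and the finding labels are assumptions.

```python
import ipaddress

# Addresses quoted in the thread; the /24 prefix length is an assumption.
FIREWALL_EXTERNAL_IP = "192.168.48.1"   # ISA external interface (Web listener)
DMZ_NET = ipaddress.ip_network("192.168.32.0/24")
NAME = "www.domainname.com"

# Constructed zone data: {owner name: (record type, value)}
ALIAS_ZONE = {  # original setup: one zone, www aliased to the real server
    "www.domainname.com": ("CNAME", "webserver.domain.com"),
    "webserver.domain.com": ("A", "192.168.32.2"),
}
WORKAROUND_ZONE = {"www.domainname.com": ("A", "192.168.48.1")}  # one zone for everyone
SPLIT_EXTERNAL = {"www.domainname.com": ("A", "192.168.48.1")}   # view served to outside clients
SPLIT_INTERNAL = {"www.domainname.com": ("A", "192.168.32.2")}   # view served to internal clients

def resolve(zone, name, max_hops=8):
    """Follow CNAMEs inside one zone view; return the final A address or None."""
    for _ in range(max_hops):          # hop limit guards against CNAME loops
        rtype, value = zone.get(name.lower(), (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        name = value
    return None

def audit_split_dns(name, external_zone, internal_zone):
    """Return findings for a published name, given each side's DNS view."""
    findings = []
    ext = resolve(external_zone, name)
    internal = resolve(internal_zone, name)
    if ext != FIREWALL_EXTERNAL_IP:
        # Web publishing answers on the listener address, not the DMZ host's own IP.
        findings.append("external-not-listener")
    if internal == FIREWALL_EXTERNAL_IP:
        # Internal clients would loop back through the external interface.
        findings.append("internal-loopback")
    elif internal is None or ipaddress.ip_address(internal) not in DMZ_NET:
        findings.append("internal-not-direct")
    return findings

if __name__ == "__main__":
    for label, ext, internal in [("alias", ALIAS_ZONE, ALIAS_ZONE),
                                 ("workaround", WORKAROUND_ZONE, WORKAROUND_ZONE),
                                 ("split", SPLIT_EXTERNAL, SPLIT_INTERNAL)]:
        print(label, audit_split_dns(NAME, ext, internal))
```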
RE: Web server publishing woes - 23.Mar.2004 11:38:00 AM
alto50
Posts: 11
Joined: 1.Dec.2003
Status: offline
Thanks for your help, Tom. You are the man.
RE: Web server publishing woes - 23.Mar.2004 12:25:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Alto,
Thanks! Tom