Welcome to ISAserver.org


Web site woes

Web site woes - 20.Jul.2005 6:20:00 AM   
packet46

 

Posts: 11
Joined: 20.Jul.2005
From: UK
Status: offline
Hi,

I've just installed ISA2004 on SBS2003 (all service packed properly) to host a small company's office infrastructure. Everything is working fine except external access to the corporate web site.

Everything is on one server. I have site-to-site VPNs working with no worries and my client is happy except for this issue.

The URL is www.redrockconsulting.co.uk

I have a rule in ISA which allows the External network object to open comms on tcp_80 and tcp_443 to the destination of the server internal hostname (it's the only one), I am forwarding original host headers and the request is set to appear as coming from the original client.

The listener is configured as above and the URL is entered correctly. The path is /* and bridging is configured for 80 & 443. All Users are allowed and the web site is configured in IIS for anonymous/integrated access.

Additionally, I have set up ethereal on the server and can see SYN packets hitting it but no ACKs are being returned.

The site is accessible from an internal machine. I know I have dropped the ball somewhere, but at the moment I can't see the wood for the trees....

Any ideas?

Cheers
Packet46
Post #: 1
RE: Web site woes - 20.Jul.2005 8:10:00 AM   
tshinder

 

Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Packet,

Don't the wizards handle this sort of thing?

Thanks!
Tom

(in reply to packet46)
Post #: 2
RE: Web site woes - 20.Jul.2005 9:01:00 AM   
packet46

 

Posts: 11
Joined: 20.Jul.2005
From: UK
Status: offline
Hello,

Yes they do. I created the web publishing rule using the built in wizards.

My point is that I have obviously got something wrong somewhere and I can't see it for looking.

I was wondering whether anyone knew any "features" regarding Web Publishing with I2004 that I was blissfully unaware of...

Thanks,

(in reply to packet46)
Post #: 3
RE: Web site woes - 20.Jul.2005 10:14:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You're saying the SYN is reaching the IIS Server and it is not responding?

Who does it point to for its default gateway?

Can you change the ISA rule temporarily to use ISA's address as the source and see if the behavior changes?

(in reply to packet46)
Post #: 4
RE: Web site woes - 20.Jul.2005 2:51:00 PM   
packet46

 

Posts: 11
Joined: 20.Jul.2005
From: UK
Status: offline
Well, remembering that there is only one server here (SBS 2003 sp1), which I manage from a remote location, I can filter traffic on the public interface to capture my public ip_addr and tcp_80.

When I do this, I see SYN packets hitting the public interface of the server. I don't see any SYN/ACK replies.

I have a lot of experience using PIX, FW-1, WatchGuard and home made BSD (IPFW2) firewalls with web servers and the like, but ISA2004 is new to me. I must say I like the product, and the HW appliances will make it even better.

Back to my woes...enough back slapping! I have IIS6.0 installed as part of SBS2003 and the public website is installed on the default web server instance listening on 80/443.

I used the 'publish web server wizard' to create the access rule. I think I have it right - but obviously I don't.

I can remotely access one of the office machines, and if I type in the URL from that machine the web site is returned properly.

It's my cock-up, I just can't see where....

Cheers
Packet

(in reply to packet46)
Post #: 5
RE: Web site woes - 20.Jul.2005 3:02:00 PM   
packet46

 

Posts: 11
Joined: 20.Jul.2005
From: UK
Status: offline
The only other thing I can think of is that both the intranet and the public web site are running on tcp_80. However I am using host headers for the intranet so that should take care of any connection clash at layer 7.

The URL in question is www.redrockconsulting.co.uk, it's not a live site just yet so I do have some flexibility with the web server instance and the FW policy if anybody can suggest a way forward.

I am going to delete the web publishing rule now and start again.

MSN= david.henderson@packetconsulting.com

cheers..
Packet

(in reply to packet46)
Post #: 6
RE: Web site woes - 21.Jul.2005 9:28:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Are there any Alerts generated on the ISA Server? Make sure you do an F5 so that you don't have an old view of the Alerts. I would think you'd have an alert that ISA can't bind to the port.

Since you're publishing to the ISA Server itself, both ISA and IIS are competing for the IP:Port combo so you may have to use the HTTPCFG utility to disable socket pooling and make IIS listen on the internal interface and allow ISA to listen on the external interface.

(in reply to packet46)
Post #: 7
RE: Web site woes - 21.Jul.2005 11:11:00 AM   
zinno

 

Posts: 15
Joined: 14.Jul.2004
Status: offline
Make your life easy and place IIS & SSL on a different port number ... reroute traffic from the internet port 80 443 to some other internal port like 12345 12346. Of course the LAN dns should point to the external port.

No idea why ISA allows 2 services to listen on the same port number on the same server. Doesn't make any sense really + it causes unwanted loops, strange logs etc...

(in reply to packet46)
Post #: 8
RE: Web site woes - 22.Jul.2005 4:51:00 AM   
packet46

 

Posts: 11
Joined: 20.Jul.2005
From: UK
Status: offline
Clint/Zinno,

Bang on the money guys. After checking the logs it appears that I have an error regarding port binding.

"The WebProxy Filter failed to bind to its socket;10.10.10.10:80"

This error message is repeated for the public interface, the private interface and the loopback interface.

I'll try the HTTPCFG utility. I did try the alternate port concept, (81 & 444) but that didn't seem to work, unless I screwed that up as well!

Also, because this is an SBS scenario and the client wants to run Sharepoint Team Services for collaboration technologies, the intranet site (internal adapter) will be listening on the internal adapter for tcp_80 because I am running [all unassigned] - however I do have host headers set up for this which might help.

Thanks for sticking with me so far, I will implement these changes over the weekend and update progress.

Regards
Dave H

(in reply to packet46)
Post #: 9
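The bind failure quoted in this post, and the IP:port contention ClintD describes, can be confirmed from `netstat -ano` output by looking for a wildcard listener on the port ISA wants. This is an added example, not part of the original thread; the netstat sample is constructed, and the PIDs and the 192.0.2.x addresses in it are assumptions.

```python
# Added example: find listeners that would block a bind to a given IP:port.
# SAMPLE_NETSTAT is constructed; PIDs and 192.0.2.x addresses are assumptions.
import re

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    10.10.10.10:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.10:8080       0.0.0.0:0              LISTENING       1820
  TCP    10.10.10.10:3389       192.0.2.77:51515       ESTABLISHED     1104
"""

# Matches only TCP rows in LISTENING state: local ip, local port, owning PID.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return [(ip, port, pid)] for every TCP socket in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out

def blockers(listeners, want_ip, want_port):
    """Listeners that prevent a new bind to want_ip:want_port.

    A wildcard listener (0.0.0.0) covers every local address, which is the
    state socket pooling leaves the port in; an exact IP match also blocks.
    """
    return [(ip, port, pid) for ip, port, pid in listeners
            if port == want_port and ip in ("0.0.0.0", want_ip)]

def report(netstat_text, endpoints):
    """Map each wanted 'ip:port' to the list of listeners blocking it."""
    listeners = parse_listeners(netstat_text)
    return {f"{ip}:{port}": blockers(listeners, ip, port)
            for ip, port in endpoints}

if __name__ == "__main__":
    wanted = [("10.10.10.10", 80), ("192.0.2.10", 80), ("192.0.2.10", 81)]
    for endpoint, found in report(SAMPLE_NETSTAT, wanted).items():
        held = ", ".join(f"{i}:{p} (pid {pid})" for i, p, pid in found)
        print(f"{endpoint:20}", ("BLOCKED by " + held) if found else "free")
```

To use it on a real server, pass the text of `netstat -ano` as `netstat_text` and list the addresses the firewall listener is configured for.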
RE: Web site woes - 22.Jul.2005 5:48:00 AM   
zinno

 

Posts: 15
Joined: 14.Jul.2004
Status: offline
quote:
Originally posted by packet46:

I'll try the HTTPCFG utility. I did try the alternate port concept, (81 & 444) but that didn't seem to work, unless I screwed that up as well!


Reboot the whole system when making major port changes... just to be 100% sure all is bound correctly.

Start debugging from ground up.
-> can I access the webserver on port 81
-> can I access the website port 80 on the webserver/on the LAN on the WAN.

(in reply to packet46)
Post #: 10
RE: Web site woes - 24.Jul.2005 1:17:00 PM   
packet46

 

Posts: 11
Joined: 20.Jul.2005
From: UK
Status: offline
Clint/Zinno,

Problem solved. Took the easy route rather than go with HTTPcfg.exe, just used alternate listening ports on the web server and forwarded tcp_80 / tcp_443 traffic to them.

It did take a reboot to make it happen. I guess once a NIC or filter has bound to a port then it doesn't give it up without a local cache flush.

Thanks again.
Dave

(in reply to packet46)
Post #: 11
