cannot publish non-web server

cannot publish non-web server - 24.Aug.2007 2:13:48 PM   
jorjetheone

 

Posts: 7
Joined: 24.Aug.2007
Status: offline
I have ISA 2006 on Win 2003 Srv R2 with 2 NICs in edge FW config. I'm trying to create a very simple rule: allow 3389 from the internet to one of our domain machines (the ISA server is part of the domain). If I specify localhost as the destination instead of any machine from the domain, it works; otherwise it does not. I tried to create different rules (e.g. RPC 135) but it seems that none of them is working to any of the machines on the internal network.
I've also created a new non-web server publishing rule like this:
server IP address: internal server that accepts RDP connections
selected protocol: RDP (Terminal Services) Server
listen for requests from these networks: external
apply :) still not working :(
Any idea?
Thank you.
Andrei
Post #: 1
RE: cannot publish non-web server - 24.Aug.2007 2:44:43 PM   
jorjetheone

 

Posts: 7
Joined: 24.Aug.2007
Status: offline
Here is the ISA server log when I try to connect with RDP from home to one of my servers.
As far as I see there is no error but also the rdp connection cannot be initiated. It does the same for any other non-web server I try to publish (e.g. rpc 135 to our http proxy server/exchange - no log-on screen).


"my home ip"                "isa server 2006 machine"    -        TCP    -                        -                8/24/2007 6:37:41 PM    33525    0    0    0    0x0 ERROR_SUCCESS        0x0    Firewall    -    8/24/2007 2:37:41 PM    10.0.0.30    3389    RDP (Terminal Services) Server    Initiated Connection    RDP to "server in the internal network"    "my home ip"        External    Internal    -    -    0x0

(in reply to jorjetheone)
Post #: 2
RE: cannot publish non-web server - 24.Aug.2007 4:45:00 PM   
4242jpg

 

Posts: 12
Joined: 21.Aug.2007
Status: offline
Hello

Perhaps it can be solved by changing these values in your registry and restarting.
I'd recommend disabling some of the "extras" that were added by SP2. The
three problem ones that have become somewhat "famous" are EnableTCPA,
DisableTaskOffload, and EnableRSS. They are found in the registry at:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

Some may already exist, some you may have to create.

They are all DWord Values

EnableRSS=0
EnableTCPA=0
DisableTaskOffload=1

(in reply to jorjetheone)
Post #: 3
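
The registry change suggested in post #3, as an added example that is not part of the original thread: a PowerShell script that reports the current state of the three values and, when run with the hypothetical `-Apply` switch, creates or sets them. It assumes PowerShell is installed on the ISA server and that the session has administrative rights.

```powershell
# Added example (not from the thread): audit, and optionally apply, the three
# DWORD values listed in post #3 under Tcpip\Parameters.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Target values exactly as given in the post.
$wanted = @{
    EnableRSS          = 0
    EnableTCPA         = 0
    DisableTaskOffload = 1
}

$changed = $false
foreach ($name in $wanted.Keys) {
    $target = $wanted[$name]

    # The post notes that some values may not exist yet; treat that as "not set".
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $current = $null
    if ($item) { $current = $item.$name }

    if ($null -ne $current -and $current -eq $target) {
        Write-Output ("{0,-20} = {1}  (already as recommended)" -f $name, $current)
        continue
    }

    $shown = '(not set)'
    if ($null -ne $current) { $shown = $current }
    Write-Output ("{0,-20} = {1}  -> wanted {2}" -f $name, $shown, $target)

    if ($Apply) {
        if ($null -eq $current) {
            # Create the missing value as a DWORD.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $target | Out-Null
        } else {
            Set-ItemProperty -Path $path -Name $name -Value $target
        }
        $changed = $true
    }
}

if ($changed) {
    Write-Output 'Values written. Restart the server so the TCP/IP stack picks them up.'
} elseif (-not $Apply) {
    Write-Output 'Report only. Re-run with -Apply to write the values.'
}
```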
RE: cannot publish non-web server - 27.Aug.2007 10:39:43 AM   
jorjetheone

 

Posts: 7
Joined: 24.Aug.2007
Status: offline
Hey 4242jpg,

I tried that. Still not working.
None of the rules I've created from external to internal work. I do have a network rule created for external->internal. I have no idea what to do.
I have winsocktool.exe at one end (my home machine) and the ISA server at the other end.
Here is what I get when, for example, I try FTP on port 21.

"my home ip - public"    "isa server" -  TCP -      -    8/27/2007 2:35:34 PM 33388 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED  0x0 Firewall - 8/27/2007 10:35:34 AM 192.168.0.101 21 FTP Denied Connection Default rule "my home ip - public"  External Local Host - - 0x0

It's been denied by the default rule, like I've never published the FTP server.
Any other idea?

Thank you.
Andrei

(in reply to 4242jpg)
Post #: 4
RE: cannot publish non-web server - 27.Aug.2007 11:32:55 AM   
jorjetheone

 

Posts: 7
Joined: 24.Aug.2007
Status: offline
I've published, for example, a non-web server for FTP port 21. The FTP server is in the same network as the ISA server's internal NIC.
I put a machine in the same external network with isa server.
I'm using winsocktools as client and I'm testing on 21.

Here is what I get in isa logs:
192.168.0.100    "isa server name" -  TCP -      -    8/27/2007 3:18:01 PM 1610 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED  0x0 Firewall - 8/27/2007 11:18:01 AM 192.168.0.101 21 FTP Denied Connection Default rule 192.168.0.100  External Local Host - - 0x0

Here is what I get from fwengmon:
ID      Protocol  Source                Destination             One-Shot
--      --------  ------                -----------             --------
10805   TCP(6)    0.0.0.0:0             10.0.0.2:21             No
1       TCP(6)    0.0.0.0:0             10.0.0.14:8080          No
14      TCP(6)    10.0.0.14:0           10.0.0.3:1026           No
10133   TCP(6)    10.0.0.31:0           10.0.0.6:1081           No
10184   TCP(6)    10.0.0.31:0           10.0.0.6:1150           No
10146   TCP(6)    10.0.0.31:0           10.0.0.6:1214           No
4919    TCP(6)    10.0.0.102:0          10.0.0.6:1081           No
4971    TCP(6)    10.0.0.102:0          10.0.0.6:1150           No
4940    TCP(6)    10.0.0.102:0          10.0.0.6:1214           No
3959    TCP(6)    10.0.0.103:0          10.0.0.6:1081           No
4085    TCP(6)    10.0.0.103:0          10.0.0.6:1150           No
4064    TCP(6)    10.0.0.103:0          10.0.0.6:1214           No
3371    TCP(6)    10.0.0.104:0          10.0.0.6:1081           No
3413    TCP(6)    10.0.0.104:0          10.0.0.6:1150           No
3382    TCP(6)    10.0.0.104:0          10.0.0.6:1214           No
10210   TCP(6)    10.0.0.107:0          10.0.0.3:1026           No
3455    TCP(6)    10.0.0.107:0          10.0.0.6:1081           No
3486    TCP(6)    10.0.0.107:0          10.0.0.6:1150           No
3466    TCP(6)    10.0.0.107:0          10.0.0.6:1214           No
4151    TCP(6)    10.0.0.107:0          10.0.0.16:1025          No
4493    TCP(6)    10.0.0.108:0          10.0.0.16:1025          No
10872   TCP(6)    10.0.0.109:0          10.0.0.3:1026           No
9580    TCP(6)    10.0.0.109:0          10.0.0.6:1081           No
9573    TCP(6)    10.0.0.109:0          10.0.0.6:1150           No
9568    TCP(6)    10.0.0.109:0          10.0.0.6:1214           No
25 Creations.

So the listener has been created but still denied.

Here is the ipconfig /all:

Windows IP Configuration
  Host Name . . . . . . . . . . . . : isa server name
  Primary Dns Suffix  . . . . . . . : domain.com
  Node Type . . . . . . . . . . . . : Unknown
  IP Routing Enabled. . . . . . . . : Yes
  WINS Proxy Enabled. . . . . . . . : Yes
  DNS Suffix Search List. . . . . . : tvmi.com
PPP adapter RAS Server (Dial In) Interface:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
  Physical Address. . . . . . . . . : 00-53-45-00-00-00
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 10.0.0.110
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . :

Ethernet adapter Internal network:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
  Physical Address. . . . . . . . . : 00-06-5B-C9-4B-EA
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 10.0.0.14
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 10.0.0.3
  Primary WINS Server . . . . . . . : 10.0.0.3

Ethernet adapter External network:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PILA8470B)
  Physical Address. . . . . . . . . : 00-D0-B7-C9-C8-D1
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 192.168.0.101
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.1
  DNS Servers . . . . . . . . . . . : 192.168.0.1

Any help please?



(in reply to jorjetheone)
Post #: 5
RE: cannot publish non-web server - 27.Aug.2007 4:44:24 PM   
jorjetheone

 

Posts: 7
Joined: 24.Aug.2007
Status: offline
I found this article:
http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1.html 
(parts 1-5), which fits my config perfectly, and I started all over again.
Everything went fine until I got to the point where I had to install the SSL listener, and then I got stuck again.
ISA server found both of my SSL certificates invalid.
Validity: Invalid
Certificate Store: incorrectly installed (Current User Account, Personal)
One of them was issued by our internal CA and the other one by a free CA from the internet.
I followed step by step everything in that article and I don't understand what's wrong.
I have two problems now:
1. no published rule is working (denied by default rule)
2. cannot install SSL certificate under ISA because it's found INVALID

Any help highly appreciated.

(in reply to jorjetheone)
Post #: 6
RE: cannot publish non-web server - 27.Aug.2007 4:59:32 PM   
jorjetheone

 

Posts: 7
Joined: 24.Aug.2007
Status: offline
Solved the problem with the SSL certificate.
Still have the main problem that no web (non-web) server published rule is working.
Basically nothing from external to internal is working. Everything denied by the default rule.
Any help?
Thank you.

(in reply to jorjetheone)
Post #: 7
