Internal access to DMZ web






jasonWI -> Internal access to DMZ web (16.Dec.2004 4:04:00 PM)

I have a 3-legged ISA config. External 222.222.222.x\24, DMZ 10.1.10.x\24, Internal 10.0.10.x\24. I have published a web server in the DMZ that points to 10.1.10.22 in the DMZ. All external access works fine. But when users on the internal network try to access the site, they get "Page not Found". Logging looks like a GET request is never even being sent. Just initiates an HTTP connection and that's the end of it.

I have a ROUTE relationship set up between DMZ and internal (which shouldn't matter, as the request should be going out ISA and then back in, all through the public interface on ISA, shouldn't it?) Internal users attempt to access the public URL.
I've circumvented the problem temporarily by putting an internal DNS entry pointing to the internal address of the DMZ server. Not the solution I want necessarily.
All other web browsing functionality works fine, just viewing the webs on the published DMZ server seems to cause me a problem.

If you know the answer to this one, please see my other post in "ISA 2004: Web Publishing" about viewing local sites through VPN.




tshinder -> RE: Internal access to DMZ web (17.Dec.2004 12:10:00 PM)

Hi Jason,

NO! The Internal Network clients SHOULD NOT loop back through the external interface to get into the DMZ. They should source from the Internal Network and destination to the DMZ Network. NEVER LOOP BACK through the ISA firewall!

HTH,
Tom




jasonWI -> RE: Internal access to DMZ web (20.Dec.2004 3:18:00 PM)

Thanks much Tom. I did finally find an article asking a similar question and saw the same answer there. What is the correct way to do this? I would assume the alternative DNS zone that points everything to the 10.1.10.x IP addresses.

Could you also take a look at this post?
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=21;t=000248




denli -> RE: Internal access to DMZ web (28.Jul.2005 9:35:00 AM)

If you use "floating addresses" with webpublish rules you will enable your clients on the inside to access the published sites with their published addresses.

When you select the network for the weblistener, select 'All Networks (and Local Host)' and don't specify an IP address anywhere for the weblistener to listen on.



