
Welcome to ISAserver.org


DMZ website with unique port

DMZ website with unique port - 9.Mar.2006 8:04:40 PM   
Angie

 

Trying to configure access (from internal) to a website in the DMZ that uses port 2002.  I have a web access rule (for http, https) that allows Internal access to Perimeter.  I have a protocol rule for port 2002 that allows access from Internal to Perimeter. 

My logs show Initiated Connection for the protocol rule, but my client browser simply times out on the page. What am I missing? Internal to Perimeter is set up to ROUTE traffic.
Post #: 1
RE: DMZ website with unique port - 21.Mar.2006 4:28:41 AM   
tshinder

 

Hi Angie,

Are these Web proxy clients?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Angie)
Post #: 2
RE: DMZ website with unique port - 21.Mar.2006 1:27:37 PM   
Angie

 

Both web proxy and firewall clients.  If we disable the firewall client, it works.  I was just wondering if there was a way to do it without the extra step for the users.

(in reply to tshinder)
Post #: 3
RE: DMZ website with unique port - 21.Mar.2006 2:28:22 PM   
tshinder

 

Hi Angie,

Why does it work when you disable the Firewall client?

Web proxy client takes precedence for HTTP connections, so the Firewall client settings don't even apply.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Angie)
Post #: 4
RE: DMZ website with unique port - 21.Mar.2006 2:36:40 PM   
Angie

 

Good question.  I have no clue why it works with the firewall client disabled.

Might I have rules out of order?  I'm new to 2004, so there may be something I'm overlooking.

How would you typically go about creating rules for an alternate port site in 2004?  I know how it's done in 2000, but things are a bit different now.

(in reply to tshinder)
Post #: 5
RE: DMZ website with unique port - 21.Mar.2006 2:48:44 PM   
tshinder

 

Hi Angie,

You can create a new protocol definition for the new protocol and then create an Access Rule that will allow Firewall and SecureNAT clients to access the site on the alternate port. The Web proxy client doesn't require this because all it knows is that you're allowing access to HTTP, so the port number is irrelevant.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Angie)
Post #: 6
RE: DMZ website with unique port - 21.Mar.2006 3:20:43 PM   
Angie

 

I have an access rule that allows the protocol definition (configured as outbound 2002) from Internal to Perimeter for the specified user (Active Directory) groups who need access. 

Do I need to do something extra to 'allow Firewall and SecureNAT clients to access the site'?

Still only works with firewall client disabled.  If it's enabled, the site times out within the browser.

(in reply to tshinder)
Post #: 7
RE: DMZ website with unique port - 21.Mar.2006 6:59:10 PM   
Angie

 

My bad. I had a local exception set up in my proxy settings to bypass that address. That's why it was working. When I remove that address from any bypass list, it does not work no matter what I enable/disable on the client.

Not sure if that's better or worse...

(in reply to Angie)
Post #: 8
RE: DMZ website with unique port - 23.Mar.2006 3:18:38 PM   
tshinder

 

Hi Angie,

Time for real troubleshooting. We'll need:

1. A network diagram with network IDs and IP addresses

2. All Network Rules

3. All Direct Access Lists and Direct Access Domains

4. Log file entries for connections that aren't working

That'll get things started.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Angie)
Post #: 9
