DMZ website with unique port (Full Version)

Angie -> DMZ website with unique port (9.Mar.2006 8:04:40 PM)

Trying to configure access (from internal) to a website in the DMZ that uses port 2002.  I have a web access rule (for http, https) that allows Internal access to Perimeter.  I have a protocol rule for port 2002 that allows access from Internal to Perimeter. 

My logs show Initiated Connection for the protocol rule, but my client browser simply times out on the page.  What am I missing?  Internal to Perimeter is set up to ROUTE traffic.




tshinder -> RE: DMZ website with unique port (21.Mar.2006 4:28:41 AM)

Hi Angie,

Are these Web proxy clients?

Thanks!
Tom




Angie -> RE: DMZ website with unique port (21.Mar.2006 1:27:37 PM)

Both web proxy and firewall clients.  If we disable the firewall client, it works.  I was just wondering if there was a way to do it without the extra step for the users.




tshinder -> RE: DMZ website with unique port (21.Mar.2006 2:28:22 PM)

Hi Angie,

Why does it work when you disable the Firewall client?

Web proxy client takes precedence for HTTP connections, so the Firewall client settings don't even apply.

HTH,
Tom




Angie -> RE: DMZ website with unique port (21.Mar.2006 2:36:40 PM)

Good question.  I have no clue why it works with the firewall client disabled.

Might I have rules out of order?  I'm new to 2004, so there may be something I'm overlooking.

How would you typically go about creating rules for an alternate port site in 2004?  I know how it's done in 2000, but things are a bit different now.




tshinder -> RE: DMZ website with unique port (21.Mar.2006 2:48:44 PM)

Hi Angie,

You can create a new protocol definition for the new protocol and then create an Access Rule that will allow Firewall and SecureNAT clients to access the site on the alternate port. The Web proxy client doesn't require this because all it knows is that you're allowing access to HTTP, so the port number is irrelevant.

HTH,
Tom




Angie -> RE: DMZ website with unique port (21.Mar.2006 3:20:43 PM)

I have an access rule that allows the protocol definition (configured as outbound 2002) from Internal to Perimeter for the specified user (Active Directory) groups who need access. 

Do I need to do something extra to 'allow Firewall and SecureNAT clients to access the site'?

Still only works with firewall client disabled.  If it's enabled, the site times out within the browser.




Angie -> RE: DMZ website with unique port (21.Mar.2006 6:59:10 PM)

My bad.  I had a local exception set up in my proxy settings to bypass that address.  That's why it was working.  When I remove that address from any bypass list, it does not work no matter what I enable/disable on the client.

Not sure if that's better or worse...




tshinder -> RE: DMZ website with unique port (23.Mar.2006 3:18:38 PM)

Hi Angie,

Time for real troubleshooting. We'll need:

1. A network diagram with network IDs and IP addresses

2. All Network Rules

3. All Direct Access Lists and Direct Access Domains

4. Log file entries for connections that aren't working

That'll get things started.

Thanks!
Tom



