RE: DHCP External to ISA for Internal LAN

RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 8:34:33 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
.

< Message edited by x102020 -- 30.Oct.2006 8:41:52 AM >

(in reply to x102020)
Post #: 41
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 9:00:16 AM   
Guest
quote:

So you're saying that my ISA Internal NIC should be changed to something like 192.168.1.x (for example). But won't this change my LAN IPs?

possible. this depends..
before adding ISA, your clients used to belong to network 192.168.2.x
with ISA as I said you cannot have two interfaces belonging to the same subnet (ISA doesn't support bridging mode).
the good news is that you only have nat between your sonicwall and exterior network so adding ISA into the equation will make it just double nat.
by the way your settings look good except the ISA internal interface which should belong to another subnet.

< Message edited by adrian_dimcev -- 31.Oct.2006 6:29:27 AM >

(in reply to x102020)
  Post #: 42
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 9:06:55 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Now, do I need to change anything to make this work correctly (ie: dhcp publishing range?)

Or is it possible to change this around so the gateway changes to 192.168.1.x subnet instead of the client machines?

(in reply to Guest)
Post #: 43
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 9:15:00 AM   
Guest
what exactly do you mean with that?
if you are using dhcp on your internal lan you need to change the dhcp scope to cover the new subnet.
the clients from Internal network will use as gateway the ISA internal interface's ip address.

(in reply to x102020)
  Post #: 44
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 9:26:37 AM   
Guest
by the way it is more simple to change the network id on the internal interface of sonicwall so in this way you will have to make little changes:
on the sonic internal interface
on ISA external interface
and maybe some rules on your sonicwall.
in this way your internal network will be less affected.

(in reply to Guest)
  Post #: 45
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 9:33:30 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
so that means i would actually have 2 gateways? the clients use the gateway of ISA server (which is the ISA Internal NIC IP) and ISA External NIC connects to sonicwall gateway?

-So to make this happen correctly (and easily), i should change the ISA Internal NIC IP to 192.168.2.101 (so clients wouldn't notice the gateway change).
-Then change sonicwall Internal IP to something on a different subnet (like 192.168.1.101)
-Then change the ISA External NIC IP to the new gateway (192.168.1.101)
-Then change any policies and what not in sonicwall to reflect the subnet change.

Did I miss anything?

thanks,
10

< Message edited by x102020 -- 30.Oct.2006 9:42:04 AM >

(in reply to Guest)
Post #: 46
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 9:48:15 AM   
Guest
something like that except that ISA external interface:
ip address 192.168.1.102
dg: 192.168.1.101(the sonicwall ip address from internal interface)
dns: none
also with ISA now in place your clients are using it as a proxy server to connect to Internet.
so make sure you have the correct settings on them, maybe install FWC on them and use it alone (clients will use only FWC to connect to the Internet, ...) or in combination with proxy.
for the proxy it is better to use the "automatic configuration script".
take a closer look here:
http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html
http://blogs.isaserver.org/pouseele/2006/05/21/a-different-look-at-the-isa-clients/

< Message edited by adrian_dimcev -- 30.Oct.2006 10:45:52 AM >

(in reply to x102020)
  Post #: 47
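The addressing agreed in the posts above can be checked before going live. This is an added example, not part of the original thread: it flags two NICs of the ISA box sharing a subnet, duplicate addresses, and a default gateway that is off-link. The /24 masks, the interface labels and the "before" addresses are assumptions; 192.168.2.11 is the Exchange server mentioned later in the thread.

```python
import ipaddress

def check_plan(plan, multihomed):
    """plan: {nic: (address/prefix, default gateway or None)};
    multihomed: {device: [its nics]}. Returns a list of problem strings."""
    ifaces = {n: ipaddress.ip_interface(a) for n, (a, _) in plan.items()}
    owners, problems = {}, []
    for name, iface in ifaces.items():
        if iface.ip in owners:
            problems.append(f"duplicate address {iface.ip}: {owners[iface.ip]}, {name}")
        owners.setdefault(iface.ip, name)
    # A routing/NAT firewall such as ISA needs each NIC in its own subnet.
    for dev, names in multihomed.items():
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if ifaces[a].network.overlaps(ifaces[b].network):
                    problems.append(f"{dev}: {a} and {b} share {ifaces[a].network}")
    # A default gateway must be on-link and owned by some interface in the plan.
    for name, (_, gw) in plan.items():
        if gw is None:
            continue
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in ifaces[name].network:
            problems.append(f"{name}: gateway {gw} is outside {ifaces[name].network}")
        elif gw_ip not in owners:
            problems.append(f"{name}: gateway {gw} is not assigned to any interface")
    return problems

# Addresses agreed in the thread; the /24 masks are an assumption.
AGREED = {
    "sonicwall_lan": ("192.168.1.101/24", None),
    "isa_external": ("192.168.1.102/24", "192.168.1.101"),
    "isa_internal": ("192.168.2.101/24", None),
    "exchange": ("192.168.2.11/24", "192.168.2.101"),
}
# Constructed "before" layout: both ISA NICs inside the clients' 192.168.2.x.
BEFORE = {
    "sonicwall_lan": ("192.168.2.101/24", None),
    "isa_external": ("192.168.2.102/24", "192.168.2.101"),
    "isa_internal": ("192.168.2.103/24", None),
    "exchange": ("192.168.2.11/24", "192.168.2.103"),
}
ISA = {"ISA": ["isa_external", "isa_internal"]}

if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("agreed", AGREED)):
        print(label, check_plan(plan, ISA) or "ok")
```

Setting the ISA external NIC to 192.168.1.101 itself, as first proposed in post 46, is reported as a duplicate of the sonicwall address.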
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 11:04:27 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Now when I put this live, what needs to change on the client computers (for browsing since it's web proxy).

I've setup the wpad in dhcp and dns. Now, to automatically apply the auto detect, I need to add the 'autodetect' into the gpo?

thanks,
10

< Message edited by x102020 -- 30.Oct.2006 11:34:14 AM >

(in reply to Guest)
Post #: 48
RE: DHCP External to ISA for Internal LAN - 30.Oct.2006 8:46:42 PM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Hey hey hey!

sweet, I have working internet!! thanks a ton for all the help, if there's anything I can do to repay you, lemme know :)

Now, I still have a few issues I need to get resolved concerning ISA.

1. We have an exchange server, it is now sending outbound emails, but inbound emails don't come in, is there something in nat in ISA i have to open aside from smtp?


thanks
10

(in reply to x102020)
Post #: 49
RE: DHCP External to ISA for Internal LAN - 31.Oct.2006 3:27:12 AM   
Guest
Great!
to set the proxy settings on clients an easy way to do this is to use a gpo.
another way, if you have installed the FWC client, is to enable this option on ISA and have the FWC set to automatically configure your browser settings.
To allow the mail server you need this time to use the publish rules not the access rules.
you need to use the publish rules because you have a nat relationship between your networks (I guess external and internal if you did not put your exchange server in dmz).
also make sure you are permitting on your sonicwall the inbound mail connection to be forwarded to ISA.

(in reply to x102020)
  Post #: 50
RE: DHCP External to ISA for Internal LAN - 31.Oct.2006 8:30:38 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
I've published the server and the necessary protocols.

I see the smtp packets (in sonicwall) being dropped, they are trying to access the exchange server directly?

I have an smtp relay server setup on ISA (so the exchange passes to the ISA server, because we have our spam control on there), but it's not active yet.


*edit, found the nat policy in sonicwall that is WAN > LAN for the exchange (but it's still being dropped?), so I guess I'll need to apply the smtp relay.

Now for the nat policy, should it be pointing to the Ext ISA NIC or Int ISA NIC for smtp?

< Message edited by x102020 -- 31.Oct.2006 8:33:11 AM >

(in reply to Guest)
Post #: 51
RE: DHCP External to ISA for Internal LAN - 31.Oct.2006 9:24:42 AM   
Guest
As I said you have to allow inbound connection on your sonicwall.
I don't know how you configure your sonicwall to do this 'cause I haven't worked with sonicwalls.
a simple way to do it probably will be to use the dmz interface on the sonicwall rather than its lan interface for the connection between it and the ISA external interface.
to begin with, allow all incoming connections on it to the ISA external interface?
don't install your mail server on ISA.
http://www.isaserver.org/tutorials/Publishing_A_Mail_Server_With_ISA_Server.html

(in reply to x102020)
  Post #: 52
RE: DHCP External to ISA for Internal LAN - 31.Oct.2006 9:25:14 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alrighty then! :)

I've got inbound email now, but no outbound. lol.

This is getting confoozing this part.

1. On the exchange server, when I forward, do I forward to the Internal or External NIC of ISA?

2. On the SMTP relay server (in IIS), do I bind to a) 'all unassigned', b) Internal ISA NIC, or c) External ISA NIC

3. On the mail publishing, do I need to setup 'server-to-server', or just 'client access'?

I know that mail coming in needs to come into the External ISA NIC, but what about outgoing email? Internal or External?


thanks,
10  

(in reply to x102020)
Post #: 53
RE: DHCP External to ISA for Internal LAN - 31.Oct.2006 10:13:49 AM   
Guest
the problem is what exactly are you trying to do?
read the following articles and maybe you will find your solution there:
http://www.isaserver.org/articles/2004inboundsmtprelay.html
http://www.isaserver.org/articles/isa2004smtprelayinoutp2.html
http://www.isaserver.org/articles/smtprelayinboundoutbound.html.
http://www.isaserver.org/articles/2004troubleshootsmtp.html
http://www.isaserver.org/articles/2004outboundsmtprelay.html
http://www.petri.co.il/configure_iis_to_be_a_smart_host_for_exchange.htm

(in reply to x102020)
  Post #: 54
RE: DHCP External to ISA for Internal LAN - 31.Oct.2006 10:47:40 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
hmmm, read through all that, didn't seem to be the answer, I checked my IIS again, that's all pointing fine.

What we have setup is an inbound & outbound smtp relay. The inbound is great, but every time I try to setup the outbound, it sends, but doesn't arrive where it should.

Pretty sure it's a nat policy.

The exchange server (192.168.2.11) needs to be allowed >> to >> internal or external ISA NIC? I'm seeing it being blocked in ISA monitor, looks like its internal?

I checked the nat policies in sonicwall for inbound/outbound emails, they are routing fine, so ISA is the problem.

just need to confirm though.

thx,
10

< Message edited by x102020 -- 31.Oct.2006 10:51:36 AM >

(in reply to Guest)
Post #: 55
RE: DHCP External to ISA for Internal LAN - 31.Oct.2006 11:41:41 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alright,

got it working nicely. That's a lot of rules!

had to setup inbound (which was done already), relay rules, and outbound rules. As well as create another network for the sonicwall (didn't like it being on a different subnet).

Now that that's going good, I'm gunna search the forums for the other answer, because I know I've seen it in here before. I think I'm going to write a tutorial on sonicwall for this because there is ZIP on there... :(


thanks for all your help!!!! x100


10

(in reply to x102020)
Post #: 56
RE: DHCP External to ISA for Internal LAN - 1.Nov.2006 1:10:07 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Hey there!

well strange things are happening with my outbound smtp relay. I followed the tutorial for a 2nd time (based on isa 2004). I changed the system policy to send to External as well, it sent out the emails that were on the server from a few hours back, but nothing new, and then it doesn't seem to send anything now. I see it sending ok in the event viewer (it relays fine and sends to the wan partially ok). I get an e21 error (I'll report the whole error code tomorrow). the smtp relay is bound to both ext. and int. IPs of ISA. I'm confused.

*edit: The error code I get is:
0x80074e21 fwx_e_abortive_shutdown

First I get the Error Success, then the Abortive Shutdown, and I don't get the outbound emails on the other end..

any ideas?


thx,
10

< Message edited by x102020 -- 1.Nov.2006 8:57:22 AM >

(in reply to x102020)
Post #: 57
RE: DHCP External to ISA for Internal LAN - 1.Nov.2006 8:56:46 AM   
Guest
ha, your troubles seem to never end. now it is working, now it is not.
now i have outbound connection but not inbound.
now both.
now I'm not sure.
easy come, easy go.
quote:

hmmm, read through all that, didn't seem to be the answer

well, looks clear to me:
you are setting a smtp relay on your ISA probably for inbound and outbound for your exchange server.
I'm pretty sure that these articles are very clear and explicit on how to do that.
quote:

1. On the exchange server, when I forward, do I forward to the Internal or External NIC of ISA?
2. On the SMTP relay server (in IIS), do I bind to a) 'all unassigned', b) Internal ISA NIC, or c) External ISA NIC
3. On the mail publishing, do I need to setup 'server-to-server', or just 'client access'?
I know that mail coming in needs to come into the External ISA NIC, but what about outgoing email? Internal or External?

all the answers are in those articles.
quote:

*edit, found the nat policy in sonicwall that is WAN > LAN for the exchange (but it's still being dropped?), so I guess I'll need to apply the smtp relay.

easy, my friend, easy.
one at a time.
You have already enabled smtp relay on ISA.
I don't know how this smtp relay works on sonicwall, but since you have enabled it on ISA then on your sonic you need to do port forwarding.
if you want a better smtp relay, one of those articles discusses this problem too.
quote:

As well as create another network for the sonicwall (didn't like it being on a different subnet).

ha, this looks like trouble to me.

< Message edited by adrian_dimcev -- 1.Nov.2006 8:58:20 AM >

(in reply to x102020)
  Post #: 58
RE: DHCP External to ISA for Internal LAN - 1.Nov.2006 9:02:23 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
Alright I'll read through those articles again then :) I don't mind reading.

I'm getting this error (smtp): 0x80074e21 fwx_e_abortive_shutdown
which doesn't turn up useful results in google.

(in reply to Guest)
Post #: 59
RE: DHCP External to ISA for Internal LAN - 1.Nov.2006 9:09:57 AM   
x102020

 

Posts: 53
Joined: 23.Oct.2006
Status: offline
hmmm, this is so weird, now it's working???

so in isa, does this sound right?

-setup a publishing rule from internal network to localhost (ext. nic of isa)
-add external to system policy of smtp


that's all i really changed and now i get the graceful shutdown and outbound emails

(in reply to x102020)
Post #: 60
