Welcome to ISAserver.org
Publish Internal server to DMZ
Publish Internal server to DMZ - 26.Sep.2006 12:35:48 AM   
mcdg (Posts: 1, Joined: 20.Sep.2001, From: New Zealand)
Hi,
I am having problems forwarding ports from my DMZ to the internal network.

Network Diagram

                      DMZ Subnet 10.100.1.x
                      DMZ Interface (10.100.1.1)
                               |
                               |
                        +-----------+                    +--------------+
Internet ---------------| ISA 2004  |----10.100.2.x------| Cisco Router |---- 192.168.100.x
                        +-----------+                    +--------------+

ISA is configured as a 3-leg DMZ as per TS's book. That is, I have changed the Perimeter Access Network Rule to NAT and the Perimeter Configuration Network Rule to Route. I have a server in the DMZ that accesses servers on the Internal Network. Due to limitations of the existing firewall (Gnatbox), the apps on the DMZ server have been configured to send their requests to the interface on the firewall rather than the IP address of the destination server. For example, a SQL request will be directed to 10.100.1.1 on port 1433. There are other ports used as well.

I have configured Server Publishing Rules to implement this. The problem I have is that the rules I configure are being ignored by ISA.

As an example one port that is used is port 1526 (Acumen Application). I have configured Custom Protocols for this port for both Outbound (Acumen 1526) and Inbound (Acumen Server 1526), and a Server Publishing Rule to forward Acumen Server 1526 to an internal server on the 192.168.100.0 network.

When I telnet to 10.100.1.1 on port 1526 the request is denied by the last default rule. Specifically "Acumen 1526" (the outbound protocol, not the inbound one) is denied access from perimeter to localhost.

I have changed the "Request appears to come from..." setting. I have also tried changing the Perimeter Configuration Network Rule to NAT. Nothing works.

An Access Rule works. Obviously, getting the developers to change the way their app works would be preferable, but I am not sure if this is possible at this stage.

Any help would be appreciated.

Cheers
Murray
Post #: 1
RE: Publish Internal server to DMZ - 27.Sep.2006 7:59:02 PM
mrupright (Posts: 68, Joined: 18.Oct.2004)
Hi Murray,

You don't need to publish the servers to the DMZ. The real problem I see is how development set up the application... is it possible for them to change it so that you can point it to the 192.168.100 network? What you want to do isn't difficult and I understand your frustration. All you need is a route network rule from ISA's internal network to ISA's DMZ network. Looks like you have already done this part. Now create a firewall rule that will allow your DMZ server access to the server on your internal network.

Happy to help

Mark
Post #: 2
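The two posts above turn on one point: ISA decides which network a packet belongs to before it looks at any access rule, and the firewall's own interface addresses are classified as "Local Host", not as the network behind them. The following Python model is an added example written for this thread; it is not ISA code and does not reproduce ISA's real engine. It assumes a constructed topology taken from the diagram (Internal = 10.100.2.0/24 and 192.168.100.0/24, Perimeter = 10.100.1.0/24, with 10.100.2.1 assumed as ISA's internal interface), a "Local Host Access" route rule as ISA creates by default, and a single allow rule from Perimeter to Internal on TCP 1526. It shows why a request aimed at 10.100.1.1 falls through to the default deny (the original poster's log entry), why the same request aimed at the real 192.168.100.x address is allowed by the access rule Mark describes, and why changing the Internal-to-Perimeter relationship to NAT removes connectivity for that direction entirely.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology following the thread's diagram (not taken from a real ISA config).
NETWORKS = {
    "Internal": [ip_network("10.100.2.0/24"), ip_network("192.168.100.0/24")],
    "Perimeter": [ip_network("10.100.1.0/24")],
}
# The firewall's own interface addresses. 10.100.1.1 is from the diagram;
# 10.100.2.1 is an assumed address for ISA's internal-facing interface.
LOCAL_HOST = {ip_address("10.100.1.1"), ip_address("10.100.2.1")}


def classify(addr: str) -> str:
    """Map an address to the ISA network it belongs to. Firewall interfaces win first."""
    a = ip_address(addr)
    if a in LOCAL_HOST:
        return "Local Host"
    for name, nets in NETWORKS.items():
        if any(a in net for net in nets):
            return name
    return "External"


@dataclass(frozen=True)
class NetworkRule:
    name: str
    src: str
    dst: str
    relationship: str  # "Route" (usable in both directions) or "NAT" (src -> dst only)

    def connects(self, src_net: str, dst_net: str) -> bool:
        forward = self.src in (src_net, "Any") and self.dst in (dst_net, "Any")
        if self.relationship == "Route":
            reverse = self.src in (dst_net, "Any") and self.dst in (src_net, "Any")
            return forward or reverse
        return forward


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str  # "allow" or "deny"
    src: str
    dst: str
    port: int


def policy_decision(src: str, dst: str, dport: int, network_rules, access_rules):
    """Return (action, reason) for a new TCP connection, in the order the model evaluates it:
    1. classify both ends, 2. require a network rule joining the two networks,
    3. walk the access rules top-down, 4. fall through to the default deny rule."""
    src_net, dst_net = classify(src), classify(dst)
    if not any(r.connects(src_net, dst_net) for r in network_rules):
        return ("deny", f"no network rule between {src_net} and {dst_net}")
    for rule in access_rules:
        if rule.src == src_net and rule.dst == dst_net and rule.port == dport:
            return (rule.action, rule.name)
    return ("deny", "Default rule")


# Constructed policy: the default Local Host rule plus the template's Internal<->Perimeter route rule.
NETWORK_RULES = [
    NetworkRule("Local Host Access", "Local Host", "Any", "Route"),
    NetworkRule("Perimeter Configuration", "Internal", "Perimeter", "Route"),
]
# The access rule the reply recommends: DMZ server may reach the internal app server on 1526.
ACCESS_RULES = [
    AccessRule("Allow Acumen DMZ to Internal", "allow", "Perimeter", "Internal", 1526),
]


def demo():
    """Three constructed scenarios: the poster's symptom, the recommended fix, and the NAT variant."""
    nat_variant = [NETWORK_RULES[0], NetworkRule("Perimeter Configuration", "Internal", "Perimeter", "NAT")]
    return {
        # App points at the ISA DMZ interface: destination is Local Host, the Perimeter->Internal rule never matches.
        "to_firewall_interface": policy_decision("10.100.1.50", "10.100.1.1", 1526, NETWORK_RULES, ACCESS_RULES),
        # App points at the real server address: allowed by the access rule.
        "to_internal_server": policy_decision("10.100.1.50", "192.168.100.20", 1526, NETWORK_RULES, ACCESS_RULES),
        # Internal->Perimeter changed to NAT: Perimeter can no longer initiate to Internal addresses at all.
        "nat_relationship": policy_decision("10.100.1.50", "192.168.100.20", 1526, nat_variant, ACCESS_RULES),
    }


if __name__ == "__main__":
    for scenario, (action, reason) in demo().items():
        print(f"{scenario}: {action} ({reason})")
```

The model keeps the distinction the thread hinges on: an access rule from Perimeter to Internal can only match traffic whose destination classifies as Internal, so pointing the application at the firewall's own 10.100.1.1 can never be satisfied by that rule, and the fall-through to the default rule is exactly the log line the original poster saw.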