This is a great forum with very useful information. I have a problem that I cannot find a solution to on the forum. Please read on.
We have 2 ISA 2006 ENT. in cluster mode doing reverse proxy for our website. We have 2 NICs on each ISA plus a third one for the NLB.
NIC 1 is connected to Internal (where the web server is), with a private IP and no gateway. NIC 2 is connected to External with a public IP (81.4.X.44); its default gateway is the Ethernet interface of our Checkpoint firewall (81.4.X.39).
Now on the same subnet as the ISA Ext. NIC we have 2 more servers configured with IP that belong to the same subnet.
All works very well. The problem is that sometimes the servers on the same subnet as the ISA Ext. NIC lose communication with ISA and cannot reach our website.
The other problem: if a user from the internal LAN (192.168.X.X) tries to reach the website but is using NAT from the Checkpoint with a static IP from the same subnet as the ISA Ext. NIC, the user will fail to get an answer back. The request reaches ISA but the answer does not return.
Thank you for your reply. I will try to explain our setup and the problem the best I can.
Below is our Network Diagram:
Internet
   |
   |
(81.4.X.X) DMZ ----- Checkpoint Firewall ----- Local LAN (192.168.X.X)
   |
   | (81.4.X.X)
   |
ISA 2006 ENT (NLB)
   | (192.168.X.X, no gateway)
   |
WEB SERVER (192.168.X.X)
Basically the ISA 2006 ENT (NLB) is used as a reverse proxy for our web server. The ISA card on the DMZ (outside) is configured with an 81.4.X.X IP, with the Ethernet interface of the Checkpoint (81.4.X.X) as gateway. The NIC card connected to the Internal has an IP of 192.168.X.X with NO gateway. Now the setup works very well for both the users coming from the Internet and the local LAN users.
1. On the DMZ LAN (same subnet as ISA) we have two more servers. Both are mail (SMTP) servers that we do not want to move behind the ISA servers. When we try to access our website from those servers it works sometimes and sometimes not. It seems that ISA sometimes will allow the traffic coming from the 81.4.X.X LAN and sometimes NOT (random).
2. If I try to access our website from the internal LAN but I am using NATting from the Checkpoint with an IP from the same subnet as ISA (81.4.X.X), then I do not get a request back. The request reaches ISA but it seems that it is not treated as an external request. The request is accepted by ISA but it will not follow the web proxy rule and our website will not be displayed.
I hope that I was clear. Let me know if you need any other information.
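The following is an added illustration, not part of the original posts: a small Python model of the forwarding decision ISA makes when it answers each kind of client in the topology above (longest-prefix match against the two connected subnets and the default route). The posts elide the real third octet as 81.4.X.X, so the addresses here are constructed stand-ins: 203.0.113.0/24 plays the DMZ, 203.0.113.39 the Checkpoint gateway, 203.0.113.44 ISA's external NIC, 203.0.113.50/.51 the two SMTP servers, 203.0.113.60 the Checkpoint's static NAT address for internal users, and 192.168.10.0/24 the internal LAN. The set of addresses that something on the wire actually answers ARP for is also constructed.

```python
import ipaddress

# Constructed stand-in addressing (the thread writes the real subnets as 81.4.X.X / 192.168.X.X).
DMZ = ipaddress.ip_network("203.0.113.0/24")
LAN = ipaddress.ip_network("192.168.10.0/24")
CHECKPOINT = ipaddress.ip_address("203.0.113.39")   # ISA's default gateway on the DMZ
NAT_ADDRESS = ipaddress.ip_address("203.0.113.60")  # static NAT the Checkpoint uses for LAN users

# ISA's forwarding table as the posts describe it: external NIC on the DMZ with the
# Checkpoint as default gateway, internal NIC on the LAN with no gateway at all.
# Entry format: (prefix, interface, next_hop); next_hop None means on-link delivery,
# i.e. ISA ARPs for the destination itself instead of handing the packet to a router.
ISA_ROUTES = [
    (DMZ, "ext", None),
    (LAN, "int", None),
    (ipaddress.ip_network("0.0.0.0/0"), "ext", CHECKPOINT),
]

# Hosts that answer ARP on the two segments in this constructed scenario. The NAT
# address is deliberately absent: a static NAT address only gets answered if the
# firewall doing the NAT is configured to answer ARP (proxy ARP) for it.
ARP_RESPONDERS = {
    CHECKPOINT,
    ipaddress.ip_address("203.0.113.50"),  # SMTP server 1
    ipaddress.ip_address("203.0.113.51"),  # SMTP server 2
    ipaddress.ip_address("192.168.10.20"), # web server
}


def lookup(routes, dst):
    """Longest-prefix match. Returns (interface, next_hop); next_hop None = on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, next_hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def reply_path(request_src):
    """Where ISA sends its reply to a request that arrived from request_src."""
    iface, next_hop = lookup(ISA_ROUTES, request_src)
    if next_hop is None:
        return iface, f"{request_src} (on-link, ARP for the client directly)"
    return iface, f"via gateway {next_hop}"


def reply_delivered(request_src, arp_responders):
    """True if some host on the segment will answer ISA's ARP for the next hop.

    Off-link replies only need the gateway to answer ARP; on-link replies need the
    destination address itself to be answered, by the host or by a proxy-ARP device.
    """
    iface, next_hop = lookup(ISA_ROUTES, request_src)
    needed = next_hop if next_hop is not None else ipaddress.ip_address(request_src)
    return needed in arp_responders


if __name__ == "__main__":
    cases = {
        "Internet user": "198.51.100.7",
        "SMTP server on the DMZ": "203.0.113.50",
        "LAN user NATted by the Checkpoint": str(NAT_ADDRESS),
        "web server on the internal NIC": "192.168.10.20",
    }
    for label, src in cases.items():
        iface, target = reply_path(src)
        ok = reply_delivered(src, ARP_RESPONDERS)
        print(f"{label:36} -> {iface} {target}; delivered={ok}")
    # Same NATted user once the Checkpoint answers ARP for the NAT address:
    print("NAT address with proxy ARP           ->",
          reply_delivered(str(NAT_ADDRESS), ARP_RESPONDERS | {NAT_ADDRESS}))
```

The model only says where ISA will try to put each reply, which is the first thing to pin down for case 2 of the post: a reply to a client that appears to come from ISA's own external subnet never goes to the Checkpoint as a router, it goes straight onto the DMZ segment for that address, so the thing to verify on the real network is whether anything on that segment answers ARP for the NAT address (and, for case 1, whether the SMTP servers' ARP entries for the NLB address stay stable). Whether that is the actual cause in this setup is not something the thread establishes.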
You'll have too many paths to the same resource and I'm sure name resolution is causing the problem.
Choose either the ISA Firewall or the CP as the outbound gateway, then create your DNS infrastructure to support the solution. I would choose the ISA Firewall, of course, because it's more secure from the HTTP perspective, but just make a choice and go with that.