Publishing new server in separate subnet

NBSysAdmin -> Publishing new server in separate subnet (27.Sep.2007 10:48:49 AM)

Good morning. We have a single ISA 2000 server running on Server 2003 Standard SP2.

Until very recently (today), we used the standard FTP server publishing rule to publish a single FTP server, referenced via URL and IP access from the outside world, that inhabited the same subnet as our ISA server (192.168.1.x, class C standard).

We recently decided to move our FTP software to a new server on a separate subnet, connected via a Cisco VLAN. This is not a new topology to us and everything flows fine back and forth over it. The second subnet is 192.168.10.x, class C standard.

After changing the pointer on the FTP server publishing rule from the 192.168.1 address to the 192.168.10 address and stopping/starting the MS Firewall service, we are unable to access the FTP server via the ISA server / Internet. The server operates just fine when accessed via the internal LAN (both subnets).

Is there anything we've missed? I've even re-added the new IP after using the Find button and entering the internal host name for the server - this returns the correct internal IP of the new server. The new server can be resolved correctly via our internal Active Directory-hosted DNS zones (obviously not used for IP-based routing, but felt it might be pertinent to state) and it can be pinged successfully from the ISA server. A tracert shows that the packets are taking the correct path between the two servers. As far as we can tell, everything should work.

If anyone has any suggestions, I'd appreciate them. Thank you!

NBSysAdmin -> RE: Publishing new server in separate subnet (11.Oct.2007 9:59:14 AM)

We're now at a point where the FTP server publishing rule will not allow connections to our internal FTP server. I've traced the data flow (firewall to ISA external interface IP, ISA server pub rule from same external IP to internal FTP server IP - same subnet as previous server), nothing seems to get through. We're getting "Connection terminated" in IE 6.

Suggestions are greatly appreciated!

AHIT -> RE: Publishing new server in separate subnet (23.Oct.2007 2:43:30 AM)

Sorry for the late reply on this thread.
Long time no visit!

So you can ping the 'new' FTP server from the ISA server itself?
This at least confirms the OS itself has network connectivity to the other server.
Of interest, is the IP range (192.168.10.x) in the ISA Local Address Table (LAT)?
This could be confusing ISA into thinking it's not an internal server?

NBSysAdmin -> RE: Publishing new server in separate subnet (23.Oct.2007 7:54:45 AM)

Good morning and thank you for getting back to me!

Yes, the second subnet is in the LAT. Pinging the second subnet-hosted server from the ISA server is not an issue. Accessing file shares on the second subnet from the ISA server is not an issue.

I'm using the standard FTP Server publishing rule in ISA 2000, which I believe allows for either PORT or PASV connections, correct? If not, which type of connection does it allow? It's been a while (over 3 years) since we had to worry about it (before our documentation was really up-to-date), and I'm fairly certain we were using PASV connections to the FTP server.

Your input is greatly appreciated. Thanks!
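
On the PORT/PASV question above: in either mode the data connection goes to an address and port carried inside the control channel, so lines captured from the control session show which endpoint each side is being told to use. The following is an added example, not part of any post in this thread; the host addresses and sample lines are constructed, and only the two /24 ranges come from the thread.

```python
import ipaddress
import re

# The two internal ranges named in the thread (the LAT entries).
LAT = [ipaddress.ip_network("192.168.1.0/24"),
       ipaddress.ip_network("192.168.10.0/24")]

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PATTERNS = (("PASV", re.compile(r"^227 .*?" + SIX)),
            ("PORT", re.compile(r"^PORT\s+" + SIX + r"\s*$", re.I)))

def parse_data_endpoint(line):
    """Return (mode, ip, port) for a 227 reply or PORT command, else None."""
    line = line.strip()
    for mode, rx in PATTERNS:
        m = rx.match(line)
        if not m:
            continue
        nums = [int(n) for n in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range in: " + line)
        ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
        return mode, ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2
    return None

def diagnose(line, lat=LAT):
    """Describe who must reach the data endpoint named on a control line."""
    ep = parse_data_endpoint(line)
    if ep is None:
        return None
    mode, ip, port = ep
    in_lat = any(ip in net for net in lat)
    if mode == "PASV" and in_lat:
        note = "internal address advertised; unreachable from the Internet unless rewritten"
    elif mode == "PASV":
        note = "client connects inbound to this address and port"
    else:
        note = "server connects outbound to this address and port"
    return {"mode": mode, "ip": str(ip), "port": port, "in_lat": in_lat, "note": note}

# Constructed control-channel lines (not taken from the thread).
SAMPLE = ["220 FTP service ready",
          "227 Entering Passive Mode (192,168,10,25,195,80)",
          "227 Entering Passive Mode (203,0,113,10,19,137)",
          "PORT 198,51,100,7,4,1"]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, "->", diagnose(s))
```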
