Welcome to ISAserver.org

Forum: ISA Server 2004 General >> Server Publishing

Internal network can hit web on DMZ but not other services

Internal network can hit web on DMZ but not other services - 18.Apr.2008 11:58:14 AM   
pingcrosby

 

Posts: 17
Joined: 8.Apr.2005
Status: offline
I can hit a web server sitting on my DMZ when I publish a web server rule, but using just a server rule I cannot hit MQSeries sitting on the same DMZ host.


a) I have a network set up in the configuration detailed in ...http://forums.isaserver.org/m.aspx?m=2002065647&mpage=1&key=
(sorry for not posting the network config in this thread)

Everything networking-wise seems to be working OK.
...........
1) From the internal network I can hit my DMZ web server via NAT, using a "publish web server" rule.

2) From the internal network I can hit my external web servers via the Web Proxy, using an "access rule".

3) From the internal network I am unable to hit an MQSeries service sitting on the DMZ, via NAT, using a "publish server" rule.

---------

4) I have created two "protocol definitions": MQ (inbound) on port 1414 and MQ (outbound) on port 1414.

The "publish web server" NAT rule requires an inbound port. Telnetting from the internal LAN to the DMZ via the ISA box's internal interface, I get a denied connection.

c:\InternalNetworkHostClient>telnet 168.185.7.120 1414


The monitor log shows...
Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Log Time Client IP Destination IP Destination Port Protocol URL Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network Server Name Log Record Type
168.185.11.125    -  TCP - -      -    18/04/2008 15:38:01 1658 0 0 0 0x0 0x0 18/04/2008 16:38:01 168.185.11.125 168.185.7.120 1414 MQ(Out) - Denied Connection [Enterprise] Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED   Internal Local Host W0KTV5KL Firewall
168.185.11.125    -  TCP - -      -    18/04/2008 15:38:03 1658 0 0 0 0x0 0x0 18/04/2008 16:38:03 168.185.11.125 168.185.7.120 1414 MQ(Out) - Denied Connection [Enterprise] Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED   Internal Local Host W0KTV5KL Firewall
168.185.11.125    -  TCP - -      -    18/04/2008 15:38:09 1658 0 0 0 0x0 0x0 18/04/2008 16:38:09 168.185.11.125 168.185.7.120 1414 MQ(Out) - Denied Connection [Enterprise] Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED   Internal Local Host W0KTV5KL Firewall




Can somebody give me any pointers?

*) Am I correct in assuming that an "access rule" is effectively a routed or NAT'd connection and a "publish rule" is NAT only?

Thanks

Steve

PS: Logged onto the ISA host I can successfully connect, and ISA uses the publish rule I created. So I do not think I am missing any additional protocol definitions.
c:\ISAHost\telnet 172.16.0.3 1414

The log for the localhost test looks like

In this log I can see that my "server publishing rule" is being invoked for the inbound 1414 MQ traffic. Note that the log shows MQ(Out) but the rule uses MQ(In) (ISA would not let me use an outbound port definition when I was creating the rule).

Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Log Time Client IP Destination IP Destination Port Protocol URL Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network Server Name Log Record Type
172.16.0.1    -  TCP - -      -    18/04/2008 15:52:07 1334 0 0 0 0x0 0x0 18/04/2008 16:52:07 172.16.0.1 172.16.0.3 1414 MQ(Out) - Initiated Connection Publish :: Allow access to MQSeries from internal 0x0    Local Host DMZ W0KTV5KL Firewall


Post #: 1
RE: Internal network can hit web on DMZ but not other s... - 18.Apr.2008 2:50:29 PM   
pingcrosby

 

Posts: 17
Joined: 8.Apr.2005
Status: offline
Some additional fwengmon details...

Creation Objects:
ID   Protocol   Source          Destination             One-Shot
--   --------   ------          -----------             --------
11   TCP(6)     0.0.0.0:0       172.16.0.1:53           No
10   UDP(17)    0.0.0.0:0       172.16.0.1:53           No
37   TCP(6)     0.0.0.0:0       172.16.0.3:1414         No
1    TCP(6)     0.0.0.0:0       168.185.7.120:1745      No
2    TCP(6)     0.0.0.0:0       168.185.7.120:8080      No
9    TCP(6)     0.0.0.0:0       192.168.210.254:53      No
8    UDP(17)    0.0.0.0:0       192.168.210.254:53      No
7 Creations.

Active Sessions:
                Source /                Destination /
ID   Protocol   Source Proxy            Dest. Proxy             2-way   Timeout
--   --------   ------------            -----------             -----   -------
12   UDP(17)    172.16.0.2:1026         172.16.0.1:53           Yes     Yes
                172.16.0.1:1054
38   UDP(17)    172.16.0.3:1034         172.16.0.1:53           Yes     Yes
                172.16.0.1:1054
13   UDP(17)    168.185.7.120:1071      168.185.7.120:53        Yes     Yes
                172.16.0.2:1026
67   TCP(6)     168.185.7.120:1128      168.185.11.125:139      Yes     Yes
39   UDP(17)    168.185.7.120:2344      168.185.7.120:53        Yes     Yes
                172.16.0.3:1034
7    TCP(6)     168.185.11.125:2408     168.185.7.120:3389      Yes     Yes
6 Connections.


Thanks

Some additional information from an alert I have just spotted:

 

Alert Information 
Description: ISA Server detected routes through the network adapter WAN that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 192.168.0.0-192.168.209.255,192.168.211.0-192.168.255.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
The routing table for network adapter LAN Internal (corp lan) includes IP address ranges that are not defined in the array network Internal to which it is bound. As a result, when packets go in/out via this network adapter and they are from/sent to the IP address ranges listed below they will be considered spoofed and will be dropped. To resolve this issue, add the missing IP address ranges to the array network. 
The following IP address ranges will be dropped as spoofed:
External:192.168.0.0-192.168.209.255,192.168.211.0-192.168.255.255;DMZ:172.16.1.0-172.16.255.254;
ISA Server detected routes through the network adapter DMZ that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 172.16.1.0-172.16.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.




< Message edited by pingcrosby -- 18.Apr.2008 3:09:56 PM >

(in reply to pingcrosby)
Post #: 2
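Two checks a practitioner would run over the evidence in this thread, as an added Python example (not from the original posts and not ISA Server's own tooling): parse the Firewall-log lines quoted above to pull out the action, rule, result code and the source/destination network ISA assigned to each connection, and compute which routed prefixes fall outside an ISA network definition, i.e. the addresses the second alert says will be dropped as spoofed. The log lines are copied from the thread; the network range and route list used for the spoof check are constructed assumptions, not the poster's configuration.

```python
"""Added example: parse ISA Server 2004 firewall-log lines and check an ISA
network's address ranges against the prefixes its adapter routes.  Not code
from the original post or from ISA Server.  Python 3 standard library only."""
import ipaddress
import re
from collections import Counter

# Log lines copied from the thread (ragged column spacing collapsed): three
# denied Internal -> Local Host attempts and the working test run from the
# ISA host itself (Local Host -> DMZ).
SAMPLE_LOG = """\
168.185.11.125 - TCP - - - 18/04/2008 15:38:01 1658 0 0 0 0x0 0x0 18/04/2008 16:38:01 168.185.11.125 168.185.7.120 1414 MQ(Out) - Denied Connection [Enterprise] Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED Internal Local Host W0KTV5KL Firewall
168.185.11.125 - TCP - - - 18/04/2008 15:38:03 1658 0 0 0 0x0 0x0 18/04/2008 16:38:03 168.185.11.125 168.185.7.120 1414 MQ(Out) - Denied Connection [Enterprise] Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED Internal Local Host W0KTV5KL Firewall
168.185.11.125 - TCP - - - 18/04/2008 15:38:09 1658 0 0 0 0x0 0x0 18/04/2008 16:38:09 168.185.11.125 168.185.7.120 1414 MQ(Out) - Denied Connection [Enterprise] Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED Internal Local Host W0KTV5KL Firewall
172.16.0.1 - TCP - - - 18/04/2008 15:52:07 1334 0 0 0 0x0 0x0 18/04/2008 16:52:07 172.16.0.1 172.16.0.3 1414 MQ(Out) - Initiated Connection Publish :: Allow access to MQSeries from internal 0x0 Local Host DMZ W0KTV5KL Firewall
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Match from "Client IP" through "Log Record Type".  Rule names contain
# spaces, so the rule is matched lazily up to the hex result code; the FWX_*
# error field only appears on failures; "Local Host" is the one built-in
# network name containing a space.
LINE_RE = re.compile(
    r"(?P<client_ip>" + IPV4 + r") (?P<dest_ip>" + IPV4 + r") (?P<dest_port>\d+) "
    r"(?P<protocol>\S+) (?P<url>\S+) "
    r"(?P<action>Denied Connection|Initiated Connection|Closed Connection|"
    r"Allowed Connection|Failed Connection Attempt) "
    r"(?P<rule>.+?) (?P<result>0x[0-9A-Fa-f]+)"
    r"(?: (?P<error>FWX_\w+))? "
    r"(?P<src_net>Local Host|\S+) (?P<dst_net>Local Host|\S+) "
    r"(?P<server>\S+) (?P<record_type>\S+)$"
)


def parse_log(text):
    """Return one dict per Firewall-log line that matches LINE_RE."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(" ".join(line.split()))  # collapse ragged spacing
        if m:
            records.append(m.groupdict())
    return records


def denied_summary(records):
    """Count denials per (rule, source network, destination network, error).
    The networks ISA assigned decide which rules were eligible to match."""
    counts = Counter()
    for r in records:
        if r["action"] == "Denied Connection":
            counts[(r["rule"], r["src_net"], r["dst_net"], r["error"])] += 1
    return counts


def _subtract(intervals, lo, hi):
    """Remove the integer interval [lo, hi] from a list of disjoint intervals."""
    out = []
    for a, b in intervals:
        if hi < a or lo > b:          # no overlap
            out.append((a, b))
            continue
        if a < lo:
            out.append((a, lo - 1))   # left remainder
        if b > hi:
            out.append((hi + 1, b))   # right remainder
    return out


def spoof_candidates(network_ranges, routed_prefixes):
    """Addresses the adapter's routing table reaches but the ISA network
    definition omits.  ISA treats traffic to/from them as spoofed.
    network_ranges use ISA's 'a.b.c.d-w.x.y.z' notation; the result does too."""
    defined = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
               for lo, hi in (r.split("-") for r in network_ranges)]
    gaps = []
    for prefix in routed_prefixes:
        net = ipaddress.IPv4Network(prefix)
        remaining = [(int(net[0]), int(net[-1]))]
        for lo, hi in defined:
            remaining = _subtract(remaining, lo, hi)
        gaps += [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}"
                 for a, b in remaining]
    return gaps


# Constructed assumption (not the poster's configuration): the ISA "Internal"
# network defined as one range while the internal adapter also routes a
# second subnet.
ASSUMED_INTERNAL_RANGES = ["168.185.11.0-168.185.11.255"]
ASSUMED_INTERNAL_ROUTES = ["168.185.11.0/24", "168.185.12.0/24"]

if __name__ == "__main__":
    for key, n in denied_summary(parse_log(SAMPLE_LOG)).items():
        rule, src, dst, err = key
        print(f"{n} x denied by '{rule}' ({src} -> {dst}, {err})")
    print("would be dropped as spoofed:",
          spoof_candidates(ASSUMED_INTERNAL_RANGES, ASSUMED_INTERNAL_ROUTES))
```

Run against the thread's lines, the summary separates the three attempts ISA classified as Internal -> Local Host and denied with the Default rule from the single Local Host -> DMZ test that the publishing rule allowed, which is the comparison the poster is making by hand. The spoof check mirrors the "will be considered spoofed and will be dropped" half of the alert: feed it the array network's ranges and the adapter's routes (from `route print`) and any non-empty result is a range to add to the network definition.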