Web publishing to internal server -- connection always fails






SteveV -> Web publishing to internal server -- connection always fails (12.Nov.2008 10:09:00 AM)

I have ISA 2006 set up in a 3-leg perimeter config.  I'm trying to use ISA to restrict access to IP cameras installed on a separate LAN segment--full details on what I'm trying to do are available in this post: http://forums.isaserver.org/Restricting_multiple_VLAN_access_by_AD_Group%3f/m_2002075825/tm.htm
 
I'm trying to use web publishing to control access to the cameras.  All of the cameras (Panasonic IP Cameras) have built-in web servers.  I have created an "All Open" access rule to confirm that I can access all of the cameras using IP address and host name.
 
Next, I disabled the All Open rule and created a web publishing rule to allow access to one camera. The connection to the camera is being initiated from our internal network (10.13.1.0).  All of the cameras are on our perimeter network (10.39.1.0).
 
With the web publishing rule enabled the connection always fails.  If I test my settings using the traffic simulator, the traffic is denied with the following error:

Denied Traffic - destination URL host name could not be resolved 
Rule Name: [Enterprise] Default rule


Looking at the logs, ISA appears to ignore the web publishing rule which is configured as follows:
 
Name: Publish CAM130 Web Server
Action: Allow
From: Anywhere
To: CAM130
Listener: IP Camera Listener
Public Name: All requests
Paths: Same as internal
Authentication Delegation: No delegation but the client may authenticate directly
Users: All Users
Schedule: Always
Link Translation: none


Listener:
Name: IP Camera Listener
Networks: All Networks
Connections: Enable HTTP connections on port 80
Authentication: None

 
Is the problem that the connection to the web server is originating from the internal network and thus being ignored?  I've been working on this for days now.  I have read a large number of forum posts, tried an endless number of configurations but have made zero headway--I would be grateful for any insight.
 
Thanks -- Steve




Jason Jones -> RE: Web publishing to internal server -- connection always fails (12.Nov.2008 6:19:28 PM)

Hi Steve,

In the 'To:' tab, have you defined the camera IP address (second input field) in addition to the "CAM130" internal server name?

I would also configure the listener to reference "Internal" if that is where your client connection is initiating from, as opposed to All Networks...

Cheers

JJ




SteveV -> RE: Web publishing to internal server -- connection always fails (13.Nov.2008 9:00:27 AM)

Hi Jason,

I tried what you suggested but alas, no joy.

Here's what the diag log looks like:

1 11/13/2008 8:49:42 fff4f353 Firewall service The Firewall service is performing rule evaluation.
2 11/13/2008 8:49:42 fff4f353 Firewall service Protocol: HTTP
3 11/13/2008 8:49:42 fff4f353 Firewall Engine Packet properties: Source IP address: 10.13.1.222 Source array network: Internal Destination IP address: 10.39.1.140 Destination array network: Perimeter
4 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server will check only rules that are associated with the protocol HTTP.
5 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
6 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
7 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites.
8 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
9 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
10 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
11 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule Local Host to Internal.
12 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
13 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
14 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
15 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule blocked the packet.
16 11/13/2008 8:49:42 fff4f353 Firewall service The Firewall service is performing rule evaluation.
17 11/13/2008 8:49:42 fff4f353 Firewall Engine Packet properties: Source IP address: 10.13.1.222 Source array network: Internal Destination IP address: 10.39.1.140 Destination array network: Perimeter
18 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is looking for an applicable network rule.
19 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Local Host Access.
20 11/13/2008 8:49:42 fff4f353 Firewall service The source IP address in the packet does not match the source specified in the network rule.
21 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is checking the reverse direction of the network rule Local Host Access.
22 11/13/2008 8:49:42 fff4f353 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
23 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule VPN Clients to Internal Network.
24 11/13/2008 8:49:42 fff4f353 Firewall service The source IP address in the packet does not match the source specified in the network rule.
25 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is checking the reverse direction of the network rule VPN Clients to Internal Network.
26 11/13/2008 8:49:42 fff4f353 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
27 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Perimeter Configuration.
28 11/13/2008 8:49:42 fff4f353 Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.
29 11/13/2008 8:49:42 fff4f353 Firewall service The network rule Perimeter Configuration matches the source and destination. A NAT relationship is specified.

[EDIT]
One thing that looks odd to me regarding the log entries starts at entry #11 ("ISA Server is evaluating the rule Local Host to Internal").  This rule is above my "Publish CAM130 Web Server" rule in the firewall policy rules list, yet ISA doesn't seem to try to evaluate the "Publish CAM130 Web Server" rule.  At least not in a way that's apparent from the log.  I have confirmed that the rule is enabled.  Moving it above the "Local Host to Internal" rule has no effect and it still doesn't appear in the log.
[/EDIT]

Any other thoughts?

Thanks! -- Steve
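
An added example, not part of the original posts: a small Python parser for a diagnostic trace in the format pasted above. It lists which firewall policy rules were evaluated, which rule blocked the packet and which network rule matched, so an enabled rule that never shows up in the evaluation (as described for "Publish CAM130 Web Server") can be confirmed mechanically. The function name `summarize` and the regular expressions are assumptions derived only from the log lines shown in this thread.

```python
import re

# Excerpt (entries 11-13, 15, 27, 29) of the diagnostic log posted above.
SAMPLE_LOG = """\
11 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule Local Host to Internal.
12 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
13 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
15 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule blocked the packet.
27 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Perimeter Configuration.
29 11/13/2008 8:49:42 fff4f353 Firewall service The network rule Perimeter Configuration matches the source and destination. A NAT relationship is specified.
"""

# Fields: entry number, date, time, context id, component, message.
LINE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+\S+\s+Firewall (?:service|Engine)\s+(.*)$")
POLICY = re.compile(r"^ISA Server is evaluating the rule (.+)\.$")
BLOCKED = re.compile(r"^The rule (.+) blocked the packet\.$")
NETWORK = re.compile(r"^The network rule (.+) matches the source and destination\. "
                     r"An? (\S+) relationship is specified\.$")


def summarize(log_text, expected_rule):
    """Summarize one rule-evaluation trace (hypothetical helper, not an ISA tool)."""
    result = {"policy_rules": [], "blocked_by": None,
              "network_rule": None, "expected_evaluated": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognized lines
        entry, msg = int(m.group(1)), m.group(2).strip()
        if (p := POLICY.match(msg)):
            # Firewall policy rule considered for this packet, in log order.
            result["policy_rules"].append((entry, p.group(1)))
            if p.group(1).lower() == expected_rule.lower():
                result["expected_evaluated"] = True
        elif (b := BLOCKED.match(msg)):
            result["blocked_by"] = b.group(1)
        elif (n := NETWORK.match(msg)):
            # Network rule that matched, with its relationship (e.g. NAT).
            result["network_rule"] = (n.group(1), n.group(2))
    return result


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "Publish CAM130 Web Server").items():
        print(f"{key}: {value}")
```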




SteveV -> RE: Web publishing to internal server -- connection always fails (14.Nov.2008 3:58:41 PM)

Guys, I'm dying here.  At the risk of being a pain in the ass, can anyone point me in the right direction or share some clues as to what might be the problem?

Thanks! -- Steve



