Web publishing to internal server -- connection always fails

Web publishing to internal server -- connection always ... - 12.Nov.2008 10:09:00 AM   
SteveV

 

I have ISA 2006 set up in a 3-leg perimeter config.  I'm trying to use ISA to restrict access to IP cameras installed on a separate LAN segment--full details on what I'm trying to do are available in this post: http://forums.isaserver.org/Restricting_multiple_VLAN_access_by_AD_Group%3f/m_2002075825/tm.htm
 
I'm trying to use web publishing to control access to the cameras.  All of the cameras (Panasonic IP Cameras) have built-in web servers.  I have created an "All Open" access rule to confirm that I can access all of the cameras using IP address and host name.
 
Next, I disabled the All Open rule and created a web publishing rule to allow access to one camera. The connection to the camera is being initiated from our internal network (10.13.1.0).  All of the cameras are on our perimeter network (10.39.1.0).
 
With the web publishing rule enabled the connection always fails.  If I test my settings using the traffic simulator, the traffic is denied with the following error:

Denied Traffic - destination URL host name could not be resolved 
Rule Name: [Enterprise] Default rule


Looking at the logs, ISA appears to ignore the web publishing rule which is configured as follows:
 
Name: Publish CAM130 Web Server
Action: Allow
From: Anywhere
To: CAM130
Listener: IP Camera Listener
Public Name: All requests
Paths: Same as internal
Authentication Delegation: No delegation but the client may authenticate directly
Users: All Users
Schedule: Always
Link Translation: none


Listener:
Name: IP Camera Listener
Networks: All Networks
Connections: Enable HTTP connections on port 80
Authentication: None

 
Is the problem that the connection to the web server is originating from the internal network and thus being ignored?  I've been working on this for days now.  I have read a large number of forum posts, tried an endless number of configurations but have made zero headway--I would be grateful for any insight.
 
Thanks -- Steve


< Message edited by SteveV -- 12.Nov.2008 10:11:14 AM >
Post #: 1
RE: Web publishing to internal server -- connection alw... - 12.Nov.2008 6:19:28 PM   
Jason Jones

 

Hi Steve,

In the 'To:' tab, have you defined the camera IP address (second input field) in addition to the "CAM130" internal server name?

I would also configure the listener to reference "Internal" if that is where your client connection is initiating from, as opposed to All Networks...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to SteveV)
Post #: 2
RE: Web publishing to internal server -- connection alw... - 13.Nov.2008 9:00:27 AM   
SteveV

 

Hi Jason,

I tried what you suggested but alas, no joy.

Here's what the diag log looks like:

1 11/13/2008 8:49:42 fff4f353 Firewall service The Firewall service is performing rule evaluation.
2 11/13/2008 8:49:42 fff4f353 Firewall service Protocol: HTTP
3 11/13/2008 8:49:42 fff4f353 Firewall Engine Packet properties: Source IP address: 10.13.1.222 Source array network: Internal Destination IP address: 10.39.1.140 Destination array network: Perimeter
4 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server will check only rules that are associated with the protocol HTTP.
5 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
6 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
7 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites.
8 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
9 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
10 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
11 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule Local Host to Internal.
12 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
13 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
14 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
15 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule blocked the packet.
16 11/13/2008 8:49:42 fff4f353 Firewall service The Firewall service is performing rule evaluation.
17 11/13/2008 8:49:42 fff4f353 Firewall Engine Packet properties: Source IP address: 10.13.1.222 Source array network: Internal Destination IP address: 10.39.1.140 Destination array network: Perimeter
18 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is looking for an applicable network rule.
19 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Local Host Access.
20 11/13/2008 8:49:42 fff4f353 Firewall service The source IP address in the packet does not match the source specified in the network rule.
21 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is checking the reverse direction of the network rule Local Host Access.
22 11/13/2008 8:49:42 fff4f353 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
23 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule VPN Clients to Internal Network.
24 11/13/2008 8:49:42 fff4f353 Firewall service The source IP address in the packet does not match the source specified in the network rule.
25 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is checking the reverse direction of the network rule VPN Clients to Internal Network.
26 11/13/2008 8:49:42 fff4f353 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
27 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Perimeter Configuration.
28 11/13/2008 8:49:42 fff4f353 Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.
29 11/13/2008 8:49:42 fff4f353 Firewall service The network rule Perimeter Configuration matches the source and destination. A NAT relationship is specified.

[EDIT]
One thing that looks odd to me regarding the log entries starts at entry #11 ("ISA Server is evaluating the rule Local Host to Internal").  This rule is above my "Publish CAM130 Web Server" rule in the firewall policy rules list, yet ISA doesn't seem to try to evaluate the "Publish CAM130 Web Server" rule.  At least not in a way that's apparent from the log.  I have confirmed that the rule is enabled.  Moving it above the "Local Host to Internal" rule has no effect and it still doesn't appear in the log.
[/EDIT]

Any other thoughts?

Thanks! -- Steve

< Message edited by SteveV -- 13.Nov.2008 9:19:18 AM >

(in reply to Jason Jones)
Post #: 3
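
Added example (not part of the original thread and not ISA Server tooling): a small Python parser for the diagnostic trace posted above. It lists the policy rules the Firewall service reports evaluating, the rule that blocked the packet, and whether a named rule appears among them. The function name summarize and the regular expressions are assumptions derived only from the log lines shown in the post.

```python
import re

# Excerpt of the diagnostic log from the post above (entries 3, 5, 11, 13, 15, 29).
SAMPLE_LOG = """\
3 11/13/2008 8:49:42 fff4f353 Firewall Engine Packet properties: Source IP address: 10.13.1.222 Source array network: Internal Destination IP address: 10.39.1.140 Destination array network: Perimeter
5 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
11 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule Local Host to Internal.
13 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
15 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule blocked the packet.
29 11/13/2008 8:49:42 fff4f353 Firewall service The network rule Perimeter Configuration matches the source and destination. A NAT relationship is specified.
"""

# Line layout assumed from the post: entry number, date, time, context id, component, message.
ENTRY = re.compile(r"^(\d+) \S+ \S+ [0-9a-f]+ Firewall (?:service|Engine) (.*)$")
PACKET = re.compile(r"Source IP address: (\S+) Source array network: (.+?) "
                    r"Destination IP address: (\S+) Destination array network: (.+)$")
EVALUATED = re.compile(r"ISA Server is evaluating the rule (.+)\.$")
BLOCKED = re.compile(r"The rule (.+) blocked the packet\.$")
NETWORK = re.compile(r"The network rule (.+) matches the source and destination\. "
                     r"A (\w+) relationship is specified\.$")

def summarize(log_text, expected_rule):
    """Return packet properties, evaluated policy rules, verdict and network rule."""
    out = {"packet": None, "evaluated": [], "blocked_by": None, "network_rule": None}
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # skip anything that is not a numbered trace entry
        number, message = int(entry.group(1)), entry.group(2)
        if m := PACKET.search(message):
            out["packet"] = dict(zip(("src", "src_net", "dst", "dst_net"), m.groups()))
        elif m := EVALUATED.search(message):
            out["evaluated"].append((number, m.group(1)))
        elif m := BLOCKED.search(message):
            out["blocked_by"] = m.group(1)
        elif m := NETWORK.search(message):
            out["network_rule"] = m.groups()
    # True only if the rule name appears among the rules the trace says were evaluated.
    out["expected_seen"] = expected_rule in [name for _, name in out["evaluated"]]
    return out

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "Publish CAM130 Web Server")
    for number, name in report["evaluated"]:
        print(f"entry {number}: evaluated {name}")
    print("blocked by:", report["blocked_by"])
    print("publishing rule evaluated:", report["expected_seen"])
```
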
RE: Web publishing to internal server -- connection alw... - 14.Nov.2008 3:58:41 PM   
SteveV

 

Guys, I'm dying here.  At the risk of being a pain in the ass can anyone point me in the right direction or share some clues as to what might be the problem.

Thanks! -- Steve

(in reply to SteveV)
Post #: 4
