I'm trying to use web publishing to control access to the cameras. All of the cameras (Panasonic IP Cameras) have built-in web servers. I have created an "All Open" access rule to confirm that I can access all of the cameras using IP address and host name.
Next, I disabled the All Open rule and created a web publishing rule to allow access to one camera. The connection to the camera is being initiated from our internal network (10.13.1.0). All of the cameras are on our perimeter network (10.39.1.0).
With the web publishing rule enabled, the connection always fails. If I test my settings using the traffic simulator, the traffic is denied with the following error:
Denied Traffic - destination URL host name could not be resolved Rule Name: [Enterprise] Default rule
Looking at the logs, ISA appears to ignore the web publishing rule which is configured as follows:
Name: Publish CAM130 Web Server
Action: Allow
From: Anywhere
To: CAM130
Listener: IP Camera Listener
Public Name: All requests
Paths: Same as internal
Authentication Delegation: No delegation but the client may authenticate directly
Users: All Users
Schedule: Always
Link Translation: none

Listener:
Name: IP Camera Listener
Networks: All Networks
Connections: Enable HTTP connections on port 80
Authentication: None
Is the problem that the connection to the web server is originating from the internal network and thus being ignored? I've been working on this for days now. I have read a large number of forum posts, tried an endless number of configurations but have made zero headway--I would be grateful for any insight.
Thanks -- Steve
< Message edited by SteveV -- 12.Nov.2008 10:11:14 AM >
1 11/13/2008 8:49:42 fff4f353 Firewall service The Firewall service is performing rule evaluation.
2 11/13/2008 8:49:42 fff4f353 Firewall service Protocol: HTTP
3 11/13/2008 8:49:42 fff4f353 Firewall Engine Packet properties: Source IP address: 10.13.1.222 Source array network: Internal Destination IP address: 10.39.1.140 Destination array network: Perimeter
4 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server will check only rules that are associated with the protocol HTTP.
5 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites.
6 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
7 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites.
8 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
9 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
10 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
11 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule Local Host to Internal.
12 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet.
13 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [Enterprise] Default rule.
14 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
15 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule blocked the packet.
16 11/13/2008 8:49:42 fff4f353 Firewall service The Firewall service is performing rule evaluation.
17 11/13/2008 8:49:42 fff4f353 Firewall Engine Packet properties: Source IP address: 10.13.1.222 Source array network: Internal Destination IP address: 10.39.1.140 Destination array network: Perimeter
18 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is looking for an applicable network rule.
19 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Local Host Access.
20 11/13/2008 8:49:42 fff4f353 Firewall service The source IP address in the packet does not match the source specified in the network rule.
21 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is checking the reverse direction of the network rule Local Host Access.
22 11/13/2008 8:49:42 fff4f353 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
23 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule VPN Clients to Internal Network.
24 11/13/2008 8:49:42 fff4f353 Firewall service The source IP address in the packet does not match the source specified in the network rule.
25 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is checking the reverse direction of the network rule VPN Clients to Internal Network.
26 11/13/2008 8:49:42 fff4f353 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
27 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Perimeter Configuration.
28 11/13/2008 8:49:42 fff4f353 Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.
29 11/13/2008 8:49:42 fff4f353 Firewall service The network rule Perimeter Configuration matches the source and destination. A NAT relationship is specified.
[EDIT] One thing that looks odd to me regarding the log entries starts at entry #11 ("ISA Server is evaluating the rule Local Host to Internal"). This rule is above my "Publish CAM130 Web Server" rule in the firewall policy rules list, yet ISA doesn't seem to try to evaluate the "Publish CAM130 Web Server" rule. At least not in a way that's apparent from the log. I have confirmed that the rule is enabled. Moving it above the "Local Host to Internal" rule has no effect and it still doesn't appear in the log. [/EDIT]
Any other thoughts?
Thanks! -- Steve
< Message edited by SteveV -- 13.Nov.2008 9:19:18 AM >
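Added example, not part of the original posts and not Microsoft tooling: a small Python parser for the traffic simulator trace format quoted above. It lists each rule the trace reports as evaluated, with its outcome, and checks whether a given rule name (here "Publish CAM130 Web Server") appears at all. The function names are hypothetical; the sample input is an excerpt of the log in the post.

```python
import re

# Excerpt (entries 11-15 and 27-28) of the trace quoted in the post, run together as pasted.
TRACE = (
    "11 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule Local Host to Internal. "
    "12 11/13/2008 8:49:42 fff4f353 Firewall service source does not match the packet. "
    "13 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the rule [Enterprise] Default rule. "
    "14 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet. "
    "15 11/13/2008 8:49:42 fff4f353 Firewall service The rule [Enterprise] Default rule blocked the packet. "
    "27 11/13/2008 8:49:42 fff4f353 Firewall service ISA Server is evaluating the network rule Perimeter Configuration. "
    "28 11/13/2008 8:49:42 fff4f353 Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship."
)

# Entry header: number, date, time, 8-hex-digit session id, component.
ENTRY = re.compile(r"(\d+) \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [0-9a-f]{8} "
                   r"Firewall (?:service|Engine) ")
EVAL = re.compile(r"ISA Server is evaluating the (network )?rule (.+)\.$")

def parse_entries(text):
    """Split a trace (one entry per line or run together) into (number, message) pairs."""
    heads = list(ENTRY.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [(int(h.group(1)), text[h.end():end].strip()) for h, end in zip(heads, ends)]

def evaluated_rules(text):
    """Return [kind, rule name, outcome] for every rule the trace says was evaluated."""
    rules = []
    for _, msg in parse_entries(text):
        m = EVAL.match(msg)
        if m:
            rules.append(["network" if m.group(1) else "policy", m.group(2), "unknown"])
        elif rules:  # outcome lines refer to the most recently evaluated rule
            if "does not match" in msg:
                rules[-1][2] = "no match"
            elif "blocked the packet" in msg:
                rules[-1][2] = "blocked"
            elif "NAT relationship" in msg:
                rules[-1][2] = "matched (NAT)"
            elif "matches the packet" in msg:
                rules[-1][2] = "matched"
    return rules

def was_evaluated(text, rule_name):
    """True if the trace contains an evaluation entry for exactly this rule name."""
    return any(name == rule_name for _, name, _ in evaluated_rules(text))

if __name__ == "__main__":
    for kind, name, outcome in evaluated_rules(TRACE):
        print(f"{kind:8} {name:28} {outcome}")
    print("publishing rule evaluated:", was_evaluated(TRACE, "Publish CAM130 Web Server"))
```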
Guys, I'm dying here. At the risk of being a pain in the ass, can anyone point me in the right direction or share some clues as to what might be the problem?