Here is a diagram of my network. The nAppliance mISA box had a hardware failure so I had to put in a spare server in its place. So, in the diagram where you see mISA 1200 there is now an IBM server running ISA 2006 on Windows 2003 SP2. I have everything working OK except the Web Listener for the mIAG portal. I can see HTTPS packets getting to the public IP of the ISA box but they don't get forwarded to the 192.168.1.0 network. Not one packet.
In ISA Server Management I can run Test Rule; it checks out OK and I see HTTPS packets flying.
I have two public IPs on the external interface because we are using two certificates. This same setup was working on the mISA box but for some reason I can't get it to work on this temporary server.
Check your networks for the correct IP ranges mentioned in the ISA console
Check for any relevant alerts
Make sure you have NAT relationship between ISA external and ISA's IAG connected network
Since you are using two IPs with two certs, and if you are using two web listeners, then make sure they are pointing to their respective IPs under the Networks tab in the web listener
Try to take a network trace on the public and the IAG connected NIC on ISA to identify issues
< Message edited by inderjeet -- 7.Jan.2009 2:22:58 PM >
OK, this officially got real weird after a reboot. The web listener now works and I can get to the Portal on the mIAG box, but:
VPN client no longer worked
Site-to-site VPN no longer worked
Remote Desktop to the ISA Server no longer worked
RPC no longer worked (Remote Management etc.)
This forced me to go to the console of the ISA server and restart the MS Firewall service and BOOM ... everything is working again. Like everything: mIAG, VPNs, Remote Desktop, RPC.
"07/01/2009 20:51:46 - The Web Proxy filter failed to bind its socket to 62.81.208.12 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure. The failure is due to error: Only one usage of each socket address (protocol/network address/port) is normally permitted."
The .12 address is the second address on the WAN interface. It's the address for the portal. So from this error message I can see I did the right thing by restarting the MS Firewall Service, but what is the long-term fix?
Do you have IIS running on the machine? If yes, you have to release port 80...
Also, type NETSTAT -ano at the command prompt to see if you have an entry as 0.0.0.0:80
If you do, then there is a conflict on port 80 with an application such as IIS
If you have IIS, stop all websites in it and turn them on one by one; then whenever you start a website, run the above command each time and see which website is in conflict
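The check inderjeet describes (look in `netstat -ano` for something already bound to 0.0.0.0:80 or to the listener's own address on port 80), written up as a small script. This is an added example, not something from the thread or from ISA; the netstat output it parses is constructed, and the `live_conflicts` helper assumes it is run on the Windows box itself.

```python
"""Find which process already holds a TCP port that an ISA Web Listener needs."""
import re
import subprocess

# Constructed sample of `netstat -ano` output (not captured from the poster's server).
# On Windows 2003, IIS listens through http.sys, which shows up under PID 4 (System).
# 62.81.208.11 and 192.168.1.1 are made-up addresses for the sample.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    62.81.208.11:443       0.0.0.0:0              LISTENING       1644
  TCP    192.168.1.1:3389       0.0.0.0:0              LISTENING       1020
  TCP    62.81.208.11:443       10.0.0.5:51234         ESTABLISHED     1644
"""

# Matches only the TCP rows in LISTENING state: local address, port and owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(text):
    """Return the TCP LISTENING rows of netstat -ano output as dicts."""
    rows = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append({"addr": m.group(1), "port": int(m.group(2)), "pid": int(m.group(3))})
    return rows


def find_port_conflicts(listeners, ip, port):
    """Listeners that prevent a new socket from binding ip:port.

    A wildcard (0.0.0.0) listener on the same port blocks a specific-address
    bind, and so does an existing listener on exactly that address and port.
    """
    return [l for l in listeners if l["port"] == port and l["addr"] in ("0.0.0.0", ip)]


def live_conflicts(ip, port):
    """Run netstat -ano on this host and report conflicts (assumes a Windows box)."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return find_port_conflicts(parse_listeners(out), ip, port)


if __name__ == "__main__":
    # The address from the event log message, checked against the constructed sample.
    for c in find_port_conflicts(parse_listeners(SAMPLE_NETSTAT), "62.81.208.12", 80):
        print(f"port {c['port']} is already bound on {c['addr']} by PID {c['pid']}")
```

On the real server, the PID reported can be matched to a process with Task Manager or `tasklist /fi "PID eq <pid>"`; a PID of 4 points at http.sys, i.e. a site in IIS.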
Also, there were two more messages in the analysis that I didn't notice at first that had to do with RPC:
Strict RPC compliance is enforced in the access rule vpn, which allows traffic to or from the Local Host network. This message can be safely ignored if this is your intention. To allow non-strict RPC traffic, expand the Firewall Policy node, right-click the rule vpn, click Configure RPC protocol, and clear the Enforce strict RPC compliance check box.
There was another one like this for another rule, but I don't know what to make of it.
OK, first of all I want to give big thanks to inderjeet for helping me on this one. We ran the best practice tool on this box and tried several things, but what I ultimately did was put in new hardware. The one thing I think may have been a problem was that I had two listeners on one IP. One was a test listener I had forgotten about.
I imported everything into the new server and there were NO issues after rebooting the new box.
Again without Inderjeet I might still be pounding my head on the table.