Welcome to ISAserver.org

Web publishing rule created

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Publishing] >> Web Publishing >> Web publishing rule created

Page: [1]

Message

<< Older Topic Newer Topic >>

Web publishing rule created - 5.Aug.2009 6:38:18 AM

ezeki

Posts: 33
Joined: 14.Sep.2006
Status: offline

Guys I have my ISA server which has 3 interfaces

int1 "N3 DMZ"
int2 "internet DMZ"
int3 "local LAN"

The isa server is a back firewall which sits behind a cisco ASA for int1 and int2. I have web publishing rules setup and working on int2 and users are able to access resources from the internet without any issues. I have now been tasked with making resources available from int1, the requests come from a 10.X.X.X address as source which are NATed to a 192.168.250.X address on int1.

I am seeing the following errors:-

0x0 ERROR_SUCCESS
0xc004000d FWX_E_POLICY_RULES_DENIED

Thanks in advance

Post #: 1

Featured Links*

RE: Web publishing rule created - 5.Aug.2009 3:27:19 PM

yeskaygee1

Posts: 51
Joined: 5.Dec.2008
From: Washington, DC
Status: offline

Which is your external interface. What interface has the default gateway. Also what is your network configuration on the listener publishing servers in N3 DMZ.

If "internet DMZ" is your external interface and you are publishing servers in the DMZ network (same as external int nw) it is not a good setup.

You might also need to check how the routing is in your ISA server. I believe the traffic is not hitting the correct interface.

Regards,
Karthigeyan

(in reply to ezeki)

Post #: 2

RE: Web publishing rule created - 6.Aug.2009 7:26:26 AM

ezeki

Posts: 33
Joined: 14.Sep.2006
Status: offline

External interface is int2 "INTERNET DMZ"

Listener configuration is using external with ip 192.168.250.x (this is an ip on int1, N3 DMZ)

The default gateway is configured on int2.

You say this is not a good setup, I am not sure that it is not possible to publish servers on multiple networks?

I thought the issues maybe based around the requests coming from machines on the N3 network where source address is 10.x.x.x which is a reserved internal range?

Hope this makes sense as I am in a position where users are needing to hit a site ASAP

Thanks in adavance

(in reply to yeskaygee1)

Post #: 3

RE: Web publishing rule created - 6.Aug.2009 8:07:33 AM

yeskaygee1

Posts: 51
Joined: 5.Dec.2008
From: Washington, DC
Status: offline

Customer requirement may supercede any infrastructure design, provided sufficient risk analysis are done.

When you have multiple NIC interface on ISA, the reverse proxying accepts the traffic coming on one interface and passes the same to another interface. In your case the traffic hits on int2 (or int1) and again goes through the same interface for the published webserver. ISA will identify the traffic as spoofed one and may block the traffic.

You can check the article below for disabling spoofing in ISA

http://support.microsoft.com/kb/838114

Also the traffic coming to int1 for N3 DMZ will have the return traffic going through int2, since that is the default gateway. Unless your ASA does a source NAT for the incoming traffic to int1 and you have the route in ISA for the NAT IP back to ASA, it would not take a desired path.

That's why I meant the design is complicated in your setup.

Regards,
Karthigeyan

< Message edited by yeskaygee1 -- 6.Aug.2009 8:21:46 AM >

(in reply to ezeki)

Post #: 4

RE: Web publishing rule created - 11.Aug.2009 5:49:45 AM

ezeki

Posts: 33
Joined: 14.Sep.2006
Status: offline

I have managed to get the N3 users hitting the ISA by adding a static route for the 10.0.0.0 address to route out of int1 (DMZ N3)

The users now see an ISA error:

Error Code 403 forbidden. ISA server is configured to block http requests that require authentication (12250)

The site which is being hit does not require authentication so I am not sure why I am getting the above error!

The ISA logging shows:-

CLIENT DESTINATION PROTOCOL ACTION
10.x.x.x 192.168.250.x http Failed connection attempt

I am also not sure why the source network and destination network in logging are blank, is this because ISA is not sure about the network 10.0.0.0?

Thanks in advance

(in reply to yeskaygee1)

Post #: 5

RE: Web publishing rule created - 11.Aug.2009 6:43:50 AM

ezeki

Posts: 33
Joined: 14.Sep.2006
Status: offline

I have just deleted the firewall policy rule and tested... the client machine connecting sees the same ISA error as my previous post!

ISA server is doing something outside FW policy rules.

Thanks

(in reply to ezeki)

Post #: 6

RE: Web publishing rule created - 11.Aug.2009 8:07:07 AM

yeskaygee1

Posts: 51
Joined: 5.Dec.2008
From: Washington, DC
Status: offline

Go to the listener properties --> Authentication Tab ---> Advanced

The option "Client Authentication Over HTTP" should be checked / selected.

Once selected pls check for the access.

Regards,
Karthigeyan

(in reply to ezeki)

Post #: 7

RE: Web publishing rule created - 11.Aug.2009 9:24:21 AM

ezeki

Posts: 33
Joined: 14.Sep.2006
Status: offline

has no effect.

(in reply to yeskaygee1)

Post #: 8

RE: Web publishing rule created - 11.Aug.2009 9:37:13 AM

yeskaygee1

Posts: 51
Joined: 5.Dec.2008
From: Washington, DC
Status: offline

Can you provide the settings on your listener - http / https, what kind of authentication, do you use any certs etc. Also what kind os authentication you use in the publishing rules.

Regards

(in reply to ezeki)

Post #: 9

RE: Web publishing rule created - 12.Aug.2009 6:00:45 AM

ezeki

Posts: 33
Joined: 14.Sep.2006
Status: offline

I have setup a temp ISA server with 1 external interface and 1 internal with the exact web publishing rule and it works!

There must be something around the original ISA having 3 interfaces which is causing me this issue.

Anyone with any ideas?

(in reply to yeskaygee1)

Post #: 10