Welcome to ISAserver.org

PERIMETER TO INTERNAL
PERIMETER TO INTERNAL - 28.Oct.2009 1:27:42 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
I'm having some weird behavior that may have a simple solution.

I have a 3-leg perimeter configured however my DMZ uses public addresses. The necessary network rules were configured to support this however I'm trying to figure out how to get traffic from a host on the perimeter network to a host on the internal network.

This is for an Exchange Edge Transport. All facets of the Edge Transport are working with the correct rules in place however the SMTP traffic sitting on the Edge Transport destined for delivery to the Hub Transport on the Internal network is not going anywhere.

What I'm trying to do is have the Edge Transport identify the Hub Transport by its public address and have it allowed in via a publishing rule that redirects port 25 to the privately addressed Hub Transport. I know the Hub Transport works because my listening rule will allow mail to go directly to the Hub Transport from the external network with no problems. If I try to add Perimeter Network as a "listen from" on that rule, the connection gets reset and I get 10061 in the SMTP Send log on the Edge Transport.

Do I need a network rule in ISA that properly determines how traffic gets sent to the Internal network from the Perimeter network by chance or is this just not possible? Exchange docs don't help as I suppose they think everyone will use a privately addressed DMZ which does not seem to be a requirement. I would change it but my OCS deployment requires a public IP without translation on the Perimeter.

Lastly, the only thing I notice specifically in ISA is that SMTP traffic that originates from the External network is properly routed through the listener on the Private segment as I can verify source and destination IP addresses in the logs. On the flip side, SMTP traffic initiating from the Perimeter never really seems to be handled by the listener because the log entries on ISA show public addresses for source and destination as opposed to my first example. I can provide more info if clarification is needed.

Thanks,

Dave
Post #: 1
RE: PERIMETER TO INTERNAL - 28.Oct.2009 1:39:49 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
So what network relationship do you have between perimeter and internal?

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ModernAge)
Post #: 2
RE: PERIMETER TO INTERNAL - 28.Oct.2009 1:42:04 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
the only one is the default...it indicates Internal to Perimeter which of course is NAT.

(in reply to Jason Jones)
Post #: 3
RE: PERIMETER TO INTERNAL - 28.Oct.2009 1:44:32 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
...and that rule is working properly because the EdgeSync connections are initiated by the Hub Transport and they all work fine.

I also have an access rule that allows SMTP traffic sent to the Edge Transport to properly pass through from the External interface so the only problem is getting the SMTP traffic from the public addressed Perimeter to the privately addressed Internal and the Edge deployment should be fully functional.

(in reply to ModernAge)
Post #: 4
RE: PERIMETER TO INTERNAL - 28.Oct.2009 1:56:04 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
A NAT relationship is unidirectional; hence you need a network rule from Perimeter to Internal to pass traffic. This would normally be a route relationship.

Some reading:

http://technet.microsoft.com/en-us/library/cc302676.aspx
http://technet.microsoft.com/en-us/library/cc302656.aspx#IntraDomainCommunicationFromPerimeterNetworksNeeded
http://blogs.technet.com/isablog/archive/2008/06/24/server-publishing-with-isa-server-2004-2006-and-route-relationship-between-networks.aspx
http://blogs.isaserver.org/shinder/2006/11/29/route-relationships-server-publishing-rules-and-port-stealing/

Cheers

JJ

< Message edited by Jason Jones -- 28.Oct.2009 1:58:37 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ModernAge)
Post #: 5
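To make the point in the reply above concrete, here is an added example (not from this thread or from ISA Server itself) that models how ISA evaluates network rules for the three-leg topology under discussion: NAT matches only in the direction it was written, Route matches both directions, and the first matching rule wins. The address ranges and rule names are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample ranges for the thread's three-leg topology.
# The perimeter (DMZ) uses public addresses, as the original poster describes.
NETWORKS = {
    "Internal": [ip_network("192.168.10.0/24")],
    "Perimeter": [ip_network("203.0.113.0/28")],
    "External": [ip_network("0.0.0.0/0")],  # everything not in another network
}


@dataclass
class NetworkRule:
    name: str
    source: str
    destination: str
    relationship: str  # "NAT" or "Route"


def network_of(ip: str) -> Optional[str]:
    """Return the most specific ISA network containing ip (longest prefix wins)."""
    addr = ip_address(ip)
    best = None
    for name, nets in NETWORKS.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def lookup_relationship(rules: List[NetworkRule], src_ip: str, dst_ip: str) -> Optional[str]:
    """First matching network rule wins. NAT only matches the direction it was
    written in; Route is bidirectional. None means no relationship exists, so
    ISA has no way to pass the packet (the thread's dropped Perimeter -> Internal SMTP)."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    for rule in rules:
        forward = rule.source == src_net and rule.destination == dst_net
        reverse = rule.source == dst_net and rule.destination == src_net
        if forward or (reverse and rule.relationship == "Route"):
            return rule.relationship
    return None


# The default rule set (Internal -> Perimeter NAT only) and the fix suggested above.
DEFAULT_RULES = [NetworkRule("Internal to Perimeter", "Internal", "Perimeter", "NAT")]
WITH_ROUTE = DEFAULT_RULES + [NetworkRule("Perimeter to Internal", "Perimeter", "Internal", "Route")]
ROUTE_FIRST = list(reversed(WITH_ROUTE))  # same rules, different order
```

Because Route is bidirectional, placing the new rule above the default NAT rule silently changes the Internal to Perimeter relationship too, which is why rule order matters.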
RE: PERIMETER TO INTERNAL - 28.Oct.2009 1:59:20 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
ok...so what would this route look like? Perimeter to Internal "Route"? Even though you can't route traffic from a public address to a private address?

Maybe I'm still confused. I know if my DMZ was privately addressed a route would do the trick but the addresses are public.

(in reply to Jason Jones)
Post #: 6
RE: PERIMETER TO INTERNAL - 28.Oct.2009 2:04:05 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Try it...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ModernAge)
Post #: 7
RE: PERIMETER TO INTERNAL - 28.Oct.2009 2:10:48 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
no dice...same behavior

(in reply to Jason Jones)
Post #: 8
RE: PERIMETER TO INTERNAL - 28.Oct.2009 2:12:04 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
from Perimeter
to Internal
Relationship "Route"

correct? Does the order of the rules matter for this case?

(in reply to ModernAge)
Post #: 9
RE: PERIMETER TO INTERNAL - 28.Oct.2009 2:18:44 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
would an access rule or publishing rule be used or both? I thought access rules were used for outbound access or access between routeable networks. To cross the bridge from public to private with "port forwarding", per se, I was under the impression a publishing rule was required.

I definitely don't mind being wrong if I can learn what is a correct method for this type of application.

(in reply to ModernAge)
Post #: 10
RE: PERIMETER TO INTERNAL - 28.Oct.2009 2:44:28 PM   
ModernAge

 

Posts: 37
Joined: 30.Jan.2008
Status: offline
ok...I got it to work but I had to cheat (at least it seems that way).

I removed that route you asked for and I edited the listening rule. When I looked at the listener, I noticed realistically the Perimeter is only listening on the one IP bound to the Perimeter interface on the ISA server so I put an entry in the hosts file on the Edge Transport that claimed the public IP for the internal Hub Transport was the aforementioned address.

I refreshed the DNS cache on the Edge Transport and forced Exchange to process the queue...the messages went through.

I'm thinking that once I move all domains to route through the Edge transport, I'll change the public DNS to show my hub transport as using the IP on that Perimeter ISA interface. My ISA server itself actually does zone transfer of the internal representations of my domains as the publishing rules appear to like that setup better and I maintain public DNS at the registrar. The ISA server is listed as the DNS server for the Perimeter network machines and if the host is not resolvable from one of the internal zones, obviously forwarding takes place. I think I noticed it is recommended you run a separate DNS on your Perimeter network.

< Message edited by ModernAge -- 28.Oct.2009 3:05:54 PM >

(in reply to ModernAge)
Post #: 11