
Welcome to ISAserver.org


Web sites in a perimeter

Web sites in a perimeter - 7.Mar.2012 5:19:50 PM   
Stevenrlong

 

Posts: 57
Joined: 26.Oct.2002
From: San Francisco
Status: offline
I have a three-legged TMG with an Internal network, an external network and a perimeter network, all on separate network interfaces. Very normal.

I have servers in the perimeter network and layer 3 works to all these servers; Exchange mailboxes are accessible using Outlook; everything works EXCEPT webservers!

What's wrong?

Users located on the Internal can access resources on Exterior web sites but can't access servers located in the perimeter.

Using the FWC it doesn't work
Not using the FWC it doesn't work

It looks like TMG tries to send all HTTP out no matter if I tell it on the internal interface to bypass TMG.

But I don't really want to bypass TMG, right? I need TMG to "route" the HTTP traffic request from Internal clients through the perimeter Interface just like it does when a trace or a ping (remember Layer 3 works).

I understand, in a TMG that has only an Internal and an External, how to configure the Internal Network to handle local servers, but what settings do I place on the perimeter network config in TMG so a three-legged TMG understands how to forward all HTTP traffic from the Internal and through the perimeter to reach the web servers?

I don't need to publish them do I?

Thanks for responding

< Message edited by Stevenrlong -- 7.Mar.2012 5:22:14 PM >
Post #: 1
RE: Web sites in a perimeter - 8.Mar.2012 9:59:31 AM   
SDoMASTER

 

Posts: 34
Joined: 5.Nov.2007
Status: offline
To pass HTTP/S traffic through TMG you must publish all your sites. In the listener you can define where and what must be published! :)

(in reply to Stevenrlong)
Post #: 2
RE: Web sites in a perimeter - 8.Mar.2012 6:00:46 PM   
Stevenrlong

 

Posts: 57
Joined: 26.Oct.2002
From: San Francisco
Status: offline
Really?
I'm using TMG to control access as an internal-backend firewall/router between two subnets in the same domain.

Layer 3 works fine right now with only inter-domain rules.
Exchange, AD, DNS, everything works except webservers.

When a client tries to access a webserver located on the perimeter network the client receives a timeout 100060.

The TMG is on the user side and the webservers are in a separate subnet in a different building connected over a 50MB Ethernet MAN supplied by AT&T.

All I'm doing is removing a router and replacing the router with a server using the same IP addresses as the router had.

The TMG is not on the same subnet as the resources.

If what you're saying is true and I need to publish internally, then I would need a TMG on the other side of the perimeter and assign 25 IP addresses to the interface, is that true?

(in reply to SDoMASTER)
Post #: 3
RE: Web sites in a perimeter - 9.Mar.2012 5:53:00 AM   
SDoMASTER

 

Posts: 34
Joined: 5.Nov.2007
Status: offline
Why must you configure 25 IP addresses on the same NIC? I don't know in what you host your web applications, but I think you can deal with this with web servers? There is no need to set 25 different IPs... and if you don't believe me, try to publish one site and if this works - this is the right way :) Another thing you must pay attention to - Internal <-> DMZ must be set on Routing, because if you set it to NAT, you may have some trouble if your servers are part of the same domain etc.

(in reply to Stevenrlong)
Post #: 4
RE: Web sites in a perimeter - 9.Mar.2012 6:10:16 AM   
Stevenrlong

 

Posts: 57
Joined: 26.Oct.2002
From: San Francisco
Status: offline
Thanks,
It's just that the TMG is located on the client side of the wire so I saw it as more of an access control than of publishing internal websites that in most cases are just for inside use.

When I create a web publishing rule for external access I assign it to the external network (NIC) and it uses an IP for each webserver, correct?

So, now you're saying that I need to publish my internal webservers the same way but this time it's between two different perimeter networks.

Each internal webserver located in a resource perimeter network has/needs its own IP and internal DNS settings so don't I need to create a "listener" for each and assign it to an interface?

Thanks,
It's 3:08 AM in San Francisco and this has me so worried I can't sleep.

(in reply to SDoMASTER)
Post #: 5
RE: Web sites in a perimeter - 15.Mar.2012 4:02:32 AM   
RaviAuto

 

Posts: 20
Joined: 27.Feb.2012
Status: offline
I think you are right now, I will follow your thoughts......

(in reply to SDoMASTER)
Post #: 6
