
Welcome to ISAserver.org


Back to Back

Back to Back - 14.Jun.2001 12:04:00 AM   


Posts: 12
Joined: 13.Jun.2001
From: ny,ny,usa
Status: offline
Posted the following in DMZ board also.

Have ISA server with published E2k server, and everything working well.
Want to integrate E2k Front End (OWA and for SMTP connector) in back-to-back network, and having great difficulty.
-I put only the private network in the Internal ISA LAT.
-I put the OWA IP and the external nic of the Internal ISA in the External ISA.
-I opened all ports on the Internal ISA server (testing purposes).
-Default gateway of external nic of Internal ISA points to internal nic of External ISA.
-Default gateway of internal nic of External ISA points to external nic of Internal ISA.
-I have internal DNS (AD integrated).
-Internal DNS server forwards to ISP's DNS
-DNS for external nics of both ISA servers point to ISP's DNS
-DNS of E2k Front End server on perimeter network points to internal DNS server
-Default Gateway of E2k Front End is internal nic of External ISA
-On E2k Front End, I have added route to private network, via the external nic on Internal ISA.

It is not working. And I have absolutely no idea where to go from here.

Does Tom's book cover DNS, Default Gateways, LAT, etc for Back-to-back? If so, I'm headed to Barnes and Noble tonight.

Thanks in advance for any help.

Post #: 1
RE: Back to Back - 14.Jun.2001 1:11:00 AM   


Posts: 803
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
You shouldn't have to do very much if you had E2K published through ISA already. If so all you would need to do would be create a backend E2K box and turn the current one into frontend. What is the specific problem. Can you route out? Can you route in? Is there name resolution? Are there errors in either the E2K, or ISA box event log?


(in reply to erocanas)
Post #: 2
RE: Back to Back - 14.Jun.2001 3:58:00 AM   


Posts: 12
Joined: 13.Jun.2001
From: ny,ny,usa
Status: offline
Thanks John.

Exchange services on E2k Front End server will not even start (SA can't see Active Directory). Furthermore, logging in with cached info (cannot see domain controllers to authenticate).

Apparently, even though I opened all ports, the perimeter network servers can not access the internal network.

After reading other posts, I gather I must publish all services (DNS, authentication, global catalog, Kerberos, RPC, netlogon), or create a VPN from the perimeter to the internal network.

Microsoft clearly states in just about all their Front End/Back End literature, that appropriate ports must be opened on the internal firewall.

So why do I have to publish? Why won't the traffic be routed to the internal network?

Does Tom's book cover these specifics? If not, are there any references anyone can point me to?

Again, thanks in advance.

(in reply to erocanas)
Post #: 3
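The post above lists the services a perimeter Exchange front end must reach on the internal domain controllers, and the earlier reply asks the practical questions (can you route in, is there name resolution). The script below is an added example written for this thread, not code from any of the posters or from ISA Server; it probes the fixed TCP ports a Windows 2000 domain member needs on its DC so you can see which ones the inner firewall is actually blocking. The hostname `dc1.example.internal` is a placeholder, and the fake probe results in the test are constructed. One caveat the probe cannot cover: after contacting the RPC endpoint mapper on 135, the client is handed a dynamic high port, so a clean result here does not prove the dynamic RPC range is open.

```python
"""Probe the fixed TCP ports a Windows 2000 domain member needs on a DC.

Added example for the ISAserver.org thread, not code from the forum or from
ISA Server. The port list is the usual member-to-DC set (DNS, Kerberos, RPC
endpoint mapper, LDAP, SMB/Netlogon, Global Catalog). The dynamic RPC ports
handed out by the endpoint mapper are not covered by a fixed-port probe.
"""
import socket
import sys

# (service, TCP port) pairs a domain member must reach on its DC.
REQUIRED_TCP_PORTS = (
    ("DNS", 53),
    ("Kerberos", 88),
    ("RPC endpoint mapper", 135),
    ("LDAP", 389),
    ("SMB / Netlogon", 445),
    ("Global Catalog", 3268),
)


def name_resolves(host):
    """Return the address host resolves to, or None if resolution fails.

    Answers the 'is there name resolution?' question from the perimeter box
    using whatever DNS server the host is configured with.
    """
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(dc_host, probe=tcp_probe):
    """Probe every required port on dc_host; return {service: reachable}.

    probe is injectable so the logic can be exercised without a network.
    """
    return {service: probe(dc_host, port) for service, port in REQUIRED_TCP_PORTS}


def blocked_services(results):
    """Names of the services that were not reachable, in probe order."""
    return [service for service, ok in results.items() if not ok]


def report(dc_host, probe=tcp_probe):
    """Build a human-readable summary for one DC."""
    lines = []
    addr = name_resolves(dc_host)
    lines.append("name resolution: %s" % (addr if addr else "FAILED"))
    results = check_dc_ports(dc_host, probe=probe)
    for (service, port), ok in zip(REQUIRED_TCP_PORTS, results.values()):
        lines.append("%-22s tcp/%-5d %s" % (service, port, "open" if ok else "BLOCKED"))
    blocked = blocked_services(results)
    lines.append("blocked: %s" % (", ".join(blocked) if blocked else "none"))
    lines.append("note: dynamic RPC ports (after tcp/135) are not probed")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage from the perimeter host: python dcprobe.py dc1.example.internal
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.internal"  # placeholder name
    print(report(target))
```

Run it on the front-end server itself, pointed at an internal DC name, before and after each firewall change; the "BLOCKED" lines tell you which of the services in the post above still need a publishing rule or tunnel, and a failed name-resolution line means the DNS path to the internal server is broken before any port question arises.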
RE: Back to Back - 15.Jun.2001 4:03:00 PM   


Posts: 12
Joined: 13.Jun.2001
From: ny,ny,usa
Status: offline
Copying post from DMZ...

posted 15 June 2001 00:52

Originally posted by tshinder:
Hi Erocanas,
We ran out of time before we could go over the specifics of how to configure intradomain communications between a server on the DMZ and on the internal network. We'll have a tutorial on this in the next few weeks, or include it in our upcoming "ISA Server Experts Journal" which will be available sometime in the near future.

However, you might check out: http://support.microsoft.com/support/kb/articles/Q179/4/42.ASP

to help with configuring the publishing rules. However, the best way might be to configure a VPN between the server on the DMZ and the internal network.



I've got my second 'external' server prepped and ready, just waiting for those answers .. it's great to know we'll soon be enlightened!

Also, I'm interested in providing VPN and terminal service access to the internal network in a back-to-back configuration, it's working well with a single firewall and I'd hate to mess it up.

The KB article above begs the question: Do we want to make one or both ISA 'bastion hosts' domain members, in the remote chance that they are compromised?


Tom Smith

Junior Member
Posts: 6
Registered: Jun 2001
posted 15 June 2001 13:36
Another question. How would we create a VPN that would connect before the services (Exchange, Netlogon, etc) start?
Otherwise, if the server rebooted, it would be non-functional.


(in reply to erocanas)
Post #: 4
