I have been successfully running ISA 2000 since it came out. I upgraded to ISA 2004 recently, and, despite a minor glitch in the upgrade process, everything works smoothly. However, I am in the process of reconfiguring ISA from a dihomed to a trihomed network, and that has given me some headaches. I have read Dr. Shinder's article on configuring a trihomed DMZ; however, my configuration differs in some respects. Let me lay out the scenario and what I have achieved and not achieved below. I'm sure I have overlooked something basic - please have a look and see if you can see what part of the puzzle is missing.
We have a dihomed ISA system that works with the default configuration of internal and external networks. The internal network is defined with the private address range 192.168.1.x and the external network interface is also on a private network with 10.5.14.x. The router is placed at 10.5.14.1 and routes all traffic inwards to a larger organizational unit which has routers and firewalls that get traffic out to the Internet. We have a Windows 2003 based Exchange 2003 server on the internal network, but we can't route mail through the 10.5.14.x subnet. So I have set up a new subnet with the private address range of 192.168.0.x with a router with an internal address of 192.168.0.1 and a published public address (in the 80.239.x.x range) on the external interface. The ISA server has NICs representing all three internal networks: 10.5.14.3, 192.168.1.3, and 192.168.0.3. The routing table of the router redirects external HTTP requests to the 192.168.0.3 interface on the ISA server.
What I want to do is to route all traffic to the Internet through the 10.5.14.1 router as before. However, I want to publish the web and mail server on the 192.168.0.x network - which has the published external address. Dr. Shinder's article deals with servers on a perimeter network that talk to one another. I am not putting any machines on the 10.5.14.x subnet, but there will be clients on the 192.168.0.x network. These, however, will not be allowed to talk to my ISA server. Therefore, I regard both these subnets as "external" and not protected. They should therefore not be allowed to talk to one another.
With this in mind, I tried several configuration combinations which led nowhere. In the old days, I would have just added a route to the computer's routing table, but ISA has to do the work, so I have not done that.
1. I first set up a new external network for the 192.168.0.x subnet under Networks. Later, I added another external network for the external 80.239.x.x interface on the router - I'll explain why in a moment.
2. I did not set up anything new under Network Sets - was this a mistake?
3. Under Network Rules, I set up a rule similar to the default one that was set up by ISA:
Under the Source Networks I put my Internal and my 192.168.0.x subnet. In the Destination Networks, I put the 80.239.x.x subnet. Under Network Relationship, NAT.
Under the Source Networks I put my Internal and my internal subnet. In the Destination Networks, I put the 192.168.0.x subnet. Under Network Relationship, NAT.
4. Under Firewall Policy, I published the internal 192.168.1.x web server. I defined the ISA 192.168.0.3 interface as the listener.
5. I tested this configuration by starting up my web browser on the ISA server and pointing it to the internal web address of the 192.168.0.1 router. This works fine.
6. I then went to a client on the internal 192.168.1.x subnet and tried to access the router from there. That also works fine. This means traffic is allowed out.
7. Then I went to a machine on another network and tried to access the web server from there. That did not work. I ran a run time log query and got the following:
Log time (time)
Destination IP 192.168.0.3
Destination Port 80
Action Denied Connection
Client IP External Address on router (80.239.x.x)
Client Username (blank)
Source Network 80.239.x.x subnet
Destination Network Local Host
HTTP Method (blank)
This tells me that the router is doing what it is supposed to be doing - sending traffic to the proper ISA interface, but I can't understand why the connection is denied. Because the Rule field is blank, I must assume that this is a network set/rule issue, but I can't understand where. I have obviously missed something.
Does anyone have any ideas?
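In ISA 2004 each adapter on the ISA computer belongs to exactly one network (the one whose address range contains the adapter's own address), and a packet whose source address falls outside the network of the adapter it arrived on is treated as spoofed and dropped before any firewall-policy rule is consulted, so no rule name appears in the log. The following is an added model of that adapter/network consistency check, not ISA code and not from the post; it uses the addresses and network definitions described above, with a placeholder /16 standing in for the masked 80.239.x.x range, and also shows the same lookup when the public range is folded into the network of the 192.168.0.3 adapter.

```python
import ipaddress

# Network definitions as the post describes them (constructed for this model).
# The post masks the public range as 80.239.x.x; 80.239.0.0/16 is a placeholder.
AS_POSTED = {
    "Internal":    ["192.168.1.0/24"],
    "192.168.0.x": ["192.168.0.0/24"],
    "80.239.x.x":  ["80.239.0.0/16"],
}
# Alternative definition: the network holding the 192.168.0.3 adapter also
# covers the public addresses that are reachable through that adapter.
WITH_PUBLIC_RANGE_ON_ADAPTER = {
    "Internal":    ["192.168.1.0/24"],
    "192.168.0.x": ["192.168.0.0/24", "80.239.0.0/16"],
}
ISA_ADAPTERS = ("10.5.14.3", "192.168.1.3", "192.168.0.3")  # from the post


def network_of(ip, networks):
    """Name of the ISA network whose ranges contain ip; an address in no
    defined network falls into the default External network."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in networks.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"


def classify(src_ip, arriving_adapter, networks):
    """Model of the per-adapter check: compare the source address's network
    with the network of the adapter the packet arrived on."""
    src_net = network_of(src_ip, networks)
    adapter_net = network_of(arriving_adapter, networks)  # adapter's own network
    if src_net == adapter_net:
        return {"source_network": src_net, "adapter_network": adapter_net,
                "verdict": "accepted", "rule": "firewall policy decides"}
    # Mismatch: dropped as spoofed, so no policy rule is ever evaluated.
    return {"source_network": src_net, "adapter_network": adapter_net,
            "verdict": "dropped", "rule": ""}


if __name__ == "__main__":
    # The logged connection: a public source address arriving on 192.168.0.3.
    for defs in (AS_POSTED, WITH_PUBLIC_RANGE_ON_ADAPTER):
        print(classify("80.239.1.2", "192.168.0.3", defs))
    for adapter in ISA_ADAPTERS:
        print(adapter, "belongs to", network_of(adapter, AS_POSTED))
```

The model ignores network rules and Local Host handling; it only shows which network each address and adapter lands in under each set of definitions.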