Trihomed server publishing in ISA 2004
Trihomed server publishing in ISA 2004 - 29.Sep.2004 3:15:00 PM   
perryhs
Posts: 16
Joined: 28.Feb.2002
From: Norway
Status: offline
I have been successfully running ISA 2000 since it came out. I upgraded to ISA 2004 recently, and, despite a minor glitch in the upgrade process, everything works smoothly. However, I am in the process of reconfiguring ISA from a dihomed to a trihomed network, and that has given me some headaches. I have read Dr. Shinder's article on configuring a trihomed DMZ; however, my configuration differs in some respects. Let me lay out the scenario and what I have achieved and not achieved below. I'm sure I have overlooked something basic - please have a look and see if you can see what part of the puzzle is missing.

Scenario:

We have a dihomed ISA system that works with the default configuration of internal and external networks. The internal network is defined with the private address range 192.168.1.x, and the external network interface is also on a private network, 10.5.14.x. The router is placed at 10.5.14.1 and routes all traffic inwards to a larger organizational unit, which has routers and firewalls that get our traffic out to the Internet. We have a Windows 2003 based Exchange 2003 server on the internal network, but we can't route mail through the 10.5.14.x subnet. So I have set up a new subnet with the private address range of 192.168.0.x, with a router with an internal address of 192.168.0.1 and a published public address (in the 80.239.x.x range) on the external interface. The ISA server has NICs representing all three internal networks: 10.5.14.3, 192.168.1.3, and 192.168.0.3. The routing table of the router redirects external HTTP requests to the 192.168.0.3 interface on the ISA server.

Goal:

What I want to do is to route all traffic to the Internet through the 10.5.14.1 router as before. However, I want to publish the web and mail server on the 192.168.0.x network - which has the published external address. Dr. Shinder's article deals with servers on a perimeter network that talk to one another. I am not putting any machines on the 10.5.14.x subnet, but there will be clients on the 192.168.0.x network. These, however, will not be allowed to talk to my ISA server. Therefore, I regard both these subnets as "external" and not protected. They should therefore not be allowed to talk to one another.

Attempted configuration:

With this in mind, I tried several configuration combinations which led nowhere. In the old days, I would have just set up an add route to the computer's routing table, but ISA has to do the work, so I have not done that.

1. I first set up a new external network for the 192.168.0.x subnet under Networks. Later, I added another external network for the external 80.239.x.x interface on the router - I'll explain why in a moment.

2. I did not set up anything new under Network Sets - was this a mistake?

3. Under Network Rules, I set up a rule similar to the default one that was set up by ISA:

Rule 1: Under the Source Networks I put my Internal and my 192.168.0.x subnet. In the Destination Networks, I put the 80.239.x.x subnet. Under Network Relationship, NAT.

Rule 2: Under the Source Networks I put my Internal and my internal subnet. In the Destination Networks, I put the 192.168.0.x subnet. Under Network Relationship, NAT.

4. Under Firewall Policy, I published the internal 192.168.1.x web server. I defined the ISA 192.168.0.3 interface as the listener.

5. I tested this configuration by starting up my web browser on the ISA server and pointing it at the internal web address of the 192.168.0.1 router. This works fine.

6. I then went to a client on the internal 192.168.1.x subnet and tried to access the router from there. That also works fine. This means traffic is allowed out.

7. Then I went to a machine on another network and tried to access the web server from there. That did not work. I ran a real-time log query and got the following:

Log time:            (time)
Destination IP:      192.168.0.3
Destination Port:    80
Protocol:            HTTP
Action:              Denied Connection
Rule:                (blank)
Client IP:           External address on router (80.239.x.x)
Client Username:     (blank)
Source Network:      80.239.x.x subnet
Destination Network: Local Host
HTTP Method:         (blank)
URL:                 (blank)

This tells me that the router is doing what it is supposed to be doing - sending traffic to the proper ISA interface - but I can't understand why the connection is denied. Because the Rule field is blank, I must assume that this is a network set/rule issue, but I can't understand where. I have obviously missed something.

Does anyone have any ideas?
Post #: 1
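The reasoning in the post above ("Rule is blank, so it must be a network rule issue") can be checked mechanically. The following is an added example, not code from the original thread or from ISA Server: a simplified Python model of ISA 2004 network classification and network-rule lookup, loaded with the networks and the two network rules exactly as the poster lists them. It then asks which network rule, if any, covers the denied connection from the log entry (source in the 80.239.x.x range, destination 192.168.0.3 on the ISA server itself). The /16 mask on the 80.239.x.x range and the sample address 80.239.0.10 are constructed assumptions, since the post only shows a placeholder. The model deliberately does not reproduce ISA's built-in default rules, spoof detection or firewall policy; compare its answer against your real network rule set.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# ISA "networks" as the poster describes them. The 80.239.0.0/16 range and the
# Local Host addresses are taken from the post; the /16 mask is an assumption.
NETWORKS: Dict[str, List[ipaddress.IPv4Network]] = {
    "Local Host": [  # addresses bound to the ISA server's own NICs
        ipaddress.ip_network("10.5.14.3/32"),
        ipaddress.ip_network("192.168.1.3/32"),
        ipaddress.ip_network("192.168.0.3/32"),
    ],
    "Internal": [ipaddress.ip_network("192.168.1.0/24")],
    "Subnet 192.168.0.x": [ipaddress.ip_network("192.168.0.0/24")],
    "Subnet 80.239.x.x": [ipaddress.ip_network("80.239.0.0/16")],
}

# Network rules exactly as listed in the post: (name, sources, destinations, relationship).
Rule = Tuple[str, Set[str], Set[str], str]
POSTER_RULES: List[Rule] = [
    ("Rule 1", {"Internal", "Subnet 192.168.0.x"}, {"Subnet 80.239.x.x"}, "NAT"),
    ("Rule 2", {"Internal"}, {"Subnet 192.168.0.x"}, "NAT"),
]


def classify(ip: str) -> Optional[str]:
    """Map an address to an ISA network name. Local Host is checked first because
    the server's own addresses also fall inside the surrounding subnets."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():  # dict order puts Local Host first
        if any(addr in net for net in ranges):
            return name
    return None


def find_network_rule(src_ip: str, dst_ip: str,
                      rules: List[Rule] = POSTER_RULES) -> Optional[Tuple[str, str]]:
    """Return (rule name, relationship) for the network pair src -> dst, or None.
    In this model a NAT rule is one-directional (source -> destination) and a
    Route rule applies in both directions."""
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    for name, sources, dests, relationship in rules:
        if src_net in sources and dst_net in dests:
            return name, relationship
        if relationship == "Route" and src_net in dests and dst_net in sources:
            return name, relationship
    return None


def diagnose(src_ip: str, dst_ip: str,
             rules: List[Rule] = POSTER_RULES) -> str:
    """Classify a denied connection: no network rule between the two networks
    means firewall policy (publishing rules) was never the deciding factor."""
    match = find_network_rule(src_ip, dst_ip, rules)
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    if match is None:
        return f"no network rule defines {src_net} -> {dst_net}; fix Network Rules first"
    name, relationship = match
    return f"{name} ({relationship}) covers {src_net} -> {dst_net}; look at Firewall Policy"


# The log entry from the post, with a constructed sample client address.
LOG_CLIENT_IP = "80.239.0.10"   # stands in for the router's 80.239.x.x address
LOG_DEST_IP = "192.168.0.3"     # the ISA listener interface (Local Host)

if __name__ == "__main__":
    print("Log entry:", diagnose(LOG_CLIENT_IP, LOG_DEST_IP))
    # Test 6 from the post: an internal client reaching the 192.168.0.1 router.
    print("Internal -> router:", diagnose("192.168.1.20", "192.168.0.1"))
```

Running the block with the poster's two rules reports that nothing defines the relationship between the 80.239.x.x network and Local Host, which matches the blank Rule field in the log; the internal-client test from step 6 resolves to Rule 2, which matches that it worked. Passing an extended rule list to `diagnose` (for example a Route rule between the 80.239.x.x network and Local Host) lets you see which addition would make the lookup succeed before touching the live configuration.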
RE: Trihomed server publishing in ISA 2004 - 30.Sep.2004 1:35:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Phs,

Do you have a network diagram to go with this? I'm having a hard time picturing what is happening here.

Thanks!
Tom

(in reply to perryhs)
Post #: 2
RE: Trihomed server publishing in ISA 2004 - 4.Oct.2004 12:36:00 PM   
perryhs
Posts: 16
Joined: 28.Feb.2002
From: Norway
Status: offline
Sorry not to get back to you on this sooner, as I am under immense pressure to produce immediate results. I reconfigured the network and put in another ISA server on the other subnet. It works fine now with the standard configuration, using the publishing wizards. Trihomed may be fun to try at some future point, but for now it's results that count...

(in reply to perryhs)
Post #: 3