Configure ISA for *non VPN* Trust?

Configure ISA for *non VPN* Trust? - 28.Oct.2004 11:48:00 PM   
grinn253

 

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline
Hello all,

I've read:
How to Configure a Firewall for Domains and Trusts from MS KB.
also: Publishing Servers on a ISA Server 2004 Firewall Public Address DMZ Segment (v1.01)

Our ISA setup looks like:

Internal 192.168.125.0/24
DMZ 128.208.125.0/26
External 128.208.125.85/26

The DMZ machines are SecureNAT clients (ISA being the default gateway). I created new computer objects for the DCs that the trust will be connecting to. Afterwards I set a route relationship from my DMZ segment to the newly created computer objects (in accordance with the 2nd article above).

Without ISA, our 2 domains trust each other fine (they trust us). When I SecureNAT my DC (which is in charge of the trust), the trust does not establish.

I believe that the route relationship indeed routes (and does not NAT) from my DC to their machine, so that my DMZ IP is what is used to connect and not ISA's external IP. Verified by netstat on the remote PC.

I opened up the ports indicated in the 1st link above. As I understand it, all were outgoing; are any incoming needed? I'm a little confused about which RPC ports are open or need to be opened. Will port 135 dynamically open the correct >1024 incoming ports?

Logging shows successful 138, 139 connections to the trusting domain; however, when the trusting machine replies back with traffic on ports >1024, I receive the following:
quote:
0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
I didn't create any publishing rules (IIRC the 2nd article said not to), only using Firewall Policy.
Thanks for any help.
Edgardo

[ October 29, 2004, 12:08 AM: Message edited by: grinn253 ]
Post #: 1
RE: Configure ISA for *non VPN* Trust? - 1.Nov.2004 2:22:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Edgardo,

Check out:

http://www.isaserver.org/articles/2004perimeterdomain.html

HTH,
Tom

(in reply to grinn253)
Post #: 2
RE: Configure ISA for *non VPN* Trust? - 1.Nov.2004 10:27:00 PM   
grinn253

 

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline
quote:
Originally posted by tshinder:
Check out:

http://www.isaserver.org/articles/2004perimeterdomain.html

Thanks, I saw that article as well. Our intradomain communications are performing fine. My question is about creating a trust with an external domain, over the internet (not a directly attached DMZ).

Even allowing all protocols & creating a route relationship to the destination still results in:
quote:
0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
This is the last server/machine we need to be fully ISA'ed [Roll Eyes] , a little more assistance would be great! Let me know if more detail is needed.

Thanks,
Edgardo

[ November 01, 2004, 10:28 PM: Message edited by: grinn253 ]

(in reply to grinn253)
Post #: 3
RE: Configure ISA for *non VPN* Trust? - 2.Nov.2004 7:41:00 AM   
grinn253

 

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline
Hello,

Another question: is it possible to set up other 'listeners' besides those for HTTP & FTP?

As I mentioned in another posting, other domains/subnets will map to our drives via: \\servername\sharename

How can we listen for netbios/cifs from certain domains?

Thanks,
Edgardo

(I may post this question in its own thread in the future.)

(in reply to grinn253)
Post #: 4
