Welcome to ISAserver.org
BOOK Network behind a Network p.340
BOOK Network behind a Network p.340 - 12.Jan.2005 8:44:00 PM   
jbrown04
I am an ISA newbie and this is my scenario. My organization purchased an ISA server to Reverse Proxy our Exchange and web servers. The ISA server's External interface is in the DMZ off a PIX with the Internal interface on our server subnet. Our Exchange server is on the same subnet as the Internal interface (the 'on subnet' network). Multiple subnets are behind the Internal interface. No other workstations or servers internal to ISA will be passing traffic through ISA. All subnets have a route entry on the ISA server and are defined as part of the Internal Network (capital N).
My problem is when I configure Exchange as a SecureNAT client to publish OWA and SMTP, all internal Outlook clients stop working. I have read other posts on the message boards and have found the following solutions:
1. Place a layer 3 device between Exchange and ISA.
2. Define Subnet network objects and create access rules allowing traffic to and from each Subnet.
3. ISA 2004 book p. 340 - install firewall client on Exchange and configure with a default gateway other than ISA.

Will installing the firewall client on Exchange work if all other workstations do not have it installed, and will not be using ISA as a gateway? Has anyone had a similar problem and found any of these solutions to work? Any input would be appreciated.
(Obviously a solution would be to use ISA for all the computers on our network, but this is not politically possible at this time)

Thanks.
Post #: 1
RE: BOOK Network behind a Network p.340 - 12.Jan.2005 9:01:00 PM   
AbqBill
Hi J,

If you could post the output from the ipconfig /all and route print commands on the Exchange server, it would help us to troubleshoot the problem.

Bill

(in reply to jbrown04)
Post #: 2
RE: BOOK Network behind a Network p.340 - 12.Jan.2005 9:41:00 PM   
jbrown04
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-4D-DF-31
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : XXX.XXX.183.222
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : XXX.XXX.183.254
DNS Servers . . . . . . . . . . . : XXX.XXX.183.207
                                    XXX.XXX.183.216
Primary WINS Server . . . . . . . : XXX.XXX.183.207
Secondary WINS Server . . . . . . : XXX.XXX.183.200

C:\Documents and Settings\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0b cd 4d df 31 ...... HP NC7760 Gigabit Server Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0  XXX.XXX.183.254  XXX.XXX.183.222       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
  XXX.XXX.183.128  255.255.255.128  XXX.XXX.183.222  XXX.XXX.183.222       1
  XXX.XXX.183.222  255.255.255.255        127.0.0.1        127.0.0.1       1
  XXX.XXX.255.255  255.255.255.255  XXX.XXX.183.222  XXX.XXX.183.222       1
        224.0.0.0        240.0.0.0  XXX.XXX.183.222  XXX.XXX.183.222       1
  255.255.255.255  255.255.255.255  XXX.XXX.183.222  XXX.XXX.183.222       1
Default Gateway:   XXX.XXX.183.254
===========================================================================
Persistent Routes:
None

The internal ISA IP is xxx.xxx.183.196. I had to move Exchange back to using the router (xxx.xxx.183.254) as its gateway for now.

Thanks,

James

(in reply to jbrown04)
Post #: 3
RE: BOOK Network behind a Network p.340 - 12.Jan.2005 9:46:00 PM   
tshinder
Hi James,

Do you have a network diagram? If you have multiple networks located behind the default Internal interface of the ISA firewall, then there has to be a layer 3 aware device controlling routing between all those networks. You can configure the default gateway on those devices to use the layer 3 device to simplify things, depending on your setup. But a picture of your design will determine the best and easiest way to go.

HTH,
Tom

(in reply to jbrown04)
Post #: 4
RE: BOOK Network behind a Network p.340 - 12.Jan.2005 11:25:00 PM   
jbrown04
Here is a diagram of the network. The internal interface of the ISA server and Exchange interface are on the same subnet/VLAN.

Thanks,

James


(in reply to jbrown04)
Post #: 5
RE: BOOK Network behind a Network p.340 - 13.Jan.2005 5:28:00 PM   
AbqBill
Hi James,

Just a few quick points to check:

1. The ISA firewall's default gateway should be the inside interface of your PIX; the other interface should not have a default gateway.
2. The ISA firewall should have static routes to subnets 2, 3, and 4.
3. The Exchange server's default gateway should be the inside interface of the ISA firewall.
4. The Exchange server should have the same static routes to subnets 2, 3, and 4 as the ISA firewall, since you don't have a router in between them, and you don't want the ISA firewall to mediate this traffic.

HTH,

Bill

(in reply to jbrown04)
Post #: 6
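An added example (not code from the thread or from any of the posters) that models Bill's point 4 on the Exchange host: a minimal longest-prefix-match lookup over the host route table, before and after the static routes are added, plus the `route -p add` lines those routes correspond to. Addresses taken from the thread (ISA internal .196, router .254, Exchange .222/25) are written here with the placeholder prefix 10.10 in place of XXX.XXX; the "subnet 2/3/4" ranges 10.10.184.0/24, 10.10.185.0/24 and 10.10.186.0/24 are invented for illustration, since the diagram is not reproduced on the page. The point it makes visible is that with ISA as the default gateway and no static routes, every reply to an Outlook client outside the on-subnet /25 is sent to the ISA internal interface, which is traffic between two hosts of the same ISA Network that the firewall is not there to forward; with the routes in place those replies go to the layer 3 device and only Internet-bound traffic still goes to ISA.

```python
"""Model the Exchange host's routing decision before/after adding static routes.

Example added here; not from the thread. The 10.10.x.x addresses replace the
thread's XXX.XXX placeholder, and INTERNAL_SUBNETS are hypothetical.
"""
import ipaddress

# From the thread (prefix replaced by 10.10 as a stand-in for XXX.XXX)
EXCHANGE_IP = ipaddress.ip_interface("10.10.183.222/25")  # Exchange NIC, /25
ISA_INTERNAL = ipaddress.ip_address("10.10.183.196")       # ISA internal IF
LAN_ROUTER = ipaddress.ip_address("10.10.183.254")         # layer 3 device

# Hypothetical "subnet 2, 3, 4" ranges behind the layer 3 device (not from the thread)
INTERNAL_SUBNETS = [
    ipaddress.ip_network("10.10.184.0/24"),
    ipaddress.ip_network("10.10.185.0/24"),
    ipaddress.ip_network("10.10.186.0/24"),
]
# Bill's point 4: the same static routes ISA has, pointing at the router, on Exchange
STATIC_ROUTES = [(net, LAN_ROUTER) for net in INTERNAL_SUBNETS]

ON_LINK = "on-link"
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def build_table(default_gw, static_routes=()):
    """Host route table as (network, next_hop) pairs.

    The on-link entry comes from the NIC's own address/mask; the default route
    from the configured default gateway; static routes from `route add`.
    """
    table = [(EXCHANGE_IP.network, ON_LINK)]
    table.extend(static_routes)
    table.append((DEFAULT_ROUTE, default_gw))
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific matching entry wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


def route_add_commands(static_routes):
    """Persistent Windows routes matching `static_routes` (run on the Exchange box)."""
    return [
        f"route -p add {net.network_address} mask {net.netmask} {gw}"
        for net, gw in static_routes
    ]


def before_and_after(dst):
    """Next hop Exchange uses for `dst` with ISA as default gateway,
    (a) without and (b) with the static routes to subnets 2, 3 and 4."""
    broken = build_table(default_gw=ISA_INTERNAL)
    fixed = build_table(default_gw=ISA_INTERNAL, static_routes=STATIC_ROUTES)
    return next_hop(broken, dst), next_hop(fixed, dst)


if __name__ == "__main__":
    for label, dst in [("client on the on-subnet /25", "10.10.183.200"),
                       ("Outlook client on subnet 2", "10.10.184.50"),
                       ("Internet host", "198.51.100.7")]:
        before, after = before_and_after(dst)
        print(f"{label:28} {dst:15} before: {before!s:16} after: {after}")
    print("\n".join(route_add_commands(STATIC_ROUTES)))
```

Run it and the middle line is the one that matters: the subnet 2 client is reached via the ISA internal interface before the fix and via the router after it, while the on-subnet client stays on-link and the Internet host still goes to ISA in both cases. After adding the routes for real, `route print` on Exchange should list them under Persistent Routes, which is what the `-p` flag buys you across a reboot.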
RE: BOOK Network behind a Network p.340 - 13.Jan.2005 5:36:00 PM   
jbrown04
Thanks for the help, Bill. Everything is in place except the static routes on Exchange. I will add those and test.

James

(in reply to jbrown04)
Post #: 7
RE: BOOK Network behind a Network p.340 - 15.Jan.2005 7:49:00 AM   
jbrown04
Adding the static routes to Exchange solved the problem. Thanks again.

James

(in reply to jbrown04)
Post #: 8
RE: BOOK Network behind a Network p.340 - 15.Jan.2005 7:52:00 AM   
AbqBill
Hi James,

No problem, and thanks for the follow-up.

Bill

(in reply to jbrown04)
Post #: 9
