I am trying to figure out if this will work in my scenario.
I have a Nokia Checkpoint controlled by a third party. They have set us up a DMZ, and in that DMZ we have installed an SMTP gateway server. Previously the firewall just NAT'd port 25 and 80 traffic to the internal Exchange server 172.16.100.234. Now we have mail sent to the server in the DMZ with a route statement, and then the gateway server forwards the mail to the Exchange server. I have built a server with Windows 2003 and ISA 2000 to publish the Web Access to. This server is sitting in the DMZ, and I cannot get web access to work. I have the Feature Pack and all of the Service Packs loaded. Will ISA 2004 with a single NIC work in this scenario, or will 2000 work and I just can't get it set up right?
The ISP colo config for ISA 2000 firewalls could do the same thing. Check out the article on that subject and test it out in your test lab and I think you'll find it works with both ISA 2000 and ISA 2004 firewalls.
I have been having a bear of a time getting this working. Not all of the problems have been ISA related.
Here is what I have; maybe it's not a colo config issue.
When I took over the project this was the config (the IP addresses have been changed to protect the innocent). Certificate is in place for mail.domain.com. Checkpoint firewall with DMZ set up, 66.66.66.160/28. MX record mail.domain.com points to 66.60.66.162 (this is just a route on the firewall, there is no device on this IP). A NAT rule forwards 80, 443, and 25 to 172.16.100.234. No problems, everything works, mail flows, OWA works fine.
The plan: install an SMTP gateway server running Symantec Mail Security 4 for scanning incoming mail and adding a disclaimer to outgoing mail. The server is given the address 66.66.66.162 and configured to forward mail to the Exchange server, and the Exchange server is set up to use it as smart host. No problems, email goes in and out. OWA of course is now broken (expected effect). The ISA server is built, with Windows 2003 and ISA Server 2000 with SP1, SP2 and the Feature Pack. The usual setup of ISA is in place, using the settings from Configuring ISA Server Interface Settings:
Outside NIC: 66.66.66.166/28, default gateway 66.66.66.161, no DNS
Inside NIC: 172.16.98.110/24, no default gateway, internal DNS 172.16.100.240 and 172.16.100.105
I exported the certificate and imported it into the ISA server. I created a hosts file with:
66.66.66.162 mail.domain.com
172.16.100.234 server.internaldomain.com
I ran through the OWA wizard and published all the info no problems.
I tried to get to the website via https://66.66.66.162/exchange and I got a certificate message (expected, because I can't use mail.domain.com/exchange because of the SMTP gateway; a new certificate is in the works), then I get: 403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) Internet Security and Acceleration Server
The internal Exchange server is using 172.16.100.254 as the default gateway. If I use 172.16.98.110, which is the internal IP of the ISA server, my remote sites can't get into Exchange (a problem not associated with ISA, but a problem I do not have control over). I tried uninstalling and installing ISA 2004 to make it easier; it has made the problems worse. I have rebuilt the server (the uninstall of ISA didn't work). So now I have a fresh 2003 install with ISA 2000 and the service and feature packs.
Now what? Do I need to maybe use the "route add" command? I have been working on this for a week.
In order to clear the "403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) Internet Security and Acceleration Server" error make sure the exchweb virtual web has anonymous access enabled....
RE: Discussion about the ISP colo configuration article - 15.Apr.2005 2:56:00 PM
Guest
I installed and configured ISA Server 2004 first and it's up and running with the External (10.0.0.32), Internal (192.168.1.32) and Perimeter (192.168.2.32) networks set up on three different network cards.
Now I would like to add IIS to the box and set up a web site. I have installed IIS and followed the instructions for disabling socket pooling for the IIS service by issuing the command "httpcfg set iplisten -i 192.168.2.32" (I figured I wanted to serve my IIS site on the Perimeter NIC address). I have also set the IP address of the web site to "192.168.2.32".
The problem is that when I start the IIS service, I get the following entries in the Event Log:
- Unable to bind to the underlying transport for 0.0.0.0:80. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
- Cannot register the URL prefix 'http://192.168.2.32:80/' for site '1'. The site has been deactivated. The data field contains the error number.
I have also tried to create a Microsoft Loopback Adapter with the address 192.168.2.22, but I get the same errors in the Event Log.
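The two event-log entries above come from HTTP.sys, which binds each address in its IP listen list individually and refuses to register a site's URL prefix when the listen list is restricted to addresses the site does not use. The script below is an added example, not code from the thread, from ISA Server or from IIS: it audits a listen list against the addresses actually configured on the host and against the site bindings. The `httpcfg query iplisten` output format, the local address list and the site bindings are constructed samples; the sample deliberately includes a listen-list entry (192.168.2.22) that no local interface carries, to show what the "may contain a reference to an interface which may not exist" condition looks like.

```python
"""Audit an HTTP.sys IP listen list against the host's real addresses.

Added example for the thread above; not part of the forum post, ISA or IIS.
"""
import ipaddress
import re

# Constructed sample of `httpcfg query iplisten` output (layout assumed).
SAMPLE_IPLISTEN = """\
    IP                  : 192.168.2.32
    IP                  : 192.168.2.22
"""

# Constructed: addresses the box really carries. The loopback adapter here
# was given 192.168.2.20, so 192.168.2.22 in the listen list has no home.
SAMPLE_LOCAL_ADDRESSES = ["10.0.0.32", "192.168.1.32", "192.168.2.32", "192.168.2.20"]

# Constructed site bindings as (site_id, ip, port); "0.0.0.0" = All Unassigned.
SAMPLE_SITE_BINDINGS = [
    ("1", "192.168.2.32", 80),
    ("2", "0.0.0.0", 80),
    ("3", "192.168.1.32", 80),
]


def parse_iplisten(text):
    """Extract IPv4 addresses from httpcfg-style 'IP : a.b.c.d' lines."""
    found = []
    for line in text.splitlines():
        m = re.search(r"IP\s*:\s*(\S+)", line)
        if m:
            # ip_address() validates and normalises the text.
            found.append(str(ipaddress.ip_address(m.group(1))))
    return found


def check_listen_list(listen_ips, local_addresses):
    """Return listen-list entries that no local interface carries.

    HTTP.sys binds each entry separately; an entry that is not a local
    address cannot be bound, which is what the 'IP Listen-Only list may
    contain a reference to an interface which may not exist' event reports.
    """
    local = set(local_addresses)
    return [ip for ip in listen_ips if ip != "0.0.0.0" and ip not in local]


def check_site_bindings(site_bindings, listen_ips):
    """Return sites bound to a specific IP outside a restricted listen list.

    With a non-empty listen list and no 0.0.0.0 wildcard, HTTP.sys listens
    only on the listed addresses, so a site bound to any other address
    cannot have its URL prefix registered. All Unassigned sites are fine:
    they follow whatever HTTP.sys listens on.
    """
    if not listen_ips or "0.0.0.0" in listen_ips:
        return []
    listen = set(listen_ips)
    problems = []
    for site_id, ip, port in site_bindings:
        if ip != "0.0.0.0" and ip not in listen:
            problems.append((site_id, "http://%s:%d/" % (ip, port)))
    return problems


def audit(iplisten_text, local_addresses, site_bindings):
    """Run both checks and return a small report dictionary."""
    listen_ips = parse_iplisten(iplisten_text)
    return {
        "listen_ips": listen_ips,
        "missing_on_host": check_listen_list(listen_ips, local_addresses),
        "unregisterable_sites": check_site_bindings(site_bindings, listen_ips),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_IPLISTEN, SAMPLE_LOCAL_ADDRESSES, SAMPLE_SITE_BINDINGS)
    for key, value in report.items():
        print("%-22s %s" % (key, value))
```

On a real host the two constructed inputs would be replaced by the output of `httpcfg query iplisten` and the addresses from `ipconfig`; the checks themselves do not change. The point of the audit is that a firewall box only ever exposes IIS on the address you chose, so a stale listen-list entry is worth catching before it silently deactivates a site.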
Hi Tom, I've read through your article 'ISP colo configuration', which is similar to what I want to do regarding publishing an ftp server, but I'm unsure on a few things as we are already running ISA, and the single NIC is set as the Internal Network (not sure if this is my problem, but it works ok for the OWA rule). I was wondering if you could help me out please; explanation below:
We have the following setup of ISA server, that at the moment is only being used to publish our OWA for exchange 2003, which works great but I would like to publish an ftp server on the corp network using the ISA server:
Internet | Checkpoint FW -- DMZ with ISA Server (single NIC config 192.168.69.11, gateway is the NIC on the CP FW which does the routing) | Corp Network (webmail, ftp server)
The ISA rule base is very small:
1: OWA rule
2: ftp test rule!
3: Default Last Rule
I've tried setting up a server publishing rule for ftp, but it's getting dropped on the default rule.
I wanted to ask: for this to work on the existing setup, will I have to set up a virtual NIC, install IIS/ftp and reconfigure the port mapping as per your article? If the ISA server had two NICs (working like a proper FW), would you still need to install IIS/ftp for the ISA server to listen for ftp, or because it's in the proper two-NIC setup would it listen on the external adapter?
Sorry if the explanation is a bit rough. If you would like me to elaborate on anything please ask.