RE: Discussion about article on Intradomain Communications through the ISA Firewall
All Forums >> [ISA Server 2004 Firewall] >> DMZ >> RE: Discussion about article on Intradomain Communications through the ISA Firewall Page: <<   < prev  1 2 [3]
RE: Discussion about article on Intradomain Communicati... - 25.Jul.2005 11:36:00 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jbarsodi:
How does this install change if you're using a back to back firewall config vs. 3 interfaces on a single firewall?

Hi John,

Should be no difference, as long as you have a ROUTE relationship between the DMZ's ISA firewall Network and the ISA firewall Network where the authentication servers are located.

HTH,
Tom

(in reply to tshinder)
Post #: 41
RE: Discussion about article on Intradomain Communicati... - 14.Sep.2005 2:04:00 PM   
jbarsodi

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
Hello Tom, a question regarding this article and the front-end/back-end article. In both you state to set this key. How will this impact the other servers in my environment, i.e. SQL boxes, file servers? Do I need to set this key on them too? Would it be easier to use the RPC filter to control the communication from the front-end box/member server to my domain controllers and back-end email server?

Thanks for any advice!

quote:
You need to add a DWORD value named TCP/IP Port and set the value to the port you want to use. You'll need to carry out this procedure on each of the domain controllers in your domain.

Perform the following steps on each of the domain controllers in your domain to change the RPC replication port to 50000:

1. Click Start and click Run. In the Open text box enter Regedit and click OK.
2. Go to the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

3. Click the Edit menu and point to New. Click DWORD Value.
4. Rename the entry from New Value #1 to TCP/IP Port, then double click the entry.
5. In the Edit DWORD Value dialog box, select the Decimal option. Enter 50000 in the Value data text box. Click OK.
6. Restart the domain controller.

and again here:

quote:
If you want access to features requiring Remote Procedure Calls, such as authentication or implicit logon, but do not want to open the wide range of ports above 1024, you can configure your domain controllers, global catalog servers, and all other back-end servers to use a single known port for all RPC traffic.

In order to authenticate clients, the registry key must be set on all servers the front-end server may contact via RPC (for example, your global catalog server). This can be any port not already in use. In the following example we will set the following registry key to a specific port, such as 1600:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NTDS\Parameters

Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)

We will configure the back-end Exchange Server to use TCP port 1600 for RPC connections.

Perform the following steps to create the Registry value on the back-end Exchange Server:

1. Click Start and then click Run.
2. In the Run dialog box, enter regedit in the Open text box and click OK.
3. In the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NTDS\Parameters

4. Click Edit, point to New and click DWORD Value.
5. Change the name of New Value #1 to TCP/IP Port and press ENTER.
6. Double click the TCP/IP Port value.
7. In the Edit DWORD Value dialog box, select the Decimal option. In the Value data text box, enter 1600. Click OK.
8. Close the Registry Editor.


(in reply to tshinder)
Post #: 42
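The quoted procedure above, done from PowerShell rather than by hand in Regedit, as an added example that is not from the article or from any poster. It uses the key path and the port 50000 from the first quoted procedure; the check that nothing already listens on the chosen port, and the read-back verification before the restart, are additions not in the article.

```powershell
# Added example: pin NTDS RPC to a single TCP port on a domain controller and
# verify the value before rebooting. Run elevated on each domain controller.
# Key path and default port are taken from the first quoted procedure; the
# port-in-use check is an extra safeguard that the article does not mention.
param(
    [int]$Port = 50000
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'TCP/IP Port'

# The article says "any port not already in use"; stay out of the well-known range.
if ($Port -lt 1024 -or $Port -gt 65535) {
    throw "Port must be between 1024 and 65535; got $Port"
}

# Refuse to pin NTDS to a port another service already listens on, otherwise
# lsass cannot bind it after the restart and replication/RPC silently fails.
$inUse = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if ($inUse) {
    throw "TCP port $Port is already in use by PID $($inUse.OwningProcess); choose another port"
}

# Create the REG_DWORD (or overwrite an existing one with -Force).
New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Port -PropertyType DWord -Force | Out-Null

# Read it back: a REG_SZ or a hex-vs-decimal slip here is the classic mistake
# when the value is typed in by hand, so confirm both kind and value.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
$kind    = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
if ($kind -ne 'DWord' -or $current -ne $Port) {
    throw "Verification failed: '$ValueName' is $kind $current, expected DWord $Port"
}

Write-Host "'$ValueName' = $Port (REG_DWORD) under $KeyPath."
Write-Host "Restart the domain controller to apply, then confirm with:"
Write-Host "  Get-NetTCPConnection -State Listen -LocalPort $Port   # OwningProcess should be lsass"
```

After the reboot the firewall access rule between the DMZ and Internal networks only needs this one port for RPC instead of the whole dynamic range above 1024, which is the point of the procedure.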
RE: Discussion about article on Intradomain Communicati... - 16.Oct.2006 3:37:15 AM   
Stoneink

Posts: 8
Joined: 1.Sep.2004
From: Sydney
Status: offline
Hi Tom
I've been trying to get this to work, but I think I must have made a stupid mistake because Pings from the DMZ server to the Domain Controller do not work.


On trying to join the DMZ server to the network I get

"DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain  #internalnetworkname#
The query was for the SRV record for _ldap._tcp.dc._msdcs.#internalnetworkname#
The following domain controllers were identified by the query:
#dcname#.#internalnetworkname#
Common causes of this error include :
Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running."

Also, none of the connections shown in the sample trace log http://www.isaserver.org/img/upl/Image29251094813190921.gif show up for me, leading me to further believe that there is a problem routing from 192.168.2.x (DMZ) to 192.168.0.x (Internal).


Given that the DNS is resolving the correct name of the domain controller, it would seem to be a routing issue... unfortunately I can't work out why or what I need to do to resolve it.

Thanks



Network relationships 
DMZ <-> Internal (Route)
DMZ -> External (NAT)
Internal -> External (NAT)


ISA Server
Internal NIC  IP:192.168.0.200, no gateway, DNS = 192.168.0.200 (self)
DMZ NIC IP: 192.168.2.2, no gateway, no DNS
External NIC IP: 192.168.1.3, gateway = 192.168.1.1, no DNS
(192.168.1.1 is the local IP of the ADSL modem)

DMZ Server
192.168.2.5
DNS & Gateway 192.168.2.2 (ISA Server)

DC Server
192.168.0.1, no gateway, DNS = 127.0.0.1


Edit:
Ok, just added an additional network rule :-
DMZ Member Server -> Internal (NAT)
and pings resolve, joining the domain works etc etc

Obviously I misunderstood things. I thought Route network rules were bi-directional, so that the DMZ <-> Internal (Route) rule I already had should have (in my understanding) allowed traffic both to and from the DMZ to the Internal network (provided it adhered to the Firewall policy access rules I have configured)... it seems that belief was wrong.


Is there a consequence to the new NAT rule which I haven't thought of, that will cause me problems?

< Message edited by Stoneink -- 16.Oct.2006 7:41:09 PM >

(in reply to tshinder)
Post #: 43
RE: Discussion about article on Intradomain Communicati... - 20.Jan.2007 9:39:32 PM   
bhavin78

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Hi Tom,
I have a couple of questions.

1) I want to create two DMZs. One will have a server that is not a member of the domain but still needs to talk to SQL, and an FTP server which will need to copy files to the internal network. What access rule do I need for the web server to access data from SQL?
2) A DMZ with servers which are members of the domain [Exchange (not a front end; it is the only Exchange server), TS Server].
My ISA is a domain member (is it secure, or should I change it?)
I have started working on #1, but when I try to access a website (ASP and ASP.NET site) I get this error:
HTTP Error 403.1 - Forbidden: Execute access is denied.
Internet Information Services (IIS)
1433 is allowed from DMZ-Internal.



I created a simple website with a .htm page and I don't have any problem opening this site from any network.

< Message edited by bhavin78 -- 20.Jan.2007 10:04:13 PM >

(in reply to Stoneink)
Post #: 44
RE: Discussion about article on Intradomain Communicati... - 19.Mar.2008 5:28:43 PM   
thejamie

Posts: 1
Joined: 19.Mar.2008
Status: offline
Tom,

I would like to use your column's idea for an intradomain by substituting a router for the computer as the "DMZ Member Server".  Is this possible?  I have listed the detail below:

I log into my home network which is wireless and on an IP separate from the domain behind the ISA 2004 firewall.  The wireless is secured with only a NAT.  The users all have personal firewalls for protection.  The network is connected to a different IP and your column suggested to me that there may be an easier method of logging into my domain.  Currently I login by creating a VPN to the domain and then accessing by RDP to the servers when needed.

In my case, there is no server in what would be the DMZ.  There is only my machine and the others in the home who are behind the wireless router - which is on 192.168.1.0 (Gateway 192.168.1.1).

Jamie

(in reply to tshinder)
Post #: 45