Welcome to ISAserver.org

RE: Discussion about part 2 of article series on creating a wireless DMZ

RE: Discussion about part 2 of article series on creat... - 4.Apr.2006 10:34:10 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
I went back through all the articles I could find related to DHCP and the articles related to DHCP Relay and I have gone through everything related to DHCP in Tom's ISA Server 2004 book and I still can't get this to work.  Actually I can't get any DHCP communication to work through ISA.  Which is pretty frustrating because this shouldn't be so darn difficult to implement.

My logging shows....

Destination IP: 255.255.255.255
Destination Port: 67
Protocol: DHCP (request)
Action: Denied Connection
Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
Rule: (the rule field is blank)
Client IP: 0.0.0.0
Destination Network: Local Host

I also get the same error regardless if it is a VPN client connecting or a wireless client on my anonymous WAP network trying to pull an address.

I have looked through every thread I could find on these forums and there are a lot of other people who were having this same problem but I never saw an answer posted anywhere.  If anyone knows how to resolve this issue I would greatly appreciate it if they would post the necessary steps that need to be taken.

Thanks.

< Message edited by PCC -- 4.Apr.2006 10:51:12 PM >

(in reply to PCC)
Post #: 21
RE: Discussion about part 2 of article series on creat... - 5.Apr.2006 5:31:54 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi guys,

You know, I often think it's a real shame that they put WAPs on NAT devices, because it confuses the issue more than it needs to be.

In most business environments, they use dedicated WAPs, that don't have NAT devices connected to them. This allows the WAP to act as a traditional network bridge device -- bridging layer 2 network infrastructures. Then when the wireless clients connect, they are subject to firewall policies on a separate device. The network would also have its own DNS, DHCP, WINS, etc service behind the firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to PCC)
Post #: 22
RE: Discussion about part 2 of article series on creat... - 5.Apr.2006 6:03:20 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
Thanks for replying Tom.  I did forget to mention that even if I connect a CAT5 cable to a computer and plug it into the switch I'm using for my wireless network I can't get an IP address from DHCP running on the ISA server or an internal server if I try to relay it.  ISA denies the connection for a DHCP request regardless where it is coming from.  As I said earlier....it even denies them from my VPN clients.  This is very frustrating to say the least.  It should be a slam dunk setup....in my opinion.

Please let me know if you think of anything that might help straighten this out.

Thanks,
Pete

< Message edited by PCC -- 5.Apr.2006 6:05:53 PM >

(in reply to tshinder)
Post #: 23
RE: Discussion about part 2 of article series on creat... - 5.Apr.2006 8:25:38 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
Well, after banging my head against the wall for a couple of days I have finally figured it all out.

My ISP changed our DNS forwarder addresses a while ago and I was trying to use the old addresses because I was looking at outdated documentation.  So I can now use the DNS forwarders to serve DNS to my WAP clients.  And the DHCP server on my ISA server is now serving IP addresses and gateway information to my WAP clients.  It turns out that DHCP wasn't working for one very simple reason (which always seems to be the case).  Somewhere in my firewall rules something was messing it up because of the order they were in.  I moved the DHCP Request and Reply rules to the top and everything works great now.

I have been doing this long enough that I should know enough that if I'm having a problem one of the first things I should do is move the problem rule to the top and see if it still fails.  For whatever reason I didn't think of that until now.  But the good thing is that it's all working now.

Pete

(in reply to tshinder)
Post #: 24
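
The ordering problem Pete describes in post #24, as an added example that is not from the thread or from ISA Server itself: a simplified Python model of ordered, first-match rule evaluation, fed the denied DHCP request from the log in post #21. The rule names and networks are constructed for illustration, and the real ISA policy engine has more match criteria than this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    protocol: str             # "udp", "tcp" or "any"
    dst_port: Optional[int]   # None = any port
    src: str                  # source network, CIDR
    dst: str                  # destination network, CIDR

    def matches(self, pkt: dict) -> bool:
        return (self.protocol in ("any", pkt["protocol"])
                and self.dst_port in (None, pkt["dst_port"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))

DEFAULT_DENY = Rule("Default deny", "deny", "any", None, "0.0.0.0/0", "0.0.0.0/0")

def first_match(rules, pkt):
    """Return (index, rule) for the first rule that matches; later rules are never consulted."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i, rule
    return len(rules), DEFAULT_DENY

def shadowed_by(rules, wanted_name, pkt):
    """Names of earlier rules that catch pkt before the rule expected to handle it."""
    pos = next(i for i, r in enumerate(rules) if r.name == wanted_name)
    return [r.name for r in rules[:pos] if r.matches(pkt)]

def move_to_top(rules, name):
    """The fix from post #24: evaluate the named rule first (stable sort keeps the rest in order)."""
    return sorted(rules, key=lambda r: r.name != name)

# Denied packet from the log in post #21: a client with no address yet, broadcasting to UDP 67.
DHCP_REQUEST = {"protocol": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dst_port": 67}

# Constructed rule set (hypothetical names and networks, not Pete's actual policy).
RULES = [
    Rule("Block unknown sources", "deny", "any", None, "0.0.0.0/32", "0.0.0.0/0"),
    Rule("DMZ web access", "allow", "tcp", 80, "192.168.1.0/24", "0.0.0.0/0"),
    Rule("DHCP Request", "allow", "udp", 67, "0.0.0.0/0", "255.255.255.255/32"),
]

if __name__ == "__main__":
    for label, rules in (("before", RULES), ("after", move_to_top(RULES, "DHCP Request"))):
        _, hit = first_match(rules, DHCP_REQUEST)
        print(label, hit.action, hit.name, shadowed_by(rules, "DHCP Request", DHCP_REQUEST))
```

Running `shadowed_by` against a rule that should be matching names the earlier rules to review, which is a narrower change than moving an allow rule above everything else.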
RE: Discussion about part 2 of article series on creat... - 16.Apr.2006 4:20:20 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pete,

GREAT! Good to hear you got things working and thanks for the follow up!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to PCC)
Post #: 25
RE: Discussion about part 2 of article series on creat... - 8.Nov.2006 11:44:29 AM   
habibalby

 

Posts: 144
Joined: 20.May.2006
From: Kingdom of Bahrain
Status: offline
hi,

I went through this article, but I'm having one problem allowing users to connect from External (Internet) to the ISA VPN Server.

I have done all the things that are required to make a VPN Server, but whenever I try to connect to this setup, I get an Error: 721.

Is there anything that requires more settings to be done?

Thanks,

Habibalby

(in reply to tshinder)
Post #: 26
RE: Discussion about part 2 of article series on creat... - 9.Nov.2006 10:43:04 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
How are IP addresses assigned to the clients?

Also, are the accounts being given dial-up permissions?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to habibalby)
Post #: 27
RE: Discussion about part 2 of article series on creat... - 10.Nov.2006 2:49:46 AM   
habibalby

 

Posts: 144
Joined: 20.May.2006
From: Kingdom of Bahrain
Status: offline
hello tshinder,
The IP Addresses are assigned by the DHCP Server which is on the ISA itself.

Yes, the account does have Dial-in Permission, and I have also tried through the Policy; it is the same.

When I connect a PC to the External Subnet of the ISA Server, I can connect perfectly without any problem. But whenever I try to connect from outside, I face this problem.

I have made sure that the Static NAT in the ADSL router is correct, and all my rules.

P.S.: I have configured RRAS on another server to accept incoming VPN connections, and with it I can establish the connection perfectly without any problem.

http://forums.isaserver.org/VPN_Configuration_Behind_ADSL_NAT_to_ISA_Server/m_2002031614/tm.htm

Any idea?

Thanks,

Habibalby

(in reply to tshinder)
Post #: 28
RE: Discussion about part 2 of article series on creat... - 18.Apr.2007 8:22:17 AM   
mojorisin

 

Posts: 9
Joined: 28.Mar.2007
Status: offline
I know this was all done a while ago, but I have just followed the 2 articles for installing this setup myself, minus the rules for Exchange.

I have ISA 2004 set up with 3 NICs: one internal, one external and one DMZ.

The DMZ NIC has a static address of 192.168.1.1, and I have configured DNS on the ISA server as per the instructions, and also created the rules for DNS access and internet access on the DMZ.

I then plugged in a Linksys wireless router that I had, to act as the wireless connection. I switched on the DHCP server on it and configured it with the range 192.168.1.3 to 192.168.1.15.

When I then connect a client to the wireless router, it is assigned an address of 192.168.1.3, the default gateway is 192.168.1.1 and DNS is 192.168.1.1.

But when I open up Internet Explorer and try to browse the web, it doesn't find any pages.

What am I doing wrong? Getting to the tearing-my-hair-out stage now.


Regards

Mojo


*BUMP*

Anyone?? Please help, going mad here ....lol

< Message edited by mojorisin -- 20.Apr.2007 12:45:45 PM >

(in reply to habibalby)
Post #: 29
RE: Discussion about part 2 of article series on creat... - 21.Apr.2007 12:01:15 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Use a WAP, not a Wireless NAT device.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mojorisin)
Post #: 30
RE: Discussion about part 2 of article series on creat... - 24.Apr.2007 5:02:43 AM   
mojorisin

 

Posts: 9
Joined: 28.Mar.2007
Status: offline
quote:

ORIGINAL: tshinder

Use a WAP, not a Wireless NAT device.

HTH,
Tom


Hi Tom

Thanks very much for the reply. Tried a WAP and, hey presto, 2 weeks of headbanging gone in an instant.

Is it not possible to use a router and just make it as basic as possible to only act as a WAP?

Do you know if it is now possible to get my DMZ clients to go through the SurfControl filter on the ISA server so that we can block and monitor site access? Or will this compromise the ISA in any way?

Thanks for the help, great site you have.

Cheers
Mojo

(in reply to tshinder)
Post #: 31
RE: Discussion about part 2 of article series on creat... - 24.Apr.2007 1:56:20 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mojo,

Some NAT devices can be configured to act only as WAPs. I have a cheapo Belkin NAT device that allows it to be configured for WAP only.

What is the problem with getting the DMZ hosts to use SurfControl? I thought that all connections through the ISA Firewall would be exposed to SurfControl filtering.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mojorisin)
Post #: 32
RE: Discussion about part 2 of article series on creat... - 25.Apr.2007 1:34:44 PM   
mojorisin

 

Posts: 9
Joined: 28.Mar.2007
Status: offline
quote:

ORIGINAL: tshinder

Hi Mojo,

Some NAT devices can be configured to act only as WAPs. I have a cheapo Belkin NAT device that allows it to be configured for WAP only.

What is the problem with getting the DMZ hosts to use SurfControl? I thought that all connections through the ISA Firewall would be exposed to SurfControl filtering.

HTH,
Tom


SurfControl only monitors the domain users, not the DMZ clients. Not sure if I can get it to monitor them as well (would be handy, then I can set rules to restrict certain sites and bandwidth).

After setting up the wireless AP and getting it working, I have had to change it to a newer model as it didn't support WPA, so I got a Netgear WG602v3. Although it has DHCP on it, it looks to the network DHCP server and doesn't seem to have a built-in one like the old 3Com one I was using, where I just set up a range to hand out myself.

Is it possible to set up DHCP on the ISA server to only service requests from the DMZ clients?

Thanks for your help, much appreciated.

Mojo

(in reply to tshinder)
Post #: 33
RE: Discussion about part 2 of article series on creat... - 25.Apr.2007 2:02:24 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
Yes you can set up DHCP on the ISA server.  You just need to make sure you only bind it to the NIC for the DMZ you want it to serve.

(in reply to mojorisin)
Post #: 34
RE: Discussion about part 2 of article series on creat... - 26.Apr.2007 5:50:04 AM   
mojorisin

 

Posts: 9
Joined: 28.Mar.2007
Status: offline
quote:

ORIGINAL: PCC

Yes you can set up DHCP on the ISA server.  You just need to make sure you only bind it to the NIC for the DMZ you want it to serve.


Do you know what the best way to configure this is?

I.e., install DHCP, then what?

Also, would this give the internal IPs, or can I specify a 192.168.x.x range like I had set up on the old 3Com WAP?

(in reply to PCC)
Post #: 35
RE: Discussion about part 2 of article series on creat... - 26.Apr.2007 9:42:28 AM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
After you install DHCP on the ISA server you need to set it up to hand out addresses with a different IP range than you are using on your internal network (whatever the range is being used on the NIC for that network segment on the ISA server).  You will also probably want to set the scope or server options for the "Router" and "DNS Servers".  Once you get the server set up you need to right click on it and select the properties option from the menu.  Then select the advanced tab.  On the advanced tab you will see a "Bindings" button.  Click on the bindings button and only check the box for the NIC that is on the network segment you want to serve addresses to.

Note: You can also set up a DNS server on the ISA server to serve only your wireless network.  You do it in basically the same way.  Set it up and only allow it to listen on the NIC you want to serve.

HTH

< Message edited by PCC -- 26.Apr.2007 9:44:45 AM >

(in reply to mojorisin)
Post #: 36
RE: Discussion about part 2 of article series on creat... - 26.Apr.2007 12:37:28 PM   
mojorisin

 

Posts: 9
Joined: 28.Mar.2007
Status: offline
quote:

ORIGINAL: PCC

After you install DHCP on the ISA server you need to set it up to hand out addresses with a different IP range than you are using on your internal network (whatever the range is being used on the NIC for that network segment on the ISA server).  You will also probably want to set the scope or server options for the "Router" and "DNS Servers".  Once you get the server set up you need to right click on it and select the properties option from the menu.  Then select the advanced tab.  On the advanced tab you will see a "Bindings" button.  Click on the bindings button and only check the box for the NIC that is on the network segment you want to serve addresses to.

Note: You can also set up a DNS server on the ISA server to serve only your wireless network.  You do it in basically the same way.  Set it up and only allow it to listen on the NIC you want to serve.

HTH



Thanks for that. One other thing: what would the rule setup be to allow the traffic through ISA?

Many thanks

(in reply to PCC)
Post #: 37
RE: Discussion about part 2 of article series on creat... - 26.Apr.2007 12:59:51 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I've done articles on this site, and it's in the book, on how to make the ISA Firewall a DHCP server. Also done articles, which are on this site, on how to allow DMZ hosts to use a DHCP server on the Internal network.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mojorisin)
Post #: 38
RE: Discussion about part 2 of article series on creat... - 26.Apr.2007 1:07:22 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
Like Tom said, there are articles on this site that he has done.  Just search the site and you will find them.  That's how I learned to set it up.

(in reply to tshinder)
Post #: 39
RE: Discussion about part 2 of article series on creat... - 27.Apr.2007 5:55:29 AM   
mojorisin

 

Posts: 9
Joined: 28.Mar.2007
Status: offline
quote:

ORIGINAL: PCC

Like Tom said, there are articles on this site that he has done.  Just search the site and you will find them.  That's how I learned to set it up.



All working, and it's even being filtered through SurfControl, so I am happy.

Thanks for the help.

cheers
Mojo

(in reply to PCC)
Post #: 40
