
Welcome to ISAserver.org


Back to Back

All Forums >> [ISA Server 2000 Firewall] >> DMZ >> Back to Back Page: [1]
Back to Back - 13.Jun.2001 11:10:00 PM
erocanas (Posts: 12, Joined: 13.Jun.2001, From: ny,ny,usa)
Have ISA server with published E2k server, and everything working well.
Want to integrate E2k Front End (OWA and for SMTP connector) in back-to-back network, and having great difficulty.

-I put only the private network in the Internal ISA LAT.
-I put the OWA IP and the external nic of the Internal ISA in the External ISA.
-I opened all ports on the Internal ISA server (testing purposes).
-Default gateway of external nic of Internal ISA points to internal nic of External ISA.
-Default gateway of internal nic of External ISA points to external nic of Internal ISA.
-I have internal DNS (AD integrated).
-Internal DNS server forwards to ISP's DNS
-DNS for external nics of both ISA servers point to ISP's DNS
-DNS of E2k Front End server on perimeter network points to internal DNS server
-Default Gateway of E2k Front End is internal nic of External ISA
-On E2k Front End, I have added route to private network, via the external nic on Internal ISA.

It is not working. And I have absolutely no idea where to go from here.

Does Tom's book cover DNS, Default Gateways, LAT, etc for Back-to-back? If so, I'm headed to Barnes and Noble tonight.

Thanks in advance for any help.

Post #: 1
RE: Back to Back - 14.Jun.2001 3:23:00 AM
jrossman (Posts: 48, Joined: 12.Jun.2001, From: Beaverton, OR, US)
Pages 595-599 back to back. Pages 84, 86, 525, 165, 617, 225-227, 213, 240-241, 616-617, 819 DNS. Very good book and I am only like three quarters through it.

(in reply to erocanas)
Post #: 2
RE: Back to Back - 14.Jun.2001 4:03:00 AM
erocanas (Posts: 12, Joined: 13.Jun.2001, From: ny,ny,usa)
I am posting this in General Issues as well. I hope that is okay.

Exchange services on E2k Front End server will not even start (SA can't see Active Directory). Furthermore, logging in with cached info (cannot see domain controllers to authenticate).

Apparently, even though I opened all ports, the perimeter network servers cannot access the internal network.

After reading other posts, I gather I must publish all services (DNS, authentication, global catalog, Kerberos, RPC, Netlogon), or create a VPN from the perimeter to the internal network.

Microsoft clearly states in just about all their Front End/Back End literature, that appropriate ports must be opened on the internal firewall.

So why do I have to publish? Why won't the traffic be routed to the internal network?

Does Tom's book cover these specifics? If not, are there any references anyone can point me to?

Again, thanks in advance.


(in reply to erocanas)
Post #: 3
RE: Back to Back - 14.Jun.2001 6:47:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by jrossman:
Pages 595-599 back to back. Pages 84, 86, 525, 165, 617, 225-227, 213, 240-241, 616-617, 819 DNS. Very good book and I am only like three quarters through it.

Hi J,

Thanks for the kind words about the book!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Get It Here


(in reply to erocanas)
Post #: 4
RE: Back to Back - 14.Jun.2001 6:50:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by erocanas:
I am posting this in General Issues as well. I hope that is okay.

Exchange services on E2k Front End server will not even start (SA can't see Active Directory). Furthermore, logging in with cached info (cannot see domain controllers to authenticate).

Apparently, even though I opened all ports, the perimeter network servers cannot access the internal network.

After reading other posts, I gather I must publish all services (DNS, authentication, global catalog, Kerberos, RPC, Netlogon), or create a VPN from the perimeter to the internal network.

Microsoft clearly states in just about all their Front End/Back End literature, that appropriate ports must be opened on the internal firewall.

So why do I have to publish? Why won't the traffic be routed to the internal network?

Does Tom's book cover these specifics? If not, are there any references anyone can point me to?

Again, thanks in advance.


Hi Erocanas,

We ran out of time before we could go over the specifics of how to configure intradomain communications between a server on the DMZ and on the internal network. We'll have a tutorial on this in the next few weeks, or include it in our upcoming "ISA Server Experts Journal" which will be available sometime in the near future.

However, you might check out:
http://support.microsoft.com/support/kb/articles/Q179/4/42.ASP

to help with configuring the publishing rules. However, the best way might be to configure a VPN between the server on the DMZ and the internal network.

HTH,
Tom


(in reply to erocanas)
Post #: 5
RE: Back to Back - 15.Jun.2001 12:28:00 AM
erocanas (Posts: 12, Joined: 13.Jun.2001, From: ny,ny,usa)
Okay, but why shouldn't the traffic be routed?

For example, if I open TCP, UDP 53, and the DMZ server is pointed to DNS server on the internal network, why can't it resolve names?

The IP log shows that the request is allowed, but the server does not get answer.


(in reply to erocanas)
Post #: 6
RE: Back to Back - 15.Jun.2001 12:52:00 AM
oslob (Posts: 7, Joined: 15.Jun.2001, From: Tamuning, GU, Guam)
quote:
Originally posted by tshinder:
Hi Erocanas,

We ran out of time before we could go over the specifics of how to configure intradomain communications between a server on the DMZ and on the internal network. We'll have a tutorial on this in the next few weeks, or include it in our upcoming "ISA Server Experts Journal" which will be available sometime in the near future.

However, you might check out:
http://support.microsoft.com/support/kb/articles/Q179/4/42.ASP

to help with configuring the publishing rules. However, the best way might be to configure a VPN between the server on the DMZ and the internal network.

HTH,
Tom


I've got my second 'external' server prepped and ready, just waiting for those answers... it's great to know we'll soon be enlightened!

Also, I'm interested in providing VPN and terminal service access to the internal network in a back-to-back configuration; it's working well with a single firewall and I'd hate to mess it up.

The KB article above begs the question: Do we want to make one or both ISA 'bastion hosts' domain members, in the remote chance that they are compromised?

tia,

Tom Smith


(in reply to erocanas)
Post #: 7
RE: Back to Back - 15.Jun.2001 1:36:00 PM
erocanas (Posts: 12, Joined: 13.Jun.2001, From: ny,ny,usa)
Another question. How would we create a VPN that would connect before the services (Exchange, Netlogon, etc) start?

Otherwise, if the server rebooted, it would be non-functional.


(in reply to erocanas)
Post #: 8
RE: Back to Back - 15.Jun.2001 7:14:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by erocanas:
Okay, but why shouldn't the traffic be routed?

For example, if I open TCP, UDP 53, and the DMZ server is pointed to DNS server on the internal network, why can't it resolve names?

The IP log shows that the request is allowed, but the server does not get answer.


Hi Erocanas,

The traffic cannot be routed from a public to a private network, since it has to be translated. Therefore, you have to publish resources on the internal network that you want external network resources to access.

HTH,
Tom


(in reply to erocanas)
Post #: 9
RE: Back to Back - 15.Jun.2001 7:16:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by erocanas:
Another question. How would we create a VPN that would connect before the services (Exchange, Netlogon, etc) start?

Otherwise, if the server rebooted, it would be non-functional.


That's a good question. There are some Q articles on configuring the services startup order. I don't have them with me, but perhaps someone here has them easily available?

Tom


(in reply to erocanas)
Post #: 10
RE: Back to Back - 15.Jun.2001 8:12:00 PM
erocanas (Posts: 12, Joined: 13.Jun.2001, From: ny,ny,usa)
Tom, how the heck did you figure out to VPN in? It does work. However, I did have to restart Netlogon and all the Exchange services.

I suppose a script to execute in the RUN registry key to restart all services will work.

However, I will try to create a service that VPNs in and is a dependency for all other services. Unless someone can think of a simpler and more obvious way to fix this?


Now, the tough question: Won't having a VPN connection to the internal network at all times create a security risk?????????



(in reply to erocanas)
Post #: 11
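One way to sequence the startup the way the last few posts discuss (dial in first, start Netlogon and Exchange only once a domain controller answers through the tunnel), written as an added example that is not part of the original thread and in PowerShell rather than the scripting available in 2001. The phonebook entry name, the DC address and the Exchange service names are assumptions.

```powershell
# Added example, not from the thread. Runs on the DMZ front-end host at boot
# (e.g. as a startup scheduled task) with the listed services set to Manual:
# dial the VPN into the internal network, wait until a domain controller is
# reachable through it, then start Netlogon and the Exchange services in order.

$VpnEntry   = 'Internal-ISA-VPN'   # assumed RAS phonebook entry (credentials saved with it)
$DcAddress  = '10.0.0.10'          # assumed internal DC, also the internal DNS server
$Services   = @('Netlogon', 'MSExchangeSA', 'MSExchangeIS')   # start in this order
$TimeoutSec = 300

function Connect-InternalVpn {
    param([string]$Entry)
    # rasdial with only the entry name uses the credentials stored for that entry
    $output = & rasdial.exe $Entry 2>&1
    if ($LASTEXITCODE -ne 0) { throw "rasdial '$Entry' failed: $output" }
}

function Test-TcpPort {
    param([string]$Address, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # short per-attempt timeout so the loop in Wait-ForDc controls the total wait
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Wait-ForDc {
    param([string]$Address, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        # LDAP (389) answering proves the tunnel is up and the return route works
        if (Test-TcpPort -Address $Address -Port 389) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

Connect-InternalVpn -Entry $VpnEntry
if (-not (Wait-ForDc -Address $DcAddress -Timeout $TimeoutSec)) {
    Write-Error "No domain controller reachable at $DcAddress after $TimeoutSec s; services left stopped"
    exit 1
}
foreach ($svc in $Services) {
    Start-Service -Name $svc -ErrorAction Stop   # also starts declared dependencies
    Write-Output "Started $svc"
}
```

Leaving the services stopped when the DC never answers is deliberate: an Exchange front end that starts without reaching AD behaves exactly like the failure described in Post #3, so failing loudly is easier to diagnose than a half-started box.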
RE: Back to Back - 21.Jun.2001 5:09:00 AM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by erocanas:
Tom, how the heck did you figure out to VPN in? It does work. However, I did have to restart Netlogon and all the Exchange services.

I suppose a script to execute in the RUN registry key to restart all services will work.

However, I will try to create a service that VPNs in and is a dependency for all other services. Unless someone can think of a simpler and more obvious way to fix this?


Now, the tough question: Won't having a VPN connection to the internal network at all times create a security risk?????????


Hi erocanas,

How did I figure it out? Trial and error. I've discovered the power of trial and error over and over again. I almost don't even think about what I'm doing now. I just try a bunch of things and do them over and over and document what I had done so that when something works, I know what it was.

It's the scientific method applied to network admin.

I don't believe having an open VPN connection represents much of a security hole, as no other machine can use the VPN. However, if someone compromises the machine, they may be able to exploit the open ports. It's always a balance between security and functionality.

HTH,
Tom


(in reply to erocanas)
Post #: 12
