Welcome to ISAserver.org

multiple publicly routable External IP's

multiple publicly routable External IP's - 21.Mar.2008 5:53:07 PM   
tony_b

 

Posts: 5
Joined: 21.Mar.2008
Status: offline
Hi All,

I am having an issue setting up ISA 2006. I have a 3 leg approach. And almost all is going well, including all LAN/VPN/DMZ routing.

My issue is that I have a range of public IPs that are in the same subnet range. These public IPs need to map directly to DMZ private IPs.

If I add these public IPs to the External Network Interface, how do I set up an address forward? Am I going about this the right way? Is this possible in ISA?

Any direction appreciated.

Tony

Post #: 1
RE: multiple publicly routable External IP's - 21.Mar.2008 7:51:37 PM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
ISA does not do "Static NAT Translation", which is what you're thinking of. Instead, ISA performs "reverse proxy" by listening for connections on the external interface and making a proxy connection to the appropriate internal / perimeter server.

You should review some of the how-to articles here on publishing servers, and then post back here if you have specific questions.

Glenn

(in reply to tony_b)
Post #: 2
RE: multiple publicly routable External IP's - 22.Mar.2008 6:43:58 AM   
tony_b

 

Posts: 5
Joined: 21.Mar.2008
Status: offline
Thanks for the reply Glenn,

This is what I feared. Does this mean that I can only have an external port listening and reverse proxying to one internal server? i.e. port 80 on the ISA external interface cannot reverse proxy to two different DMZ servers, based upon the URL in the header or any other method?

Is there no way of assigning the DMZ servers publicly routable IPs, and just have the routing going through the ISA server with some port blocks?

It is looking like I may have to look for an alternative system that can handle the way I need the DMZ machines to be referenced.

Cheers,

Tony


(in reply to gbarnas)
Post #: 3
RE: multiple publicly routable External IP's - 22.Mar.2008 8:23:43 AM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Yes, you can use host header routing. I have a single IP, listening on port 80, and reverse proxying to two internal servers based on the URL. Your problem will be SSL traffic, which can't use host-headers. I also have clients with multiple IPs on the ISA edge server, routing traffic in to several internal and/or perimeter servers.

You could use public addresses in the DMZ and create rules to permit specific traffic in using a ROUTE relationship, but this is less secure than publishing, and you described your network as having private addresses in the DMZ.

I'd be quite surprised if ISA could not handle what you needed, one way or another.

Glenn

(in reply to tony_b)
Post #: 4
RE: multiple publicly routable External IP's - 22.Mar.2008 1:45:27 PM   
tony_b

 

Posts: 5
Joined: 21.Mar.2008
Status: offline
Great, I have found that creating a new protocol (opening all the required ports) can be used by multiple published servers, restricting which server is accessed from the destination external IP. Therefore allowing a 1-to-1 mapping on external IPs to Local IP DMZ servers. I was only missing one thing, the address selector on the network settings of the published server. Exactly what I was looking for!

I now have a problem of an ISA published web server not seeing the correct HTTP host header. The Apache web server hosts different sites based upon host header URL. For some reason the web server is always dishing out the default site.

Tony

(in reply to gbarnas)
Post #: 5
RE: multiple publicly routable External IP's - 22.Mar.2008 7:43:06 PM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
I'll let you dig just a bit. ;)  (besides, I can't put my hands on my Apache config until Monday).

Look for the parameter "requests appear to come from" in the rule. They can come from the client or from ISA. You probably want "client" setting. I had to tweak it this way when I published an Apache web server at work.

Glenn

(in reply to tony_b)
Post #: 6
RE: multiple publicly routable External IP's - 24.Mar.2008 6:21:29 AM   
tony_b

 

Posts: 5
Joined: 21.Mar.2008
Status: offline
I have dug and dug.

For the life of me I cannot get anything other than the default site to display. I know that the publishing itself is working: if I disable the publishing rule I get an error for the non-default sites rather than the default pages. I have also tried every header option in the rule properties.

The Apache server was working before the ISA upgrade from IPChains, and I have changed the NameVirtualHost options to the new internal IP address in Apache's httpd.conf.

Any help would be appreciated.

Tony

(in reply to gbarnas)
Post #: 7
RE: multiple publicly routable External IP's - 24.Mar.2008 9:03:46 AM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
In your publishing rule, on the "To" tab, review the following options:

Checkbox - "Forward the original host header..." - This might be needed if the Apache server is hosting multiple sites.

Radio Buttons - "Requests appear to come from..." - If your page is authenticating, it might need to know the source address rather than the ISA server's address. Some web applications require that.

Our Apache server in Dev needed the checkbox on, as it only had one IP, while the Apache servers in QA and Prod worked fine with it off, as they both had one IP per site.

Glenn

(in reply to tony_b)
Post #: 8
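
An added example, not part of the original thread and not ISA or Apache code: a small Python model of why a published Apache server with name-based virtual hosts returns the default site when the proxy does not forward the original host header. The site names, document roots and backend address `10.0.0.5` are constructed, and the model assumes the proxy substitutes the backend address it connects to when forwarding is off.

```python
# Added illustration: models a reverse proxy's Host handling and Apache
# name-based virtual host selection. All names and addresses are constructed.

BACKEND_ADDR = "10.0.0.5"          # hypothetical DMZ address of the Apache box

# Ordered like <VirtualHost> blocks in httpd.conf: the first entry is the
# default and answers any request whose Host matches no ServerName or alias.
VHOSTS = [
    ("www.example.test", ["example.test"], "/var/www/default"),
    ("shop.example.test", [], "/var/www/shop"),
    ("wiki.example.test", [], "/var/www/wiki"),
]

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, ordered header list)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return lines[0], headers

def proxy_rewrite(raw: bytes, forward_original_host: bool) -> bytes:
    """Rebuild the request the way a reverse proxy sends it to the backend."""
    request_line, headers = parse_request(raw)
    out = []
    for name, value in headers:
        if name.lower() == "host" and not forward_original_host:
            value = BACKEND_ADDR      # proxy substitutes the name it connects to
        out.append(f"{name}: {value}")
    return ("\r\n".join([request_line] + out) + "\r\n\r\n").encode("iso-8859-1")

def select_docroot(raw: bytes) -> str:
    """Pick the document root as name-based virtual hosting would."""
    _, headers = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    host = host.split(":")[0].lower()     # drop an optional :port suffix
    for server_name, aliases, docroot in VHOSTS:
        if host == server_name or host in aliases:
            return docroot
    return VHOSTS[0][2]               # no match: fall back to the first vhost

# Constructed client request for a non-default site.
CLIENT_REQ = b"GET / HTTP/1.1\r\nHost: shop.example.test\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, select_docroot(proxy_rewrite(CLIENT_REQ, flag)))
```
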
RE: multiple publicly routable External IP's - 24.Mar.2008 11:01:17 AM   
tony_b

 

Posts: 5
Joined: 21.Mar.2008
Status: offline
Well then, found the problem (or the one that was stopping my host header working). I needed to enable the 'allow client authentication over http' in the listener's advanced authentication properties.

Many thanks for your time Glenn

Tony

(in reply to gbarnas)
Post #: 9
RE: multiple publicly routable External IP's - 25.Mar.2008 6:32:37 AM   
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You realise that this means that any authentication requests go clear text - yes?

Hence why it is disabled by default...

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tony_b)
Post #: 10
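
An added example, not part of the original thread: a Python check that flags requests carrying an `Authorization` header on a non-TLS listener, which is the exposure the last post warns about once client authentication over HTTP is allowed. The capture, user name and password are constructed, and the `(listener_is_tls, raw_request)` record shape is an assumption of this sketch, not an ISA log format.

```python
import base64
import binascii

def _req(auth=None):
    """Build a constructed HTTP request, optionally with an Authorization header."""
    lines = ["GET /reports HTTP/1.1", "Host: shop.example.test"]
    if auth:
        lines.append("Authorization: " + auth)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

BASIC = "Basic " + base64.b64encode(b"tony:not-a-real-password").decode("ascii")

# Constructed capture: (listener_is_tls, raw_request). Not real traffic.
CAPTURE = [
    (False, _req(BASIC)),                       # credentials on the HTTP listener
    (True,  _req(BASIC)),                       # same header, but inside TLS
    (False, _req()),                            # anonymous request
    (False, _req("Basic !!!not-base64!!!")),    # malformed token
    (False, _req('Digest username="tony", realm="r", nonce="n", response="x"')),
]

def exposed_credentials(capture):
    """List (index, scheme, detail) for auth headers sent without TLS."""
    findings = []
    for idx, (is_tls, raw) in enumerate(capture):
        if is_tls:
            continue                             # protected in transit
        for line in raw.decode("iso-8859-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            scheme, _, param = value.strip().partition(" ")
            if scheme.lower() != "basic":
                findings.append((idx, scheme, "auth exchange visible on the wire"))
                continue
            try:
                # Basic is base64("user:password"): encoding, not encryption.
                user = base64.b64decode(param, validate=True).decode("utf-8").split(":", 1)[0]
                findings.append((idx, "Basic", f"password recoverable for user {user!r}"))
            except (binascii.Error, UnicodeDecodeError):
                findings.append((idx, "Basic", "undecodable token"))
    return findings

if __name__ == "__main__":
    for finding in exposed_credentials(CAPTURE):
        print(finding)
```
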
