Re: ISA 2006 and Listeners Part 2!




AndyJ wrote:
Phillip Windell wrote:
"AndyJ" <andyjones99@xxxxxxxxxxxxx> wrote in message
news:1166138444.957406.272720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The weird thing here is that the destination IP address for the denied
packet is for the primary IP address on the same NIC as opposed to the
websites IP address that is detailed in the web publishing rule.

1. For the External Users the Public Name of the Site needs to resolve to
the correct IP# you are attempting to use.

2. For the ISA and any Internal users the Site needs to resolve to the
Internal Private IP# of the Web Server that the Site is bound to. It sounds
to me like this is the part that is failing and it is resolving somehow to
the "other" External IP# on the ISA. That may be why it is coming up as the
Destination, when the Destination is supposed to be the Internal private IP#
of the Web Server.

3. When resolution works properly you will use the same Common Name/Public
Name for the Site all the way through the Publishing Rule from beginning to
end.

4. The pattern of DNS should be:
A. All machines use only the internal AD/DNS (*ALL* machines)
B. No machine should ever use any other DNS
C. The AD/DNS machine (typically the DCs) will use the ISP's DNS in the Forwarders List within the Config of the DNS Service. Optionally, you can leave the Forwarders List blank and let the AD/DNS use RootHints.
D. Create an Anonymous Access Rule for outbound DNS that allows only the AD/DNS machines to make outbound DNS Queries. This should be limited to the AD/DNS machines to weed out machines on the LAN with "rogue" DNS entries that could create just the kind of problem we are seeing here.
E. On the AD/DNS create a new Standard Zone for your Public Names. It should not allow Dynamic Updates. Create the Hosts records in it for all entities that use one of your Public Names. Use the correct IP# for the machine. Internal machines use the actual private internal IP# while machines outside on the public segment will use the public IP#. You have to include all that is relevant to your Public Name even though your ISP is already doing that. You will use your own DNS for this,...the rest of the World will use your ISP's DNS.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------

You know it's amazing what a bit of sleep can do!!! I thought I had
everything set up as per your post, and I did in fact, apart from one key
thing: I was still port forwarding to the OWA/EAS listener from my
Draytek Vigor. I changed that to forward to the new Web listener IP
address and bingo, all works!

So, thanks to you for prompting me to double check and all is working
now. Early evening for me tonight.

Have a good one

AJ

OK, spoke too soon. I can only port forward to a specific IP address;
when I changed port forwarding for HTTP and HTTPS to forward to the new
listener IP it worked for my website but broke my OWA/EAS access. So
how about I just port forward HTTP to the web listener that does not
require authentication and HTTPS to the listener IP that does. This way
my mail services which I need to authenticate before using should work
as they use HTTPS. I will get a problem though when I want to publish a
web site that is secured using SSL but does not require clients to
authenticate.

Any pointers how I can get over this one?

Thanks

AJ
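As an added check for Phillip's step 4E above (example code written for this thread, not posted by either participant), the script below verifies from an internal client that every published Public Name resolves to the private IP# of the web server it is bound to, and flags names that instead resolve to one of the ISA's external addresses, which is the symptom in the original post. The host names and IP addresses are constructed placeholders, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

# Constructed sample data (not from the thread): the Public Names this ISA
# publishes, mapped to the private IP# of the web server each site is bound to.
EXPECTED_INTERNAL = {
    "www.example.com": "192.168.1.20",
    "mail.example.com": "192.168.1.10",
}
# Constructed: the ISA server's external (public-segment) addresses. A Public
# Name resolving to one of these from the LAN is the failure seen in the thread.
ISA_EXTERNAL_IPS = {"203.0.113.5", "203.0.113.6"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(name, resolved, expected=EXPECTED_INTERNAL, isa_ext=ISA_EXTERNAL_IPS):
    """Verdict for how one Public Name resolved when queried from inside the LAN."""
    if resolved is None:
        return "unresolved"                  # no host record in the internal zone
    if resolved in isa_ext:
        return "resolves-to-isa-external"    # the "other" External IP# symptom
    if not is_rfc1918(resolved):
        return "public-ip-from-inside"       # got the ISP's answer, not ours
    if resolved != expected.get(name):
        return "wrong-internal-host"         # private, but not the bound web server
    return "ok"


def check_split_dns(expected=EXPECTED_INTERNAL, isa_ext=ISA_EXTERNAL_IPS, resolver=None):
    """Resolve every Public Name; return {name: (resolved_ip_or_None, verdict)}."""
    # `resolver` is any callable name -> IP string; the default is the OS resolver,
    # which on a LAN built per step 4 asks only the internal AD/DNS.
    resolver = resolver or socket.gethostbyname
    report = {}
    for name in expected:
        try:
            ip = resolver(name)
        except (socket.gaierror, KeyError):
            ip = None
        report[name] = (ip, classify(name, ip, expected, isa_ext))
    return report
```

Run `check_split_dns()` from a LAN client after editing the two constructed tables; any verdict other than "ok" points at the DNS record that still needs fixing.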
