Publishing On Interfaces Other Than External?



Has anyone ever gotten Server Publishing to work on any interface other than
External? We have no problem getting it to work on the External
interface, but we have NOT had any luck getting Server Publishing to work on
any other network interface. We do have separate ethernet adapters in the
ISA Server 2006, and the subnets defined on those adapters correspond
exactly to the address range defined in separate Network objects in ISA (one
ISA Network per adapter port).

When we publish a server, if we select a Network other than External in the
server publishing rule's Networks tab, and then publish to an IP address on
that Network interface, then Server Publishing enters into a strange
quasi-working state. Incoming packets to the interface with the published
IP show up in the ISA monitor as being destined to the correct IP, so
clearly the published IP is being translated to the hidden server's IP by
something. But the rule is showing in Monitor as:

1) Having no Network Rule

2) Failing on the Default firewall rule.

We do define an NAT Network relationship in ISA between the hidden machine
and the Subnet from which the incoming traffic is coming.

When we examine traffic on a sniffer, it doesn't get past the firewall on
the interface with the incoming traffic, so the problem is not a routing
issue behind the firewall.

We have started two tickets with Microsoft over the last nine months on this
issue, and both times we end up getting passed to a senior tech who tells us
that the way to get it to work is to publish on the External interface. :)
I can configure ISA as a routing firewall all day long, and at this point I
can make a simple access rule dance on the head of a pin and do anything I
want to do. Publishing rules still aggravate me and just don't seem to
function in a rational way I can understand unless I publish to the External
interface. There appears to be functionality on the Networks tab of the
server publishing dialog to let publishing work on interfaces besides the
External interface. Can someone with experience making this work tell me
how you did it?

--
Will

