Re: Problem with 2nd IP address - Repost

From: Iain Kirk (iain.kirk_at_nospamz-uk.com)
Date: 06/29/04


Date: Tue, 29 Jun 2004 09:24:03 +0100

Jim, thanks for your response; please see below:

"Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message
news:OAV1DZZXEHA.4032@TK2MSFTNGP11.phx.gbl...
> You've gone through a few iterations of mail...
> IIUC, you're trying to publish two different RDP servers through ISA?

> Q1 - Exactly how did you define the:
> - protocol definition
Created a definition called 'Terminal Services' on port TCP 3389 direction
Inbound, no secondaries.

> - publishing rules
Created TS Rule1 with a local address of 192.168.0.5 and selected external
address of x.x.x.3, mapped to server protocol Terminal Services and applies
to any request.
Created TS Rule2 with a local address of 192.168.0.6 and selected external
address of x.x.x.4, mapped to server protocol Terminal Services and applies
to any request.
After testing found TS Rule1 worked and 2 didn't so swapped the external
addresses round so TS Rule2 had x.x.x.3 and then TS Rule2 worked and 1
didn't.

> Q2 - Are the internal hosts SecureNAT clients to ISA?
Yes

> Q3 - where are you testing from; internal or external to ISA?
The above is the scenario when testing from external, when testing from
internal I am unable to reach either using the external IP addresses (but
both using internal).

> Q4 - what is found in the ISA IPEXT and FWEXT logs for your tests?
Nothing in either log for the time periods tested.

> Advice: quit testing with "ping"; it's more confusing than helpful for
> testing publishing rules.
On a side note, Jim, why would pinging not work?

Thanks for your help,

Iain

>
> --
> Jim Harrison [ISASE]
> Read the help, books and articles!
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Iain Kirk" <iain.kirk@nospamz-uk.com> wrote in message
> news:Ovh6hWRXEHA.128@TK2MSFTNGP10.phx.gbl...
> Lefteris, Jim
>
> Thanks for your responses, would you have any idea how I can move forward
> with this issue?
>
> Iain
>
> "Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message
> news:uc6OCPLXEHA.3012@tk2msftngp13.phx.gbl...
> > Sorry, ISAInfo doesn't analyze, it just gathers.
> > There are way too many variations on the ISA theme for a mere script to
> > try sorting out.
> > Bear in mind; the script is nearly 5000 lines long as it is...
> >
> > --
> > Jim Harrison [ISASE]
> > Read the help, books and articles!
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
> > "Lefteris Vladimiros (MCT)" <notvalid@antispam.com> wrote in message
> > news:eG$H3cIXEHA.2816@TK2MSFTNGP11.phx.gbl...
> > If I remember correctly, if there are any errors found they are noted with
> > **
> >
> > --
> > Lefteris Vladimiros
> > Microsoft Certified Trainer
> > MCSA, MCSE: Security
> > MCSA: Messaging
> >
> > New Horizons Athens
> > -----
> > Post a reply to the newsgroups so that others may benefit from the
> > discussion
> > -----
> > "Iain Kirk" <iain.removeme@z-uk.com> wrote in message
> > news:uZji2vtWEHA.556@tk2msftngp13.phx.gbl...
> > > Lefteris
> > >
> > > Thank you once again for your response, I have run isainfo.vbe. I have had
> > > a good study of it but am unable to find anything wrong, is there something
> > > in particular I should be looking for?
> > >
> > > Iain
> > >
> > > "Lefteris Vladimiros (MCT)" <notvalid@antispam.com> wrote in message
> > > news:uvXr5JlWEHA.3012@tk2msftngp13.phx.gbl...
> > > > Ok that is good to know ;-)
> > > >
> > > > What method did you use to publish the RDP servers?
> > > > The correct method to use would be to create a protocol definition for RDP
> > > > Server (there isn't one included by default), using
> > > > TCP incoming 3389
> > > > as the required information
> > > >
> > > > Then use 2 separate Server Publishing rules and publish the required
> > > > services for each set of internal/external ip combo, as desired.
> > > >
> > > > If this is what you already have implemented, use a tool called isainfo.vbs
> > > > (not sure if I remember the name correctly) that you will find in
> > > > www.isatools.org
> > > > This very handy tool will analyse the ISA server's configuration, and by
> > > > reading the logs you might find something is not configured as supposed.
> > > >
> > > > Hope this helps,
> > > > Lefteris
> > > >
> > > > --
> > > > Lefteris Vladimiros
> > > > Microsoft Certified Trainer
> > > > MCSA, MCSE: Security
> > > > MCSA: Messaging
> > > >
> > > > New Horizons Athens
> > > > -----
> > > > Post a reply to the newsgroups so that others may benefit from the
> > > > discussion
> > > > -----
> > > > "Iain Kirk" <iain.kirk@nospamz-uk.com> wrote in message
> > > > news:en7dBldWEHA.1468@TK2MSFTNGP10.phx.gbl...
> > > > > Lefteris
> > > > >
> > > > > Thank you for your response, I am not using dns at all for this situation
> > > > > only testing with ip addresses. But if my IP address or subnet was mistyped
> > > > > I wouldn't be able to ping from the inside would I?
> > > > >
> > > > > Just confirmed the IP address and subnet are correct.
> > > > >
> > > > > Thanks
> > > > > Iain
> > > > >
> > > > > "Lefteris Vladimiros (MCT)" <notvalid@antispam.com> wrote in message
> > > > > news:%23bk8DXXWEHA.1128@TK2MSFTNGP10.phx.gbl...
> > > > > > If you can ping x.x.x.3 from an external network and can't do that for
> > > > > > x.x.x.4 then sounds like you have misconfigured the external interface...
> > > > > > check for ip/subnet mistypes
> > > > > >
> > > > > > are you pinging/connecting through dns names or ip addresses? test using ip
> > > > > > and dns as this might relate to a dns resolution issue.
> > > > > >
> > > > > > Generally having 2 external ips and having 2 internal machines, running the
> > > > > > same services (such as RDP), published through these 2 external ips should
> > > > > > work fine.
> > > > > > --
> > > > > > Lefteris Vladimiros
> > > > > > Microsoft Certified Trainer
> > > > > > MCSA, MCSE: Security
> > > > > > MCSA: Messaging
> > > > > >
> > > > > > New Horizons Athens
> > > > > > -----
> > > > > > Note: Do not send me a direct email reply cause this is a fake address
> > > > > > Post a reply to the newsgroups so that others may benefit from the
> > > > > > discussion
> > > > > > -----
> > > > > > "Iain Kirk" <iain.kirk@nospamz-uk.com> wrote in message
> > > > > > news:OTQwLxTWEHA.584@TK2MSFTNGP09.phx.gbl...
> > > > > > > Hmm thought the problem was solved, actually just got past first hurdle.
> > > > > > >
> > > > > > > I have assigned a second IP address to the external interface, this doesn't
> > > > > > > have any effect on the internal users (thankfully means I can carry on
> > > > > > > testing). I want to publish 2 servers, both having terminal services/remote
> > > > > > > desktop and another application on each server. At the moment one of the
> > > > > > > servers has the TS published via my main public IP address (x.x.x.3) to its
> > > > > > > private IP of 192.168.0.5, I have another public IP address of x.x.x.4 which
> > > > > > > I have assigned as a secondary to my external interface.
> > > > > > >
> > > > > > > Problem: I have tried publishing the second server (192.168.0.6) TS to
> > > > > > > x.x.x.4 but am unable to connect, also I am not able to ping x.x.x.4 from
> > > > > > > anywhere externally but am from anywhere on my LAN. The user who needs
> > > > > > > access to x.x.x.4 externally has a static public ip address and I have tried
> > > > > > > adding a route to his static IP but when I did the 'route add' I was unable
> > > > > > > to tell it to use the x.x.x.4 interface.
> > > > > > >
> > > > > > > Any help would be great.
> > > > > > >
> > > > > > > Iain
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
>
>
>


