Re: HTTP trouble in 2004
From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 03/06/05
- Next message: Sergio Fonseca [MVP]: "Re: Isa server with 3 inernet connection"
- Previous message: Sergio Fonseca [MVP]: "Re: Corrupted User Profiles"
- In reply to: Perry Rutter: "Re: HTTP trouble in 2004"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 7 Mar 2005 07:56:15 +1100
Hi Perry

You're not going to need the rules that allow traffic from External to
Internal. When an Internal client requests something, it'll use one of the
Internal to External rules and responses from External will be recognised as
such and allowed.

I think the easiest way to get things going here will be to create a rule
that allows all protocols from Internal to Localhost. In this way, all DNS
lookups, authentication traffic etc will be permitted.

You're going to want to untick the property on the external NIC's TCP/IP
configuration that registers the interface in DNS.

You should configure the DNS service to only respond to requests on the
internal interface.

Do you have forwarders configured on your DNS server to your ISP for
external name resolution? If not, how does this server resolve external
names?

I think if you're going to have two separate servers after you've done your
testing, it might be better to jump forward to that point right now. It'll
be much simpler to set up and get working.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Perry Rutter" <prutter@lutzcpa.com> wrote in message
news:OwNiwpMIFHA.1176@TK2MSFTNGP12.phx.gbl...
> Hi Mark,
>
> Here are the firewall policies that I have defined. They are just HTTP
> and PING for now.
>
> Ping in    ALLOW PING protocol from EXTERNAL to INTERNAL
>
> Ping out   ALLOW PING protocol from INTERNAL to EXTERNAL
>
> HTTP in    ALLOW HTTP and HTTPS from EXTERNAL to INTERNAL
>
> HTTP out   ALLOW HTTP and HTTPS from INTERNAL to EXTERNAL
>
> These are for ALL USERS and I also have the same type of filters for both
> PING and HTTP to and from the LOCAL HOST and INTERNAL. Any other help
> that you or anyone can provide is greatly appreciated. I've been looking
> on ISAserver.org and no luck there either. Thanks for the replies.
>
> "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
> news:%233kdR$GIFHA.608@TK2MSFTNGP10.phx.gbl...
>> Hi Perry
>>
>> You can use the Logging tab under Monitoring to start a query and watch
>> which rules fire when you attempt a ping. If you've got the default Deny
>> rule last and you get all the way past your other rules, you know there's
>> something about those rules which prevent them from being validated and
>> allowing the connection.
>>
>> HTH
>> --
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: markreno@online.microsoft.com
>>
>> Please note you'll need to strip ".online" from my email address to email
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Perry Rutter" <prutter@lutzcpa.com> wrote in message
>> news:ehqsg0EIFHA.236@TK2MSFTNGP14.phx.gbl...
>> > Mark,
>> >
>> > I made the access policies and still no good. I get an error code
>> > 11002: host not found message. The gateway could not find an
>> > authoritative DNS server or the website you are trying to reach. The
>> > funny part that I don't understand is why can't I ping the public
>> > address of the DC. I have a rule setup for ping and still can't. Any
>> > ideas?
>> >
>> > Perry
>> >
>> > "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
>> > news:eq%23vYCEIFHA.2744@tk2msftngp13.phx.gbl...
>> >> Hi Perry
>> >>
>> >> I think you're going to need to set up access policies between "Local
>> >> Host" and "Internal" so that the machine can function as a DC. I
>> >> realise you've probably done this to minimise the hardware cost but
>> >> it's probably better separating the DC role from the ISA Server role.
>> >>
>> >> HTH
>> >> --
>> >> Mark Renoden [MSFT]
>> >> Windows Platform Support Team
>> >> Email: markreno@online.microsoft.com
>> >>
>> >> Please note you'll need to strip ".online" from my email address to
>> >> email me; I'll post a response back to the group.
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >> "Perry Rutter" <prutter@lutzcpa.com> wrote in message
>> >> news:uQEK%23eDIFHA.3612@TK2MSFTNGP09.phx.gbl...
>> >> > I appear to be an ISA dummy and have a small problem. I'm setting up
>> >> > a small test network with a DC and a workstation. I have ISA 2004
>> >> > installed on this DC with 2 nics (int = 192.168.2.2 and ext =
>> >> > 216.?.?.?). The external nic is connected to my DMZ. Everything
>> >> > appears to be setup correctly, I think. I was having a DNS issue
>> >> > that prevented my workstation from joining the domain but that is
>> >> > fixed. I have the DC as the DNS server and the ISA server. My nics
>> >> > are setup with the DC being the DNS server and my IE points to the
>> >> > proxy setting of the DC. As it stands now the error I get is Error
>> >> > Code 502. Proxy error and I can't get any internet traffic. I have
>> >> > the rules setup and they are setup from the ISA getting started
>> >> > guide. Can anyone get me pointed in the right direction? Thanks.
>> >> >
>> >> > Perry
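
The first paragraph of the reply at the top of this message says that responses are matched to the Internal-to-External request that started them, so the External-to-Internal rules only add exposure. The sketch below is an added example, not part of the thread and not ISA Server's engine: a simplified first-match, stateful model (all class and function names are hypothetical) run over the rules quoted in the message.

```python
# Simplified model (assumption): ordered rules, first match wins, a final
# default Deny, and replies allowed only for tracked sessions.
# Each rule: (name, protocols or None for all, source network, destination network)
RULES_AS_POSTED = [  # the four rules listed in the quoted message
    ("Ping in",  {"PING"},          "External", "Internal"),
    ("Ping out", {"PING"},          "Internal", "External"),
    ("HTTP in",  {"HTTP", "HTTPS"}, "External", "Internal"),
    ("HTTP out", {"HTTP", "HTTPS"}, "Internal", "External"),
]
RULES_SUGGESTED = [  # outbound rules only, plus all protocols Internal -> Local Host
    ("Ping out", {"PING"},          "Internal", "External"),
    ("HTTP out", {"HTTP", "HTTPS"}, "Internal", "External"),
    ("Internal to Local Host", None, "Internal", "Local Host"),
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (protocol, initiator network, responder network)

    def new_connection(self, proto, src, dst):
        """Evaluate a connection attempt; return the name of the rule that fired."""
        for name, protos, r_src, r_dst in self.rules:
            if (protos is None or proto in protos) and (src, dst) == (r_src, r_dst):
                self.sessions.add((proto, src, dst))
                return name
        return "Default Deny"

    def reply(self, proto, src, dst):
        """A reply passes only if it reverses a session an allowed rule created."""
        return (proto, dst, src) in self.sessions

def exposure(rules):
    """Names of rules that let External initiate a connection to Internal."""
    return [r[0] for r in rules if (r[2], r[3]) == ("External", "Internal")]

if __name__ == "__main__":
    fw = Firewall(RULES_SUGGESTED)
    print("outbound HTTP      ->", fw.new_connection("HTTP", "Internal", "External"))
    print("HTTP response back ->", fw.reply("HTTP", "External", "Internal"))
    print("unsolicited ping   ->", fw.new_connection("PING", "External", "Internal"))
    print("DNS to the DC      ->", fw.new_connection("DNS", "Internal", "Local Host"))
    print("inbound exposure, as posted:", exposure(RULES_AS_POSTED))
    print("inbound exposure, suggested:", exposure(RULES_SUGGESTED))
```
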