Re: Isa Server 2006
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Sun, 25 Nov 2007 12:16:44 -0600
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:uVNrYqGKIHA.5400@xxxxxxxxxxxxxxxxxxxxxxx
First get rid of the second Nic on the other two servers. ISA should be
the only one with two nics. All other machines should have one nic and be
on the 192.168.1.x segment.
"Datagenese [Geral]" <info@xxxxxxxxxxxxx> wrote in message
news:uUXaaQxJIHA.4584@xxxxxxxxxxxxxxxxxxxxxxx
Ok
That was my first try.
But how can I do NAT on the router to pass port 80 or 3389 to another
machine that is not the ISA SERVER?
I didn't see this reply for quite a while. Looks like you sent it to my
personal address instead of the group.
NATing the traffic is the last thing to worry about here,...first you have
to get the topology fixed.
You left out some important details, so I will have to improvise. Mainly
you left out the second IP# for the DSL box (they always have two). The
internal side is always a RFC Private Address,..the external is always
Public. Since "192.169" is not an RFC Private address I am forced to assume
that is the public side.
You have two choices:
1. Get rid of the DSL box and physically replace it with the ISA
OR
2. Run the DSL box "back-to-back" with the ISA which creates a Back-to-back
DMZ (which to me is needless complexity and pointless).
--------------------------------------------------------------------------
Option #1 - Replace DSL box with the ISA
2003 Server - DC
IP# 192.168.1.1
Mask 255.255.255.0
DFG 192.168.1.5
DNS & WINS 192.168.1.1
2003 Server - Other
IP# 192.168.1.60
Mask 255.255.255.0
DFG 192.168.1.5
DNS & WINS 192.168.1.1
2003 Server - ISA, Internal Nic
Must be first in the binding order
IP# 192.168.1.5
Mask 255.255.255.0
DFG *NONE*
DNS & WINS 192.168.1.1
2003 Server - ISA, External Nic
IP# 192.169.100.254
Mask 255.255.255.0
DFG <whatever ISP says>
DNS & WINS *NONE*, and disable auto registration
All DNS points to the DC only
The DC has the ISP's DNS listed in the Forwarders list
ISA must "anonymously" allow the DC to make outbound DNS queries.
-------------------------------------------------------------------------------------
Option #2 - Keep DSL box, build a Back-to-Back DMZ
2003 Server - DC
IP# 192.168.1.1
Mask 255.255.255.0
DFG 192.168.1.5
DNS & WINS 192.168.1.1
2003 Server - Other
IP# 192.168.1.60
Mask 255.255.255.0
DFG 192.168.1.5
DNS & WINS 192.168.1.1
2003 Server - ISA, Internal Nic
Must be first in the binding order
IP# 192.168.1.5
Mask 255.255.255.0
DFG *NONE*
DNS & WINS 192.168.1.1
2003 Server - ISA, External Nic
IP# 192.169.100.254
Mask 255.255.255.0
DFG 172.30.1.2 (the DMZ segment)
DNS & WINS *NONE*, and disable auto registration
DSL box - Internal Nic
IP# 172.30.1.1 (the DMZ segment)
Mask 255.255.255.0
DFG *NONE*
DSL box - External Nic
IP# 192.169.100.254
Mask 255.255.255.0
DFG <whatever ISP says>
All DNS points to the DC only
The DC has the ISP's DNS listed in the Forwarders list
ISA (and the DSL box) must "anonymously" allow the DC to make outbound DNS
queries.
-------------------------------------------------------------------------------------------------
Now the ISA has to present the IIS and the RDP to its external interface.
1. IIS,..requires a Web Publishing Rule. Follow the Wizard.
2. RDP requires a Non-Web Server Publishing Rule. Use the "RDP
(Server)" Protocol and follow the Wizard.
If you keep the DSL box then it must do a Reverse NAT for 80 and 389 back to
the ISA's External IP#. Most of these boxes call it "port forwarding" but
that is bogus,..there is no such thing,...the true term for it is Reverse
NAT or Static NAT. The IP#s (Layer 3) are the focus of the "action", not the
Ports (Layer 4).
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
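The Option #1 addressing plan from the post, re-checked against the rules it states (one NIC everywhere but the ISA, no default gateway on the ISA's internal NIC, no DNS on the external NIC, all DNS at the DC, a public external address). This is an added example, not part of the original post; the Host/Nic layout and the "isp-assigned" stand-in for "<whatever ISP says>" are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Nic:
    ip: str
    gateway: Optional[str] = None   # None means "DFG *NONE*"
    dns: Optional[str] = None       # None means "DNS & WINS *NONE*"; WINS follows DNS here
    role: str = "internal"          # "internal" or "external"

@dataclass
class Host:
    name: str
    nics: List[Nic]

DC_IP = "192.168.1.1"
ISA_INTERNAL_IP = "192.168.1.5"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # all masks are 255.255.255.0
# Option #1 from the post, as data; "isp-assigned" stands in for "<whatever ISP says>".
OPTION_1 = [
    Host("DC", [Nic(DC_IP, ISA_INTERNAL_IP, DC_IP)]),
    Host("Other", [Nic("192.168.1.60", ISA_INTERNAL_IP, DC_IP)]),
    Host("ISA", [Nic(ISA_INTERNAL_IP, None, DC_IP),
                 Nic("192.169.100.254", "isp-assigned", None, "external")]),
]

def check_plan(hosts):
    """Return every violation of the post's rules; an empty list means the plan passes."""
    problems = []
    for h in hosts:
        is_isa = h.name == "ISA"
        if len(h.nics) != (2 if is_isa else 1):
            problems.append(f"{h.name}: only the ISA has two NICs, every other box has one")
        for n in h.nics:
            addr = ipaddress.ip_address(n.ip)
            if n.role == "internal":
                if addr not in INTERNAL_NET:
                    problems.append(f"{h.name}: {n.ip} is not on the 192.168.1.x segment")
                if n.dns != DC_IP:
                    problems.append(f"{h.name}: DNS & WINS must point at the DC only")
                expected_gw = None if is_isa else ISA_INTERNAL_IP   # ISA's internal NIC: no DFG
                if n.gateway != expected_gw:
                    problems.append(f"{h.name}: internal DFG should be {expected_gw or '*NONE*'}")
            else:
                if n.dns is not None:
                    problems.append(f"{h.name}: external NIC must carry no DNS & WINS")
                if addr.is_private:
                    problems.append(f"{h.name}: {n.ip} is RFC 1918 private, not a public address")
    return problems
```

Feeding a plan with a second NIC on the DC or a default gateway on the ISA's internal NIC returns the matching violation, which is the misconfiguration the post tells the poster to undo first.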