Re: Is this a 3-Leg Perimeter scenario?
- From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
- Date: Tue, 7 Feb 2006 14:29:28 -0000
Crina,
I did try your suggestions and was successful.
This is what I did.
Removed any mention of the 10.0.0.x subnet from the ISA 2004 configuration
From command prompt, added the persistent route using: route add 10.0.0.0 mask 255.255.255.0 192.168.16.9 1 on the client computer
Disabled the ISA firewall client on the LAN client by opening the configure
option and unticking the check box. Added the SBS internal IP address as the
Gateway in the LAN client network properties, and unchecked the proxy
setting in the IE connections properties.
That allowed me to browse to 10.0.0.11/ftp as desired. Great!
But I feel uncertain that I want to have these settings disabled for other
times, as I want to maintain logs of web browsing activities etc.
As I mentioned originally, the only setting that I had to do when running
under ISA 2000 was to add the persistent route as above to the SBS server
only. Why does this not work with ISA 2004?
Will the best option be to add a 3rd network card and configure it that way
with the SmoothWall still performing its duty as a firewall to the ftp
server, and leave LAN clients as 'normal'?
Thank you for your patience on this matter.
Richard
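The Event ID 14147 text quoted further down this thread states the rule ISA 2004 applies: the address ranges routable through an adapter (per the routing table) should match the address ranges of the ISA network bound to that adapter, or packets get dropped as spoofed. The script below is an added example, not code from the thread, from ISA Server or from Microsoft. It runs that comparison over constructed `route print` output and shows why the original 10.0.0.0/255.0.0.0 persistent route produced the conflict 10.0.1.0-10.255.255.255, why narrowing it to a /24 clears the alert, and why keeping a route on ISA while removing 10.0.0.x from the Internal object would leave that traffic to be dropped as spoofed (which is why Crina's step 3 asks for both the object entry and the route to go). The SBS internal address 192.168.16.2 and external address 203.0.113.10 are assumptions; the thread does not give them, and the route table is constructed in the shape of Windows Server 2003 output, not captured.

```python
"""Routing table vs. ISA network-object consistency check (the condition
behind ISA Event ID 14147). Added example, not code from the thread or from
ISA Server. Assumed: SBS internal NIC 192.168.16.2, external NIC 203.0.113.10;
the `route print` text is constructed, not captured."""
import ipaddress
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the ISA 2000-era 10.0.0.0/255.0.0.0 persistent route.
ROUTE_PRINT_SLASH8 = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.10      20
         10.0.0.0        255.0.0.0     192.168.16.9     192.168.16.2       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
     192.168.16.0    255.255.255.0     192.168.16.2     192.168.16.2      20
Default Gateway:       203.0.113.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0     192.168.16.9       1
"""
# Same table with the route narrowed to 10.0.0.0/24 (the `route add` form in the thread).
ROUTE_PRINT_SLASH24 = ROUTE_PRINT_SLASH8.replace(
    "255.0.0.0     192.168.16.9", "255.255.255.0     192.168.16.9")
# Same table with every route via the SmoothWall removed from the ISA box.
ROUTE_PRINT_NO_ROUTE = "\n".join(
    line for line in ROUTE_PRINT_SLASH8.splitlines() if "192.168.16.9" not in line)

@dataclass(frozen=True)
class Route:
    destination: IPv4Network   # Network Destination + Netmask
    gateway: IPv4Address
    interface: IPv4Address
    metric: int

def parse_route_print(text):
    """Keep rows whose first four tokens are IPv4 addresses and whose fifth is an
    integer; headings, separators and the 4-column persistent table are skipped."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 5:
            continue
        try:
            _dest, _mask, gw, ifc = (IPv4Address(t) for t in tokens[:4])
            metric = int(tokens[4])
        except ValueError:
            continue
        routes.append(Route(IPv4Network((tokens[0], tokens[1]), strict=False), gw, ifc, metric))
    return routes

def routable_via(routes, interface):
    """Ranges the table sends out of one adapter; the default route and loopback
    are not network ranges and are left out."""
    nets = [r.destination for r in routes
            if r.interface == interface and r.destination.prefixlen > 0
            and not r.destination.subnet_of(IPv4Network("127.0.0.0/8"))]
    return list(ipaddress.collapse_addresses(nets))

def subtract(nets, ranges):
    """Remove every defined range from the routable blocks. Two CIDR blocks either
    nest or are disjoint, so each step is a drop, a keep or an address_exclude."""
    remaining = list(nets)
    for rng in ranges:
        next_round = []
        for n in remaining:
            if n.subnet_of(rng):
                continue                                   # fully covered: drop
            if rng.subnet_of(n):
                next_round.extend(n.address_exclude(rng))  # carve the range out
            else:
                next_round.append(n)                       # disjoint: keep
        remaining = next_round
    return list(ipaddress.collapse_addresses(remaining))

def to_ranges(nets):
    """Merge adjacent blocks into 'first-last' strings, the format the 14147 alert
    uses for 'The address ranges in conflict'."""
    out, first, last = [], None, None
    for n in sorted(nets, key=lambda x: int(x.network_address)):
        if last is not None and int(n.network_address) == int(last) + 1:
            last = n.broadcast_address
            continue
        if first is not None:
            out.append(f"{first}-{last}")
        first, last = n.network_address, n.broadcast_address
    if first is not None:
        out.append(f"{first}-{last}")
    return out

def conflicts(route_print, interface, network_ranges):
    """Routable-but-undefined ranges for one adapter: sources ISA would drop as spoofed."""
    routable = routable_via(parse_route_print(route_print), IPv4Address(interface))
    return to_ranges(subtract(routable, [IPv4Network(r) for r in network_ranges]))

if __name__ == "__main__":
    internal = ["192.168.16.0/24", "10.0.0.0/24"]   # Internal object with 10.0.0.x added
    print("/8 route, 10.0.0.x in Internal: ", conflicts(ROUTE_PRINT_SLASH8, "192.168.16.2", internal))
    print("/24 route, 10.0.0.x in Internal:", conflicts(ROUTE_PRINT_SLASH24, "192.168.16.2", internal))
    print("/24 route, 10.0.0.x removed:    ", conflicts(ROUTE_PRINT_SLASH24, "192.168.16.2", internal[:1]))
    print("no route, 10.0.0.x removed:     ", conflicts(ROUTE_PRINT_NO_ROUTE, "192.168.16.2", internal[:1]))
```

The first case reproduces the alert's range exactly: 10.0.0.0/8 minus the 10.0.0.0/24 in the Internal object leaves 10.0.1.0-10.255.255.255. The third case is the half-done version of Crina's step 3 and is the one to avoid; the check only passes once the Internal object and the ISA routing table agree.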
""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:QJxyG8XIGHA.3152@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Richard,
Thanks for your update.
I have received your e-mail with the Visio drawing and logs. And the
previous suggestion I have provided is based on these drawing and logs.
Have you seen my previous reply? For your reference, I included my previous
reply as follows:
***************************************************************
From the network diagram, to access the FTP server from the LAN client, the
traffic will NOT be sent to the ISA. The client will know the static route
to send the traffic to the hardware. We can try the following:
1. Add static routes on all LAN client of SBS, you can do so from command
line.
route add 10.0.0.0 mask 255.255.255.0 192.168.16.9 1
2. Configure port forwarding on the hardware route. To do so, you can
consult the router vendor.
3. Please help me confirm why the SmoothWall Firewall and the FTP Server
have the same IP 10.0.0.11. Do you mean the FTP server is hosted on the
Linux Firewall?
***************************************************************
From the drawing, to access the FTP using 10.0.0.11 from the LAN of SBS, you need
to control the traffic to not go through ISA but go to SmoothWall directly.
The error you received indicates that the FTP traffic was still sent to the
ISA Server instead of the SmoothWall Firewall. In this scenario, the
recommended way is bypassing the ISA and let the LAN client directly send
the FTP request to the SmoothWall Firewall. To do that, you should do the
following steps:
1. Create static route on each of the client computers. (As you have done).
2. On the LAN client, disable Firewall client, disable Web Proxy client,
enable SecureNAT client. (The default gateway is pointing to the ISA
Server's internal interface).
3. Re-configure the Internal Network object on the ISA Server. You DO NOT
need to add the 10.0.0.x subnet into the Internal object because the
10.0.0.x subnet has its own gateway for internet access. Please remove the
10.0.0.x entry in the ISA's Internal object and only keep the 192.168.16.x
subnet. Moreover, please remove the additional static route on the ISA
Server which you made before. (Any static route that tells ISA the route to
the 10.0.0.x network).
4. Re-configure the SmoothWall Firewall to perform port forwarding for the
LAN clients. For detailed steps, please consult the hardware vendor. You
need to perform port forwarding for the FTP traffic from 192.168.16.9 to
10.0.0.11.
5. Go to the LAN client, re-access the FTP site via http://10.0.0.11/ftp,
what's the result? Please attach a screenshot.
6. If step 5 failed, can you use the Ftp.exe command-line FTP client
program to access the FTP server on the LAN client?
In addition, to isolate the problem and for test purpose, please configure
a client to point the default gateway to 192.168.16.9, disable firewall
client, disable web proxy, then access the FTP site via
http://10.0.0.11/ftp/ (Also use FTP command line). If the problem
disappears, this should be a routing issue. If the problem persists, you
should configure the Hardware Firewall to perform the port forward for the
FTP site. (forward traffic from 192.168.16.9 to 10.0.0.11)
Hope it helps.
I appreciate your time and I look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| References: <#P$KSM3GGHA.1760@xxxxxxxxxxxxxxxxxxxx>
<yedezm$GGHA.3764@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Is this a 3-Leg Perimeter scenario?
| Date: Wed, 18 Jan 2006 15:59:26 -0000
| Lines: 142
| Organization: Micro Nav Ltd
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
| X-RFC2646: Format=Flowed; Original
| Message-ID: <O7d3pgEHGHA.3752@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: mail.micronav.co.uk 217.207.61.170
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:237675
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Crina,
|
| Many thanks for your reply.
|
| 1. I have e-mailed you with a drawing (Visio) as requested.
| 2. Upon reading my post, I think I may have misled you. To access the FTP
| Server, you use the 10.0.0.11 from within the SBS environment and the
| SmoothWall firewall allows traffic through via the Orange NIC. So I would
| type http://10.0.0.11/ftp/ and that takes me to a Linux web page that allows
| me to set up users, download files etc. I can access the same FTP Server
| also by the Public Domain IP address, but it still goes via the SmoothWall
| firewall (via Red to Orange NICs).
| 3. E-mailed as requested.
| 4. E-mailed as requested
|
| Many thanks
| Richard
|
|
| ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:yedezm$GGHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Richard,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > To narrow down the problem, would you please help me collect the following
| > information?
| >
| > 1. The detailed network diagram. You can refer to the attached example:
| >
| > You can draw the diagram on Word and then send the file to me at
| > v-crinal@xxxxxxxxxxxxxx
| >
| > 2. You said "I can access the SmoothWall via the 192.168.16.9 address, but
| > am unable to access the 10.0.0.11 address for either SmoothWall or FTP
| > Server", where are you accessing 10.0.0.11 from? LAN of SBS, internet or
| > FTP server itself?
| > 3. Please help me collect the route print on SBS.
| >
| > Input "route print > c:\route.txt" in Command Line
| >
| > and then send the route.txt to me.
| >
| > 4. Collect Ipconfig/all result from SBS, FTP and the client you are
| > accessing 10.0.0.11.
| >
| > I appreciate your time to help me collect the above information.
| >
| > I look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| > | Subject: Is this a 3-Leg Perimeter scenario?
| > | Date: Tue, 17 Jan 2006 14:34:03 -0000
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | We have recently applied SBS 2003 SP1 and upgraded to ISA 2004.
| > | We have a Linux based firewall (SmoothWall) supporting a Linux based FTP
| > | server.
| > | Setup was like this:
| > | SBS2003 with 2 NICs: fixed IP for Internet Connection NIC. The broadband
| > | modem/router also has a fixed IP.
| > | FTP Server: HTTP: http://10.0.0.11 FTP: ftp://10.0.0.11/ or
| > | ftp://fixed_IP_for_Internet_Connection_IP (same range as SBS IC NIC)
| > | SmoothWall firewall: 3 NICs - internal 192.168.16.9:81 (Green) (same
| > | range as SBS internal); internal 10.0.0.11:81 (orange)
| > | The previous setup utilised the PersistentRoutes TCPIP registry setting
| > | to allow access to the 10.0.0.11 address, and this worked fine with ISA
| > | 2000
| > | Upon upgrading to ISA 2004, it complained in the Event Log as follows:
| > | Event Type: Error
| > | Event Source: Microsoft Firewall
| > | Event Category: None
| > | Event ID: 14147
| > | Date: 30.12.2005
| > | Time: 15:20:45
| > | User: N/A
| > | Computer: <computername>
| > | Description:
| > | ISA Server detected routes through adapter Server Local Area Connection
| > | that do not correlate with the network element to which this adapter
| > | belongs. For best practice, the address range of an ISA Server network
| > | should match the address ranges routable through the associated network
| > | adapter as defined in the routing table. Otherwise valid packets may be
| > | dropped as spoofed. (This alert may occur momentarily when you create a
| > | remote site network. You may safely ignore this message if it does not
| > | reoccur.) The address ranges in conflict are: 10.0.1.0-10.255.255.255;.
| > | It also had the same error with the Internet Connection NIC in the
| > | description.
| > | I have removed the PersistentRoutes entry, which was set as
| > | 10.0.0.0,255.0.0.0, just leaving the data as 192.168.16.9,1 (this was there
| > | previously). I can access the SmoothWall via the 192.168.16.9 address, but
| > | am unable to access the 10.0.0.11 address for either SmoothWall or FTP
| > | Server (as would be expected normally). The Event Log errors have stopped.
| > | I do not particularly want to install a 3rd NIC to allow me access to the
| > | 10.0.0.11 address as the FTP Server has its own firewall and does not need
| > | to be behind ISA, but I would appreciate any workaround to allow me this
| > | access.
| > | Thanks in advance,
| > | Richard
| > |