Re: Is this a 3-Leg Perimeter scenario?
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Wed, 08 Feb 2006 08:49:58 GMT
Hi Richard,
Thanks for your update.
Regarding your concern about maintaining logs of web browsing activities, you
could still get the ISA log, which maintains logs of web browsing activities
even when the Firewall Client is disabled. If you do want to enable the Firewall
Client, you can do the following steps:
1. Add 10.0.0.x entry to the Internal network object. You can expand
Configuration->Networks on ISA 2004 console and then double click Internal
and then add the range on Addresses tab.
2. Install the Firewall Client. You should not have this issue.
If you do want to enable the Web Proxy, it is also feasible. You can do the
following steps. (You don't need to do the following steps when you are not
using IE to access the FTP. For example, if you are using third-party
software to access FTP, then you do not need to do step 1.)
1. Navigate to Configuration->Networks on ISA 2004 console, double click
the Internal Objects, go to the Web Browser tab, enable the "Bypass proxy
for Web servers in this network" option. Or you could click Add and add the
10.0.0.0-10.0.0.255 address.
2. Enable Web proxy in IE.
In addition, we do not recommend adding the third NIC on SBS, because
changing the whole network topology will be a complex project.
The reason why everything could work in ISA 2000 is that ISA 2004 has
increased its security level and will deny traffic which is not
synchronized.
I appreciate your time and look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
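Added example (editor's, not part of any post in this thread): the event 14147 text quoted in the original post says ISA 2004 compares the routes that leave an adapter with the address ranges of the network object that adapter belongs to, and reports whatever is left over as a "low-high" range, dropping packets in that space as spoofed. The Python script below reproduces that arithmetic offline from a `route print` dump, so the conflict can be predicted before ISA starts dropping traffic. The route table text, the 192.168.16.2 address for the SBS internal NIC and the Internal network definition are constructed for the demo; only the 10.0.0.0/8 persistent route, the 192.168.16.9 gateway and the 10.0.0.x range come from the thread.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of `route print` on the SBS box.
# 192.168.16.2 is an assumed address for the SBS internal NIC; the persistent
# 10.0.0.0/8 route towards the SmoothWall green leg (192.168.16.9) is the one
# described in the thread.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   203.0.113.1   203.0.113.2      20
         10.0.0.0        255.0.0.0  192.168.16.9  192.168.16.2       1
        127.0.0.0        255.0.0.0     127.0.0.1     127.0.0.1       1
     192.168.16.0    255.255.255.0  192.168.16.2  192.168.16.2      10
     192.168.16.2  255.255.255.255     127.0.0.1     127.0.0.1      10
   192.168.16.255  255.255.255.255  192.168.16.2  192.168.16.2      10
        224.0.0.0        240.0.0.0  192.168.16.2  192.168.16.2      10
  255.255.255.255  255.255.255.255  192.168.16.2  192.168.16.2       1
"""

# Assumed ISA network object layout: Internal holds the 192.168.16.x range
# plus the 10.0.0.x range that was in the Internal object when the event fired.
ISA_NETWORKS = {
    "Internal": [("192.168.16.0", "192.168.16.255"), ("10.0.0.0", "10.0.0.255")],
}
# Which adapter (by its IP) belongs to which ISA network object (assumed).
ADAPTER_NETWORK = {"192.168.16.2": "Internal"}

_ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Yield (destination_network, gateway, interface_ip) for each route line."""
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if not m:
            continue  # headers, blank lines, section titles
        dest, mask, gateway, iface, _metric = m.groups()
        yield ipaddress.IPv4Network((dest, mask), strict=False), gateway, iface


def subtract_ranges(lo, hi, ranges):
    """Return the parts of the integer span [lo, hi] that no (range_lo, range_hi)
    pair in `ranges` covers."""
    leftovers, cur = [], lo
    for rlo, rhi in sorted(ranges):
        if rhi < cur:
            continue
        if rlo > hi:
            break
        if rlo > cur:
            leftovers.append((cur, rlo - 1))
        cur = max(cur, rhi + 1)
        if cur > hi:
            break
    if cur <= hi:
        leftovers.append((cur, hi))
    return leftovers


def uncorrelated_routes(route_text, networks, adapter_network):
    """Return 'low-high' strings, in the style of event 14147, for the route
    space leaving an adapter that lies outside its ISA network's ranges."""
    conflicts = []
    for net, _gw, iface in parse_route_print(route_text):
        name = adapter_network.get(iface)
        if name is None:
            continue  # loopback, or an adapter we are not checking
        # Assumption: multicast and limited-broadcast entries are not counted.
        if net.is_multicast or str(net) == "255.255.255.255/32":
            continue
        ranges = [
            (int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
            for a, b in networks[name]
        ]
        lo, hi = int(net.network_address), int(net.broadcast_address)
        for a, b in subtract_ranges(lo, hi, ranges):
            conflicts.append(f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}")
    return conflicts


def narrow_persistent_route(route_text):
    """Rewrite the 10.0.0.0/8 entry as the /24 the thread actually needs, i.e.
    the table after `route delete 10.0.0.0 mask 255.0.0.0` followed by
    `route -p add 10.0.0.0 mask 255.255.255.0 192.168.16.9 1`."""
    return re.sub(r"10\.0\.0\.0\s+255\.0\.0\.0", "10.0.0.0  255.255.255.0", route_text)


if __name__ == "__main__":
    for c in uncorrelated_routes(SAMPLE_ROUTE_PRINT, ISA_NETWORKS, ADAPTER_NETWORK):
        print("Conflicting range:", c)
    narrowed = narrow_persistent_route(SAMPLE_ROUTE_PRINT)
    print("After narrowing the route:",
          uncorrelated_routes(narrowed, ISA_NETWORKS, ADAPTER_NETWORK))
```

With the 10.0.0.x range in Internal and the /8 route in place, the script reports 10.0.1.0-10.255.255.255, the same range the event log in the original post shows. Narrowing the persistent route to the /24 that Internal actually contains clears the conflict, and so does removing the 10.0.0.x range from Internal together with the route (the check then reports nothing because no route on that adapter points outside 192.168.16.x); those are the two configurations the replies in this thread converge on.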
--------------------
| From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| Subject: Re: Is this a 3-Leg Perimeter scenario?
| Date: Tue, 7 Feb 2006 14:27:01 -0000
| Newsgroups: microsoft.public.windows.server.sbs
|
| Crina,
|
| I did try your suggestions and was successful.
|
| This is what I did.
|
| Removed any mention of the 10.0.0.x subnet from the ISA 2004 configuration
|
| From command prompt, added the persistent route using: route add 10.0.0.0
| mask 255.255.255.0 192.168.16.9 1 on the client computer
|
| Disabled the ISA firewall client on the LAN client by opening the configure
| option and unticking the check box. Added the SBS internal IP address as the
| Gateway in the LAN client network properties, and unchecked the proxy
| setting in the IE connections properties.
|
| That allowed me to browse to 10.0.0.11/ftp as desired. Great!
|
| But I feel uncertain that I want to have these settings disabled for other
| times, as I want to maintain logs of web browsing activities etc.
|
| As I mentioned originally, the only setting that I had to do when running
| under ISA 2000 was to add the persistent route as above to the SBS server
| only. Why does this not work with ISA 2004?
|
| Will the best option be to add a 3rd network card and configure it that way
| with the SmoothWall still performing its duty as a firewall to the ftp
| server, and leave LAN clients as 'normal'?
|
| Thank you for your patience on this matter.
|
| Richard
|
|
| ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:QJxyG8XIGHA.3152@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Richard,
| >
| > Thanks for your update.
| >
| > I have received your e-mail with the Visio drawing and logs, and the
| > previous suggestion I provided is based on that drawing and those logs.
| > Have you seen my previous reply? For your reference, I have included my
| > previous reply as follows:
| >
| > ***************************************************************
| > From the network diagram, to access the FTP server from the LAN client, the
| > traffic will NOT be sent to the ISA. The client will know the static route
| > to send the traffic to the hardware. We can try the following:
| >
| > 1. Add static routes on all LAN clients of SBS; you can do so from the
| > command line.
| >
| > route add 10.0.0.0 mask 255.255.255.0 192.168.16.9 1
| >
| > 2. Configure port forwarding on the hardware router. To do so, you can
| > consult the router vendor.
| > 3. Please help me confirm why the SmoothWall Firewall and the FTP Server
| > have the same IP 10.0.0.11. Do you mean the FTP server is hosted on the
| > Linux Firewall?
| > ***************************************************************
| >
| > From the drawing, to access the FTP using 10.0.0.11 from the LAN of SBS, you
| > need to control the traffic to not go through ISA but go to SmoothWall
| > directly. The error you received indicates that the FTP traffic was still
| > sent to the ISA Server instead of the SmoothWall Firewall. In this scenario,
| > the recommended way is bypassing the ISA and letting the LAN client directly
| > send the FTP request to the SmoothWall Firewall. To do that, you should do
| > the following steps:
| >
| > 1. Create a static route on each of the client computers. (As you have
| > done).
| > 2. On the LAN client, disable Firewall client, disable Web Proxy client,
| > enable SecureNAT client. (The default gateway is pointing to the ISA
| > Server's internal interface).
| > 3. Re-configure the Internal Network object on the ISA Server. You do NOT
| > need to add the 10.0.0.x subnet into the Internal object because the
| > 10.0.0.x subnet has its own gateway for internet access. Please remove the
| > 10.0.0.x entry in the ISA's Internal object and only keep the 192.168.16.x
| > subnet. Moreover, please remove the additional static route on the ISA
| > Server which you made before. (Any static route that tells ISA the route to
| > the 10.0.0.x network).
| > 4. Re-configure the SmoothWall Firewall to perform port forwarding for the
| > LAN clients. For detailed steps, please consult the hardware vendor. You
| > need to perform port forwarding for the FTP traffic from 192.168.16.9 to
| > 10.0.0.11.
| > 5. Go to the LAN client, re-access the FTP site via http://10.0.0.11/ftp,
| > what's the result? Please attach a screenshot.
| > 6. If step 5 failed, can you use the Ftp.exe command-line FTP client
| > program to access the FTP server on the LAN client?
| >
| > In addition, to isolate the problem and for test purposes, please configure
| > a client to point the default gateway to 192.168.16.9, disable firewall
| > client, disable web proxy, then access the FTP site via
| > http://10.0.0.11/ftp/ (Also use FTP command line). If the problem
| > disappears, this should be a routing issue. If the problem persists, you
| > should configure the Hardware Firewall to perform the port forward for the
| > FTP site. (forward traffic from 192.168.16.9 to 10.0.0.11)
| >
| > Hope it helps.
| >
| > I appreciate your time and I look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| > | References: <#P$KSM3GGHA.1760@xxxxxxxxxxxxxxxxxxxx>
| > <yedezm$GGHA.3764@xxxxxxxxxxxxxxxxxxxxx>
| > | Subject: Re: Is this a 3-Leg Perimeter scenario?
| > | Date: Wed, 18 Jan 2006 15:59:26 -0000
| > | Lines: 142
| > | Organization: Micro Nav Ltd
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
| > | X-RFC2646: Format=Flowed; Original
| > | Message-ID: <O7d3pgEHGHA.3752@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | NNTP-Posting-Host: mail.micronav.co.uk 217.207.61.170
| > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| > | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:237675
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | Crina,
| > |
| > | Many thanks for your reply.
| > |
| > | 1. I have e-mailed you with a drawing (Visio) as requested.
| > | 2. Upon reading my post, I think I may have misled you. To access the FTP
| > | Server, you use the 10.0.0.11 from within the SBS environment and the
| > | SmoothWall firewall allows traffic through via the Orange NIC. So I would
| > | type http://10.0.0.11/ftp/ and that takes me to a Linux web page that
| > | allows me to set up users, download files etc. I can access the same FTP
| > | Server also by the Public Domain IP address, but it still goes via the
| > | SmoothWall firewall (via Red to Orange NICs).
| > | 3. E-mailed as requested.
| > | 4. E-mailed as requested
| > |
| > | Many thanks
| > | Richard
| > |
| > |
| > | ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | news:yedezm$GGHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > Hi Richard,
| > | >
| > | > Thank you for posting in SBS newsgroup.
| > | >
| > | > To narrow down the problem, would you please help me collect the
| > | > following information?
| > | >
| > | > 1. The detailed network diagram. You can refer to the attached example:
| > | >
| > | > You can draw the diagram on Word and then send the file to me at
| > | > v-crinal@xxxxxxxxxxxxxx
| > | >
| > | > 2. You said "I can access the SmoothWall via the 192.168.16.9 address,
| > | > but am unable to access the 10.0.0.11 address for either SmoothWall or
| > | > FTP Server", where are you accessing 10.0.0.11 from? LAN of SBS,
| > | > internet or FTP server itself?
| > | > 3. Please help me collect the route print on SBS.
| > | >
| > | > Input "route print > c:\route.txt" in Command Line
| > | >
| > | > and then send the route.txt to me.
| > | >
| > | > 4. Collect the ipconfig /all result from SBS, FTP and the client you are
| > | > accessing 10.0.0.11 from.
| > | >
| > | > I appreciate your time in helping me collect the above information.
| > | >
| > | > I look forward to hearing from you.
| > | >
| > | > Best regards,
| > | >
| > | > Crina Li (MSFT)
| > | >
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > --------------------
| > | > | From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| > | > | Subject: Is this a 3-Leg Perimeter scenario?
| > | > | Date: Tue, 17 Jan 2006 14:34:03 -0000
| > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > |
| > | > | We have recently applied SBS 2003 SP1 and upgraded to ISA 2004.
| > | > | We have a Linux based firewall (SmoothWall) supporting a Linux based
| > | > | FTP server.
| > | > | Setup was like this:
| > | > | SBS2003 with 2 NICs: fixed IP for Internet Connection NIC. The
| > | > | broadband modem/router also has a fixed IP.
| > | > | FTP Server: HTTP: http://10.0.0.11 FTP: ftp://10.0.0.11/ or
| > | > | ftp://fixed_IP_for_Internet_Connection_IP (same range as SBS IC NIC)
| > | > | SmoothWall firewall: 3 NICs - internal 192.168.16.9:81 (Green) (same
| > | > | range as SBS internal); internal 10.0.0.11:81 (orange)
| > | > | The previous setup utilised the PersistentRoutes TCPIP registry
| > | > | setting to allow access to the 10.0.0.11 address, and this worked fine
| > | > | with ISA 2000
| > | > | Upon upgrading to ISA 2004, it complained in the Event Log as follows:
| > | > | Event Type: Error
| > | > | Event Source: Microsoft Firewall
| > | > | Event Category: None
| > | > | Event ID: 14147
| > | > | Date: 30.12.2005
| > | > | Time: 15:20:45
| > | > | User: N/A
| > | > | Computer: <computername>
| > | > | Description:
| > | > | ISA Server detected routes through adapter Server Local Area
| > | > | Connection that do not correlate with the network element to which
| > | > | this adapter belongs. For best practice, the address range of an ISA
| > | > | Server network should match the address ranges routable through the
| > | > | associated network adapter as defined in the routing table. Otherwise
| > | > | valid packets may be dropped as spoofed. (This alert may occur
| > | > | momentarily when you create a remote site network. You may safely
| > | > | ignore this message if it does not reoccur.) The address ranges in
| > | > | conflict are: 10.0.1.0-10.255.255.255;.
| > | > | It also had the same error with the Internet Connection NIC in the
| > | > | description.
| > | > | I have removed the PersistentRoutes entry, which was set as
| > | > | 10.0.0.0,255.0.0.0, just leaving the data as 192.168.16.9,1 (this was
| > | > | there previously). I can access the SmoothWall via the 192.168.16.9
| > | > | address, but am unable to access the 10.0.0.11 address for either
| > | > | SmoothWall or FTP Server (as would be expected normally). The Event
| > | > | Log errors have stopped.
| > | > | I do not particularly want to install a 3rd NIC to allow me access to
| > | > | the 10.0.0.11 address as the FTP Server has its own firewall and does
| > | > | not need to be behind ISA, but I would appreciate any workaround to
| > | > | allow me this access.
| > | > | Thanks in advance,
| > | > | Richard
| > | > |
| > |
| > |
| > |
| >
|
|
|