Re: Is this a 3-Leg Perimeter scenario?



Hi Richard,

Thanks for your update.

The errors will actually occur if the traffic goes through ISA, and we can
ignore the errors if they do not have any real effect on the traffic.

It is my pleasure to work with you on this post. If you encounter any
difficulties in the future, please submit a post to the newsgroup. We
are glad to be of assistance.

Again, thank you for using Microsoft newsgroup. Have a nice day. :)

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| Subject: Re: Is this a 3-Leg Perimeter scenario?
| Date: Mon, 20 Feb 2006 11:59:26 -0000
| Organization: Micro Nav Ltd
| Newsgroups: microsoft.public.windows.server.sbs
|
| Crina,
|
| The error message that I refer to (for content, see my first post in this
| thread; it appears twice - one for each network device) appears every time
| the Firewall service is restarted. It does not prevent me from accessing the
| FTP server.
|
| As I posted before, I was able to access the FTP server following your
| instructions for changes to the client, but did not really want to have
| these changes on the clients, hence the changes were made to the SBS
| instead.
|
| Many thanks for your help.
|
| Richard
|
| ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:CXwYddgNGHA.668@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Richard,
| >
| > Thanks for your update,
| >
| > As far as I know, if you configure SBS as you mentioned, the traffic will
| > also go to ISA first and not go directly to 192.168.16.9, and ISA will
| > generate the error message. Do you mean the error message does not affect
| > the access to the FTP server? Also, would you please help me double-confirm
| > if it will not work after enabling the Firewall Client based on the
| > working suggestion I provided in the previous reply?
| >
| > I appreciate your time and look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| > | Subject: Re: Is this a 3-Leg Perimeter scenario?
| > | Date: Fri, 17 Feb 2006 09:31:50 -0000
| > | Organization: Micro Nav Ltd
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | Crina,
| > |
| > | I seem to have fixed the problem, but don't know why, when it appears to be
| > | the same configuration as I had it originally before upgrading to ISA 2004
| > | using the SBS SP1.
| > |
| > | So the configuration has ended up as:
| > |
| > | No PersistentRoute entry on the clients; no firewall client disabling; no IE
| > | configuration.
| > |
| > | PersistentRoute added on the SBS: Route Add 10.0.0.0 MASK 255.0.0.0
| > | 192.168.16.9 -p
| > |
| > | 10.0.0.0 - 10.0.0.255 added to the Internal Networks in ISA 2004
| > |
| > | However, as originally, I regularly receive the error message regarding the
| > | configuration being incorrect (see my first post). I will just have to live
| > | with that.
| > |
| > | Many thanks again for your persistent help on this matter.
| > |
| > | Richard
| > |
| > | ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | news:fD9AnyILGHA.608@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > Hi Richard,
| > | >
| > | > Thanks for your update.
| > | >
| > | > Regarding your concern about maintaining logs of web browsing activities, you
| > | > could still get the ISA log, which maintains logs of web browsing activities
| > | > even if the Firewall Client is disabled. If you do want to enable the Firewall
| > | > Client, you can do the following steps:
| > | >
| > | > 1. Add the 10.0.0.x entry to the Internal network object. You can expand
| > | > Configuration->Networks on the ISA 2004 console, double-click Internal,
| > | > and then add the range on the Addresses tab.
| > | > 2. Install the Firewall Client. You should not have this issue.
| > | >
| > | > If you do want to enable the Web Proxy, it is also feasible. You can do the
| > | > following steps: (You don't need to do the following steps when you are not
| > | > using IE to access the FTP. For example, if you are using third-party
| > | > software to access FTP, then you do not need to do step 1.)
| > | >
| > | > 1. Navigate to Configuration->Networks on the ISA 2004 console, double-click
| > | > the Internal Objects, go to the Web Browser tab, and enable the "Bypass proxy
| > | > for Web servers in this network" option. Or you could click Add and add the
| > | > 10.0.0.0-10.0.0.255 address.
| > | > 2. Enable Web proxy in IE.
| > | >
| > | > In addition, we do not recommend that you add the third NIC on SBS because
| > | > changing the whole network topology will be a complex project.
| > | >
| > | > The reason why everything could work in ISA 2000 is that ISA 2004 has
| > | > increased its security level and it will deny traffic which is not
| > | > synchronized.
| > | >
| > | > I appreciate your time and look forward to hearing from you.
| > | >
| > | > Best regards,
| > | >
| > | > Crina Li (MSFT)
| > | >
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > --------------------
| > | > | From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| > | > | Subject: Re: Is this a 3-Leg Perimeter scenario?
| > | > | Date: Tue, 7 Feb 2006 14:27:01 -0000
| > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > |
| > | > | Crina,
| > | > |
| > | > | I did try your suggestions and was successful.
| > | > |
| > | > | This is what I did.
| > | > |
| > | > | Removed any mention of the 10.0.0.x subnet from the ISA 2004 configuration
| > | > |
| > | > | From command prompt, added the persistent route using: route add 10.0.0.0
| > | > | mask 255.255.255.0 192.168.16.9 1 on the client computer
| > | > |
| > | > | Disabled the ISA firewall client on the LAN client by opening the configure
| > | > | option and unticking the check box. Added the SBS internal IP address as the
| > | > | Gateway in the LAN client network properties, and unchecked the proxy
| > | > | setting in the IE connections properties.
| > | > |
| > | > | That allowed me to browse to 10.0.0.11/ftp as desired. Great!
| > | > |
| > | > | But I feel uncertain that I want to have these settings disabled for other
| > | > | times, as I want to maintain logs of web browsing activities etc.
| > | > |
| > | > | As I mentioned originally, the only setting that I had to do when running
| > | > | under ISA 2000 was to add the persistent route as above to the SBS server
| > | > | only. Why does this not work with ISA 2004?
| > | > |
| > | > | Will the best option be to add a 3rd network card and configure it that way
| > | > | with the SmoothWall still performing its duty as a firewall to the ftp
| > | > | server, and leave LAN clients as 'normal'?
| > | > |
| > | > | Thank you for your patience on this matter.
| > | > |
| > | > | Richard
| > | > |
| > | > |
| > | > | ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | > | news:QJxyG8XIGHA.3152@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > | > Hi Richard,
| > | > | >
| > | > | > Thanks for your update.
| > | > | >
| > | > | > I have received your e-mail with the Visio drawing and logs. The
| > | > | > previous suggestion I provided is based on this drawing and these logs.
| > | > | > Have you seen my previous reply? For your reference, I have included my
| > | > | > previous reply as follows:
| > | > | >
| > | > | > ***************************************************************
| > | > | > From the network diagram, to access the FTP server from the LAN client, the
| > | > | > traffic will NOT be sent to the ISA. The client will know the static route
| > | > | > to send the traffic to the hardware. We can try the following:
| > | > | >
| > | > | > 1. Add static routes on all LAN clients of SBS; you can do so from the
| > | > | > command line.
| > | > | >
| > | > | > route add 10.0.0.0 mask 255.255.255.0 192.168.16.9 1
| > | > | >
| > | > | > 2. Configure port forwarding on the hardware router. To do so, you can
| > | > | > consult the router vendor.
| > | > | > 3. Please help me confirm why the SmoothWall Firewall and the FTP Server
| > | > | > have the same IP 10.0.0.11. Do you mean the FTP server is hosted on the
| > | > | > Linux Firewall?
| > | > | > ***************************************************************
| > | > | >
| > | > | > From the drawing, to access the FTP using 10.0.0.11 from the LAN of SBS, you
| > | > | > need to control the traffic so that it does not go through ISA but goes to
| > | > | > SmoothWall directly. The error you received indicates that the FTP traffic
| > | > | > was still sent to the ISA Server instead of the SmoothWall Firewall. In this
| > | > | > scenario, the recommended way is bypassing the ISA and letting the LAN client
| > | > | > directly send the FTP request to the SmoothWall Firewall. To do that, you
| > | > | > should do the following steps:
| > | > | >
| > | > | > 1. Create a static route on each of the client computers. (As you have
| > | > | > done).
| > | > | > 2. On the LAN client, disable Firewall client, disable Web Proxy client,
| > | > | > enable SecureNAT client. (The default gateway is pointing to the ISA
| > | > | > Server's internal interface).
| > | > | > 3. Re-configure the Internal Network object on the ISA Server. You DO NOT
| > | > | > need to add the 10.0.0.x subnet into the Internal object because the
| > | > | > 10.0.0.x subnet has its own gateway for internet access. Please remove the
| > | > | > 10.0.0.x entry in the ISA's Internal object and only keep the 192.168.16.x
| > | > | > subnet. Moreover, please remove the additional static route on the ISA
| > | > | > Server which you made before. (Any static route that tells ISA the route to
| > | > | > the 10.0.0.x network).
| > | > | > 4. Re-configure the SmoothWall Firewall to perform port forwarding for the
| > | > | > LAN clients. For detailed steps, please consult the hardware vendor. You
| > | > | > need to perform port forwarding for the FTP traffic from 192.168.16.9 to
| > | > | > 10.0.0.11.
| > | > | > 5. Go to the LAN client, re-access the FTP site via http://10.0.0.11/ftp,
| > | > | > what's the result? Please attach a screenshot.
| > | > | > 6. If step 5 failed, can you use the Ftp.exe command-line FTP client
| > | > | > program to access the FTP server on the LAN client?
| > | > | >
| > | > | > In addition, to isolate the problem and for test purposes, please configure
| > | > | > a client to point the default gateway to 192.168.16.9, disable firewall
| > | > | > client, disable web proxy, then access the FTP site via
| > | > | > http://10.0.0.11/ftp/ (Also use FTP command line). If the problem
| > | > | > disappears, this should be a routing issue. If the problem persists, you
| > | > | > should configure the Hardware Firewall to perform the port forward for the
| > | > | > FTP site. (forward traffic from 192.168.16.9 to 10.0.0.11)
| > | > | >
| > | > | > Hope it helps.
| > | > | >
| > | > | > I appreciate your time and I look forward to hearing from you.
| > | > | >
| > | > | > Best regards,
| > | > | >
| > | > | > Crina Li (MSFT)
| > | > | >
| > | > | > Microsoft CSS Online Newsgroup Support
| > | > | >
| > | > | > Get Secure! - www.microsoft.com/security
| > | > | >
| > | > | > --------------------
| > | > | > | From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| > | > | > | Subject: Re: Is this a 3-Leg Perimeter scenario?
| > | > | > | Date: Wed, 18 Jan 2006 15:59:26 -0000
| > | > | > | Organization: Micro Nav Ltd
| > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > |
| > | > | > | Crina,
| > | > | > |
| > | > | > | Many thanks for your reply.
| > | > | > |
| > | > | > | 1. I have e-mailed you with a drawing (Visio) as requested.
| > | > | > | 2. Upon reading my post, I think I may have misled you. To access the FTP
| > | > | > | Server, you use the 10.0.0.11 from within the SBS environment and the
| > | > | > | SmoothWall firewall allows traffic through via the Orange NIC. So I would
| > | > | > | type http://10.0.0.11/ftp/ and that takes me to a Linux web page that allows
| > | > | > | me to set up users, download files etc. I can access the same FTP Server
| > | > | > | also by the Public Domain IP address, but it still goes via the SmoothWall
| > | > | > | firewall (via Red to Orange NICs).
| > | > | > | 3. E-mailed as requested.
| > | > | > | 4. E-mailed as requested
| > | > | > |
| > | > | > | Many thanks
| > | > | > | Richard
| > | > | > |
| > | > | > |
| > | > | > | ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | > | > | news:yedezm$GGHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > | > | > Hi Richard,
| > | > | > | >
| > | > | > | > Thank you for posting in SBS newsgroup.
| > | > | > | >
| > | > | > | > To narrow down the problem, would you please help me collect the following
| > | > | > | > information?
| > | > | > | >
| > | > | > | > 1. The detailed network diagram. You can refer to the attached example:
| > | > | > | >
| > | > | > | > You can draw the diagram in Word and then send the file to me at
| > | > | > | > v-crinal@xxxxxxxxxxxxxx
| > | > | > | >
| > | > | > | > 2. You said "I can access the SmoothWall via the 192.168.16.9 address, but
| > | > | > | > am unable to access the 10.0.0.11 address for either SmoothWall or FTP
| > | > | > | > Server", where are you accessing 10.0.0.11 from? LAN of SBS, internet or
| > | > | > | > FTP server itself?
| > | > | > | > 3. Please help me collect the route print on SBS.
| > | > | > | >
| > | > | > | > Input "route print > c:\route.txt" in Command Line
| > | > | > | >
| > | > | > | > and then send the route.txt to me.
| > | > | > | >
| > | > | > | > 4. Collect the Ipconfig/all result from SBS, FTP and the client you are
| > | > | > | > accessing 10.0.0.11 from.
| > | > | > | >
| > | > | > | > I appreciate your time in helping me collect the above information.
| > | > | > | >
| > | > | > | > I look forward to hearing from you.
| > | > | > | >
| > | > | > | > Best regards,
| > | > | > | >
| > | > | > | > Crina Li (MSFT)
| > | > | > | >
| > | > | > | > Microsoft CSS Online Newsgroup Support
| > | > | > | >
| > | > | > | > Get Secure! - www.microsoft.com/security
| > | > | > | >
| > | > | > | > --------------------
| > | > | > | > | From: "Richard Cass" <richardcass_AT_NO_SPAM_micronav.co.uk>
| > | > | > | > | Subject: Is this a 3-Leg Perimeter scenario?
| > | > | > | > | Date: Tue, 17 Jan 2006 14:34:03 -0000
| > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > | > |
| > | > | > | > | We have recently applied SBS 2003 SP1 and upgraded to ISA 2004.
| > | > | > | > | We have a Linux based firewall (SmoothWall) supporting a Linux based FTP server.
| > | > | > | > | Setup was like this:
| > | > | > | > | SBS2003 with 2 NICs: fixed IP for Internet Connection NIC. The broadband modem/router also has a fixed IP.
| > | > | > | > | FTP Server: HTTP: http://10.0.0.11 FTP: ftp://10.0.0.11/ or ftp://fixed_IP_for_Internet_Connection_IP (same range as SBS IC NIC)
| > | > | > | > | SmoothWall firewall: 3 NICs - internal 192.168.16.9:81 (Green) (same range as SBS internal); internal 10.0.0.11:81 (orange)
| > | > | > | > | The previous setup utilised the PersistentRoutes TCPIP registry setting to allow access to the 10.0.0.11 address, and this worked fine with ISA 2000
| > | > | > | > | Upon upgrading to ISA 2004, it complained in the Event Log as follows:
| > | > | > | > | Event Type: Error
| > | > | > | > | Event Source: Microsoft Firewall
| > | > | > | > | Event Category: None
| > | > | > | > | Event ID: 14147
| > | > | > | > | Date: 30.12.2005
| > | > | > | > | Time: 15:20:45
| > | > | > | > | User: N/A
| > | > | > | > | Computer: <computername>
| > | > | > | > | Description:
| > | > | > | > | ISA Server detected routes through adapter Server Local Area Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 10.0.1.0-10.255.255.255;.
| > | > | > | > | It also had the same error with the Internet Connection NIC in the description.
| > | > | > | > | I have removed the PersistentRoutes entry, which was set as 10.0.0.0,255.0.0.0, just leaving the data as 192.168.16.9,1 (this was there previously). I can access the SmoothWall via the 192.168.16.9 address, but am unable to access the 10.0.0.11 address for either SmoothWall or FTP Server (as would be expected normally). The Event Log errors have stopped.
| > | > | > | > | I do not particularly want to install a 3rd NIC to allow me access to the 10.0.0.11 address as the FTP Server has its own firewall and does not need to be behind ISA, but I would appreciate any workaround to allow me this access.
| > | > | > | > | Thanks in advance,
| > | > | > | > | Richard
| > | > | > | > |
|
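
The Event ID 14147 text quoted in the first post of this thread says ISA compares the address ranges routable through an adapter with the ranges of the network element that adapter belongs to. The Python below is an added example, not from the thread and not ISA Server's own code; it models that comparison with the addresses the thread gives, and shows where the reported conflict range 10.0.1.0-10.255.255.255 comes from. The on-link 192.168.16.0/255.255.255.0 route and all function and constant names are assumptions.

```python
"""Model of the range comparison described by ISA Server Event ID 14147.

Added example: not ISA Server code. It reproduces only the arithmetic the
event text describes, using addresses quoted in the thread.
"""
from ipaddress import IPv4Address, IPv4Network


def route(dest, mask):
    """Routing-table entry (destination, netmask) as an inclusive int range."""
    net = IPv4Network(f"{dest}/{mask}")
    return int(net.network_address), int(net.broadcast_address)


def span(first, last):
    """Network-element address range (first-last) as an inclusive int range."""
    return int(IPv4Address(first)), int(IPv4Address(last))


def merge(ranges):
    """Sort ranges and coalesce overlapping or adjacent ones."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def subtract(a, b):
    """Return the parts of ranges `a` that no range in `b` covers."""
    b = merge(b)
    left = []
    for lo, hi in merge(a):
        cur = lo
        for blo, bhi in b:
            if bhi < cur or blo > hi:
                continue                      # no overlap with what remains
            if blo > cur:
                left.append((cur, blo - 1))   # gap before this covering range
            cur = max(cur, bhi + 1)
            if cur > hi:
                break
        if cur <= hi:
            left.append((cur, hi))
    return left


def fmt(ranges):
    return [f"{IPv4Address(lo)}-{IPv4Address(hi)}" for lo, hi in ranges]


def conflicts(routes, network_element):
    """Ranges where the adapter's routes and the network element disagree."""
    return {
        "routed_not_in_network": fmt(subtract(routes, network_element)),
        "in_network_not_routed": fmt(subtract(network_element, routes)),
    }


# Routes through the SBS internal adapter in the final configuration.
# The on-link 192.168.16.0/255.255.255.0 entry is an assumption; the
# 10.0.0.0 MASK 255.0.0.0 entry is the persistent route from the thread.
THREAD_ROUTES = [route("192.168.16.0", "255.255.255.0"),
                 route("10.0.0.0", "255.0.0.0")]

# Internal network element: the LAN plus the 10.0.0.0-10.0.0.255 range
# that the thread says was added in ISA 2004.
THREAD_NETWORK = [span("192.168.16.0", "192.168.16.255"),
                  span("10.0.0.0", "10.0.0.255")]

# Constructed variant: the same route with the 255.255.255.0 mask that the
# thread uses for the client-side route, so the two definitions line up.
NARROW_ROUTES = [route("192.168.16.0", "255.255.255.0"),
                 route("10.0.0.0", "255.255.255.0")]

if __name__ == "__main__":
    print("thread config :", conflicts(THREAD_ROUTES, THREAD_NETWORK))
    print("narrowed route:", conflicts(NARROW_ROUTES, THREAD_NETWORK))
```
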
