RE: ISA 2004 help please



Hi Jim,

Thanks for your update.

I will look forward to your test result.

Thanks for your time.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: ISA 2004 help please
| From: =?Utf-8?B?SmltIE11c3N1bG1hbg==?=
<JimMussulman@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: ISA 2004 help please
| Date: Fri, 15 Sep 2006 06:10:01 -0700
|
| Answers to your questions in order:
| 1. Yes, I do want internal clients behind the ISA firewall to access these
| assets. They were able to do so with the same client setup prior to moving
| from ISA 2000 to ISA 2004.
|
| 2. Yes, I added a persistent route with the route add -p command line
| command in the format you show, with the gateway portion of the command set
| to 192.168.16.1. (This is the exact same setting that I used with the ISA
| 2000 firewall and did not have any problem connecting.) When I did that, I got
| a message in the event log - Event ID 14147 which says: "ISA Server detected
| routes through adapter Server Local Area Connection that do not correlate
| with the network element to which this adapter belongs. For best practice,
| the address range of an ISA Server network should match the address ranges
| routable through the associated network adapter as defined in the routing
| table. Otherwise valid packets may be dropped as spoofed. (This alert may
| occur momentarily when you create a remote site network. You may safely
| ignore this message if it does not reoccur.) The address ranges in conflict
| are: 172.xxx.xxx.101-172.xxx.xxx.101;192.168.16.0-192.168.16.0;. "
|
| 3. I have not set a static route on the LAN clients, for I did not have to
| do so with the previous firewall. One of the applications is a telnet client
| that points to an address in the 172 range shown above.
|
| Thank you for your response. I will try your recommendations and report back.
| Jim
|
| "Crina Li" wrote:
|
| > Hi Jim,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > To narrow down the problem, would you please help me collect the detailed
| > network diagram? Do you mean you want to access these resources from
| > internal client of SBS with ISA 2004?
| >
| > Do you mean you have added PersistentRoute on the SBS via Route Add *.*.*.*
| > MASK 255.0.0.0 *.*.*.* -p? If the issue still occurs, please try the
| > following information:
| >
| > 1. Create static route on each of the client computers.
| > 2. On the LAN client, disable Firewall client, disable Web Proxy client,
| > enable SecureNAT client. (The default gateway is pointing to the ISA
| > Server's internal interface).
| >
| > I appreciate your time and look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Thread-Topic: ISA 2004 help please
| > | From: Jim Mussulman <JimMussulman@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: ISA 2004 help please
| > | Date: Thu, 14 Sep 2006 07:31:01 -0700
| > |
| > | We have been using SBS 2000 with ISA firewall to connect to some hospital
| > | assets (Xray images, etc.) from SBS. We are a doctors office in a medical
| > | office complex that has our own internet access and network. I recently
| > | replaced the server and OS to SBS 2003 Premium and cannot reach those assets.
| > | I created a new domain and added the users rather than migrating.
| > |
| > | Here is the scenario:
| > | The hospital is using 192.168.16.1 as the gateway from our network to the
| > | assets that are setup on a VLAN. On the old server, I set up a persistent
| > | route to the IP's of those assets, and was able to connect with no problem.
| > | The internal IP range for my server was 192.168.16.0 through 192.168.16.255.
| > |
| > | When I set up the new server, I applied the persistent routing to the server
| > | using the route add command and configured networks and policies to access
| > | those assets as I had done on the old machine. I began to get messages that
| > | there was a route that was not valid and the ISA server would treat it as
| > | possible spoofing. Originally I used an edge template, for that was the
| > | configuration used on the old server. I could not connect, so I changed the
| > | template to a perimeter and identified the IP of 192.168.16.1 as the
| > | perimeter IP. I also changed the IP range for the SBS to 192.168.16.2 and
| > | above (thinking that the 16.1 address would be outside the internal network
| > | range). I set up policies and I still cannot connect to those assets. I
| > | would really appreciate any configuration help so the doctors can see the
| > | Xrays.
| > |
| > | Thanks in advance.
| > | Jim Mussulman
| > |
| > |
| > |
| >
| >
|
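The Event ID 14147 text quoted in the thread says an ISA Server network's address range should match the ranges routable through its adapter. The sketch below is an added example (not part of the thread, and a simplified model rather than ISA Server's own logic) that computes the mismatch between the two as address ranges. The 172.16.0.101 host route and the 192.168.16.1-192.168.16.255 network definition are constructed stand-ins, since the thread masks the real 172 address and does not list the configured range.

```python
import ipaddress

def _merge(intervals):
    """Sort and merge inclusive (start, end) integer intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return merged

def _subtract(a, b):
    """Parts of merged interval list a that merged list b does not cover."""
    out = []
    for start, end in a:
        cur = start
        for b_start, b_end in b:
            if b_end < cur or b_start > end:
                continue                      # no overlap with what is left of a
            if b_start > cur:
                out.append((cur, b_start - 1))
            cur = b_end + 1
        if cur <= end:
            out.append((cur, end))
    return out

def conflicts(route_prefixes, network_ranges):
    """Ranges routable via the adapter but absent from the network definition, or vice versa."""
    routed = _merge((int(n.network_address), int(n.broadcast_address))
                    for n in map(ipaddress.ip_network, route_prefixes))
    defined = _merge((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
                     for lo, hi in network_ranges)
    diff = _merge(_subtract(routed, defined) + _subtract(defined, routed))
    return ["%s-%s" % (ipaddress.ip_address(s), ipaddress.ip_address(e)) for s, e in diff]

# Constructed sample data (assumptions, not values taken from the thread).
ROUTES = ["192.168.16.0/24", "172.16.0.101/32"]  # on-link subnet + persistent host route
BEFORE = [("192.168.16.1", "192.168.16.255")]     # assumed network definition
AFTER = [("192.168.16.0", "192.168.16.255"),      # definition widened to match the routes
         ("172.16.0.101", "172.16.0.101")]

if __name__ == "__main__":
    print("before:", conflicts(ROUTES, BEFORE))
    print("after: ", conflicts(ROUTES, AFTER))
```

With the constructed "before" definition the result has the same shape as the conflict list in the quoted alert; once the definition covers every address the routing table sends through the adapter, the list is empty.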
