RE: Q: Cannot access published web server from internal network

This already works... With Server Publishing, anyway.  I have not tried it
with just Web Publishing.

My www.domain.com site resolves to an external IP (DNS maintained by ISP).
That IP is Server Published to an internal box.  If an internal client
(using FW client or Web Proxy) goes to www.domain.com, it does indeed
re-route them to the internal site just like an external client.  The only
rub, like Jim said, is that it writes an event log saying that there is a
conflict in the LAT blah blah blah.  However, it does work... I do it all
the time.



----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 27, 2001 5:19 PM
Subject: [isalist] RE: Q: Cannot access published web server from internal network


> http://www.ISAserver.org
>
>
> Yes, I understood that, and even once thought that it should happen
> "transparently", but after fighting my way through it and learning a bit
> about ISA, I came to understand that it just doesn't make sense to ask the
> NAT process to "double-NAT" the packet when a direct connection is not only
> possible, but more efficient.
>
> Essentially, the packet travels like this:
> 1. the client at 192.168.0.2 gets the external IP for the requested name,
> say 123.123.123.123.
> 2. the client then proceeds to ask ISA to proxy the request to that IP
> address
> 3. ISA receives the request and attempts to route the request to the NAT
> editor, who then realizes that the original source IP and the new
> destination IP are both in the LAT.  At this point the ISA logic asks "why
> are we even trying to do this?" and drops the communication while making an
> event log entry.
>
> It's an effect I like to refer to as "isotropic IP bounce" (with a smirk)
> and it just doesn't make sense in the grand scheme of things.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
>
> ----- Original Message -----
> From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, September 27, 2001 16:58
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
>
> Hi Jim,
>
> I think what Andrew is attempting is as follows (I can see his logic,
> and wouldn't mind replicating :)
>
> + External user connects to http://my.web.site
>   - Resolves to ISA external IP address
>   - ISA proxies the request, and passes data back to external user
>
> He wants to do the same, except substituting external with internal,
> giving one url for one address - it seems logical to do it this way, as
> you don't have to manage two DNS servers, and attempt to keep the
> mappings current and up to date.
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Sent: Thursday, 27 September 2001 23:55
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> >
> > You want to translate www.externalname.com to an internal IP, but you don't
> > want to provide name resolution with that capability?
> > Ok, you have to take the freeway to work, but you have to ride your kid's
> > tricycle and you have to maintain the speed limit.
> >
> > Reality check, here; no host connects to another by using names.  That's
> > strictly for us dumb humans that can't remember a 32-bit number.
> > Speaking of which, do you think IPv6 is going to make it any easier?
> > Every TCP/IP connection that one host makes to another is through IP
> > addresses and, if they're on the same routed subnet, MAC addresses.
> > FQDN (DNS) resolution services allow hosts to talk to each other *_ in
> > spite of _* the "friendly names" we use.
> >
> > Two choices; stop trying to "beat the system" and
> >     1. set up an internal DNS solution
> > or
> >     2. quit trying to connect internally using an external name
>
>
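
The packet walk quoted above and the internal-DNS alternative, as an added example that is not part of the original thread and is not ISA Server's own logic. It is a simplified model that only flags the condition both posters describe (source and translated destination both in the LAT); the /24 LAT range, the internal server 192.168.0.10 and the external test addresses are assumptions.

```python
import ipaddress

# Constructed sample data. 192.168.0.2, 123.123.123.123 and www.domain.com come
# from the thread; the /24 LAT range and server 192.168.0.10 are assumptions.
LAT = [ipaddress.ip_network("192.168.0.0/24")]
PUBLISHED = {"123.123.123.123": "192.168.0.10"}       # external IP -> internal server
PUBLIC_DNS = {"www.domain.com": "123.123.123.123"}    # zone held at the ISP
INTERNAL_DNS = {"www.domain.com": "192.168.0.10"}     # internal zone (choice 1)


def in_lat(addr):
    """True if addr falls inside any Local Address Table range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAT)


def classify(src, dst):
    """Classify a connection from src to dst in this simplified model."""
    if in_lat(src) and in_lat(dst):
        return "direct"            # both internal: publishing is never involved
    target = PUBLISHED.get(dst)
    if target is None:
        return "outbound" if in_lat(src) else "not-published"
    if in_lat(src) and in_lat(target):
        return "lat-conflict"      # source and translated destination both in LAT
    return "published"             # ordinary inbound publishing


def connect_by_name(client, name, zone):
    """Resolve name in the given zone, then classify the resulting connection."""
    return classify(client, zone[name])


if __name__ == "__main__":
    # 198.51.100.7 is a constructed external client (documentation range).
    for label, client, zone in [
        ("external client, public DNS", "198.51.100.7", PUBLIC_DNS),
        ("internal client, public DNS", "192.168.0.2", PUBLIC_DNS),
        ("internal client, internal DNS", "192.168.0.2", INTERNAL_DNS),
    ]:
        print(f"{label}: {connect_by_name(client, 'www.domain.com', zone)}")
```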
