RE: Q: Cannot access published web server from internal network
- From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 5 Oct 2001 17:16:04 +1000
*grumbles* It's Friday, so it's not going to work.
Plus the fact that I've got to build a Commerce Server before COB (got
notification @ 15:00!!)
I guess that's why we've got weekends - to be able to manage all the
overtime :/
I'll have a play on Monday & report back then :)
--
Anthony Michaud
Network Administrator
Act! Certified Consultant
eLogix Corporation Pty Ltd
In theory, there is no difference between theory and practice. But in
practice, there is.
> -----Original Message-----
> From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> Sent: Friday, 5 October 2001 14:18
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Q: Cannot access published web server from inte
> rnal network
>
>
> http://www.ISAserver.org
>
>
> Yep, you can load up the external nic with IP's (I have heard
> the max is about 22-25). It may even
> work with differing gateway's but I have no set experience doing that.
>
> HTH's
> ----- Original Message -----
> From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, October 05, 2001 12:16 AM
> Subject: [isalist] RE: Q: Cannot access published web server
> from inte rnal network
>
>
> http://www.ISAserver.org
>
>
> Question: (haven't done it yet, nor tried, was going to put it on the
> "later" list) I've got an IP for the ISA x.y.z.102/252 - can I simply
> add the IPs (x.y.z.104/248) to the external NIC on the ISA box? I'm
> fairly sure it will work, just want to be *sure*
>
> --
> Anthony Michaud
> Network Administrator
> Act! Certified Consultant
> eLogix Corporation Pty Ltd
>
> In theory, there is no difference between theory and practice. But in
> practice, there is.
>
> > -----Original Message-----
> > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > Sent: Friday, 5 October 2001 13:57
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Q: Cannot access published web
> server from inte
> > rnal network
> >
> >
> > http://www.ISAserver.org
> >
> >
> > I have them all behind secureNAT servers, I do have 6 or so IP's to play
> > with, but only publish the servers that are needed.
> >
> >
> > ----- Original Message -----
> > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, October 04, 2001 11:52 PM
> > Subject: [isalist] RE: Q: Cannot access published web server
> > from inte rnal network
> >
> >
> > http://www.ISAserver.org
> >
> >
> > So you're doing server/web publishing to a NAT network or you have real
> > IP's for your four?
> >
> > --
> > Anthony Michaud
> > Network Administrator
> > Act! Certified Consultant
> > eLogix Corporation Pty Ltd
> >
> > In theory, there is no difference between theory and
> practice. But in
> > practice, there is.
> >
> > > -----Original Message-----
> > > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > > Sent: Friday, 5 October 2001 12:41
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Q: Cannot access published web
> > server from inte
> > > rnal network
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > > I don't have many exact specifics, but...
> > > > - for instance web pub rule blocked out code red by itself, server pub
> > > > rules were not supposed to.
> > > > - I believe you would lose the web acceleration side of ISA server.
> > > >
> > > >
> > > > Perhaps this would make a good article ?
> > > >
> > > > I wish I had more specifics, but that's all I got :)
> > > > I have a 4 server network set-up, its primary purpose is for a web
> > > > application, complete with E2K, SQL 2K, etc etc...
> > > > I elected not to bother with a dmz or trihomed, I figured most of the
> > > > servers would need to be exposed to the dmz anyways, so why bother.
> > > > Anyways, it's been running all right so far.
> > >
> > > regards,
> > > Mark
> > > ----- Original Message -----
> > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Thursday, October 04, 2001 10:26 PM
> > > Subject: [isalist] RE: Q: Cannot access published web server
> > > from inte rnal network
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > > What features can you lose with server publishing? I'd imagine that
> > > > there may be security issues, but if you've got specifics, I wouldn't
> > > > mind knowing them.
> > > >
> > > > I've got an additional set of IP addy's that I'd like to use, but have
> > > > one server to use. I can't (easily) put the current server in a DMZ
> > > > situation, as I require MSMQ + SQL + possibly other networked
> > > > applications (LDAP etc, the machine is a part of the domain).
> > > >
> > > > I *might* be able to find another computer, but that still doesn't help
> > > > - when trialing a DMZ (tri-nic) setup, I wasn't able to successfully
> > > > configure the ISA to have web access to the real world IP's.
> > >
> > > --
> > > Anthony Michaud
> > > Network Administrator
> > > Act! Certified Consultant
> > > eLogix Corporation Pty Ltd
> > >
> > > In theory, there is no difference between theory and
> > practice. But in
> > > practice, there is.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > > > Sent: Friday, 5 October 2001 12:20
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Q: Cannot access published web
> > > server from inte
> > > > rnal network
> > > >
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > yes, you can but you lose several desirable features of the
> > > > web pub. rule.
> > > >
> > > > ----- Original Message -----
> > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > Sent: Thursday, October 04, 2001 10:17 PM
> > > > Subject: [isalist] RE: Q: Cannot access published web server
> > > > from inte rnal network
> > > >
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > > (damn send button got pressed before I'd thought :)
> > > > >
> > > > > It's a Web Publishing rule, I wasn't aware that you could do http through
> > > > > server publishing?
> > > >
> > > > --
> > > > Anthony Michaud
> > > > Network Administrator
> > > > Act! Certified Consultant
> > > > eLogix Corporation Pty Ltd
> > > >
> > > > In theory, there is no difference between theory and
> > > practice. But in
> > > > practice, there is.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > > > > Sent: Friday, 5 October 2001 12:13
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Q: Cannot access published web
> > > > server from inte
> > > > > rnal network
> > > > >
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > >
> > > > > How is it published ? Web rule or server rule ?
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > Sent: Thursday, October 04, 2001 10:13 PM
> > > > > Subject: [isalist] RE: Q: Cannot access published web server
> > > > > from inte rnal network
> > > > >
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > >
> > > > > > I published the website, and can access it via the one method (ISA
> > > > > > redirect). I'm still attempting to get the ISA server to pass the
> > > > > > correct client IP to the website (eg: send 123.456.789.123 instead of
> > > > > > isa IP address). Is that even possible?
> > > > >
> > > > > --
> > > > > Anthony Michaud
> > > > > Network Administrator
> > > > > Act! Certified Consultant
> > > > > eLogix Corporation Pty Ltd
> > > > >
> > > > > In theory, there is no difference between theory and
> > > > practice. But in
> > > > > practice, there is.
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > > > Sent: Friday, 5 October 2001 11:33
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Q: Cannot access published web
> > > > > server from inte
> > > > > > rnal network
> > > > > >
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > >
> > > > > > Which "this"; the workaround or leaving it be?
> > > > > >
> > > > > >
> > > > > > Jim Harrison
> > > > > > MCP(2K), A+, Network+, PCG
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > > > To: "[ISAserver.org Discussion List]"
> <isalist@xxxxxxxxxxxxx>
> > > > > > Sent: Thursday, October 04, 2001 18:21
> > > > > > Subject: [isalist] RE: Q: Cannot access published web server
> > > > > > from inte rnal
> > > > > > network
> > > > > >
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > >
> > > > > > Hi Guys,
> > > > > >
> > > > > > > I'd like to confirm that this does work - I've now just got to get
> > > > > > > multiple virtuals working ... *sighs*
> > > > > > --
> > > > > > Anthony Michaud
> > > > > > Network Administrator
> > > > > > Act! Certified Consultant
> > > > > > eLogix Corporation Pty Ltd
> > > > > >
> > > > > > In theory, there is no difference between theory and
> > > > > practice. But in
> > > > > > practice, there is.
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> > > > > > > Sent: Friday, 28 September 2001 10:39
> > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > Subject: [isalist] RE: Q: Cannot access published web
> > > > > > server from inte
> > > > > > > rnal network
> > > > > > >
> > > > > > >
> > > > > > > http://www.ISAserver.org
> > > > > > >
> > > > > > >
> > > > > > > This already works... With Server Publishing, anyway. I have not tried it
> > > > > > > with just Web Publishing.
> > > > > > >
> > > > > > > My www.domain.com site resolves to an external IP (DNS maintained by ISP).
> > > > > > > That IP is Server Published to an internal box. If an internal client
> > > > > > > (using FW client or Web Proxy) goes to www.domain.com, it does indeed
> > > > > > > re-route them to the internal site just like an external client. The only
> > > > > > > rub, like Jim said, is that it writes an event log saying that there is a
> > > > > > > conflict in the LAT blah blah blah. However, it does work... I do it all
> > > > > > > the time.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > > > > > > To: "[ISAserver.org Discussion List]"
> > <isalist@xxxxxxxxxxxxx>
> > > > > > > Sent: Thursday, September 27, 2001 5:19 PM
> > > > > > > Subject: [isalist] RE: Q: Cannot access published
> web server
> > > > > > > from inte rnal
> > > > > > > network
> > > > > > >
> > > > > > >
> > > > > > > > http://www.ISAserver.org
> > > > > > > >
> > > > > > > >
> > > > > > > > Yes, I understood that, and even once thought that it should happen
> > > > > > > > "transparently", but after fighting my way through it and learning a bit
> > > > > > > > about ISA, I came to understand that it just doesn't make sense to ask the
> > > > > > > > NAT process to "double-NAT" the packet when a direct connection is not only
> > > > > > > > possible, but more efficient.
> > > > > > > >
> > > > > > > > Essentially, the packet travels like this:
> > > > > > > > 1. the client at 192.168.0.2 gets the external IP for the requested name,
> > > > > > > > say 123.123.123.123.
> > > > > > > > 2. the client then proceeds to ask ISA to proxy the request to that IP
> > > > > > > > address
> > > > > > > > 3. ISA receives the request and attempts to route the request to the NAT
> > > > > > > > editor, who then realizes that the original source IP and the new
> > > > > > > > destination IP are both in the LAT. At this point the ISA logic asks "why
> > > > > > > > are we even trying to do this?" and drops the communication while making an
> > > > > > > > event log entry.
> > > > > > > >
> > > > > > > > It's an effect I like to refer to as "isotropic IP bounce" (with a smirk)
> > > > > > > > and it just doesn't make sense in the grand scheme of things.
> > > > > > > >
> > > > > > > > Jim Harrison
> > > > > > > > MCP(2K), A+, Network+, PCG
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > > > > > To: "[ISAserver.org Discussion List]"
> > > <isalist@xxxxxxxxxxxxx>
> > > > > > > > Sent: Thursday, September 27, 2001 16:58
> > > > > > > > Subject: [isalist] RE: Q: Cannot access published web
> > > > > > > server from inte
> > > > > > > rnal
> > > > > > > > network
> > > > > > > >
> > > > > > > >
> > > > > > > > http://www.ISAserver.org
> > > > > > > >
> > > > > > > >
> > > > > > > > Hi Jim,
> > > > > > > >
> > > > > > > > I think what Andrew is attempting is as follows (I can see his logic,
> > > > > > > > and wouldn't mind replicating :)
> > > > > > > >
> > > > > > > > + External user connects to http://my.web.site
> > > > > > > > - Resolves to ISA external IP address
> > > > > > > > - ISA proxies the request, and passes data back to external user
> > > > > > > >
> > > > > > > > He wants to do the same, except substituting external with internal,
> > > > > > > > giving one url for one address - it seems logical to do it this way, as
> > > > > > > > you don't have to manage two DNS servers, and attempt to keep the
> > > > > > > > mappings current and up to date.
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > > > > > > Sent: Thursday, 27 September 2001 23:55
> > > > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > > > Subject: [isalist] RE: Q: Cannot access published web
> > > > > > > server from inte
> > > > > > > > > rnal network
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > http://www.ISAserver.org
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > You want to translate www.externalname.com to an internal IP,
> > > > > > > > > but you don't want to provide name resolution with that capability?
> > > > > > > > > Ok, you have to take the freeway to work, but you have to
> > > > > > > > > ride your kid's tricycle and you have to maintain the speed limit.
> > > > > > > > >
> > > > > > > > > Reality check, here; no host connects to another by using
> > > > > > > > > names. That's strictly for us dumb humans that can't remember a
> > > > > > > > > 32-bit number.
> > > > > > > > > Speaking of which, do you think IPv6 is going to make it any easier?
> > > > > > > > > Every TCP/IP connection that one host makes to another is through IP
> > > > > > > > > addresses and, if they're on the same routed subnet, MAC addresses.
> > > > > > > > > FQDN (DNS) resolution services allow hosts to talk to each
> > > > > > > > > other *_ in spite of _* the "friendly names" we use.
> > > > > > > > >
> > > > > > > > > Two choices; stop trying to "beat the system" and
> > > > > > > > > 1. set up an internal DNS solution
> > > > > > > > > or
> > > > > > > > > 2. quit trying to connect internally using an external name
> > > > > > > >
> > > > > > > >
> > > > > > > > ------------------------------------------------------
> > > > > > > > You are currently subscribed to this ISAserver.org
> > > > > > > Discussion List as:
> > > > > > > > jim@xxxxxxxxxxxx
> > > > > > > > To unsubscribe send a blank email to
> > > > > > > $subst('Email.Unsub')
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ------------------------------------------------------
> > > > > > > > You are currently subscribed to this ISAserver.org
> > > > > > > Discussion List as:
> > > > > > > thor@xxxxxxxxxxxxxxx
> > > > > > > > To unsubscribe send a blank email to
> > > > > > > $subst('Email.Unsub')
> > > > > > >
> > > > > > > ------------------------------------------------------
> > > > > > > You are currently subscribed to this ISAserver.org
> > Discussion
> > > > > > > List as: anthonym@xxxxxxxxxxxxxx
> > > > > > > To unsubscribe send a blank email to
> > > > > > > $subst('Email.Unsub')
> > > > > > >
> > > > > >
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org
> > > > > Discussion List as:
> > > > > > jim@xxxxxxxxxxxx
> > > > > > To unsubscribe send a blank email to
> > > > > > $subst('Email.Unsub')
> > > > > >
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org
> Discussion
> > > > > > List as: anthonym@xxxxxxxxxxxxxx
> > > > > > To unsubscribe send a blank email to
> > > > > > $subst('Email.Unsub')
> > > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion
> > > > > List as: strangconst@xxxxxxxx
> > > > > To unsubscribe send a blank email to
> > > > > $subst('Email.Unsub')
> > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion
> > > > > List as: anthonym@xxxxxxxxxxxxxx
> > > > > To unsubscribe send a blank email to
> > > > > $subst('Email.Unsub')
> > > > >
> > > >
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: strangconst@xxxxxxxx
> > > > To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: anthonym@xxxxxxxxxxxxxx
> > > > To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: strangconst@xxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: anthonym@xxxxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: strangconst@xxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: anthonym@xxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: strangconst@xxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: anthonym@xxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
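
A small model of the behaviour Jim Harrison describes in the quoted thread above (client and published target both inside the LAT) and of his first suggested fix, an internal DNS record. This is an added example, not code from the list or from ISA Server; the /24 LAT range, the internal server address 192.168.0.10, the name `intranet.local` and all function names are assumptions.

```python
import ipaddress

# Constructed sample data. 192.168.0.2 and 123.123.123.123 are the addresses
# used in the thread; the /24 LAT range and 192.168.0.10 are assumptions.
LAT = [ipaddress.ip_network("192.168.0.0/24")]
PUBLISHED = {  # external (published) IP -> internal server IP
    ipaddress.ip_address("123.123.123.123"): ipaddress.ip_address("192.168.0.10"),
}


def in_lat(ip, lat=LAT):
    """True if the address falls inside any Local Address Table range."""
    return any(ip in net for net in lat)


def classify(client, resolved, lat=LAT, published=PUBLISHED):
    """Classify a request from `client` to the address its DNS lookup returned."""
    client = ipaddress.ip_address(client)
    resolved = ipaddress.ip_address(resolved)
    if in_lat(resolved, lat):
        return "direct"            # name already resolves to an internal host
    target = published.get(resolved)
    if target is None:
        return "outbound"          # ordinary Internet destination
    if in_lat(client, lat) and in_lat(target, lat):
        return "lat-conflict"      # step 3 in the thread: both ends in the LAT
    return "published"             # external client reaching a published server


def internal_dns_fixes(internal_view, client, lat=LAT, published=PUBLISHED):
    """Return {name: internal_ip} for names that internal clients resolve to a
    published external IP, i.e. the records an internal DNS zone should hold."""
    fixes = {}
    for name, resolved in internal_view.items():
        if classify(client, resolved, lat, published) == "lat-conflict":
            fixes[name] = str(published[ipaddress.ip_address(resolved)])
    return fixes


if __name__ == "__main__":
    # Constructed view of what an internal client currently resolves.
    view = {"www.domain.com": "123.123.123.123", "intranet.local": "192.168.0.20"}
    print(classify("192.168.0.2", "123.123.123.123"))
    print(internal_dns_fixes(view, "192.168.0.2"))
```
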