One other point of clarification: Internal clients should NEVER EVER EVER connect to an ISA external IP to reach an internal resource. Stop doing that. It won't work. It isn't supported.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org

Read the help / books / articles!

On Wed, 18 Aug 2004 16:32:25 -0500 "Michael Ellis" <isalist@xxxxxxxx> wrote:

http://www.ISAserver.org

One point of clarification - the client application uses the IP address of the public side of the firewall - no DNS is involved in this case.

Michael Ellis

----- Original Message -----
From: Stephen Herrera
To: [ISAserver.org Discussion List]
Sent: Wednesday, August 18, 2004 2:51 PM
Subject: [isalist] RE: Problem accessing internal server from inside via ISA 2000

I am pretty sure I understand your problem. I believe it worked before in your NT environment because NT did not lean on DNS as much as Windows 2000. I have things that get accessed from the inside and outside like you are saying, but I have DNS entries for my internal clients that tell them to go to the local IP address rather than passing outside the firewall and coming back in.

Steve

-----Original Message-----
From: Michael Ellis [mailto:isalist@xxxxxxxx]
Sent: Wednesday, August 18, 2004 12:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Problem accessing internal server from inside via ISA 2000

This is a bit long, but bear with me. I will attempt to provide as much detail as I can to describe my problem.

I have ISA 2000 running on a Win2K member server. I recently upgraded my NT 4.0 domain to Win2K3 Active Directory. After the domain upgrade I found that incoming VPN sessions to the ISA server failed to authenticate. I manually added the ISA server to the RAS group, but this did not fix the problem. After much stumbling and bumbling, I finally installed ISA SP2 and fixed the authentication problem.

A couple of days after the SP2 installation one of my users approached me with a problem. I have a database application running on a server behind my ISA firewall. I have published the server, allowing access only to the specific port used by this application. From what I can determine at this point:

1) External users do not have any problem connecting to the server from outside the firewall.
2) Internal users do not have any problem connecting to the server if they bypass the firewall (i.e. - use the internal IP address of the database server).
3) Internal users who attempt to connect to the server using the external "published" address usually fail to connect to the server, but occasionally will connect with no problem. In repeated back-to-back attempts, perhaps one out of 10 attempts will succeed.

This was not a problem prior to the move to Active Directory and the subsequent application of ISA SP2 as a result of the RRAS authentication problem. It is also possible that in attempting to locate and correct the RRAS problem I inadvertently changed something else that is causing the problem.

Using a packet sniffer I captured all traffic between an internal client, the ISA server and the internal database server. During a connection attempt I see the following sequence of packets:

client -> firewall - MSProxy Client Message: Connect
firewall -> client - MSProxy Server Message: Connect Ack, use internal port 61370
client -> firewall - TCP [SYN] to port 61370
firewall -> client - TCP [SYN, ACK]
client -> firewall - TCP [ACK]

At this point, for successful connections I see the following:

firewall -> server - TCP [SYN] to port 5993 (port # used by the database app)
server -> firewall - TCP [SYN, ACK]
firewall -> server - TCP [ACK]

After this, I see the client submit data to the firewall and I see the firewall pass the data to the database server. Data from the server gets passed back through the firewall to the client, and all is as it should be.
For those connection attempts that fail, I never see the firewall open a connection with the server. The client submits data to the firewall, but the firewall does not send it to the server. The client eventually times out waiting on a response.

I know this is a lot of information, but it's pretty straightforward. From all appearances, the firewall doesn't always route data to an internal server from an internal client. Where do I go from here?

Thank you,
Michael Ellis

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: sherrera@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
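The two checks below are an added example, not code from this thread or from ISA Server. The first parses capture lines in the same "src -> dst - description" notation Michael's post uses and reports, per Firewall Client connection attempt, whether the firewall ever opened the back-end connection (the failure mode he describes is an attempt where it never does). The second implements the fix Stephen and Jim point at: given the addresses internal clients will actually use for a published service, whether hard-coded or handed out by internal DNS, flag any that are the firewall's own external address, since those would hairpin through the external interface. All host names, addresses and capture lines are constructed for the example.

```python
"""Constructed example for the ISA "internal client hits the published
external address" problem. Nothing here is ISA Server's own code; the
capture notation is borrowed from the post, the data is made up.
"""
import ipaddress
import re

# One "src -> dst - description" line per packet, as written in the post.
PACKET_RE = re.compile(r"^(?P<src>\w+)\s*->\s*(?P<dst>\w+)\s*-\s*(?P<desc>.+)$")

# Firewall Client control message that begins a new connection attempt.
CONNECT_MARKER = "MSProxy Client Message: Connect"


def parse_packet(line):
    """Return (src, dst, desc) for one capture line, or None if it does not parse."""
    m = PACKET_RE.match(line.strip())
    return (m["src"], m["dst"], m["desc"]) if m else None


def classify_attempts(lines):
    """Split a capture into attempts and label each 'relayed' or 'not relayed'.

    An attempt starts at the client's Connect message. It is 'relayed' if the
    firewall later sends a TCP SYN to the server; otherwise the firewall took
    the client's handshake but never opened the back-end connection.
    """
    attempts = []
    current = None
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, dst, desc = pkt
        if src == "client" and dst == "firewall" and CONNECT_MARKER in desc:
            current = {"backend_syn": False}
            attempts.append(current)
        if current is None:
            continue  # packets before the first Connect belong to no attempt
        if src == "firewall" and dst == "server" and "[SYN]" in desc:
            current["backend_syn"] = True
    return ["relayed" if a["backend_syn"] else "not relayed" for a in attempts]


def find_hairpins(targets, external_ips):
    """Return (name, ip) pairs whose address is one of the firewall's external
    addresses, i.e. an internal client using it would loop back through ISA.

    targets: mapping of service name -> IP string the internal client will use.
    external_ips: the firewall's public-side IP strings.
    """
    external = {ipaddress.ip_address(ip) for ip in external_ips}
    return [(name, ip) for name, ip in targets.items()
            if ipaddress.ip_address(ip) in external]


# Constructed capture: one attempt that is relayed, then one that is not.
SAMPLE_CAPTURE = """
client -> firewall - MSProxy Client Message: Connect
firewall -> client - MSProxy Server Message: Connect Ack, use internal port 61370
client -> firewall - TCP [SYN] to port 61370
firewall -> client - TCP [SYN, ACK]
client -> firewall - TCP [ACK]
firewall -> server - TCP [SYN] to port 5993
server -> firewall - TCP [SYN, ACK]
firewall -> server - TCP [ACK]
client -> firewall - MSProxy Client Message: Connect
firewall -> client - MSProxy Server Message: Connect Ack, use internal port 61371
client -> firewall - TCP [SYN] to port 61371
firewall -> client - TCP [SYN, ACK]
client -> firewall - TCP [ACK]
client -> firewall - TCP [PSH, ACK] application data
""".strip().splitlines()

# Constructed addresses: "db-app" is hard-coded to the public side, as in the
# thread; "db-app-internal" is what a split-DNS entry should hand out instead.
SAMPLE_TARGETS = {"db-app": "203.0.113.10", "db-app-internal": "192.168.10.25"}
SAMPLE_EXTERNAL_IPS = ["203.0.113.10"]

if __name__ == "__main__":
    print(classify_attempts(SAMPLE_CAPTURE))
    print(find_hairpins(SAMPLE_TARGETS, SAMPLE_EXTERNAL_IPS))
```

Feed classify_attempts() the full capture from a few back-to-back tries and the ratio of "not relayed" to "relayed" should match the roughly one-in-ten success rate described; feed find_hairpins() every address your internal clients are configured with (or every answer your internal DNS gives for the published names) and anything it returns is a client that is going out through the firewall's external address and should be pointed at the internal IP instead.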