RE: Problem accessing internal server from inside via ISA 2000

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Aug 2004 10:23:53 -0500

Hi Tim,
 
"You Need a Split DNS!"
 
Check for article by that name.
 
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

        -----Original Message-----
        From: tim S [mailto:tim724342@xxxxxxxxx]
        Sent: Thursday, August 19, 2004 10:21 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Problem accessing internal server from inside via ISA 2000

        http://www.ISAserver.org
        Jim,
        I would really appreciate it if you can clarify the "it isn't supported" statement. Because if I type www.company.com, which is published internally behind the firewall, my web browser can successfully go to the external NIC IP and come in to the webserver and retrieve the pages. But some https sites have problems. Thanks

        Jim Harrison <jim@xxxxxxxxxxxx> wrote:

                http://www.ISAserver.org
                
                One other point of clarification:
                Internal clients should NEVEREVEREVER connect to an ISA external IP to reach an internal resource.
                
                Stop doing that.
                It won't work.
                It isn't supported.
                
                Jim Harrison
                MCP(NT4, W2K), A+, Network+, PCG
                http://isaserver.org/Jim_Harrison/
                http://isatools.org
                Read the help / books / articles!
                
                
                On Wed, 18 Aug 2004 16:32:25 -0500
                "Michael Ellis" wrote:
                http://www.ISAserver.org
                
                One point of clarification - the client application uses the IP address of the public side of the firewall - no DNS is involved in this case.
                
                Michael Ellis
                
                
                ----- Original Message ----- 
                From: Stephen Herrera
                To: [ISAserver.org Discussion List]
                Sent: Wednesday, August 18, 2004 2:51 PM
                Subject: [isalist] RE: Problem accessing internal server from inside via ISA 2000
                
                
                http://www.ISAserver.org
                
                I am pretty sure I understand your problem. I believe it worked before in your NT environment because NT did not lean on DNS as much as Windows 2000. I have things that get accessed from the inside and outside like you are saying, but I have DNS entries for my internal clients that tell them to go to the local IP address rather than passing outside the firewall and coming back in.
                
                Steve
                
                -----Original Message-----
                From: Michael Ellis [mailto:isalist@xxxxxxxx]
                Sent: Wednesday, August 18, 2004 12:09 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] Problem accessing internal server from inside via ISA 2000
                
                http://www.ISAserver.org
                
                This is a bit long, but bear with me. I will attempt to provide as much detail as I can to describe my problem.
                
                I have ISA 2000 running on a Win2K member server. I recently upgraded my NT 4.0 domain to Win2K3 Active Directory. After the domain upgrade I found that incoming VPN sessions to the ISA server failed to authenticate. I manually added the ISA server to the RAS group, but this did not fix the problem. After much stumbling and bumbling, I finally installed ISA SP2 and fixed the authentication problem.
                
                A couple of days after the SP2 installation one of my users approached me with a problem. I have a database application running on a server behind my ISA firewall. I have published the server, allowing access only to the specific port used by this application. From what I can determine at this point:
                
                1) External users do not have any problem connecting to the server from outside the firewall.

                2) Internal users do not have any problem connecting to the server if they bypass the firewall (i.e. - use the internal IP address of the database server).

                3) Internal users who attempt to connect to the server using the external "published" address usually fail to connect to the server, but occasionally will connect with no problem. In repeated back-to-back attempts, perhaps one out of 10 attempts will succeed.
                
                This was not a problem prior to the move to Active Directory and the subsequent application of ISA SP2 as a result of the RRAS authentication problem. It is also possible that in attempting to locate and correct the RRAS problem I inadvertently changed something else that is causing the problem.
                
                Using a packet sniffer I captured all traffic between an internal client, the ISA server and the internal database server. During a connection attempt I see the following sequence of packets:

                client -> firewall - MSProxy Client Message: Connect
                firewall -> client - MSProxy Server Message: Connect Ack, use internal port 61370
                client -> firewall - TCP [SYN] to port 61370
                firewall -> client - TCP [SYN, ACK]
                client -> firewall - TCP [ACK]
                
                At this point, for successful connections I see the following:

                firewall -> server - TCP [SYN] to port 5993 (port # used by the database app)
                server -> firewall - TCP [SYN, ACK]
                firewall -> server - TCP [ACK]
                
                After this, I see the client submit data to the firewall and I see the firewall pass the data to the database server. Data from the server gets passed back through the firewall to the client, and all is as it should be.
                
                For those connection attempts that fail, I never see the firewall open a connection with the server. The client submits data to the firewall, but the firewall does not send it to the server. The client eventually times out waiting on a response.
                
                I know this is a lot of information, but it's pretty straightforward. From all appearances, the firewall doesn't always route data to an internal server from an internal client. Where do I go from here?
                
                Thank you,
                Michael Ellis
                
                
                
                ------------------------------------------------------
                List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
                ------------------------------------------------------
                Other Internet Software Marketing Sites:
                World of Windows Networking:
http://www.windowsnetworking.com
                Leading Network Software Directory:
http://www.serverfiles.com
                No.1 Exchange Server Resource Site:
http://www.msexchange.org
                Windows Security Resource Site:
http://www.windowsecurity.com/
                Network Security Library: http://www.secinf.net/
                Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
                ------------------------------------------------------
                You are currently subscribed to this ISAserver.org
Discussion List as:
                sherrera@xxxxxxxxxx
                To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                Report abuse to listadmin@xxxxxxxxxxxxx
                

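The fix Tom and Steve recommend above, a split DNS so that internal clients resolve the published name to the server's inside address instead of hairpinning through the ISA external interface, written out as an added example; this script is not from the thread and is not ISA Server's own tooling. It drives the Windows DNS server with dnscmd and checks the result with nslookup. The zone name company.com comes from tim's post; the DNS server name dns01 and the addresses 10.0.0.20, 10.0.0.25 and 203.0.113.10 are assumed placeholders.

```powershell
# Added example (not from the thread): build a split DNS on an internal
# Windows DNS server so published hosts resolve to their inside addresses.
# Assumed placeholders: dns01, 10.0.0.20, 10.0.0.25, 203.0.113.10.
$zone     = 'company.com'     # public zone name, from the thread
$dns      = 'dns01'           # internal DNS server (assumed)
$internal = '10.0.0.20'       # inside address of the published web server (assumed)
$external = '203.0.113.10'    # ISA external interface address (assumed)

# 1. Create an internal primary copy of the public zone. Internal clients
#    must point at this server as their resolver for the split to take effect.
dnscmd $dns /ZoneAdd $zone /Primary /file "$zone.dns"

# 2. Point the published name at the server's *internal* address.
dnscmd $dns /RecordAdd $zone www A $internal

# 3. The internal zone replaces the public one entirely for inside clients,
#    so every other public name (mail, ftp, ...) must be copied here too,
#    each with the address that is reachable from inside.
dnscmd $dns /RecordAdd $zone mail A '10.0.0.25'   # assumed inside address

# 4. Verify from an internal client: the answer must be the internal
#    address; an answer equal to the ISA external IP means clients will
#    still hairpin through the firewall.
$match  = nslookup "www.$zone" $dns 2>$null | Select-String '^Address:' | Select-Object -Last 1
$answer = ($match.Line -replace 'Address:\s*', '').Trim()

if ($answer -eq $internal) {
    Write-Host "OK: www.$zone -> $answer (internal path)"
} elseif ($answer -eq $external) {
    Write-Warning "www.$zone still resolves to the ISA external address $answer; internal clients will loop back through the firewall"
} else {
    Write-Warning "Unexpected answer for www.$zone: '$answer'"
}
```

Two caveats that follow from the thread itself. First, a split DNS only helps clients that reach the server by name; Michael's database application uses the firewall's public IP address directly, so for that application the client configuration has to be changed to the internal address (which, per his point 2, already works). Second, once the internal copy of company.com exists, any public record you forget to copy into it stops resolving from inside, so keep the two zones in step.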
