RE: Problem accessing internal server from inside via ISA 2000

  • From: "Michael Ellis" <isalist@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 31 Aug 2004 12:04:31 -0500

Can you or someone else on the list provide information or a pointer to a
resource with information about setting up an internal Win 2K3 DNS server to
provide alternate addresses for certain host names?  I already have an
internal server working for the domain name "hsv.pesa.com".  This resolves
all internal names and forwards everything else to our ISP's DNS servers.
Our public domain is "pesa.com".  How do I make my local DNS server provide
an internal address for "mail.pesa.com" while allowing the external DNS
server to resolve everything else at pesa.com?

I looked at Tom's article on split DNS and that seems to cover the situation
where you use the same domain name both internally and externally.  The
solution provided in that article requires two separate DNS servers.  Since
I do not use the same domain name in both places the article would not seem
to apply to my situation.

Thanks,
Michael Ellis

----- Original Message -----
From: Stephen Herrera
To: [ISAserver.org Discussion List]
Sent: Wednesday, August 18, 2004 2:51 PM
Subject: [isalist] RE: Problem accessing internal server from inside via ISA 2000


http://www.ISAserver.org

I am pretty sure I understand your problem. I believe it worked before in
your NT environment because NT did not lean on DNS as much as Windows 2000.
I have things that get accessed from the inside and outside like you are
saying but I have DNS entries for my internal clients that tell them to go
to the local IP address rather than passing outside the firewall and coming
back in.

Steve

 -----Original Message-----
From: Michael Ellis [mailto:isalist@xxxxxxxx]
Sent: Wednesday, August 18, 2004 12:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Problem accessing internal server from inside via ISA 2000

This is a bit long, but bear with me.  I will attempt to provide as much
detail as I can to describe my problem.

I have ISA 2000 running on a Win2K member server.  I recently upgraded my NT
4.0 domain to Win2K3 Active Directory.  After the domain upgrade I found
that incoming VPN sessions to the ISA server failed to authenticate.  I
manually added the ISA server to the RAS group, but this did not fix the
problem.  After much stumbling and bumbling, I finally installed ISA SP2 and
fixed the authentication problem.

A couple of days after the SP2 installation one of my users approached me
with a problem.  I have a database application running on a server behind my
ISA firewall.  I have published the server, allowing access only to the
specific port used by this application.  From what I can determine at this
point:

1) External users do not have any problem connecting to the server from
outside the firewall.

2) Internal users do not have any problem connecting to the server if they
bypass the firewall (i.e., use the internal IP address of the database
server).

3) Internal users who attempt to connect to the server using the external
"published" address usually fail to connect to the server, but occasionally
will connect with no problem.  In repeated back-to-back attempts, perhaps
one out of 10 attempts will succeed.

This was not a problem prior to the move to Active Directory and the
subsequent application of ISA SP2 as a result of the RRAS authentication
problem.  It is also possible that in attempting to locate and correct the
RRAS problem I inadvertently changed something else that is causing the
problem.

Using a packet sniffer I captured all traffic between an internal client,
the ISA server and the internal database server.  During a connection
attempt I see the following sequence of packets:

client -> firewall - MSProxy Client Message: Connect
firewall -> client - MSProxy Server Message: Connect Ack, use internal port
61370
client -> firewall - TCP [SYN] to port 61370
firewall -> client - TCP [SYN, ACK]
client -> firewall - TCP [ACK]

At this point, for successful connections I see the following:

firewall -> server - TCP [SYN] to port 5993 (port # used by the database
app)
server -> firewall - TCP [SYN, ACK]
firewall -> server - TCP [ACK]

After this, I see the client submit data to the firewall and I see the
firewall pass the data to the database server.  Data from the server gets
passed back through the firewall to the client, and all is as it should be.

For those connection attempts that fail, I never see the firewall open a
connection with the server.  The client submits data to the firewall, but
the firewall does not send it to the server.  The client eventually times
out waiting on a response.

I know this is a lot of information, but it's pretty straightforward.  From
all appearances, the firewall doesn't always route data to an internal server
from an internal client.  Where do I go from here?

Thank you,
Michael Ellis
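The question at the top of the thread (an internal address for the single name "mail.pesa.com" while the rest of pesa.com keeps resolving through the ISP) is normally solved on a Windows Server 2003 DNS server with a so-called pinpoint zone: a primary forward lookup zone whose name is the host name itself, containing one A record at the zone apex. The server is then authoritative for exactly that one name and still forwards every other pesa.com query. The commands below are an added example written for this page, not from any message in the thread or from any ISAserver.org article; they use the standard dnscmd syntax shipped with Windows Server 2003, and the address 10.0.0.25 is a placeholder, not a value from the thread.

```batch
@echo off
REM Added example: create a "pinpoint" DNS zone for one external host name on a
REM Windows Server 2003 DNS server. Internal clients then get the internal
REM address for mail.pesa.com, while every other name under pesa.com is still
REM sent to the configured forwarders (the ISP's DNS servers).
REM 10.0.0.25 is a placeholder; substitute the mail server's real internal IP.

set INTERNAL_MAIL_IP=10.0.0.25

REM 1) A primary zone named after the host itself. Use "/DsPrimary" instead of
REM    "/Primary /file ..." to store it in Active Directory so it replicates to
REM    every domain controller that runs DNS.
dnscmd /ZoneAdd mail.pesa.com /Primary /file mail.pesa.com.dns

REM 2) One A record at the zone apex ("@" = the zone root, shown as
REM    "(same as parent folder)" in the DNS console). Because the zone name is
REM    the host name, this single record answers queries for "mail.pesa.com".
dnscmd /RecordAdd mail.pesa.com @ A %INTERNAL_MAIL_IP%

REM 3) Verify on the server: the pinpoint name returns the internal address,
REM    while an unrelated pesa.com name is still answered through forwarding.
nslookup mail.pesa.com 127.0.0.1
nslookup www.pesa.com 127.0.0.1

REM 4) Workstations may still hold the public address in their resolver cache
REM    until its TTL expires; flush it on a test client before re-testing:
REM    ipconfig /flushdns
```

Two caveats worth knowing before relying on this. First, the internal server becomes authoritative for everything beneath mail.pesa.com as well, so a name such as anything.mail.pesa.com would be answered locally (NXDOMAIN) rather than by the public DNS; one pinpoint zone is needed per host name you want to override, and nothing else. Second, clients that are pointed at another internal DNS server need that server to hold the zone too (AD-integrated storage handles this). Once the name resolves internally, internal clients never touch the ISA-published address at all, which sidesteps the intermittent hairpin failure described in the original message rather than depending on the firewall's handling of it.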