Hi Guys,

I'd like to confirm that this does work - I've now just got to get
multiple virtuals working ... *sighs*

--
Anthony Michaud
Network Administrator
Act! Certified Consultant
eLogix Corporation Pty Ltd

In theory, there is no difference between theory and practice.
But in practice, there is.

> -----Original Message-----
> From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> Sent: Friday, 28 September 2001 10:39
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
> http://www.ISAserver.org
>
> This already works... With Server Publishing, anyway. I have not tried it
> with just Web Publishing.
>
> My www.domain.com site resolves to an external IP (DNS maintained by ISP).
> That IP is Server Published to an internal box. If an internal client
> (using FW client or Web Proxy) goes to www.domain.com, it does indeed
> re-route them to the internal site just like an external client. The only
> rub, like Jim said, is that it writes an event log saying that there is a
> conflict in the LAT blah blah blah. However, it does work... I do it all
> the time.
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, September 27, 2001 5:19 PM
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
> > Yes, I understood that, and even once thought that it should happen
> > "transparently", but after fighting my way through it and learning a bit
> > about ISA, I came to understand that it just doesn't make sense to ask the
> > NAT process to "double-NAT" the packet when a direct connection is not only
> > possible, but more efficient.
> >
> > Essentially, the packet travels like this:
> > 1. the client at 192.168.0.2 gets the external IP for the requested name,
> >    say 123.123.123.123.
> > 2. the client then proceeds to ask ISA to proxy the request to that IP
> >    address
> > 3. ISA receives the request and attempts to route the request to the NAT
> >    editor, who then realizes that the original source IP and the new
> >    destination IP are both in the LAT. At this point the ISA logic asks "why
> >    are we even trying to do this?" and drops the communication while making an
> >    event log entry.
> >
> > It's an effect I like to refer to as "isotropic IP bounce" (with a smirk)
> > and it just doesn't make sense in the grand scheme of things.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, September 27, 2001 16:58
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> > Hi Jim,
> >
> > I think what Andrew is attempting is as follows (I can see his logic,
> > and wouldn't mind replicating :)
> >
> > + External user connects to http://my.web.site
> >   - Resolves to ISA external IP address
> >   - ISA proxies the request, and passes data back to external user
> >
> > He wants to do the same, except substituting external with internal,
> > giving one url for one address - it seems logical to do it this way, as
> > you don't have to manage two DNS servers, and attempt to keep the
> > mappings current and up to date.
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Sent: Thursday, 27 September 2001 23:55
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > > You want to translate www.externalname.com to an internal IP, but you don't
> > > want to provide name resolution with that capability?
> > > Ok, you have to take the freeway to work, but you have to ride your kid's
> > > tricycle and you have to maintain the speed limit.
> > >
> > > Reality check, here; no host connects to another by using names. That's
> > > strictly for us dumb humans that can't remember a 32-bit number.
> > > Speaking of which, do you think IPv6 is going to make it any easier?
> > > Every TCP/IP connection that one host makes to another is through IP
> > > addresses and, if they're on the same routed subnet, MAC addresses.
> > > FQDN (DNS) resolution services allow hosts to talk to each other
> > > *_in spite of_* the "friendly names" we use.
> > >
> > > Two choices; stop trying to "beat the system" and
> > > 1. set up an internal DNS solution
> > > or
> > > 2. quit trying to connect internally using an external name
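
Added example, not part of the original thread and not ISA Server code: a small Python model of the three-step path Jim describes, used to list which externally published names would hit the LAT conflict for an internal client and so need a record in an internal DNS zone (his option 1). The LAT range, the publishing rule, the internal server address 192.168.0.10, partner.example.net and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data; only 192.168.0.2, 123.123.123.123 and
# www.domain.com come from the thread. Everything else is an assumption.
LAT = ["192.168.0.0/24"]                         # internal address ranges
PUBLISHED = {"123.123.123.123": "192.168.0.10"}  # external IP -> internal server
EXTERNAL_DNS = {
    "www.domain.com": "123.123.123.123",
    "partner.example.net": "198.51.100.7",
}


def in_lat(ip, lat=LAT):
    """True if ip falls inside any range listed in the LAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in lat)


def classify(client_ip, name, dns=EXTERNAL_DNS, published=PUBLISHED, lat=LAT):
    """Model the three steps from the thread and return (verdict, address)."""
    resolved = dns[name]                  # step 1: client gets the external IP
    target = published.get(resolved)      # step 2: request is handed to the proxy
    if target is None:
        return ("not-published", resolved)
    # step 3: original source and new destination are both in the LAT
    if in_lat(client_ip, lat) and in_lat(target, lat):
        return ("lat-conflict", target)
    return ("published", target)


def internal_overrides(client_ip, dns=EXTERNAL_DNS, published=PUBLISHED, lat=LAT):
    """Names an internal DNS zone should answer with the internal address."""
    records = {}
    for name in sorted(dns):
        verdict, target = classify(client_ip, name, dns, published, lat)
        if verdict == "lat-conflict":
            records[name] = target
    return records


if __name__ == "__main__":
    for name in EXTERNAL_DNS:
        print(name, classify("192.168.0.2", name))
    print("internal zone records:", internal_overrides("192.168.0.2"))
```

The same LAT check also flags the event-log condition Thor mentions, so the output doubles as a list of names to expect in those log entries.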