RE: Q: Cannot access published web server from internal network

  • From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 5 Oct 2001 13:52:52 +1000

So you're doing server/web publishing to a NAT network or you have real
IPs for your four?

--
Anthony Michaud
Network Administrator
Act! Certified Consultant
eLogix Corporation Pty Ltd
 
In theory, there is no difference between theory and practice. But in
practice, there is.

> -----Original Message-----
> From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> Sent: Friday, 5 October 2001 12:41
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
> 
> 
> http://www.ISAserver.org
> 
> 
> I don't have many exact specifics, but...
>     - for instance web pub rule blocked out code red by itself,
>       server pub rules were not supposed to.
>     - I believe you would lose the web acceleration side of ISA server.
> 
> 
> Perhaps this would make a good article ?
> 
> I wish I had more specifics, but that's all I got :)
> I have a 4 server network set-up, its primary purpose is for a web
> application, complete with E2K, SQL 2K, etc etc...
> I elected not to bother with a dmz or trihomed, I figured most of the
> servers would need to be exposed to the dmz anyways, so why bother.
> Anyways, it's been running all right so far.
> 
> regards,
> Mark
> ----- Original Message -----
> From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, October 04, 2001 10:26 PM
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
> 
> What features can you lose with server publishing?  I'd imagine that
> there may be security issues, but if you've got specifics, I wouldn't
> mind knowing them.
> 
> I've got an additional set of IP addy's that I'd like to use, but have
> one server to use.  I can't (easily) put the current server in a DMZ
> situation, as I require MSMQ + SQL + possibly other networked
> applications (LDAP etc, the machine is a part of the domain).
> 
> I *might* be able to find another computer, but that still doesn't help
> - when trialing a DMZ (tri-nic) setup, I wasn't able to successfully
> configure the ISA to have web access to the real world IPs.
> 
> --
> Anthony Michaud
> Network Administrator
> Act! Certified Consultant
> eLogix Corporation Pty Ltd
> 
> In theory, there is no difference between theory and practice. But in
> practice, there is.
> 
> 
> > -----Original Message-----
> > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > Sent: Friday, 5 October 2001 12:20
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> > yes, you can but you lose several desirable features of the
> > web pub. rule.
> >
> > ----- Original Message -----
> > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, October 04, 2001 10:17 PM
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> > (damn send button got pressed before i'd thought :)
> >
> > It's a Web Publishing rule, I wasn't aware that you could do http through
> > server publishing?
> >
> > --
> > Anthony Michaud
> > Network Administrator
> > Act! Certified Consultant
> > eLogix Corporation Pty Ltd
> >
> > In theory, there is no difference between theory and practice. But in
> > practice, there is.
> >
> >
> > > -----Original Message-----
> > > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > > Sent: Friday, 5 October 2001 12:13
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > > How is it published ? Web rule or server rule ?
> > >
> > > ----- Original Message -----
> > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Thursday, October 04, 2001 10:13 PM
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > > > I published the website, and can access it via the one method (ISA
> > > > redirect).  I'm still attempting to get the ISA server to pass the
> > > > correct client IP to the website (eg: send 123.456.789.123 instead of
> > > > isa IP address).  Is that even possible?
> > >
> > > --
> > > Anthony Michaud
> > > Network Administrator
> > > Act! Certified Consultant
> > > eLogix Corporation Pty Ltd
> > >
> > > > In theory, there is no difference between theory and practice. But in
> > > > practice, there is.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > Sent: Friday, 5 October 2001 11:33
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > >
> > > > Which "this"; the workaround or leaving it be?
> > > >
> > > >
> > > > Jim Harrison
> > > > MCP(2K), A+, Network+, PCG
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > Sent: Thursday, October 04, 2001 18:21
> > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > >
> > > > Hi Guys,
> > > >
> > > > I'd like to confirm that this does work - I've now just got to get
> > > > multiple virtuals working ... *sighs*
> > > > --
> > > > Anthony Michaud
> > > > Network Administrator
> > > > Act! Certified Consultant
> > > > eLogix Corporation Pty Ltd
> > > >
> > > > In theory, there is no difference between theory and practice. But in
> > > > practice, there is.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> > > > > Sent: Friday, 28 September 2001 10:39
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > >
> > > > > This already works... With Server Publishing, anyway.  I have not
> > > > > tried it with just Web Publishing.
> > > > >
> > > > > My www.domain.com site resolves to an external IP (DNS maintained
> > > > > by ISP).  That IP is Server Published to an internal box.  If an
> > > > > internal client (using FW client or Web Proxy) goes to
> > > > > www.domain.com, it does indeed re-route them to the internal site
> > > > > just like an external client.  The only rub, like Jim said, is
> > > > > that it writes an event log saying that there is a conflict in
> > > > > the LAT blah blah blah.  However, it does work... I do it all the
> > > > > time.
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > Sent: Thursday, September 27, 2001 5:19 PM
> > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > >
> > > > > > Yes, I understood that, and even once thought that it should
> > > > > > happen "transparently", but after fighting my way through it and
> > > > > > learning a bit about ISA, I came to understand that it just
> > > > > > doesn't make sense to ask the NAT process to "double-NAT" the
> > > > > > packet when a direct connection is not only possible, but more
> > > > > > efficient.
> > > > > >
> > > > > > Essentially, the packet travels like this:
> > > > > > 1. the client at 192.168.0.2 gets the external IP for the
> > > > > >    requested name, say 123.123.123.123.
> > > > > > 2. the client then proceeds to ask ISA to proxy the request to
> > > > > >    that IP address
> > > > > > 3. ISA receives the request and attempts to route the request to
> > > > > >    the NAT editor, who then realizes that the original source IP
> > > > > >    and the new destination IP are both in the LAT.  At this point
> > > > > >    the ISA logic asks "why are we even trying to do this?" and
> > > > > >    drops the communication while making an event log entry.
> > > > > >
> > > > > > It's an effect I like to refer to as "isotropic IP bounce" (with
> > > > > > a smirk) and it just doesn't make sense in the grand scheme of
> > > > > > things.
> > > > > >
> > > > > > Jim Harrison
> > > > > > MCP(2K), A+, Network+, PCG
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > > Sent: Thursday, September 27, 2001 16:58
> > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > >
> > > > > > Hi Jim,
> > > > > >
> > > > > > I think what Andrew is attempting is as follows (I can see his
> > > > > > logic, and wouldn't mind replicating :)
> > > > > >
> > > > > > + External user connects to http://my.web.site
> > > > > >   - Resolves to ISA external IP address
> > > > > >   - ISA proxies the request, and passes data back to external user
> > > > > >
> > > > > > He wants to do the same, except substituting external with
> > > > > > internal, giving one url for one address - it seems logical to do
> > > > > > it this way, as you don't have to manage two DNS servers, and
> > > > > > attempt to keep the mappings current and up to date.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > > > > Sent: Thursday, 27 September 2001 23:55
> > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > > >
> > > > > > > You want to translate www.externalname.com to an internal IP,
> > > > > > > but you don't want to provide name resolution with that
> > > > > > > capability?
> > > > > > > Ok, you have to take the freeway to work, but you have to ride
> > > > > > > your kid's tricycle and you have to maintain the speed limit.
> > > > > > >
> > > > > > > Reality check, here; no host connects to another by using
> > > > > > > names.  That's strictly for us dumb humans that can't remember
> > > > > > > a 32-bit number.
> > > > > > > Speaking of which, do you think IPv6 is going to make it any
> > > > > > > easier?
> > > > > > > Every TCP/IP connection that one host makes to another is
> > > > > > > through IP addresses and, if they're on the same routed subnet,
> > > > > > > MAC addresses.
> > > > > > > FQDN (DNS) resolution services allow hosts to talk to each
> > > > > > > other *_ in spite of _* the "friendly names" we use.
> > > > > > >
> > > > > > > Two choices; stop trying to "beat the system" and
> > > > > > >     1. set up an internal DNS solution
> > > > > > > or
> > > > > > >     2. quit trying to connect internally using an external name
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org
> > > > > Discussion List as:
> > > > > > jim@xxxxxxxxxxxx
> > > > > > To unsubscribe send a blank email to
> > > > > $subst('Email.Unsub')
> > > > > >
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org
> > > > > Discussion List as:
> > > > > thor@xxxxxxxxxxxxxxx
> > > > > > To unsubscribe send a blank email to
> > > > > $subst('Email.Unsub')
> > > > >
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion
> > > > > List as: anthonym@xxxxxxxxxxxxxx
> > > > > To unsubscribe send a blank email to
> > > > > $subst('Email.Unsub')
> > > > >
> > > >
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> > > Discussion List as:
> > > > jim@xxxxxxxxxxxx
> > > > To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: anthonym@xxxxxxxxxxxxxx
> > > > To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: strangconst@xxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: anthonym@xxxxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: strangconst@xxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: anthonym@xxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: strangconst@xxxxxxxx
> To unsubscribe send a blank email to 
> $subst('Email.Unsub')
> 
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: anthonym@xxxxxxxxxxxxxx
> To unsubscribe send a blank email to 
> $subst('Email.Unsub')
> 

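The packet flow Jim Harrison describes in the quoted thread (internal client, published external IP, both ends in the LAT) and his "internal DNS" option, as an added example that is not part of the original thread and is not ISA Server code: a small Python model that classifies a request the way the thread describes and lists the internal-zone records a split-DNS setup would need. The client address 192.168.0.2, the external IP 123.123.123.123 and www.domain.com come from the thread; the internal server address, the second hostname and the external client address are constructed sample values.

```python
"""Model of the LAT check described in the thread, plus the split-DNS fix.
This is an illustrative model, not ISA Server's implementation."""
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions, not from a real deployment).
LAT = [ip_network("192.168.0.0/24")]                 # Local Address Table ranges
PUBLISHED = {"123.123.123.123": "192.168.0.10"}      # external IP -> internal server
PUBLIC_DNS = {"www.domain.com": "123.123.123.123",   # what the ISP's DNS returns
              "www.example.org": "198.51.100.7"}


def in_lat(addr):
    """True if addr falls inside any LAT range, i.e. is an internal address."""
    return any(ip_address(addr) in net for net in LAT)


def classify(client_ip, dest_ip):
    """Classify a request following the packet flow described in the thread.

    'hairpin'  - internal client asks for an IP published to an internal host:
                 original source and new destination are both in the LAT.
    'publish'  - external client reaching a published internal server.
    'outbound' - internal client going to a genuinely external address.
    'direct'   - anything else (no translation in this model).
    """
    target = PUBLISHED.get(dest_ip)
    if target and in_lat(target):
        return "hairpin" if in_lat(client_ip) else "publish"
    return "outbound" if in_lat(client_ip) and not in_lat(dest_ip) else "direct"


def split_dns_overrides(public_dns):
    """Internal-zone A records that let internal clients connect directly:
    every public name whose address is published to a host in the LAT."""
    return {name: PUBLISHED[ip] for name, ip in sorted(public_dns.items())
            if ip in PUBLISHED and in_lat(PUBLISHED[ip])}


if __name__ == "__main__":
    for client in ("192.168.0.2", "203.0.113.50"):
        for name, ip in PUBLIC_DNS.items():
            print(f"{client:>14} -> {name:<16} {classify(client, ip)}")
    print("internal DNS overrides:", split_dns_overrides(PUBLIC_DNS))
```
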
