I have them all behind secureNAT servers, I do have 6 or so IPs to play with, but only publish the servers that are needed.

----- Original Message -----
From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 04, 2001 11:52 PM
Subject: [isalist] RE: Q: Cannot access published web server from internal network

http://www.ISAserver.org

So you're doing server/web publishing to a NAT network or you have real IPs for your four?

--
Anthony Michaud
Network Administrator
Act! Certified Consultant
eLogix Corporation Pty Ltd

In theory, there is no difference between theory and practice. But in practice, there is.

> -----Original Message-----
> From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> Sent: Friday, 5 October 2001 12:41
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
> I don't have many exact specifics, but...
> - for instance web pub rule blocked out Code Red by itself, server pub rules were not supposed to.
> - I believe you would lose the web acceleration side of ISA server.
>
> Perhaps this would make a good article ?
>
> I wish I had more specifics, but that's all I got :)
> I have a 4 server network set-up, its primary purpose is for a web application, complete with E2K, SQL 2K, etc etc...
> I elected not to bother with a DMZ or trihomed, I figured most of the servers would need to be exposed to the DMZ anyways, so why bother.
> Anyways, it's been running all right so far.
>
> regards,
> Mark
>
> ----- Original Message -----
> From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, October 04, 2001 10:26 PM
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
> What features can you lose with server publishing? I'd imagine that there may be security issues, but if you've got specifics, I wouldn't mind knowing them.
>
> I've got an additional set of IP addy's that I'd like to use, but have one server to use. I can't (easily) put the current server in a DMZ situation, as I require MSMQ + SQL + possibly other networked applications (LDAP etc, the machine is a part of the domain).
>
> I *might* be able to find another computer, but that still doesn't help - when trialing a DMZ (tri-nic) setup, I wasn't able to successfully configure the ISA to have web access to the real world IPs.
>
> --
> Anthony Michaud
> Network Administrator
> Act! Certified Consultant
> eLogix Corporation Pty Ltd
>
> In theory, there is no difference between theory and practice. But in practice, there is.
>
> > -----Original Message-----
> > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > Sent: Friday, 5 October 2001 12:20
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> > yes, you can but you lose several desirable features of the web pub. rule.
> >
> > ----- Original Message -----
> > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, October 04, 2001 10:17 PM
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> > (damn send button got pressed before I'd thought :)
> >
> > It's a Web Publishing rule, I wasn't aware that you could do http through server publishing?
> >
> > --
> > Anthony Michaud
> > Network Administrator
> > Act! Certified Consultant
> > eLogix Corporation Pty Ltd
> >
> > In theory, there is no difference between theory and practice. But in practice, there is.
> >
> > > -----Original Message-----
> > > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > > Sent: Friday, 5 October 2001 12:13
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > > How is it published ? Web rule or server rule ?
> > >
> > > ----- Original Message -----
> > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Thursday, October 04, 2001 10:13 PM
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > > I published the website, and can access it via the one method (ISA redirect). I'm still attempting to get the ISA server to pass the correct client IP to the website (eg: send 123.456.789.123 instead of isa IP address). Is that even possible?
> > >
> > > --
> > > Anthony Michaud
> > > Network Administrator
> > > Act! Certified Consultant
> > > eLogix Corporation Pty Ltd
> > >
> > > In theory, there is no difference between theory and practice. But in practice, there is.
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > Sent: Friday, 5 October 2001 11:33
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > >
> > > > Which "this"; the workaround or leaving it be?
> > > >
> > > > Jim Harrison
> > > > MCP(2K), A+, Network+, PCG
> > > >
> > > > ----- Original Message -----
> > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > Sent: Thursday, October 04, 2001 18:21
> > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > >
> > > > Hi Guys,
> > > >
> > > > I'd like to confirm that this does work - I've now just got to get multiple virtuals working ... *sighs*
> > > > --
> > > > Anthony Michaud
> > > > Network Administrator
> > > > Act! Certified Consultant
> > > > eLogix Corporation Pty Ltd
> > > >
> > > > In theory, there is no difference between theory and practice. But in practice, there is.
> > > >
> > > > > -----Original Message-----
> > > > > From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> > > > > Sent: Friday, 28 September 2001 10:39
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > >
> > > > > This already works... With Server Publishing, anyway. I have not tried it with just Web Publishing.
> > > > >
> > > > > My www.domain.com site resolves to an external IP (DNS maintained by ISP). That IP is Server Published to an internal box. If an internal client (using FW client or Web Proxy) goes to www.domain.com, it does indeed re-route them to the internal site just like an external client. The only rub, like Jim said, is that it writes an event log saying that there is a conflict in the LAT blah blah blah. However, it does work... I do it all the time.
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > Sent: Thursday, September 27, 2001 5:19 PM
> > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > >
> > > > > > Yes, I understood that, and even once thought that it should happen "transparently", but after fighting my way through it and learning a bit about ISA, I came to understand that it just doesn't make sense to ask the NAT process to "double-NAT" the packet when a direct connection is not only possible, but more efficient.
> > > > > >
> > > > > > Essentially, the packet travels like this:
> > > > > > 1. the client at 192.168.0.2 gets the external IP for the requested name, say 123.123.123.123.
> > > > > > 2. the client then proceeds to ask ISA to proxy the request to that IP address
> > > > > > 3. ISA receives the request and attempts to route the request to the NAT editor, who then realizes that the original source IP and the new destination IP are both in the LAT. At this point the ISA logic asks "why are we even trying to do this?" and drops the communication while making an event log entry.
> > > > > >
> > > > > > It's an effect I like to refer to as "isotropic IP bounce" (with a smirk) and it just doesn't make sense in the grand scheme of things.
> > > > > >
> > > > > > Jim Harrison
> > > > > > MCP(2K), A+, Network+, PCG
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > > Sent: Thursday, September 27, 2001 16:58
> > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > >
> > > > > > Hi Jim,
> > > > > >
> > > > > > I think what Andrew is attempting is as follows (I can see his logic, and wouldn't mind replicating :)
> > > > > >
> > > > > > + External user connects to http://my.web.site
> > > > > > - Resolves to ISA external IP address
> > > > > > - ISA proxies the request, and passes data back to external user
> > > > > >
> > > > > > He wants to do the same, except substituting external with internal, giving one url for one address - it seems logical to do it this way, as you don't have to manage two DNS servers, and attempt to keep the mappings current and up to date.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > > > > Sent: Thursday, 27 September 2001 23:55
> > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > > >
> > > > > > > You want to translate www.externalname.com to an internal IP, but you don't want to provide name resolution with that capability?
> > > > > > > Ok, you have to take the freeway to work, but you have to ride your kid's tricycle and you have to maintain the speed limit.
> > > > > > >
> > > > > > > Reality check, here; no host connects to another by using names. That's strictly for us dumb humans that can't remember a 32-bit number.
> > > > > > > Speaking of which, do you think IPv6 is going to make it any easier?
> > > > > > > Every TCP/IP connection that one host makes to another is through IP addresses and, if they're on the same routed subnet, MAC addresses.
> > > > > > > FQDN (DNS) resolution services allow hosts to talk to each other *_in spite of_* the "friendly names" we use.
> > > > > > >
> > > > > > > Two choices; stop trying to "beat the system" and
> > > > > > > 1. set up an internal DNS solution
> > > > > > > or
> > > > > > > 2. quit trying to connect internally using an external name
> > > > > >
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
> > > > > > To unsubscribe send a blank email to $subst('Email.Unsub')
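
Added example, not part of the original thread and not ISA Server's own logic: a small Python model of the packet path described in the thread (internal client, external name, internally published server) and of the "internal DNS solution" option. The LAT range, the server address 192.168.0.10, mail.domain.com, 123.123.123.124 and the verdict names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. 192.168.0.2, 123.123.123.123 and www.domain.com are
# the thread's own examples; every other value is an assumption.
LAT = [ipaddress.ip_network("192.168.0.0/24")]      # internal ranges (the LAT)
PUBLISHED = {"123.123.123.123": "192.168.0.10"}     # external IP -> internal server
PUBLIC_DNS = {"www.domain.com": "123.123.123.123",  # what the ISP's DNS returns
              "mail.domain.com": "123.123.123.124"}


def in_lat(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAT)


def classify(client_ip, name, dns):
    """Return (verdict, final_destination) for a request made by name."""
    dest = dns.get(name)
    if dest is None:
        return ("unresolved", None)
    target = PUBLISHED.get(dest)
    if not in_lat(client_ip):
        # External client: ordinary publishing, or nothing published there.
        return ("published", target) if target else ("not-published", dest)
    if in_lat(dest):
        return ("direct", dest)          # internal name -> internal IP, no NAT
    if target and in_lat(target):
        # Source and final destination are both in the LAT: the case the
        # thread says produces the LAT-conflict event log entry.
        return ("lat-conflict", target)
    return ("proxied-out", dest)


def internal_zone(public_dns):
    """Split-DNS overrides: names whose public IP is published to a LAT host."""
    return {name: PUBLISHED[ip] for name, ip in public_dns.items()
            if ip in PUBLISHED and in_lat(PUBLISHED[ip])}


def internal_view(public_dns):
    """What an internal resolver should answer: public data plus overrides."""
    return {**public_dns, **internal_zone(public_dns)}


if __name__ == "__main__":
    for view in (PUBLIC_DNS, internal_view(PUBLIC_DNS)):
        print(classify("192.168.0.2", "www.domain.com", view))
```

Running it prints the verdict for the same internal client first against the public DNS view and then against the generated internal view, where the name resolves straight to the internal server.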