RE: Q: Cannot access published web server from internal network

  • From: "Mark Strangways" <strangconst@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 5 Oct 2001 00:18:21 -0400

Yep, you can load up the external nic with IPs (I have heard the max is about
22-25). It may even work with differing gateways but I have no set experience
doing that.

HTH's
----- Original Message -----
From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, October 05, 2001 12:16 AM
Subject: [isalist] RE: Q: Cannot access published web server from internal network


http://www.ISAserver.org


Question: (haven't done it yet, nor tried, was going to put it on the
"later" list) I've got an IP for the ISA x.y.z.102/252 - can I simply
add the IPs (x.y.z.104/248) to the external NIC on the ISA box?  I'm
fairly sure it will work, just want to be *sure*

--
Anthony Michaud
Network Administrator
Act! Certified Consultant
eLogix Corporation Pty Ltd

In theory, there is no difference between theory and practice. But in
practice, there is.

> -----Original Message-----
> From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> Sent: Friday, 5 October 2001 13:57
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
>
> I have them all behind secureNAT servers, I do have 6 or so IPs to
> play with, but only publish the servers that are needed.
>
>
> ----- Original Message -----
> From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, October 04, 2001 11:52 PM
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
>
> So you're doing server/web publishing to a NAT network or you have real
> IPs for your four?
>
> --
> Anthony Michaud
> Network Administrator
> Act! Certified Consultant
> eLogix Corporation Pty Ltd
>
> In theory, there is no difference between theory and practice. But in
> practice, there is.
>
> > -----Original Message-----
> > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > Sent: Friday, 5 October 2001 12:41
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> >
> > I don't have many exact specifics, but...
> >     - for instance web pub rule blocked out Code Red by itself,
> >       server pub rules were not supposed to.
> >     - I believe you would lose the web acceleration side of ISA server.
> >
> >
> > Perhaps this would make a good article ?
> >
> > I wish I had more specifics, but that's all I got :)
> > I have a 4 server network set-up, its primary purpose is for a web
> > application, complete with E2K, SQL 2K, etc etc...
> > I elected not to bother with a dmz or trihomed, I figured most of the
> > servers would need to be exposed to the dmz anyways, so why bother.
> > Anyways, it's been running all right so far.
> >
> > regards,
> > Mark
> > ----- Original Message -----
> > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, October 04, 2001 10:26 PM
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> >
> > What features can you lose with server publishing?  I'd imagine that
> > there may be security issues, but if you've got specifics, I wouldn't
> > mind knowing them.
> >
> > I've got an additional set of IP addy's that I'd like to use, but have
> > one server to use.  I can't (easily) put the current server in a DMZ
> > situation, as I require MSMQ + SQL + possibly other networked
> > applications (LDAP etc, the machine is a part of the domain).
> >
> > I *might* be able to find another computer, but that still doesn't help
> > - when trialing a DMZ (tri-nic) setup, I wasn't able to successfully
> > configure the ISA to have web access to the real world IP's.
> >
> > --
> > Anthony Michaud
> > Network Administrator
> > Act! Certified Consultant
> > eLogix Corporation Pty Ltd
> >
> > In theory, there is no difference between theory and practice. But in
> > practice, there is.
> >
> >
> > > -----Original Message-----
> > > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > > Sent: Friday, 5 October 2001 12:20
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > >
> > > yes, you can but you lose several desirable features of the
> > > web pub. rule.
> > >
> > > ----- Original Message -----
> > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Thursday, October 04, 2001 10:17 PM
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > >
> > > (damn send button got pressed before I'd thought :)
> > >
> > > It's a Web Publishing rule, I wasn't aware that you could do http through
> > > server publishing?
> > >
> > > --
> > > Anthony Michaud
> > > Network Administrator
> > > Act! Certified Consultant
> > > eLogix Corporation Pty Ltd
> > >
> > > In theory, there is no difference between theory and practice. But in
> > > practice, there is.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Mark Strangways [mailto:strangconst@xxxxxxxx]
> > > > Sent: Friday, 5 October 2001 12:13
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > >
> > > >
> > > > How is it published ? Web rule or server rule ?
> > > >
> > > > ----- Original Message -----
> > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > Sent: Thursday, October 04, 2001 10:13 PM
> > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > >
> > > >
> > > > I published the website, and can access it via the one method (ISA
> > > > redirect).  I'm still attempting to get the ISA server to pass the
> > > > correct client IP to the website (eg: send 123.456.789.123 instead of
> > > > isa IP address).  Is that even possible?
> > > >
> > > > --
> > > > Anthony Michaud
> > > > Network Administrator
> > > > Act! Certified Consultant
> > > > eLogix Corporation Pty Ltd
> > > >
> > > > In theory, there is no difference between theory and practice. But in
> > > > practice, there is.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > > Sent: Friday, 5 October 2001 11:33
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > >
> > > > >
> > > > > Which "this"; the workaround or leaving it be?
> > > > >
> > > > >
> > > > > Jim Harrison
> > > > > MCP(2K), A+, Network+, PCG
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > Sent: Thursday, October 04, 2001 18:21
> > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > >
> > > > >
> > > > > Hi Guys,
> > > > >
> > > > > I'd like to confirm that this does work - I've now just got to get
> > > > > multiple virtuals working ... *sighs*
> > > > > --
> > > > > Anthony Michaud
> > > > > Network Administrator
> > > > > Act! Certified Consultant
> > > > > eLogix Corporation Pty Ltd
> > > > >
> > > > > In theory, there is no difference between theory and practice. But in
> > > > > practice, there is.
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> > > > > > Sent: Friday, 28 September 2001 10:39
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > >
> > > > > >
> > > > > > This already works... With Server Publishing, anyway.  I have
> > > > > > not tried it with just Web Publishing.
> > > > > >
> > > > > > My www.domain.com site resolves to an external IP (DNS
> > > > > > maintained by ISP).  That IP is Server Published to an internal
> > > > > > box.  If an internal client (using FW client or Web Proxy) goes
> > > > > > to www.domain.com, it does indeed re-route them to the internal
> > > > > > site just like an external client.  The only rub, like Jim said,
> > > > > > is that it writes an event log saying that there is a conflict
> > > > > > in the LAT blah blah blah.  However, it does work... I do it all
> > > > > > the time.
> > > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > > Sent: Thursday, September 27, 2001 5:19 PM
> > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > >
> > > > > >
> > > > > > > Yes, I understood that, and even once thought that it should happen
> > > > > > > "transparently", but after fighting my way through it and learning a bit
> > > > > > > about ISA, I came to understand that it just doesn't make sense to ask the
> > > > > > > NAT process to "double-NAT" the packet when a direct connection is not only
> > > > > > > possible, but more efficient.
> > > > > > >
> > > > > > > Essentially, the packet travels like this:
> > > > > > > 1. the client at 192.168.0.2 gets the external IP for the requested name,
> > > > > > >    say 123.123.123.123.
> > > > > > > 2. the client then proceeds to ask ISA to proxy the request to that IP
> > > > > > >    address
> > > > > > > 3. ISA receives the request and attempts to route the request to the NAT
> > > > > > >    editor, who then realizes that the original source IP and the new
> > > > > > >    destination IP are both in the LAT.  At this point the ISA logic asks "why
> > > > > > >    are we even trying to do this?" and drops the communication while making an
> > > > > > >    event log entry.
> > > > > > >
> > > > > > > It's an effect I like to refer to as "isotropic IP bounce" (with a smirk)
> > > > > > > and it just doesn't make sense in the grand scheme of things.
> > > > > > >
> > > > > > > Jim Harrison
> > > > > > > MCP(2K), A+, Network+, PCG
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > > > > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > > > > Sent: Thursday, September 27, 2001 16:58
> > > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > > >
> > > > > > >
> > > > > > > Hi Jim,
> > > > > > >
> > > > > > > I think what Andrew is attempting is as follows (I can see his logic,
> > > > > > > and wouldn't mind replicating :)
> > > > > > >
> > > > > > > + External user connects to http://my.web.site
> > > > > > >   - Resolves to ISA external IP address
> > > > > > >   - ISA proxies the request, and passes data back to external user
> > > > > > >
> > > > > > > He wants to do the same, except substituting external with internal,
> > > > > > > giving one url for one address - it seems logical to do it this way, as
> > > > > > > you don't have to manage two DNS servers, and attempt to keep the
> > > > > > > mappings current and up to date.
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > > > > > Sent: Thursday, 27 September 2001 23:55
> > > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > > > > > > >
> > > > > > > >
> > > > > > > > You want to translate www.externalname.com to an internal IP,
> > > > > > > > but you don't want to provide name resolution with that capability?
> > > > > > > > Ok, you have to take the freeway to work, but you have to
> > > > > > > > ride your kid's tricycle and you have to maintain the speed limit.
> > > > > > > >
> > > > > > > > Reality check, here; no host connects to another by using
> > > > > > > > names.  That's strictly for us dumb humans that can't remember a
> > > > > > > > 32-bit number.
> > > > > > > > Speaking of which, do you think IPv6 is going to make it any easier?
> > > > > > > > Every TCP/IP connection that one host makes to another is through IP
> > > > > > > > addresses and, if they're on the same routed subnet, MAC addresses.
> > > > > > > > FQDN (DNS) resolution services allow hosts to talk to each
> > > > > > > > other *_ in spite of _* the "friendly names" we use.
> > > > > > > >
> > > > > > > > Two choices; stop trying to "beat the system" and
> > > > > > > >     1. set up an internal DNS solution
> > > > > > > > or
> > > > > > > >     2. quit trying to connect internally using an external name
> > > > > > >
> > > > > > >
> > > > > > > ------------------------------------------------------
> > > > > > > You are currently subscribed to this ISAserver.org
> > > > > > Discussion List as:
> > > > > > > jim@xxxxxxxxxxxx
> > > > > > > To unsubscribe send a blank email to
> > > > > > $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
strangconst@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
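
Added example, not part of the original thread and not ISA Server's own logic: a small Python model of the three-step packet path Jim Harrison describes and of his "set up an internal DNS solution" option. The /24 LAT range, the 192.168.0.10 published server and www.example.org are assumed values; 192.168.0.2, 123.123.123.123 and www.domain.com are the ones used in the thread.

```python
import ipaddress

# Constructed sample data: the LAT range, the publishing rule target and the
# second DNS name are hypothetical; 192.168.0.2, 123.123.123.123 and
# www.domain.com are the values used in the thread.
LAT = [ipaddress.ip_network("192.168.0.0/24")]
PUBLISHED = {  # external IP bound on the ISA box -> internal server behind it
    ipaddress.ip_address("123.123.123.123"): ipaddress.ip_address("192.168.0.10"),
}
PUBLIC_DNS = {"www.domain.com": "123.123.123.123", "www.example.org": "198.51.100.7"}


def in_lat(addr):
    """True when addr falls inside any Local Address Table range."""
    return any(addr in net for net in LAT)


def trace_request(client_ip, name, dns_view):
    """Walk one request through the three steps Jim lists.

    Returns (verdict, address the connection ends up targeting)."""
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dns_view[name])   # step 1: client resolves the name
    if in_lat(dest):
        return ("direct", dest)                   # internal answer, no proxying needed
    target = PUBLISHED.get(dest)                  # step 2: ISA is asked to proxy to dest
    if target is None:
        return ("proxied-out", dest)              # ordinary outbound request
    if in_lat(client) and in_lat(target):         # step 3: source and new destination
        return ("lat-conflict", target)           # are both in the LAT -> event log entry
    return ("published", target)                  # external client, normal publishing


def split_dns_overrides(dns_view):
    """Internal-zone records for the 'set up an internal DNS solution' option."""
    return {
        name: str(PUBLISHED[ipaddress.ip_address(ip)])
        for name, ip in dns_view.items()
        if ipaddress.ip_address(ip) in PUBLISHED
    }


if __name__ == "__main__":
    internal_view = {**PUBLIC_DNS, **split_dns_overrides(PUBLIC_DNS)}
    for label, view in (("public DNS", PUBLIC_DNS), ("split DNS", internal_view)):
        for name in view:
            verdict, addr = trace_request("192.168.0.2", name, view)
            print(f"{label:10} {name:16} -> {verdict:12} {addr}")
```

With the public view, the internal client's request for www.domain.com is flagged as the LAT conflict; with the internal zone override it goes straight to the server and ISA never sees it.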


