Now now you two! Personal attacks are always welcome, especially when they involve women!

P.S. Tom, my documentation is coming along. I've been busy trying to score a new job and fixing other people's broken Exchange boxes. I'll let you in on the next draft when I get a chance.

Greg

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 15, 2002 10:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

http://www.ISAserver.org

... Honey, tell Debi that Tom's being mean to me ...! ;-)

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 14, 2002 5:10 PM
Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

Sure Jim, the next thing you'll be telling us is that we shouldn't loop back through the external interface of the ISA Server to access published internal network resources. :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 14, 2002 3:14 PM
To: [ISAserver.org Discussion List]
Cc: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

That's not what I said to do. You can't use adjacent IPs for the external and DMZ interfaces. Go back over the choices I gave you; they're the only choices you have.

Check out:
http://isaserver.org/pages/articles.asp?art=37
and
http://support.microsoft.com/support/kb/articles/Q164/0/15.asp

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: "Jim Harrison" <jim@xxxxxxxxxxxx>
Cc: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 14, 2002 9:04 AM
Subject: RES: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

Sorry, you're right. The mask is 224. I tried now. I made the following steps:

1. ISA WEB NIC is 200.xxx.xxx.10
2. ISA DMZ NIC is 200.xxx.xxx.11
3. Web server NIC is 200.xxx.xxx.12

ISA pings the web server. I created an IP packet rule: HTTP, port 80, this computer on perimeter network 200.xxx.xxx.12 (web server), remote computers ALL. I restarted the ISA services and it didn't work! Any idea?

Alex

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 14, 2002 12:36
To: Alex Decarli
Cc: [ISAserver.org Discussion List]
Subject: Re: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

Alex, that netmask (.192) and your claimed IP range don't quite agree. You should have an IP range between .1 and .62 with that mask. Still, it's doable. Since it's netmask-dependent, you have these choices:

DMZ mask = .240
    Ext range = .1 to .14
    DMZ range = .17 to .30

DMZ mask = 248
    Ext range = .1 to .23
    DMZ range = .25 to .30

Assign the first IP in the DMZ range to the DMZ NIC and use the remainder for the DMZ hosts.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: Alex Decarli
To: jim@xxxxxxxxxxxx
Sent: Wednesday, August 14, 2002 7:59 AM
Subject: RES: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

OK, now I understand this concept. Another question: how can I configure my cards? For example:

My Internet card is: 200.206.32.10 (my range is .10 to .32)
My DMZ card is: .11 (for example)
My internal is: 10.x.x.x
My web server is: 200.206.32.12

What do you advise me to do?

Thank you, my Guru!
[Decarli]

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 14, 2002 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: RES: Re: RES: Re: LAN accessing DMZ

That's true; RRAS will provide "basic" DHCP services if not configured otherwise. Your DMZ has to be a subnet of the external interface, and those IPs just don't fit the bill. Take a look at http://isaserver.org/pages/articles.asp?art=37 for details.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: Alex Decarli
To: [ISAserver.org Discussion List]
Sent: Wednesday, August 14, 2002 6:44 AM
Subject: [isalist] RES: Re: RES: Re: RES: Re: LAN accessing DMZ

The "0" is only to identify the subnet. The DHCP Server isn't installed on the ISA computer. But I have VPN support enabled in ISA. I think RRAS provides DHCP functionality. Also, OWA with SSL (could it be the problem?).

My external IP address is 200.206.32.10, mask 255.255.255.192 (only web card in ISA). In my DNS server, I have an "A" record that points to the ISA Server, like www.mysite.com.

The ISA Server has a DMZ card, 192.168.0.1, mask 255.255.255.0. The web server has 192.168.0.10, mask 255.255.255.0. ISA pings the web server.

Alex Decarli

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 14, 2002 10:34
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: RES: Re: LAN accessing DMZ

No, I said "DHCP Server", not DHCP filter. You have the DHCP server service running on the ISA. Unless ISA is providing DHCP services to the internal network, remove it. No address ending in "0" is a valid host IP, but since you didn't provide your external IP and netmask, I can't tell if 192.168.0.x is a subnet of your external network.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: Alex Decarli
To: [ISAserver.org Discussion List]
Sent: Wednesday, August 14, 2002 4:15 AM
Subject: [isalist] RES: Re: RES: Re: LAN accessing DMZ

No, only the LAT NIC (10.1.1.0) reference is in the LAT. The DHCP filter has been deleted. 192.168.0.0 isn't a valid external address. Or maybe it is?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, August 13, 2002 18:51
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: LAN accessing DMZ

That entry has nothing to do with the error you're seeing; it's the DHCP server service on the ISA trying to detect "rogue" DHCP servers. Is the DMZ range in the LAT? Third-leg DMZ must be a subnet of the ISA external IP. It doesn't look as if that's the case.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: Alex Decarli
To: [ISAserver.org Discussion List]
Sent: Tuesday, August 13, 2002 2:31 PM
Subject: [isalist] RES: Re: LAN accessing DMZ

ISA std, SP1, 3 NICs:

DMZ NIC: 192.168.0.1
WEB NIC: xxx.xxx.xxx
LAT NIC: 10.1.1.4

The web server that will be published is 192.168.0.10 (ISA ping OK); the default gateway of the web server is 192.168.0.1 (ISA DMZ NIC).

After doing the steps in the Q313562 article (How to: Publish a Web Server on a Perimeter Network), I can't access my web server from the Internet. The web browser shows "403 - Forbidden. Isa server denies ... "

I opened IPxxxlog.txt and saw the following events:

Time    IP Source   Mask             Protocol  Source Port  target Port  Action
(time)  127.0.0.1   255.255.255.255  Udp       68           67           BLOCKED

All steps in the article are OK.

Thank you JIM (again)

Alex Decarli

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, August 13, 2002 17:47
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: LAN accessing DMZ

ISA rules should apply to DMZ requests as well. What is your configuration?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: Alex Decarli
To: [ISAserver.org Discussion List]
Sent: Tuesday, August 13, 2002 6:57 AM
Subject: [isalist] LAN accessing DMZ

How can I allow machines in the LAT to access the DMZ environment? ISA Server has denied my requests.

Thanks

Alex Decarli

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
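
The addressing rule discussed in this thread (a third-leg DMZ must be a smaller subnet of the external network, with the external NIC outside it), as an added example that is not part of the original messages. The function names are hypothetical, and the sample plans assume the 255.255.255.224 external mask mentioned in the thread and, for the adjacent-IP attempt, the same mask on the DMZ NIC.

```python
import ipaddress


def check_third_leg(ext_if, dmz_if, dmz_hosts):
    """Return a list of problems in a tri-homed DMZ address plan.

    ext_if / dmz_if are NIC settings written as "address/netmask".
    """
    ext = ipaddress.ip_interface(ext_if)
    dmz = ipaddress.ip_interface(dmz_if)
    problems = []
    # The DMZ must be carved out of the external network with a longer mask.
    if not (dmz.network.subnet_of(ext.network)
            and dmz.network.prefixlen > ext.network.prefixlen):
        problems.append(f"{dmz.network} is not a smaller subnet of {ext.network}")
    # The external NIC has to stay outside the DMZ subnet, otherwise both
    # interfaces sit on the same segment and nothing is routed between them.
    if ext.ip in dmz.network:
        problems.append(f"external NIC {ext.ip} lies inside DMZ subnet {dmz.network}")
    # DMZ NIC and hosts need usable addresses (not network or broadcast).
    usable = set(dmz.network.hosts())
    members = [("DMZ NIC", dmz.ip)]
    members += [("DMZ host", ipaddress.ip_address(h)) for h in dmz_hosts]
    for label, addr in members:
        if addr not in usable:
            problems.append(f"{label} {addr} is not a usable address in {dmz.network}")
    return problems


def dmz_candidates(ext_if, prefix):
    """List (subnet, first host, last host) for each subnet of the external
    network at the given prefix length that does not hold the external NIC."""
    ext = ipaddress.ip_interface(ext_if)
    out = []
    for net in ext.network.subnets(new_prefix=prefix):
        if ext.ip not in net:
            out.append((str(net), str(net.network_address + 1),
                        str(net.broadcast_address - 1)))
    return out


if __name__ == "__main__":
    EXT = "200.206.32.10/255.255.255.224"  # external NIC; mask is an assumption
    plans = {  # constructed sample plans based on the addresses in the thread
        "private DMZ": ("192.168.0.1/255.255.255.0", ["192.168.0.10"]),
        "adjacent IPs": ("200.206.32.11/255.255.255.224", ["200.206.32.12"]),
        "carved /28": ("200.206.32.17/255.255.255.240", ["200.206.32.18"]),
    }
    for name, (dmz_if, hosts) in plans.items():
        print(name, "->", check_third_leg(EXT, dmz_if, hosts) or "OK")
    print("DMZ candidates with mask .240:", dmz_candidates(EXT, 28))
```
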