Re: Why can't internal clients access a published TCP server?

  • From: "Wendell W. Pinegar" <Wendell@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 15 Dec 2001 16:40:33 -0600

This really seems more like a loopback issue.  Hardware firewalls usually don't 
have a problem with connecting internal clients on port-forwarded addresses via 
a loopback (I can do this on a $115 Linksys router).  I was simply curious why 
ISA Server has this limitation.

I am currently using an internal DNS Server to publish the "internal" address of 
the servers but there are some applications that we use that only use IP 
addresses and hence it would be nicer to simply allow the loopback of a 
connection request from an Internal SecureNAT client instead of separate 
configs for the external and internal connections.

It seems that Microsoft has broken this type of standard firewall feature 
unnecessarily...
  ----- Original Message ----- 
  From: Jim Harrison 
  To: [ISAserver.org Discussion List] 
  Sent: Saturday, December 15, 2001 11:26 AM
  Subject: [isalist] Re: Why can't internal clients access a published TCP 
server?


  http://www.ISAserver.org


  The problem is that you're asking ISA to do something it knows is unnecessary; 
something I like to call "isotropic IP bounce".
  What's the point of sending a packet from the living room, through the 
mudroom and out the front door to reach a kitchen that was only a few steps 
away?
  Proper internal name resolution, LDT and LAT configuration and you don't need 
this kind of "functionality".
  Here's an article that'll help you 'round the bend, as it were...  
http://support.microsoft.com/support/kb/articles/Q288/3/96.ASP

  ISA doesn't do anything out of the ordinary where the rules of routing and 
TCP/IP are concerned and will complain loudly when it's asked to.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/authors/harrison/
  Read the book!

    ----- Original Message ----- 
    From: Wendell W. Pinegar 
    To: [ISAserver.org Discussion List] 
    Sent: Saturday, December 15, 2001 02:44
    Subject: [isalist] Why can't internal clients access a published TCP server?



    We've configured ISA Server with several published TCP ports to internal 
servers.  Connections to the published TCP ports work perfectly fine when 
connecting from clients on the Internet but if I attempt to connect to the IP 
address and TCP port # of the published server from inside the network the 
connection always fails.

    What gives?  Does ISA Server have a problem connecting internal users to 
published TCP ports on its external interface?

    (Of course I can connect the internal users to the internal address of the 
TCP server and all goes well, but due to several reasons I would prefer to 
connect them to the published IP address on the Internet).  Anyone have a clue 
what's wrong?

    Thanks!

    Wendell W. Pinegar
