Re: Why can't internal clients access a published TCP server?

  • From: "Wendell W. Pinegar" <Wendell@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 15 Dec 2001 17:30:36 -0600

Steve,

The applications in question are limited to connecting directly to IP addresses 
(no host names are allowed), so the applications have to be configured 
independently for internal and external clients.  Simply allowing the loopback 
of a published port would provide a very simple solution (just like any other 
hardware Internet firewall).

Of course this would mean that looped-back traffic would hit the network 2 
times (ouch), but I would be willing to do this in limited form in a few 
specialized cases...  but this doesn't look like it's going to happen with ISA 
Server, so we'll simply have more admin overhead for this app.

Thanks!

----- Original Message ----- 
  From: Steve Moffat 
  To: [ISAserver.org Discussion List] 
  Sent: Saturday, December 15, 2001 4:44 PM
  Subject: [isalist] Re: Why can't internal clients access a published TCP server?


  http://www.ISAserver.org


  This may be a dumbass question, but, why would anyone want to access an 
internal server via the internet side of ISA.

  Steve


  Steve Moffat
  Senior Support Analyst
  Optimum Computer Solutions

  Tel : +44(0)141 570 1283
  Fax :+44(0)141 584 9479
  Mobile : 07711 074 605

  http://www.optimum.mine.nu
  steve@xxxxxxxxxxxxxxx
    -----Original Message-----
    From: Wendell W. Pinegar [mailto:Wendell@xxxxxxxxxxxxxxx] 
    Sent: 15 December 2001 22:41
    To: [ISAserver.org Discussion List]
    Subject: [isalist] Re: Why can't internal clients access a published TCP server?




    This really seems more like a loopback issue.  Hardware firewalls usually 
don't have a problem with connecting internal clients to port-forwarded 
addresses via a loopback (I can do this on a $115 Linksys router).  I was 
simply curious why ISA Server has this limitation.

    I am currently using an internal DNS server to publish the "internal" 
address of the servers, but there are some applications that we use that only 
use IP addresses, and hence it would be nicer to simply allow the loopback of a 
connection request from an internal SecureNAT client instead of separate 
configs for the external and internal connections.

    It seems that Microsoft has broken this type of standard firewall feature 
unnecessarily...
      ----- Original Message ----- 
      From: Jim Harrison 
      To: [ISAserver.org Discussion List] 
      Sent: Saturday, December 15, 2001 11:26 AM
      Subject: [isalist] Re: Why can't internal clients access a published TCP server?




      The problem is that you're asking ISA to do something it knows is 
unnecessary; something I like to call "isotropic IP bounce".
      What's the point of sending a packet from the living room, through the 
mudroom and out the front door to reach a kitchen that was only a few steps 
away?
      Proper internal name resolution, LDT and LAT configuration and you don't 
need this kind of "functionality".
      Here's an article that'll help you 'round the bend, as it were...  
http://support.microsoft.com/support/kb/articles/Q288/3/96.ASP

      ISA doesn't do anything out of the ordinary where the rules of routing 
and TCP/IP are concerned and will complain loudly when it's asked to.

      Jim Harrison
      MCP(NT4, W2K), A+, Network+, PCG
      http://isaserver.org/authors/harrison/
      Read the book!

        ----- Original Message ----- 
        From: Wendell W. Pinegar 
        To: [ISAserver.org Discussion List] 
        Sent: Saturday, December 15, 2001 02:44
        Subject: [isalist] Why can't internal clients access a published TCP server?




        We've configured ISA Server with several published TCP ports to 
internal servers.  Connections to the published TCP ports work perfectly fine 
when connecting from clients on the Internet, but if I attempt to connect to the 
IP address and TCP port # of the published server from inside the network, the 
connection always fails.

        What gives?  Does ISA Server have a problem connecting internal users 
to published TCP ports on its external interface?

        (Of course I can connect the internal users to the internal address of 
the TCP server and all goes well, but due to several reasons I would prefer 
to connect them to the published IP address on the Internet.)  Anyone have a 
clue what's wrong?

        Thanks!

        Wendell W. Pinegar
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
        To unsubscribe send a blank email to $subst('Email.Unsub') 
