ISAInfo and simultaneous captures at both sides of ISA. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Dijk, Sebastian van [mailto:sebastian.van.dijk@xxxxxxxxxx] Sent: Wednesday, August 24, 2005 07:38 To: [ISAserver.org Discussion List] Subject: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org What do you want me to provide you with ? :) Met vriendelijke groet, Sebastian van Dijk Systeembeheer -----Oorspronkelijk bericht----- Van: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Verzonden: woensdag 24 augustus 2005 16:04 Aan: [ISAserver.org Discussion List] Onderwerp: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org Correct. For the most part, they'll also use the default IP, but I've seen reports of FWClient traffic using non-default IPs and *supposedly*, they weren't using any of the neato-keen firewall client application settings. Since no one who complained ever provided captures or ISAInfo, I wasn't able to go any further. -----Original Message----- From: Dijk, Sebastian van [mailto:sebastian.van.dijk@xxxxxxxxxx] Sent: Wednesday, August 24, 2005 6:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org Hi Jim, Thanks for the answer, but if i understand you right there isn't a clear thing to say about which ip will be used by connections using the firewall client ? Met vriendelijke groet, Sebastian van Dijk -----Oorspronkelijk bericht----- Van: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Verzonden: woensdag 24 augustus 2005 15:34 Aan: [ISAserver.org Discussion List] Onderwerp: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org By default, all SecureNET and Web Proxy requests will use the default (first-bound) IP. Firewall clients may use other IPs, though. -----Original Message----- From: Dijk, Sebastian van [mailto:sebastian.van.dijk@xxxxxxxxxx] Sent: Wednesday, August 24, 2005 6:29 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org Anyone here can answer my question ? Met vriendelijke groet, Sebastian van Dijk -----Oorspronkelijk bericht----- Van: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Verzonden: maandag 22 augustus 2005 14:21 Aan: [ISAserver.org Discussion List] Onderwerp: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org Sorry... I didn't catch the "source address" bit- I understand now... Typically, the default IP is the first one bound, but (depending on the protocol) other available IP's could be used-- L2TP for instance doesn't necessarily care what the default IP is. There was also an issue way back with passive FTP and multiple IP's on the ext interface. You could try blocking outbound traffic on the other IP's, but I'm not sure what that would do to your clients-- we'll have to wait on Tom or Jim to chime in as I do not know if you can control binding of outbound requests with multiple IP's. But the alt-port config with a single IP would work ;) t ----- Original Message ----- From: "Dijk, Sebastian van" <sebastian.van.dijk@xxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, August 22, 2005 4:49 AM Subject: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org Hi Thor, Thank you for your response, but the problem is not the forwarding to inside hosts. I understand that there are multiple ip addresses or multiple ports necessary to publish services. My question is when I have configured multiple ip addresses on my outside interface, which one is used when a user makes a connection to the outside world. As I have monitored our remote pix, I see multiple ip addresses and that is not what I want. Met vriendelijke groet, Sebastian van Dijk Systeembeheer -----Oorspronkelijk bericht----- Van: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Verzonden: maandag 22 augustus 2005 13:10 Aan: [ISAserver.org Discussion List] Onderwerp: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org Server publishing on ISA2k works on a port-by-IPAddress basis. You can't publish the same port on the same IPAddress to multiple back-end servers. Since 10.0.1.3 is published to 192.168.120.3, that's the IP you have to hit. You can do a couple of things if you only want 10.0.1.1 to be used: 1) TS client into the ISA box, and from there, TS into the rest of the network. 2) Change the port that Terminal Services binds to on the other internal machines, and create multiple server publishing rules on 10.0.1.1 for the different ports. I.E. 192.168.120.2 listens on 33892, .3 listens on 33893, etc with 10.0.1.1 publishing those ports to the LAN. 3) VPN in and hit them directly. hth t ----- Original Message ----- From: "Dijk, Sebastian van" <sebastian.van.dijk@xxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, August 22, 2005 2:59 AM Subject: [isalist] RE: configuring multiple ip addresses http://www.ISAserver.org Anybody ? -----Oorspronkelijk bericht----- Van: Dijk, Sebastian van Verzonden: vrijdag 19 augustus 2005 9:47 Aan: [ISAserver.org Discussion List] Onderwerp: [isalist] configuring multiple ip addresses http://www.ISAserver.org Hi ! We have isa server 2000 running over here. We have 3 servers on our lan that we want to reach from remote locations. ISA lan interface has ip address 192.168.120.2 ISA wan interface has ip address 10.0.1.1 So I configured a publishing rule for : TCP port 3389 to forward 10.0.1.1 to 192.168.120.1 This works good, now we want to reach the other servers as well : I added a second ip address on the wan interface of the isa server 10.0.1.2 and I configured a publishing rule for TCP port 3389 to forward 10.0.1.2 to 192.168.120.2 I added a third ip address on the wan interface of the isa server 10.0.1.3 and I configured a publishing rule for TCP port 3389 to forward 10.0.1.3 to 192.168.120.3 I added a fourth ip address on the wan interface of the isa server 10.0.1.4 and I configured a publishing rule for TCP port 3389 to forward 10.0.1.4 to 192.168.120.4 This works quite good. However since we have some troubles with reaching another remote location I started monitoring some devices. At 1 device I saw that connections are made with source ip address 10.0.1.3. This is not what I want, I want ONLY 10.0.1.1 to be used for outside connections. Where can I change the nat configuration of ISA server ? Thanks Met vriendelijke groet, Sebastian van Dijk ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: sebastian.van.dijk@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: sebastian.van.dijk@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: sebastian.van.dijk@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: sebastian.van.dijk@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: sebastian.van.dijk@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.