David_Letterman asked:
Tri-Homed ISA Server - running Exchange and DNS on DMZ

I am having trouble allowing DNS and smtp to pass on my DMZ.

ISA = tri-homed, integrated
first NIC: external, to ISP, 200.200.200.1
second NIC: perimeter network, 200.200.200.2
third NIC: internal, 192.168.10.1

My exchange and DNS are running on the same box.

I am not sure if the perimeter server should have a gateway designated.
I am not sure if the second NIC should be an ISP-assigned IP.
I am not sure if the second NIC should have a gateway designated.
I am not sure if I should include the second NIC in the LAT.

I have created an allow rule for all protocols.
I have created an allow rule for all IP packets.

The proxy service is working fine for my internal clients; all 192.168.10.x clients can hit any web site they want.

The problem is the perimeter network setup.

THANKS
schmutzboy:

Just to verify - are you having trouble getting DNS and SMTP out from the DMZ to the ISP, or to (or even behind) the ISA box?

Also, if the ISP and DMZ are on the same subnet, are they physically separated?

is it like this:

Internet
    |
Router
    |
SWITCH --- DMZ
    |                 |
ISA ---------
    |
LAN

or like this:

Internet
    |
Router
    |
ISA --- DMZ
    |
LAN
David_Letterman (asker):

Internet
    |
 Router
    |
   ISA---DMZ (dns, exchange)
    |
Internal LAN


ISA is one machine (ISP-provided IP),
DNS and Exchange on a second machine (ISP-provided IP).

Router is wide open (no blocked ports).

schmutzboy:
OK - in this setup, you need to have IP routing and packet filtering turned on.

Configure the LAT to include the private subnet. The LAT should not include any other addresses.

In ISA management, add an IP packet filter for the Exchange server.  The filter type should be "predefined" and choose SMTP.

Remote computer should be Any Computer (or a specific computer, if access is limited to specific computers).

Do another packet filter for DNS requests.
David_Letterman (asker):
I have tried adding SMTP and DNS filters.... I have also (just for testing) ALLOWED ALL IP UDP traffic... and I am still having DNS issues.

When I move the DNS/Exchange server from behind the ISA server, SMTP/DNS work fine.

I am not sure if I need a gateway on the DNS/Exchange box when it is behind the ISA server... also not sure if the NIC on the ISA needs to be ISP-provided
(the NIC directly connected to the DMZ), and does the NIC need a gateway?

schmutzboy:

If I remember correctly, NIC2 must NOT have a gateway - it will screw up the routing tables.  (Try it both ways, but I'm almost certain this is true.)

The interfaces on the perimeter network, including the ISA's perimeter interface, must have public (ISP-assigned) addresses.

On the other hand, the DNS/Exchange box MUST have a gateway - set it to 200.200.200.1 (IP address of the ISA NIC facing the perimeter network).  If it works when plugged directly into the ISP subnet, then it has the gateway set for the ISP router - but it won't be able to reach that address when plugged into the perimeter net, because they are physically separated.  This is most likely your root issue.


Also, are you sure you have IP routing turned on?
From the ISA help:
-------------
To enable IP routing

In the console tree of ISA Management, right-click IP Packet Filters and then click Properties.
Where?

Internet Security and Acceleration Server
Servers and Arrays
Name
Access Policy
IP Packet Filters
On the General tab, click Enable packet filtering.
Click Enable IP routing.
-------------
David_Letterman (asker):

Yes, IP routing is on.

I have tried all of the above configs (with and without gateways).

schmutzboy:

To sum up as I understand it:

Internet
   |
ISP Router (200.200.200.254/24)
   |
(NIC1)
  ISA(NIC2)---(PERIM1)DNS/Exchg
(NIC3)
   |
(LANHOST)

Where:
NIC1
  IP 200.200.200.1/24
  GW 200.200.200.254
NIC2
  IP 200.200.200.2/24
  GW <blank>
NIC3
  IP 192.168.10.1
  GW <blank>
Perim1
  IP 200.200.200.3/24
  GW 200.200.200.2
Lanhost
  IP 192.168.10.x
  GW 192.168.10.1

------
Can you please make a matrix that states success on pings?

For example:

ISA box can successfully ping Internet, LAN, but not DNS
DNS cannot ping LAN or internet, but can ping ISA box.
Internet can ping ISA but not DNS
LAN can ping...
etc.
------
Also, please clarify the problem hosts - are you trying to query the DNS of the server in the DMZ from the LAN, or from the internet to the DMZ, or from the DMZ to the Internet?  Can you telnet to the SMTP port of the DMZ host from the LAN?  From the internet?

kdearing:

I believe the main problem is your IP scheme.

The external NIC and the DMZ (perimeter) NIC MUST be on separate subnets.

This should fix it:

On the Exchange/DNS server -
IP address 192.168.11.2
Gateway 192.168.11.1

On the ISA Server -
NIC2 IP address 192.168.11.1
Open ISA and expand 'Publishing'
Right-click 'Server Publishing Rules'
Select 'Secure Mail Server'
Go through the wizard using 192.168.11.2 as your mail server ip address
Set up a protocol rule allowing DNS

Make sure you configure the DNS Server to use a Forwarder for domains for which it is not authoritative.
Also, there must be a publicly available DNS MX record pointing to the external NIC of the ISA server.

Let me know if this helps.

I agree with kdearing.  Your ISP network and your perimeter network are on the same subnet, so your routing is all screwy.  Choose a different subnet for your perimeter network, and it should work.


Ycore

David_Letterman (asker):

I have the DNS listed with InterNIC as 200.200.200.x.
How can I change my DNS to 192.168.1.x?

Where will the 200.200.200.x be?

Are you suggesting I add a second IP to my external NIC?

schmutzboy:

Actually, what they said is partially true - the address space of the DMZ must be on a different subnet than the public subnet.  I apologize, I just glazed over that part of it without thinking hard enough.  However, the DMZ *MUST* be publicly addressable... so no 192.168.x.x numbers.

Say your subnet is 200.200.200.0/24
You must split the subnet again, so you have network 1 as 200.200.200.0/25 and network 2 as 200.200.200.128/25.

Network 1 would be on the public side of the ISA box, and network 2 would be on the DMZ.  (Actually, whatever address contains the ISP router/gateway address, that part must be on the public interface)

It would then look like this:

Internet
  |
ISP Router (200.200.200.1/24) <----- note subnet mask
  |
(NIC1)
 ISA(NIC2)---(PERIM1)DNS/Exchg
(NIC3)
  |
(LANHOST)

Where:
NIC1
 IP 200.200.200.2/25 <----- note subnet mask
 GW 200.200.200.1
NIC2
 IP 200.200.200.129/25 <----- note address and mask
 GW <blank>
NIC3
 IP 192.168.10.1
 GW <blank>
Perim1
 IP 200.200.200.130/25 <----- note address and mask
 GW 200.200.200.129  <----- note gateway is Nic2
Lanhost
 IP 192.168.10.x
 GW 192.168.10.1

If you need help splitting up a different number of assigned addresses, tell us how many you have been assigned.
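As an added illustration (not code from any poster in this thread), the following Python check applies the two routing rules argued above to constructed interface tables: no two NICs on one box may cover the same prefix, and every default gateway must be on-link. It compares the asker's original /24 layout, schmutzboy's /25 split, and the stale-gateway trap (DMZ host still pointing at the ISP router); the 192.168.10.0/24 LAN mask is assumed, since the thread gives none for NIC3.

```python
import ipaddress

# Constructed interface tables for layouts discussed in the thread. Each host
# maps to a list of (nic_name, ip/prefix, default_gateway_or_None).
# The /24 mask on the 192.168.10.x LAN side is an assumption.
ORIGINAL = {   # asker's first layout: NIC1 and NIC2 both sit in 200.200.200.0/24
    "isa": [("NIC1", "200.200.200.1/24", "200.200.200.254"),
            ("NIC2", "200.200.200.2/24", None),
            ("NIC3", "192.168.10.1/24", None)],
    "perim1": [("PERIM1", "200.200.200.3/24", "200.200.200.2")],
}
SPLIT_25 = {   # schmutzboy's fix: public half /25 on NIC1, DMZ half /25 on NIC2
    "isa": [("NIC1", "200.200.200.2/25", "200.200.200.1"),
            ("NIC2", "200.200.200.129/25", None),
            ("NIC3", "192.168.10.1/24", None)],
    "perim1": [("PERIM1", "200.200.200.130/25", "200.200.200.129")],
}
STALE_GW = {   # DMZ host moved behind ISA but still pointing at the ISP router
    "perim1": [("PERIM1", "200.200.200.130/25", "200.200.200.1")],
}

def check_host(host, ifaces):
    """Return the routing problems found in one host's interface table."""
    problems = []
    nets = [(n, ipaddress.ip_interface(ip).network) for n, ip, _ in ifaces]
    # Rule 1: two different NICs on one box must not cover the same prefix;
    # the routing table cannot decide which NIC owns a destination in it.
    for i, (na, a) in enumerate(nets):
        for nb, b in nets[i + 1:]:
            if na != nb and a.overlaps(b):
                problems.append(f"{host}: {na} {a} overlaps {nb} {b}")
    # Rule 2: a default gateway must be on-link through one of the host's NICs.
    for name, _, gw in ifaces:
        if gw and not any(ipaddress.ip_address(gw) in n for _, n in nets):
            problems.append(f"{host}/{name}: gateway {gw} is not on-link")
    return problems

def check_layout(layout):
    """Collect problems for every host in a layout; an empty list means OK."""
    return [p for host, ifaces in layout.items() for p in check_host(host, ifaces)]

if __name__ == "__main__":
    for label, layout in (("original", ORIGINAL), ("split", SPLIT_25), ("stale", STALE_GW)):
        print(label, check_layout(layout) or "OK")
```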

So does Microsoft and Cisco.

Your DMZ should be private IP addresses. They must be a different subnet from your internal network, but still private.

Standard 'Best Practice' is that public IP addresses should be outside the firewall.

Your external DNS MX record is pointing to the outside interface of the ISA Server. The ISA Server will redirect SMTP traffic to the specified IP address. As you can see, with ISA redirecting traffic, there is absolutely no reason to have a public IP on the mail server.

Check out this tutorial:

http://www.isaserver.org/tutorials/Publishing_A_Mail_Server_With_ISA_Server.html

Especially the sections marked:
"External IP Addresses"
and
"Running The Secure Mail Server Publishing Wizard"

Or, better yet, here is the installation guide from Microsoft:

http://www.microsoft.com/isaserver/techinfo/deployment/2000/wp_installationguide.doc
See page 51 onwards.

Let me know what happens.
ASKER CERTIFIED SOLUTION
schmutzboy

David_Letterman (asker):

FYI -

I changed the Exchange server to an internal IP.
I added the external IP of the Exchange server to the ISA server's first NIC.
Example:
NIC#1 200.200.200.1/24 (second IP 200.200.200.2)
NIC#2 192.168.x.x (Exchange server 192.168.x.x)

The MX record now points to the second logical interface on the first NIC on my ISA server.

I also asked my ISP to host DNS (mainly to take that element out of the equation).

I then used the Configure Secure Mail wizard to add the appropriate filters.

Email, DNS and packet filtering are all working 100%!!!

I would like to thank ALL who submitted comments!

Although the answer was not perfectly clear... the comments and help are GREATLY appreciated.

Experts-Exchange is a very valuable tool!

Again, THANKS TO ALL!!!