Solved

Tri-Homed ISA Server - running Exchange and DNS on DMZ

Posted on 2003-02-25
Last Modified: 2012-06-27
I am having trouble allowing DNS and smtp to pass on my DMZ.

ISA = tri-homed integrated
first nic external to isp 200.200.200.1
second nic perimeter network 200.200.200.2
third nic internal 192.168.10.1

My exchange and DNS are running on the same box.

I am not sure if the perimeter server should have a gateway designated
I am not sure if the second nic should be an ISP-assigned IP
I am not sure if the second nic should have a gateway designated.
I am not sure if I should include the second nic in the LAT

I have created an allow rule for all protocols
I have created an allow rule for all IP packets

The proxy service is working fine for my internal clients all 192.168.10.x clients can hit any web site they want.

The problem is the perimeter network setup.


THANKS
Question by:David_Letterman
17 Comments
 
LVL 1

Expert Comment

by:schmutzboy
ID: 8018446
Just to verify - are you having trouble getting DNS and SMTP out from the DMZ to the ISP, or to (or even behind) the ISA box?

Also, if the ISP and DMZ are on the same subnet, are they physically separated?

is it like this:

Internet
    |
Router
    |
SWITCH --- DMZ
    |                 |
ISA ---------
    |
LAN

or like this:

Internet
    |
Router
    |
ISA --- DMZ
    |
LAN

Author Comment

by:David_Letterman
ID: 8018702
Internet
    |
 Router
    |
   ISA---DMZ (dns, exchange)
    |
Internal LAN


ISA is one machine (isp provided IP),
DNS and exchange on second machine (isp provided IP)

Router is wide open (no blocked ports)



LVL 1

Expert Comment

by:schmutzboy
ID: 8018833
OK - in this setup, you need to have IP routing and packet filtering turned on.

Configure the LAT to include the private subnet. The LAT should not include any other addresses.

In ISA management, add an IP packet filter for the Exchange server.  The filter type should be "predefined" and choose SMTP.

Remote computer should be Any Computer (or a specific computer, if access is limited to specific computers).

Do another packet filter for DNS requests.

Author Comment

by:David_Letterman
ID: 8019041
I have tried adding SMTP and DNS filters.... I have also (just for testing) ALLOWED ALL IP UDP traffic... and I am still having DNS issues.

When I move the DNS/Exchange server from behind the ISA server SMTP/DNS work fine.

I am not sure if I need a gateway on the DNS/Exchange box when it is behind the ISA server... also not sure if the nic on the ISA needs to be ISP provided
(the nic directly connected to the DMZ) and does the nic need a gateway ?

LVL 1

Expert Comment

by:schmutzboy
ID: 8019168
If I remember correctly, Nic2 must NOT have a gateway - it will screw up the routing tables.  (try it both ways, but I'm almost certain this is true.)

The interfaces on the perimeter network, including the ISA's perimeter interface, must have public (ISP assigned) addresses.

On the other hand, the DNS/Exchange box MUST have a gateway - set it to 200.200.200.1 (IP address of ISA nic facing perimeter network).  If it works when plugged directly into the ISP subnet, then it has the gateway set for the ISP router - but it won't be able to reach that address when plugged into the perimeter net, because they are physically separated.  This is most likely your root issue.


Also, are you sure you have IP routing turned on?
 From the ISA help:
-------------
To enable IP routing

In the console tree of ISA Management, right-click IP Packet Filters and then click Properties.
Where?

Internet Security and Acceleration Server
Servers and Arrays
Name
Access Policy
IP Packet Filters
On the General tab, click Enable packet filtering.
Click Enable IP routing.
-------------

Author Comment

by:David_Letterman
ID: 8019205
Yes IP routing is on

I have tried all of the above config's (with and without gateways)

LVL 1

Expert Comment

by:schmutzboy
ID: 8019367
To sum up as I understand it:

Internet
   |
ISP Router (200.200.200.254/24)
   |
(NIC1)
  ISA(NIC2)---(PERIM1)DNS/Exchg
(NIC3)
   |
(LANHOST)

Where:
NIC1
  IP 200.200.200.1/24
  GW 200.200.200.254
NIC2
  IP 200.200.200.2/24
  GW <blank>
NIC3
  IP 192.168.10.1
  GW <blank>
Perim1
  IP 200.200.200.3/24
  GW 200.200.200.2
Lanhost
  IP 192.168.10.x
  GW 192.168.10.1

------
Can you please make a matrix that states success on pings?

For example:

ISA box can successfully ping Internet, LAN, but not DNS
DNS cannot ping LAN or internet, but can ping ISA box.
Internet can ping ISA but not DNS
LAN can ping...
etc.
------
Also, please clarify the problem hosts - are you trying to query the DNS of the server in the DMZ from the LAN, or from the internet to the DMZ, or from the DMZ to the Internet?  Can you telnet to the SMTP port of the DMZ host from the LAN?  From the internet?
LVL 13

Expert Comment

by:kdearing
ID: 8020105
I believe the main problem is your IP scheme.

The external NIC and the DMZ (perimeter) NIC MUST be on separate subnets.

This should fix it:

On the Exchange/DNS server -
IP address 192.168.11.2
Gateway 192.168.11.1

On the ISA Server -
NIC2 IP address 192.168.11.1
Open ISA and expand 'Publishing'
Right-click 'Server Publishing Rules'
Select 'Secure Mail Server'
Go through the wizard using 192.168.11.2 as your mail server ip address
Set up a protocol rule allowing DNS

Make sure you configure the DNS Server to use a Forwarder for domains for which it is not authoritative.
Also, there must be a publicly available DNS MX record pointing to the external nic of the ISA server.

Let me know if this helps.
LVL 3

Expert Comment

by:Ycore
ID: 8020302
I agree with kdearing.  Your ISP network and your perimeter network are on the same subnet, so your routing is all screwy.  Choose a different subnet for your perimeter network, and it should work.


Ycore

Author Comment

by:David_Letterman
ID: 8026777
I have the DNS listed with internic as 200.200.200.x
How can I change my DNS to 192.168.1.x?

Where will the 200.200.200.x be ?

Are you suggesting I add a second IP to my external nic?
LVL 1

Expert Comment

by:schmutzboy
ID: 8026935
Actually, what they said is partially true - The address space of the DMZ must be on a different subnet than the public subnet.  I apologize, I just glazed over that part of it without thinking hard enough.  However, the DMZ *MUST* be publicly addressable... so no 192.168.x.x numbers.  

Say your subnet is 200.200.200.0/24
You must split the subnet again, so you have network 1 as 200.200.200.0/25 and network 2 as 200.200.200.128/25.

Network 1 would be on the public side of the ISA box, and network 2 would be on the DMZ.  (Actually, whatever address contains the ISP router/gateway address, that part must be on the public interface)

It would then look like this:

Internet
  |
ISP Router (200.200.200.1/24) <----- note subnet mask
  |
(NIC1)
 ISA(NIC2)---(PERIM1)DNS/Exchg
(NIC3)
  |
(LANHOST)

Where:
NIC1
 IP 200.200.200.2/25 <----- note subnet mask
 GW 200.200.200.1
NIC2
 IP 200.200.200.129/25 <----- note address and mask
 GW <blank>
NIC3
 IP 192.168.10.1
 GW <blank>
Perim1
 IP 200.200.200.130/25 <----- note address and mask
 GW 200.200.200.129  <----- note gateway is Nic2
Lanhost
 IP 192.168.10.x
 GW 192.168.10.1

If you need help splitting up a different number of assigned addresses, tell us how many you have been assigned.
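As an added example (not part of the thread), a small Python check built on the standard ipaddress module that encodes the two rules the addressing tables above rely on: no two firewall NICs on overlapping subnets, and every host pointing its default gateway at the firewall NIC on its own link. The plan dictionaries are constructed from the addresses quoted in the thread, and the function name check_plan is an assumption of this example; it also accepts a private DMZ plan of the kind kdearing proposes, since the rules are the same.

```python
from ipaddress import ip_address, ip_interface


def check_plan(interfaces, fw_gateway, hosts):
    """interfaces: {nic: "ip/prefix"} on the firewall.
    fw_gateway: the firewall's own default gateway (the ISP router).
    hosts: {name: ("ip/prefix", "gateway", nic_it_is_plugged_into)}.
    Returns a list of problem strings; an empty list means consistent."""
    problems = []
    nics = {n: ip_interface(a) for n, a in interfaces.items()}
    names = list(nics)
    # 1. No two firewall NICs may share or overlap a subnet, or the routing
    #    table cannot tell which NIC reaches a given address.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nics[a].network.overlaps(nics[b].network):
                problems.append(f"{a} and {b} overlap: {nics[a].network}, {nics[b].network}")
    # 2. The firewall's default gateway must be on exactly one of its links.
    on_link = [n for n in names if ip_address(fw_gateway) in nics[n].network]
    if len(on_link) != 1:
        problems.append(f"firewall gateway {fw_gateway} is on {len(on_link)} links, expected 1")
    # 3. Each host must sit on its NIC's subnet and use that NIC's address
    #    as its default gateway (not the ISP router on a different link).
    for name, (addr, gw, via) in hosts.items():
        host, gateway = ip_interface(addr), ip_address(gw)
        if host.ip not in nics[via].network:
            problems.append(f"{name}: {host.ip} is not on {via} ({nics[via].network})")
        elif gateway not in host.network:
            problems.append(f"{name}: gateway {gateway} is outside {host.network}")
        elif gateway != nics[via].ip:
            problems.append(f"{name}: gateway {gateway} is not {via} ({nics[via].ip})")
    return problems


# Constructed plans using the addresses quoted in the thread.
ORIGINAL = ({"NIC1": "200.200.200.1/24", "NIC2": "200.200.200.2/24",
             "NIC3": "192.168.10.1/24"}, "200.200.200.254",
            {"Perim1": ("200.200.200.3/24", "200.200.200.2", "NIC2"),
             "LanHost": ("192.168.10.50/24", "192.168.10.1", "NIC3")})
SPLIT = ({"NIC1": "200.200.200.2/25", "NIC2": "200.200.200.129/25",
          "NIC3": "192.168.10.1/24"}, "200.200.200.1",
         {"Perim1": ("200.200.200.130/25", "200.200.200.129", "NIC2"),
          "LanHost": ("192.168.10.50/24", "192.168.10.1", "NIC3")})

if __name__ == "__main__":
    for label, plan in (("original /24", ORIGINAL), ("split /25", SPLIT)):
        print(label, "->", check_plan(*plan) or "OK")
```

The original plan reports both the NIC1/NIC2 overlap and the ISP router being reachable on two links; the /25 split reports nothing.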

Author Comment

by:David_Letterman
ID: 8030774
I am working with the comments above.... I will update this question as soon as I make changes.

Thanks for the comments so far.
LVL 13

Expert Comment

by:kdearing
ID: 8031106
I disagree with schmutzboy.

So does Microsoft and Cisco.

Your DMZ should be private IP addresses. They must be a different subnet from your internal network, but still private.

Standard 'Best Practice' is that public IP addresses should be outside the firewall.

Your external DNS MX record is pointing to the outside interface of the ISA Server. The ISA Server will redirect SMTP traffic to the specified IP address. As you can see, with ISA redirecting traffic, there is absolutely no reason to have a public IP on the mail server.

Check out this tutorial:

http://www.isaserver.org/tutorials/Publishing_A_Mail_Server_With_ISA_Server.html

Especially the sections marked:
"External IP Addresses"
and
"Running The Secure Mail Server Publishing Wizard"

Or, better yet, here is the installation guide from Microsoft:

http://www.microsoft.com/isaserver/techinfo/deployment/2000/wp_installationguide.doc
See page 51+

Let me know what happens.
LVL 1

Accepted Solution

by:
schmutzboy earned 2000 total points
ID: 8034737
kdearing is only half right, but his (her?) response does not address the original question.

Respectfully, Cisco has nothing to do with Microsoft or ISA server.

The original question dealt with a three-homed ISA server, with a DMZ interface.  The last post deals specifically with locating *ALL* hosts in the private address space and mapping public addresses using NAT to a host on the private net.

It's not my place to tell someone how to structure their network and force them to do NAT - some situations require NAT to not be present, and I don't know the original poster's intent for wanting to include a DMZ.  So, assuming they know what they want to do, and that they know the pros and cons of NAT, I choose simply to answer the question as posed instead of getting into a semi-religious argument over the state of the structure of a network.

Dealing with three-homed "perimeter" networks, please see below for support for my suggestions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;313562

As you can see, both public and private addresses are supported, but for a three-homed scenario, private addresses in the DMZ can only occur if the ISA server itself is behind a NAT box.

Sorry for any confusion, but there is indeed (to borrow a line from the Perl documentors) more than one way to do things.

Author Comment

by:David_Letterman
ID: 8074158
FYI -

I changed the exchange server to an internal IP.
I added the external IP of the exchange server to the ISA servers first nic.
Example:
Nic#1 200.200.200.1/24 (second IP 200.200.200.2)
Nic#2 192.168.x.x (exchange server 192.168.x.x)

The MX record now points to the second logical interface on the first nic on my ISA server.

I also asked my ISP to host DNS (mainly to take that element out of the equation)

I then used the Config. secure mail wizard to add the approp. filters.

Email, DNS and packet filtering are all working 100% !!!





Author Comment

by:David_Letterman
ID: 8232940
I would like to thank ALL the submitted comments !

Although the answer was not perfectly clear... the comments and help are GREATLY apprec.


Experts-exchange is a very valuable tool !


Again THANKS TO ALL !!!