Solved

ISA 2004 Publishing Multiple Websites

Posted on 2004-10-18
Last Modified: 2013-11-16
I'm new to ISA 2004, and need to publish multiple websites behind it.  I have run through the publish wizards, and for some reason I'm not able to get to either website from outside of my network.  Current setup looks like:

 - ISA sits behind existing firewall as part of private network (not the best scenario, but..)
 - Existing firewall is NATing all incoming HTTP and HTTPS traffic to ISA
 - Used ISA publishing wizards to publish websites (one is Exchange 2003 w/ OWA and Mobile Sync, etc.  Have turned off Forms authentication, and have published both the web site for OWA and the mail server itself).  Second server listens on port 80 as well.  This one requires original header to function correctly (server.domain.com).
 - Internal DNS has been configured, and both sites work fine behind our firewall.  External DNS has been set up, and traffic gets to external firewall and then to ISA.

Any ideas, suggestions, etc. would be greatly appreciated.

Thanks,
Todd
Question by:toddnoe
4 Comments
 
LVL 1

Author Comment

by:toddnoe
ID: 12381789
Anybody?
0
 
LVL 3

Accepted Solution

by:
thaller earned 2000 total points
ID: 12414185
What browser error is reported?  (404, etc?)  Can you post snippets from the log files for the firewall?  If ICMP is allowed through the existing firewall and permitted on the ISA server, can you ping the address(es) of the external IPs?  Can you verify with netdiag that HTTP requests are hitting the adapter?  What is the addressing scheme of the private network and your network?  Can I throw any more rapid-fire questions at you?  ;)
0
 
LVL 1

Author Comment

by:toddnoe
ID: 12476020
Sorry for the delay - I almost lost hope.

Internal is Class C.  Nic1 on ISA is .2, Nic2 is .14.  Pinging the external ip will always get a response - all sites are the same public ip.  Public router kicks all http requests to firewall, which then kicks them to ISA, which is then supposed to route based on published server rules.

Snippet of Log File: (IPs changed to protect the innocent...like it does much good, though - ha ha)

Original Client IP,Server Name,Transport,Result Code,Error Information,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Source Network,Destination Network

68.126.XXX.XXX,SERVER1,TCP,0xc004000d FWX_E_POLICY_RULES_DENIED,0x0,11/2/2004 10:10,192.168.XXX.2,80,HTTP,Denied Connection,Default rule,68.126.XXX.XXX,External,Local Host

68.126.XXX.XXX,SERVER1,TCP,0xc004000d FWX_E_POLICY_RULES_DENIED,0x0,11/2/2004 10:10,192.168.XXX.2,80,HTTP,Denied Connection,Default rule,68.126.XXX.XXX,External,Local Host

68.126.XXX.XXX,SERVER1,TCP,0xc004000d FWX_E_POLICY_RULES_DENIED,0x0,11/2/2004 10:10,192.168.XXX.2,80,HTTP,Denied Connection,Default rule,68.126.XXX.XXX,External,Local Host

I just saw something - I'm thinking that incoming requests are hitting .2 instead of .14.  I'm going to redirect to .14 and cross my fingers.  Looks like the default rule (block everything) is killing incoming requests on .2, and sites are published on .14.
0
 
LVL 1

Author Comment

by:toddnoe
ID: 12477961
Alright, got that all figured out...  incoming requests were hitting .2 instead of .14 - made the firewall kick all http traffic to .14.  Also had to create a rule that allowed all external http traffic to certain machines (ASSumed that when you published a site, the rules were already created...).    A couple tweaks here and there...2 of 3 are working now.  Just have to get OWA and ISA to play nice now.

Thanks for your help, thaller.  You got me back on track and pointed in the right direction.
0
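The check that resolved this thread, reading the firewall log to see which address the default rule is denying traffic on, as an added example (not code from the thread or from ISA Server). The column names and denied rows follow the posted snippet with its masked addresses; the listener address and the function names are assumptions for illustration.

```python
import csv
import io
from collections import Counter

# Header and rows copied from the log snippet posted in the thread
# (addresses masked as posted).
SAMPLE_LOG = """\
Original Client IP,Server Name,Transport,Result Code,Error Information,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Source Network,Destination Network
68.126.XXX.XXX,SERVER1,TCP,0xc004000d FWX_E_POLICY_RULES_DENIED,0x0,11/2/2004 10:10,192.168.XXX.2,80,HTTP,Denied Connection,Default rule,68.126.XXX.XXX,External,Local Host
68.126.XXX.XXX,SERVER1,TCP,0xc004000d FWX_E_POLICY_RULES_DENIED,0x0,11/2/2004 10:10,192.168.XXX.2,80,HTTP,Denied Connection,Default rule,68.126.XXX.XXX,External,Local Host
68.126.XXX.XXX,SERVER1,TCP,0xc004000d FWX_E_POLICY_RULES_DENIED,0x0,11/2/2004 10:10,192.168.XXX.2,80,HTTP,Denied Connection,Default rule,68.126.XXX.XXX,External,Local Host
"""

# Assumption: the address the publishing rules listen on (the poster's ".14" NIC).
LISTENER_IPS = {"192.168.XXX.14"}


def default_rule_denials(log_text):
    """Count connections denied by the default rule, keyed by (dest IP, dest port)."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Action"].startswith("Denied") and row["Rule"] == "Default rule":
            hits[(row["Destination IP"], row["Destination Port"])] += 1
    return hits


def triage(hits, listener_ips):
    """Split denied destinations into the two causes seen in the thread."""
    findings = {}
    for (ip, port), count in sorted(hits.items()):
        if ip in listener_ips:
            # Traffic reaches the listener address but no rule allows it.
            cause = "listener address: check the publishing/allow rule"
        else:
            # Traffic arrives on an address nothing is published on.
            cause = "no listener here: check the upstream NAT target"
        findings[(ip, port)] = (count, cause)
    return findings


if __name__ == "__main__":
    for dst, (count, cause) in triage(default_rule_denials(SAMPLE_LOG), LISTENER_IPS).items():
        print(f"{dst[0]}:{dst[1]}  denied x{count}  -> {cause}")
```
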

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question