Solved

Publish Multiple RPD from ISA 2004 - Getting Unidentified IP Traffic Error

Posted on 2006-05-16
Last Modified: 2013-11-16
I followed the article below on publishing servers with ISA Firewall (2004); it is a great article, but I am having trouble making it work.
http://www.isaserver.org/articles/2004pubts.html

Here is my setup
My ISA Server (2004, Standard) is behind a NAT; the NAT forwards to a private IP address.
Web publishing works perfectly; I am currently publishing 5 different Web Servers.

I now need to allow those servers to be administered remotely, but my server has only 1 external IP, so publishing RDP under different ports should work in my scenario.

The problem I am having is that my firewall port in ISA is not being recognized.
Under monitoring | logging | my request appears with my destination IP and Port, and the Protocol says Unidentified IP Traffic.
Then the action is denied under the default rule.

I have setup the firewall port as described here:
go to firewall policy | and setup a server publishing rule |
On the traffic page I selected RDP |  I have assigned another port (9950) in the firewall ports section

Any assistance will be appreciated.
TIA
Question by:gspronych

37 Comments

Expert Comment

by:Keith Alabaster
ID: 16692868
I would do this differently from the article.

Take this scenario.

Your one outside IP address on your router is 1.1.1.1
Your internal IP address on your router is 192.168.1.1

Your external ISA IP is 192.168.1.2
Your inside ISA IP is    10.0.0.1

web server 1 - 10.0.0.11
web server 2 - 10.0.0.12
web server 3 - 10.0.0.13
etc

Option 1
Leave all web servers running rdp on port 3389 (which is the default)
On your external firewall/router, forward TCP ports 3389,3390,3391,3392,3393 to 192.168.1.1 (the isa server)


Open the ISA gui.
select firewall policy
use the toolbox (on the right) to create 4 new protocols
TCP - incoming - 3390, TCP - incoming - 3391. keep going and make for 3392 & 3393. Give them names such as rdp - 3390, rdp - 3391 etc

right-click firewall policy and select publish a server as per Tom's document.
give it a name such as rdp to web server 2
select the protocol rdp - 3390. Click on ports
leave the firewall ports exactly as they are (publish using defaults). Change the published server port from 3390 to 3389.
in the destination put in the internal IP of web server 2 (our example 10.10.10.12)

make another publish rule, select rdp - 3391 and repeat for each web server.
save the policy

on your remote client (using our example)
rdp 1.1.1.1:3390   - web server 2
rdp 1.1.1.1:3391   - web server 3
etc


Expert Comment

by:Keith Alabaster
ID: 16692880
PS Obviously web server 1 will be the de facto rdp protocol using the predefined port 3389

Author Comment

by:gspronych
ID: 16693694
Hi Keith

Awesome example, that is very close to what I want to do.

external firewall / NAT IP is 1.1.1.1
inside ISA IP is    10.0.0.1

My websites DNS A records point to 1.1.1.1
My NAT redirects requests for 1.1.1.1 to 10.0.0.1 on my internal network to be processed by ISA

Web Servers
web server 1 - 10.0.0.11
web server 2 - 10.0.0.12
web server 3 - 10.0.0.13
etc

I have followed your recommendations but I am still having troubles.
Here is the situation

I have setup protocols as you recommended.
When I setup a firewall policy 'web server 1', I am using protocol 'rdp - 3390'.
When I assign the TO tab to 10.0.0.11, I still get an error in monitoring | logging:
Port: 3390, Unidentified IP Traffic, Denied under default rule

When I assign the TO tab to 10.0.0.1 I also get the same error.
BUT, if I goto the TRAFFIC tab and Ports... and leave ports on the defaults, the protocol shows in my log.
Port: 3390, RDP 3390

Do I have something else misconfigured?
It seems very straight forward.

Thanks for your assistance
Gary

Expert Comment

by:Keith Alabaster
ID: 16693817
basically you are doing this:

Traffic is arriving at 1.1.1.1 on port 3390 and being forwarded (by your external router) to ISA.
ISA says haha! Here comes traffic on port 3390. Goodee :)
I have a published server called rdp - 3390
My ports section says forward this to port 3389 but at the IP address of web server 2

Traffic is arriving at 1.1.1.1 on port 3391 and being forwarded (by your external router) to ISA.
ISA says haha! Here comes traffic on port 3391. Goodee :)
I have a published server called rdp - 3391
My ports section says forward this to port 3389 but at the IP address of web server 3

etc
If you look in the ports section of each published server (you should have five now, one per web server), the first section says to publish to the firewall either the default protocol rule (which is what we want) or an alternative port. We want the publishing to be as we have made them: 3389 published to the normal rdp port of 3389, rdp - 3390 published to its own 3390, rdp - 3391 published to its own 3391, exactly as we have created them in the new protocols.

The second section (server) says: do I push this protocol to the internal server on its default port or change it for something different? We want ALL of our five rules to forward on 3389 because this is what the web servers are ALL listening on. So, in essence we have:


client 1.1.1.1               ---   1.1.1.1 router 192.168.1.1--192.168.1.2 on port 3389  ** ISA ** 10.0.0.1 port 3389---   10.0.0.10 web server 1 (no change)
client 1.1.1.1:3390       ---   1.1.1.1 router 192.168.1.1--192.168.1.2 on port 3390  ** ISA **10.0.0.1 port 3389 ---   10.0.0.11 web server 2
client 1.1.1.1:3391       ---   1.1.1.1 router 192.168.1.1--192.168.1.2 on port 3391  ** ISA **10.0.0.1 port 3389 ---   10.0.0.12 web server 3
client 1.1.1.1:3392       ---   1.1.1.1 router 192.168.1.1--192.168.1.2 on port 3392  ** ISA **10.0.0.1 port 3389 ---   10.0.0.13 web server 4
etc etc



Author Comment

by:gspronych
ID: 16694128
Hi Keith

I understand what we are trying to accomplish, but something is not working.

The protocol I created only seems to work when the ISA firewall policy points to the ISA server.
When I point the policy to the IP any of my webservers... 1, 2, 3... etc the request appears as unidentified IP traffic?



Author Comment

by:gspronych
ID: 16694170
Also, when I change the Published Server Port to anything but default, it also appears as unidentified.
Even though the destination port is correct in the log.

I have even set the protocol port to publish on the same port to make sure it is not somehow getting the wrong value.

Expert Comment

by:Keith Alabaster
ID: 16694257
Lets do a walkthrough of the 3390 traffic.

open the protocols and double click the rdp - 3390 definition
all this should show is tcp   port 3390   inbound
If it shows anything different, edit the protocol accordingly.

Now double click the publishing rule you have for the server that is to be contacted when the ISA receives traffic over port 3390.
name should be what ever you have called it.
Action should be allow
Traffic should be rdp-3390 (as per our protocol above)
clicking on ports should show everything at default except server ports which should have 3389 in the box
FROM should be anywhere
TO should be the internal IP address of the web server you want to pick
Networks should have EXTERNAL only ticked.
Schedule should be always.


make sure you have clicked the yellow Apply button as well at the top of the screen.... :)
Now try it again from an outside work station.

PS Sometimes I hate ISA even though I am an MCT for it.

Author Comment

by:gspronych
ID: 16694528
I would love to be an MCT in my specialization... but it will never happen at the rate I am going at. ;)

I am RDP'd into our data center on the other side of the country (logically) where I am making the changes, and I am testing them locally.
I have been clicking apply after every group of changes I make then test them... a real pain.

I have my settings exactly how you have described, and I still have the problem I described.

Let me clarify my situation since I think I have found a potential problem.

My ISA, and my web servers (1,2,3 etc) are running in a virtualized environment hosted on the same server.
My ISA server can ping my web servers, but my web servers cannot ping my ISA server.

My web server ISA publishing is working correctly, but RDP does not work at all.
Should it matter if there is no 2-way communication? Web publishing works, so why shouldn't other protocols?

I didn't create the environment... I have been assigned to fix someone else's problem.
The web servers are to be virtual labs for our product, and the intention is to give them limited network access.

Thanks for your insight

Expert Comment

by:Keith Alabaster
ID: 16694760
You will not be able to test the RDP local to the ISA; this has to come from the external interface, i.e. through the internet (it won't work from the ISA server directly).

Author Comment

by:gspronych
ID: 16694807
I don't intend to test connecting from the ISA server.

I was wondering if there is a problem with my configuration.

My ISA server has external and internal access, which is a virtual server on the same server as my web servers.
My web servers only have access to the host server, and the virtual servers it contains.

I am trying to look at any other potential problem, since my configuration 'should' work.


Expert Comment

by:Keith Alabaster
ID: 16696711
Agreed, it should.

I am wondering if some other form of lockdown is being used on the box, as two-way communication should be fine also.

What other rules are in place on the ISA besides the ones we have put in?

Author Comment

by:gspronych
ID: 16702129
My network configuration is set to 'Back Firewall' if that makes any difference.

for rules,
1 | server publish rule | the RDP connection I am trying to configure
2 | web publish rule | is an HTTP protocol from an HTTP listener to my virtual lab
3 | server publish rule |  protocol - RDP | from - internal | to my internal adapter (allows me to RDP the server instead of the ActiveX control)
4 | last rule | deny all traffic, all networks


Expert Comment

by:Keith Alabaster
ID: 16702401
Back firewall simply means that there is another firewall between the ISA and the internet. Edge firewall is when ISA is directly connected to the Internet and no other firewall is in place. Front is the converse of back, obviously. The templates set the defaults of some of the registry keys and configuration settings.

Would you humour me for a minute or two?

in the gui, click on the firewall policy.
You will see a line of icons along the top of the window. the last icon should be the system policy. Clicking on it one will show the additional (hidden) system policy rules. Clicking it again rehides them.

There are rules in here about allowing remote management from the ISA itself.

I am using ISA2006 at the moment so I can't remove it to reinstall ISA2004 but on 2006 it is rule 3 (allow terminal services from or to ISA). You may need to add the addresses etc into these two rules.

Author Comment

by:gspronych
ID: 16704278
Hi Keith

I set the rule to allow from Anywhere, I also tried 'all networks'.
Still no change.

At this point I am considering building a new Virtual Server, since these steps should work on a base install.

Would you see any benefit from using Enterprise version instead of Standard?
We are a Gold partner and have licenses available for each.

Expert Comment

by:Keith Alabaster
ID: 16706174
I would love to say yes but it will make no odds. There is also no point in adding more levels of complexity when we are not able to get the basics functioning. A re-install/new install may operate straightaway. I use vmware rather than virtual server but I am planning to install ISA this evening on the vmware platform to see if I can emulate your problem.

Author Comment

by:gspronych
ID: 16709855
Doing more testing I found this interesting.

I used my allow internal RDP to the ISA server rule.
I changed the TO to my web servers, but it would connect me with the ISA server, not with the server I specified.

Changing ports still caused the Unidentified IP Traffic error.

If I add Anywhere to the 'allow remote management from selected computers using TS', I could connect to the ISA server externally, not the specified server, as well.

Expert Comment

by:Keith Alabaster
ID: 16710916
lol, another step forward....

Not the answer but once you have rdp'ed onto the ISA, can you rdp from the ISA to the web servers?

Author Comment

by:gspronych
ID: 16712048
Yes, once connected to the ISA server, it is possible to RDP to the webservers.

However, that is not my desired outcome.
Potential clients will be connecting to our web servers, so I do not want them to RDP to the ISA server, then RDP to their web server.

When they are done with our webservers we simply discard the undo disks and we have a new web server again; having them connect through our ISA server would be a security risk.
I am having enough trouble to get ISA to work how I want the first time...

Would it help to create an Access Rule for those protocols?
I have been playing around with them to see if it will make any difference.

Regards

Expert Comment

by:Keith Alabaster
ID: 16712258
Doing this as an access rule means that you bypass the main security of the ISA. You are, in effect, simply pushing those packets to an internal IP address and acting like a simple layer 3 router; not an application layer firewall.

I am home now so will be having my grub shortly. After this, I will see if I can reproduce your scenario.

Author Comment

by:gspronych
ID: 16720859
Keith

Is there any way to disable the last default rule?
My ISA is essentially a back firewall so I really do not need the additional firewall protection.

I only need ISA to route traffic to the correct HTTP/RDP address.
Do you have any advice how I can accomplish this?

TIA

Author Comment

by:gspronych
ID: 16721776
OK, HUGE break through.

The web server IPs were missing in the config | networks | internal setting.
HUGE oversight, I apologize.

If I have my external adapter added to my internal network here is my log:
(internally)
log shows my RDP rule - RDP 2112 (dest port 3389)
It shows Initiated connection
And works
(externally)
unidentified IP traffic

If I do not have my external adapter added to my internal network here is my log:
(same messages internally and externally)
log shows my RDP rule - RDP 2112 (dest port 3389)
It shows Initiated connection RDP 2112
Then the next line has denied connection | protocol RDP
And I can no longer RDP from my ISA server to my web servers with the same error

Do you have any advice at this point?

Expert Comment

by:Keith Alabaster
ID: 16722512
I'm bushed, to be honest. It's 12.10 here (just checked my mail before going to bed). I'll read this properly in the morning and respond rather than rushing it.

Cheers Keith.

PS, yes, that will make a difference. Thanks for the update as I had never seen the scenario not work before.
PPS. I was unable to recreate your issue.

Expert Comment

by:Keith Alabaster
ID: 16728822
Ok. the external adaptor address should not be on the internal LAT. In effect you are saying the outside is trusted.

So apart from the ones we have created, where is the bog standard rdp (port 3389) being directed to? What is the internal IP address of the web server?

On your client, you are just opening a connection to the IP address, you are not using a port number?

for example, 1.1.1.1:3391, you are just using the external IP address 1.1.1.1?




Author Comment

by:gspronych
ID: 16743398
Currently, the standard port (3389) is consumed by the ISA server itself.
I can RDP externally to the ISA server since I added anywhere to the 'allow remote management from selected computers'.
I will want to change the port so clients do not try to connect to the standard port

I setup a protocol I called RDP - 2112 to accept on 2112 and publish to 3389
I created an access rule to allow RDP terminal services and my custom protocol RDP - 2112

when I bring up RDC I connect with 1.1.1.1:2112
log shows my RDP rule - RDP 2112 (dest port 3389)
It shows Initiated connection RDP 2112
Then the next line has denied connection | protocol RDP

This is where I am at today.
Cheers

Author Comment

by:gspronych
ID: 16743464
BTW

This is the error in the ISA logs
FWX_E_UNREACHABLE_ADDRESS

I can no longer ping the webservers from the ISA server either, also denied.

The web servers are still up and running, I can RDP from another server in the network.

Author Comment

by:gspronych
ID: 16744138
I didn't think this would be an issue since the web servers are accessible from the 1.x IPs, but it seems to be.

my actual internal ips are 192.168.1.X
my lab webserver ips are 192.168.2.x

I changed my RDP 2112 to point to another IP in the 1.x, and it works externally.
But once I change it to point to my webservers 2.x RDP denies the connection.

Does this help?

Expert Comment

by:Keith Alabaster
ID: 16744348
OK, the custom rule does not need terminal services as well; it just needs.
You do not need a custom rule at all. Just publish a server using the custom protocol and change the PORTS setting to make sure the received traffic is forwarded from ISA on 3389 as we have discussed.
Does ISA server have a route to get to the 192.168.2.0 network?

Author Comment

by:gspronych
ID: 16744471
I am reading up on articles on isaserver.org as we speak, and I am thinking the same thing; there may be a routing issue.
I am looking at this article right now
http://www.isaserver.org/articles/2004netinnet.html

Unfortunately my routing knowledge is limited
here is my routes table; I do have an entry for 192.168.2.0, but I have no idea if it is correct.
I do know before I added the webservers to the Internal Network I was able to access them.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.45     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.44     192.168.1.44     20
     192.168.1.44  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255     192.168.1.44     192.168.1.44     20
      192.168.2.0    255.255.255.0     192.168.2.45     192.168.2.45     20
     192.168.2.45  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.2.255  255.255.255.255     192.168.2.45     192.168.2.45     20
        224.0.0.0        240.0.0.0     192.168.1.44     192.168.1.44     20
        224.0.0.0        240.0.0.0     192.168.2.45     192.168.2.45     20
  255.255.255.255  255.255.255.255     192.168.1.44     192.168.1.44      1
  255.255.255.255  255.255.255.255     192.168.2.45     192.168.2.45      1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None

Thanks

Accepted Solution

by:Keith Alabaster (earned 2000 total points)
ID: 16744621
That's interesting. The routing table states that you have two network cards installed.

One at 192.168.2.45
Second at 192.168.1.44

If you are using ISA as a firewall, then one of these cards must be external and the other must be internal.
If you are using the box as a Proxy server then both cards are internal but you can't have both in the ISA server.

If this is accurate then ISA can route to both the 192.168.1.0 and the 192.168.2.0 subnets directly because it has an interface card attached to each. In fact, the default gateway is pointing to the 192.168.2.0 network. The default gateway on ISA MUST be on the external NIC, not on the internal NIC. The internal NIC MUST not have a default gateway set.

So, if we follow this through based on this....

192.168.2.0 is your external network and 192.168.1.0 is your internal network.

The 192.168.2.0 and any other external systems can only get to the 192.168.1.0 machines if you have a service published

All of your external traffic is coming in through the 192.168.2.0 subnet from the Internet to the ISA server 192.168.2.45 address on port whatever

Now we hit a problem in our scenario.
<<<<  my lab webserver ips are 192.168.2.x >>>>

This suggests that your lab webservers are 'external' to ISA, not internal. That being the case, you cannot publish (in ISA) servers that are already external to it.

Does that make sense or have I missed something here?

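As an added example (not from the thread, the isaserver.org article, or ISA itself), the Python script below applies the two checks Keith makes in the accepted answer and in his earlier port-mapping table to the `route print` output posted above: the NIC that owns the default route is treated as ISA's external side, each publishing rule's TO address is classified by longest-prefix lookup as internal, external, or one of ISA's own addresses, and the listener ("firewall") ports are checked for clashes. The rule names and target addresses in SAMPLE_RULES are constructed for illustration and modelled on the thread (lab servers on 192.168.2.x, hosting servers on 192.168.1.x); they are assumptions, not the poster's actual configuration.

```python
import ipaddress
from dataclasses import dataclass

# Windows `route print` output as posted in the thread (Active Routes section).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.45     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.44     192.168.1.44     20
     192.168.1.44  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255     192.168.1.44     192.168.1.44     20
      192.168.2.0    255.255.255.0     192.168.2.45     192.168.2.45     20
     192.168.2.45  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.2.255  255.255.255.255     192.168.2.45     192.168.2.45     20
        224.0.0.0        240.0.0.0     192.168.1.44     192.168.1.44     20
        224.0.0.0        240.0.0.0     192.168.2.45     192.168.2.45     20
  255.255.255.255  255.255.255.255     192.168.1.44     192.168.1.44      1
  255.255.255.255  255.255.255.255     192.168.2.45     192.168.2.45      1
Default Gateway:       192.168.2.1
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text):
    """Return the Active Routes rows; header, footer and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def external_interface(routes):
    """(interface, gateway) of the default route. On a firewall the default
    gateway must sit on the external NIC, so this NIC is taken as external."""
    for r in routes:
        if r.network.prefixlen == 0:
            return r.interface, r.gateway
    raise ValueError("no default route present")


def best_route(ip, routes):
    """Longest-prefix match, lowest metric on ties (what the IP stack does)."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def side_of(ip, routes):
    """'internal', 'external' or 'localhost' relative to ISA for a target IP."""
    r = best_route(ip, routes)
    if r.interface == "127.0.0.1":
        return "localhost"  # the address belongs to ISA itself
    ext_iface, _ = external_interface(routes)
    return "external" if r.interface == ext_iface else "internal"


@dataclass(frozen=True)
class PublishingRule:
    name: str           # ISA rule / protocol name (assumed)
    listener_port: int  # port ISA accepts on its external NIC
    server_ip: str      # the rule's TO address
    server_port: int    # port ISA forwards to on the server


def audit_rules(rules, routes):
    """Map each rule name to a list of problems; an empty list means it is sound."""
    findings, listener_owner = {}, {}
    for rule in rules:
        problems = []
        side = side_of(rule.server_ip, routes)
        if side != "internal":
            problems.append(f"target {rule.server_ip} is {side} to ISA; "
                            "server publishing needs an internal target")
        owner = listener_owner.setdefault(rule.listener_port, rule.name)
        if owner != rule.name:
            problems.append(f"listener port {rule.listener_port} already used by '{owner}'")
        findings[rule.name] = problems
    return findings


# Constructed rules modelled on the thread; names and addresses are assumptions.
SAMPLE_RULES = [
    PublishingRule("rdp - 2112", 2112, "192.168.2.12", 3389),  # lab server, 2.x
    PublishingRule("rdp - 3390", 3390, "192.168.1.50", 3389),  # hosting server, 1.x
    PublishingRule("rdp - 3391", 3391, "192.168.2.45", 3389),  # ISA's own NIC
    PublishingRule("rdp - 3392", 3390, "192.168.1.51", 3389),  # listener clash
]

if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    print("external NIC / gateway:", external_interface(table))
    for name, problems in audit_rules(SAMPLE_RULES, table).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against the posted table, the script reports 192.168.2.45 as the external NIC, flags the 192.168.2.12 target as external (the situation Keith diagnoses), flags 192.168.2.45 as ISA's own address (the symptom where RDP landed on the ISA box instead of the web server), and leaves the 192.168.1.x rule clean; the same classification can be reused once the internal-side adapter is in place by re-running it on a fresh `route print`.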

Author Comment

by:gspronych
ID: 16746051
WoW, you are good. 8)

Your description does make sense, and does describe why I cannot make it work.
But I have set my lab IP range as internal on the networks tab?

Here is the scenario
1.x is our hosting environment
2.x is our lab environment

The person who deployed this server wanted it on both networks.
BUT, they wanted all traffic to be routed via the 2.x network so not to interfere with hosting traffic.

So what you are saying is my external connection cannot be used for internal and external traffic.
I should be using ISA as a proxy server, and should not have a default gateway.

How do I change the configuration so it is only a proxy server?
Thanks

Expert Comment

by:Keith Alabaster
ID: 16746226
What you have ended up with basically is using ISA as a router, not a firewall.

Open configuration - networks
Click on network rules (at the bottom)
For local host access, have you got local host - All networks - route?

Author Comment

by:gspronych
ID: 16746287
No problem, ISA is a back firewall in my scenario... I only need it as a routing server.

for Network Rules I have

1. Local host access | route | local host |all networks
2. VPN Clients to Internal network | route | VPN Clients and Quarantined VPN | internal
3. Internet Access | NAT | Internal and VPN | external

What do I need to change?
Thanks

Expert Comment

by:Keith Alabaster
ID: 16748762
I need to have a think on this, as I am not convinced in my own mind that we 'can' just make a change.

Author Comment

by:gspronych
ID: 16760604
Hi Keith

Any thoughts on which way will work?
TIA

Expert Comment

by:Keith Alabaster
ID: 16762258
I am trying it here as we speak (I have just got in from work). As I run ISA2006 now as standard, I have to reload images etc to get back to your scenario with 2004....

I know I make statements but it helps me to think :)

1. You currently have a firewall scenario but have put the external interface address range into the internal LAT. You are now routing between the two different areas even though they are on opposite sides of the ISA. This is why publishing will not work properly and everything was denied. ISA expects to pass everything THROUGH its filters (external to internal). Because the external addresses are now seen as internal, ISA doesn't feel that it is passing traffic through the filters; it is simply passing traffic from internal to internal.

2. In concept you are happy to do this because really you just want to route between the two subnets. However, you need ISA (working really) as you want to be able to contact each web server individually.

3. The end result required is to get to each of the web servers to administrate them but to keep the real web servers and the lab servers separate.

I will post shortly with a set of options that we can discuss.


Author Comment

by:gspronych
ID: 16772714
I appreciate all your help Keith, here is what I did based on your guidance.

Since I cannot forward on the external adapter, I created an additional virtual adapter on the ISA server in the 11.x

I changed my virtual servers to use the same 11.x, added the adapter to the Internal adapter in ISA.

Just like magic... everything works as you described.

Thanks for ALL of your help.
Gary

Expert Comment

by:Keith Alabaster
ID: 16774460
That's a great solution Gary, nice one, as this was a tricky little blighter. Your idea has taught me something there as well.

Best regards
Keith