Solved

Isa 2004 frontend and backend scenario

Posted on 2006-06-28
19
529 Views
Last Modified: 2013-11-16
I've got ISA 2004 as the front-end server running Standard Edition (direct access to the web) and ISA 2004 as the back end. These machines can communicate with each other, as I can ping both, but I cannot get the back-end server to browse the web. After that I will need to set up access rules to allow internal machines (domain members) to browse the web.

I tried setting up access rules to allow outbound HTTP, HTTPS and FTP access to External on the back end, and on the front end I did the same. No luck. Any suggestions, please?
0
Question by:kiddkapurcjw
19 Comments
 
LVL 26

Expert Comment

by:Leon Fester
ID: 16999282
Use the monitoring tool in ISA.

It's the best way to see what rules are being applied to your traffic. I'm guessing that you haven't specified allow incoming traffic from your backend server. By default no traffic is allowed to pass through the ISA server, and the default rule is deny all.

In ISA Server Management Console,
Click on 'Monitoring'
Click 'Logging' tab
Start the default trace and try browsing from your backend server. Once you know what traffic is being blocked and by what rule, you can then create the necessary rules to allow your browsing.

0
 

Author Comment

by:kiddkapurcjw
ID: 16999324
I am getting "unidentified IP traffic closed". It does not say what rule.

Scenario:

        Internet
           |
    ISA 2004 FRONTEND (workgroup)
           |---- DMZ
    ISA 2004 BACKEND (domain member)
           |
    INTERNAL NETWORK

If I try to browse the internet from the backend server I get the message "unidentified IP traffic denied, default rule".
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 16999374
Are you specifying your FE server as a proxy? Is your FE server set as the default gateway on the BE server?

What port is the unidentified traffic being reported on? 8080? You'll need to create a new protocol for that port.
Call it "transparent http" or whatever, and assign port 8080 outbound.

The front-end server needs to have a rule for traffic coming from the internal network.

Have you applied the edge firewall template on the network setup?
If YES, then there will only be 1 rule, stating deny all.

Create a rule:
Protocol: http/https/transparent http (this is the protocol created earlier)
From: Internal (alternatively, specify the IP address of the NIC where the BE server connects)
To: External
Action: Allow
0
 

Author Comment

by:kiddkapurcjw
ID: 16999510
The frontend server has the front-end template applied and the backend has the back-end template applied. Is this incorrect?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 16999633
No problem with those templates. Check that your perimeter network has the correct IP settings for the connections in the DMZ.

The FE template creates a perimeter network that should be defined as the IPs in the DMZ.
Your network is currently:

        Internet
           |
    x.x.x.x (public IP)
    ISA 2004 FRONTEND (workgroup)
    192.168.1.2
           |---- DMZ
    192.168.1.1
    ISA 2004 BACKEND (domain member)
    10.0.0.1
           |
    10.0.0.x
    INTERNAL NETWORK

I've added a dummy set of IPs; however, this is what should be defined in each network configuration.
Internal network: 10.0.0.0
Perimeter network: 192.168.1.0
External network: by default, any public address that you may have on your machine.

Re-apply the networking templates and double-check the IP settings. Try allowing unrestricted access in the wizard, and see what happens in the monitoring tool when you try to browse.
0
 
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 16999712
Hi,

Have you tried web chaining?

You can configure Web Chaining from the Network tab.

Enter the IP address of the Front End ISA server as the Upstream Server and allow Web Traffic from Internal to External.

Hope this helps
Kumar
0
 

Author Comment

by:kiddkapurcjw
ID: 17000398
Hello,

The network adapters on the FE and BE firewalls have been configured correctly. On the front-end server I have also added the internal network address range, and this still does not work. Machines sitting on the perimeter network can browse the web (I have created that new protocol definition that you asked me to, and a new access rule). When I browse from the perimeter-networked machine I can see in the monitor that it is using the new rule.

I wonder: the FE is in the workgroup and the BE is a domain member server. Could this be a problem?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 17000472
'I wonder: the FE is in the workgroup and the BE is a domain member server. Could this be a problem?'

No, this should not be the issue. Your firewall does not care where it is located; it is the traffic that is of most concern to the firewall.

'When I browse from the perimeter-networked machine I can see in the monitor that it is using the new rule.'
- When do you see this? When you try to access the Internet from the BE server, or when some machine in your DMZ tries to access the Internet?

You should now concentrate on the BE server. Check the monitoring tool there and see what is happening to traffic.
N.B. The BE server should have its default gateway pointing to the NIC (in the DMZ) of the FE server.
N.B. Only 1 default gateway per machine.
0
 

Author Comment

by:kiddkapurcjw
ID: 17001615
The error message that I get is "Denied connection, rule: default, source: local host, destination: perimeter". This seems to be a rule, but I cannot figure out what rule, as I have allowed HTTP port 80 and 8080 and HTTPS outbound, similar to the rule on the FE. But this does not seem to work.

If I disable the FW service I can connect to the net OK from the BE, but whilst it is running I am having no joy. Any ideas, guys?
0
 
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 17001847
Have you tried web chaining?
0
 

Author Comment

by:kiddkapurcjw
ID: 17002236
Web chaining will not work if I cannot get the BE server to browse the net.
0
 
LVL 1

Expert Comment

by:george183
ID: 17006448
What order are the rules listed in? The most restrictive rule must be at the bottom, as rules are applied to web requests from the top downward. If you have a "deny" rule (so to speak) before the "allow" rule, the allow-all rule will never get used.
0
 

Author Comment

by:kiddkapurcjw
ID: 17007153
The Web access rule is at the top on both ISA boxes.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 17007369
Check if the following rule exists, otherwise create it.
Action: Allow
Protocols: All Outbound
From: Internal, Localhost
To: External

You need to specify the localhost in your rules as well.

Check the properties of your Internal Network, under the configuration section.
Enable the Web proxy client.

Test it again
0
 

Author Comment

by:kiddkapurcjw
ID: 17007630
I have that rule configured, and web proxy enabled. I know this is a brain buster, guys, but I am grateful for all your help.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 17007768
Oops, um, forgot to say: the above rule needs to exist on the BE server.

Last resort is to create an access rule with All Networks (and Localhost) in both the To: and From: fields of the rule.

Test if you can browse then. You can always add/remove the unnecessary connections later, but at least you can test if traffic is passing correctly between the two servers.

Post back with the results of the monitoring tool again; maybe we've missed something in there. I know you've posted it earlier, but you've made some changes since, so let's get some new information. :)
0
 

Author Comment

by:kiddkapurcjw
ID: 17008063
Hey, I did as you mentioned and voilà. Then I removed accordingly and tested. It seems that all that was needed was to add the perimeter network to the destinations list.

Now all I need to do is to get the internal machines to browse the web, then I am home free.
0
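As an added example, not from anyone in this thread: a small first-match simulator of ISA-style ordered access rules, covering both george183's point about rule order and the accepted fix above. The back-end server's own requests to the front end's DMZ NIC are Local Host to Perimeter traffic, so a rule allowing only "Internal, Local Host to External" never matches them and they fall through to the default deny; the addresses and rule names are constructed, following the dummy address plan used earlier in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (dummy values, as in the thread): the BE server owns
# 10.0.0.1 (Internal NIC) and 192.168.1.1 (DMZ NIC); the FE's DMZ NIC is 192.168.1.2.
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/24")],
    "Perimeter": [ip_network("192.168.1.0/24")],
}
LOCAL_HOST = {ip_address("10.0.0.1"), ip_address("192.168.1.1")}

def network_of(addr):
    """Map an address to an ISA network object; the server's own IPs are Local Host,
    anything not defined elsewhere is External."""
    a = ip_address(addr)
    if a in LOCAL_HOST:
        return "Local Host"
    for name, ranges in NETWORKS.items():
        if any(a in n for n in ranges):
            return name
    return "External"

def evaluate(rules, src, dst, port):
    """First matching rule wins, as in ISA's ordered policy; otherwise the default deny."""
    s, d = network_of(src), network_of(dst)
    for r in rules:
        if s in r["from"] and d in r["to"] and (r["ports"] is None or port in r["ports"]):
            return r["action"], r["name"]
    return "deny", "Default rule"

WEB_PORTS = {80, 443, 8080}
# BE policy as first configured: allows Local Host only towards External.
BE_POLICY = [
    {"name": "Web access", "action": "allow",
     "from": {"Internal", "Local Host"}, "to": {"External"}, "ports": WEB_PORTS},
]
# The accepted fix: Perimeter added to the destinations.
BE_POLICY_FIXED = [
    {"name": "Web access", "action": "allow",
     "from": {"Internal", "Local Host"}, "to": {"External", "Perimeter"}, "ports": WEB_PORTS},
]
# Mis-ordered policy: a deny placed above the allow hides it (rules apply top-down).
MISORDERED = [
    {"name": "Block web", "action": "deny",
     "from": {"Internal"}, "to": {"External"}, "ports": WEB_PORTS},
] + BE_POLICY_FIXED

def demo():
    # BE server itself talking to the FE's DMZ NIC on the web proxy port
    return (evaluate(BE_POLICY, "192.168.1.1", "192.168.1.2", 8080),
            evaluate(BE_POLICY_FIXED, "192.168.1.1", "192.168.1.2", 8080),
            evaluate(MISORDERED, "10.0.0.50", "203.0.113.10", 80))
```

Running `demo()` shows the original policy denying the BE's own proxy request by the default rule, the fixed policy allowing it, and the mis-ordered policy denying an internal client even though an allow rule exists further down.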
 
LVL 26

Expert Comment

by:Leon Fester
ID: 17008183
Excellent!

The client setup should be as easy as either changing their default gateway to point to the Internal NIC of the ISA server, or alternatively configuring the browser to use the ISA server as a proxy: set the IP address (of the NIC on the Internal network), port 8080.
0
 

Author Comment

by:kiddkapurcjw
ID: 17008840
Thank you very much.
0
