Isa 2004 frontend and backend scenario

Posted on 2006-06-28
Last Modified: 2013-11-16
I've got ISA 2004 as the front end server running Standard Edition (direct access to the web) and ISA 2004 as the backend. These machines can communicate with each other, as I can ping both, but I cannot get the backend server to browse the web. After that I will need to set up access rules to allow internal (domain member) machines to browse the web.

I tried setting up access rules to allow outbound HTTP, HTTPS and FTP access to External on the backend, and on the front end I did the same. No luck. Any suggestions please?
Question by:kiddkapurcjw
19 Comments
 
LVL 26

Expert Comment

by:Leon Fester
ID: 16999282
Use the monitoring tool in ISA.

It's the best way to see what rules are being applied to your traffic. I'm guessing that you haven't specified allow incoming traffic from your backend server. By default no traffic is allowed to pass through the ISA server, and the default rule is deny all.

In ISA Server Management Console:
Click on 'Monitoring'
Click the 'Logging' tab
Start the default trace and try browsing from your backend server. Once you know what traffic is being blocked and by what rule, you can then create the necessary rules to allow your browsing.

0
 

Author Comment

by:kiddkapurcjw
ID: 16999324
I am getting "unidentified IP traffic closed". It does not say what rule.

Scenario:

      INTERNET
           |
  ISA 2004 FRONTEND (workgroup)
           |         ---- DMZ
  ISA 2004 BACKEND (domain member)
           |
      INTERNAL NETWORK

If I try to browse the internet from the backend server I get the message "unidentified IP traffic denied, default rule".
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 16999374
Are you specifying your FE server as a proxy? Is your FE server set as the default gateway on the BE server?

What port is the unidentified traffic being reported on? 8080? You'll need to create a new protocol for that port.
Call it "transparent http" or whatever, assign port 8080 outbound.

The front end server needs to have a rule for traffic coming from the internal network.

Have you applied the edge firewall template on the network setup?
If YES, then there will only be 1 rule, stating deny all.

Create a rule:
Protocol: HTTP/HTTPS/transparent http (this is the protocol created earlier)
From: Internal (alternatively, specify the IP address of the NIC where the BE server connects)
To: External
Action: Allow
0
 

Author Comment

by:kiddkapurcjw
ID: 16999510
The frontend server has got the front end template applied and the backend has got the backend template applied. Is this incorrect?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 16999633
No problem with those templates. Check that your perimeter network has the correct IP settings for the connections in the DMZ.

The FE template creates a perimeter network that should be defined as the IPs in the DMZ.
Your network is currently:

      INTERNET
           |
  x.x.x.x (public IP)
  ISA 2004 FRONTEND (workgroup)
  192.168.1.2
           |         ---- DMZ
  192.168.1.1
  ISA 2004 BACKEND (domain member)
  10.0.0.1
           |
  10.0.0.x
      INTERNAL NETWORK

I've added a dummy set of IPs; however, this is what should be defined in each network configuration.
Internal network: 10.0.0.0
Perimeter network: 192.168.1.0
External network: by default, any public address that you may have on your machine.

Re-apply the networking templates and double check the IP settings. Try allowing unrestricted access in the wizard, and see what happens in the monitoring tool when you try to browse.
0
 
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 16999712
Hi,

Have you tried web chaining?

You can configure Web Chaining from the Network tab.

Mention the IP address of the Front End ISA server in the Upstream Server and allow web traffic from Internal to External.

Hope this helps
Kumar
0
 

Author Comment

by:kiddkapurcjw
ID: 17000398
Hello,

The network adapters on the FE and BE firewalls have been configured correctly. On the front end server I have also added the internal network address range and this still does not work. Machines sitting on the perimeter network can browse the web (I have created that new protocol definition that you asked me to and a new access rule). When I browse from the perimeter networked machine I can see in the monitor that it is using the new rule.

I wonder: the FE is in the workgroup and the BE is a domain member server. Could this be a problem?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 17000472
'I wonder: the FE is in the workgroup and the BE is a domain member server. Could this be a problem?'

No, this should not be the issue. Your firewall does not care where it is located; it is the traffic that is of most concern to the firewall.

'When I browse from the perimeter networked machine I can see in the monitor that it is using the new rule.'
- When do you see this? When you try to access the Internet from the BE server? Or when some machine in your DMZ tries to access the Internet?

You should now concentrate on the BE server. Check the monitoring tool there and see what is happening to traffic.
N.B. The BE server should have its default gateway pointing to the NIC (in the DMZ) of the FE server.
N.B. Only 1 default gateway per machine.
0
 

Author Comment

by:kiddkapurcjw
ID: 17001615
The error message that I get is "Denied connection, rule: Default, source: Local Host, destination: Perimeter". This seems to be a rule, but I cannot figure out what rule, as I have allowed HTTP port 80 and 8080 and HTTPS outbound, similar to the rule on the FE. But this does not seem to work.

If I disable the FW service I can connect to the net OK from the BE, but whilst it is running I am having no joy. Any ideas guys?
0
 
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 17001847
Have you tried web chaining?
0
 

Author Comment

by:kiddkapurcjw
ID: 17002236
Web chaining will not work if I cannot get the BE server to browse the net.
0
 
LVL 1

Expert Comment

by:David George
ID: 17006448
What order are the rules listed in? The most restrictive rule must be at the bottom, as rules are applied to web requests from the top downward. If you have a "deny" rule (so to speak) before the "allow" rule, the allow rule will never get used.
0
 

Author Comment

by:kiddkapurcjw
ID: 17007153
The Web access rule is at the top on both the ISA boxes.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 17007369
Check if the following rule exists, otherwise create it.
Action: Allow
Protocols: All Outbound
From: Internal, Localhost
To: External

You need to specify the localhost in your rules as well.

Check the properties of your Internal Network, under the configuration section.
Enable the Web proxy client.

Test it again
0
 

Author Comment

by:kiddkapurcjw
ID: 17007630
I have that rule configured, and web proxy enabled. I know this is a brain buster guys, but I am grateful for all your help.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 2000 total points
ID: 17007768
Oops, um, forgot to say... the above rule needs to exist on the BE server...

Last resort is to create an access rule with All Networks (and Local Host) in both the To: and From: fields of the rule.

Test if you can browse then... You can always add/remove the unnecessary connections later, but at least you can test if traffic is passing correctly between the two servers.

Post back with the results of the monitoring tool again... maybe we've missed something in there. I know you've posted it earlier, but you've made some changes since, so let's get some new information. :)
0
 

Author Comment

by:kiddkapurcjw
ID: 17008063
Hey, I did as you mentioned and voilà. Then I removed accordingly and tested. It seems that all that was needed was to add the perimeter network to the destinations list.

Now all I need to do is to get the internal machines to browse the web, then I am home free.
0
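The two rule-ordering points in this thread (first match from the top down, and the back-end rule only allowing a destination of External while the monitor logged Local Host to Perimeter) can be modelled with a small first-match evaluator. This is an added example, not ISA code or the poster's configuration; the network objects and addresses follow the dummy addressing given above and are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network objects, following the thread's dummy addressing.
# Dict order is most-specific first so classify() picks Local Host before Perimeter.
NETWORKS = {
    "Local Host": [ip_network("10.0.0.1/32"), ip_network("192.168.1.1/32")],  # BE server's own NICs
    "Internal":   [ip_network("10.0.0.0/24")],
    "Perimeter":  [ip_network("192.168.1.0/24")],
    "External":   [ip_network("0.0.0.0/0")],  # catch-all, checked last
}

def classify(addr):
    """Map an address to the most specific matching network object."""
    ip = ip_address(addr)
    for name, nets in NETWORKS.items():
        if any(ip in net for net in nets):
            return name
    return "External"

@dataclass
class Rule:
    name: str
    action: str      # "Allow" or "Deny"
    protocols: set   # e.g. {"HTTP", "HTTPS"}, or {"*"} for All Outbound
    src: set         # network object names, or {"*"} for all networks
    dst: set

# ISA's built-in last rule: deny everything not allowed by a rule above it.
DEFAULT_RULE = Rule("Default rule", "Deny", {"*"}, {"*"}, {"*"})

def matches(r, proto, src, dst):
    return all(x in s or "*" in s for x, s in ((proto, r.protocols), (src, r.src), (dst, r.dst)))

def evaluate(rules, proto, src_ip, dst_ip):
    """Top-down first match, as ISA orders access rules; returns (action, rule name)."""
    src, dst = classify(src_ip), classify(dst_ip)
    for r in list(rules) + [DEFAULT_RULE]:
        if matches(r, proto, src, dst):
            return r.action, r.name

# Back-end rule as first configured: destination External only.
WEB_BEFORE = Rule("Web access", "Allow", {"HTTP", "HTTPS"}, {"Internal", "Local Host"}, {"External"})
# Same rule with Perimeter added to the destinations, the fix reported in the thread.
WEB_AFTER = Rule("Web access", "Allow", {"HTTP", "HTTPS"}, {"Internal", "Local Host"}, {"External", "Perimeter"})

if __name__ == "__main__":
    # The BE server (Local Host) sending web traffic toward the FE's DMZ NIC, 192.168.1.2.
    print(evaluate([WEB_BEFORE], "HTTP", "192.168.1.1", "192.168.1.2"))  # ('Deny', 'Default rule')
    print(evaluate([WEB_AFTER], "HTTP", "192.168.1.1", "192.168.1.2"))   # ('Allow', 'Web access')
```

Placing a deny-all rule above WEB_AFTER in the list reproduces the ordering problem described earlier: the allow rule is never reached.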
 
LVL 26

Expert Comment

by:Leon Fester
ID: 17008183
Excellent!

The client setup should be as easy as either changing their default gateway to point to the Internal NIC of the ISA server, or alternatively configuring the browser to use the ISA server as a proxy: set the IP address (of the NIC on the Internal network), port 8080.
0
 

Author Comment

by:kiddkapurcjw
ID: 17008840
Thank you very much.
0
