Solved

ISA / DMZ problems

Posted on 2006-07-02
Last Modified: 2013-11-16
I have the following configuration:  (new to ISA)

SBS2003 with ISA 2004 (domain with 50 workstations).  External NIC of ISA/SBS server is 192.168.1.100, connected to gig switch.  Also connected to the gig switch is a SQL server (192.168.1.103 & default gateway 192.168.1.1) and a Web Server (192.168.1.106 & default gateway 192.168.1.1) on a workgroup, and a Symantec 460 firewall (192.168.1.1) (provides a redundant internet connection...cable connection for web access and a T with static IP for RWW/Intranet).

The external NIC of the webserver (192.168.0.106) is connected to a Symantec 360 with static IP for external website.

One question...why is ISA blocking traffic on the DMZ?  I cannot ping from the web server to the sql server unless I set up access rules in the ISA server to allow it.
I also cannot set up an ODBC connection for the SQL server on the web server without allowing SQL traffic through ISA...but both servers are outside of ISA in the DMZ...so why?  But even with access rules allowing everything that showed as denied in the log while trying to create a connection to SQL (I can connect), I get a "SQLState: 28000 error 18456 Login failed for user..."
but...
If I move the SQL server to one of the 360 symantec ports and change the IP and gateway to this firewall, I can create a SQL connection, so it's got to be a firewall problem...but I can't figure it out.

I also need to get MSMQ service to pass through ISA to/from an internal database server to the webserver.

What is the consensus for putting a webserver and SQL server all inside ISA on the domain and publishing the web server...instead of using a DMZ?  I've read several articles debating both.

As it is now...I can access the web server from outside...I'm just getting an internal server error because of the SQL server connection problem.  And RWW is working fine, and when cable goes down...the redundant firewall switches over to the T so internal surfing still works.  I can remote desktop to all servers from internal LAN.

        T connection                      Cable connection
              |                                  |
          Gig Switch                             |
          /        \                             |
   360 Symantec     460 Symantec (redundant connection for outbound)
   (192.168.0.1)    (192.168.1.1)
         |                 |
   Web Server external     gig switch
   (192.168.0.106)        /            |               \
                    web server     SQL server     SBS/ISA Server
                 (192.168.1.106) (192.168.1.103)  (192.168.1.100)

thanks...I hope I've explained this clearly enough.


             



Question by:cjstudioguy
7 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 130 total points
ID: 17029198
Two ways to go.

Personally, I'd bring everything inside and put a second NIC in the SBS server. ISA is a world-class application-layer firewall and would breeze that configuration, then connect the outside world through the 2nd NIC.

Alternative would be to create a VPN between the 360 & 460.

Author Comment

by:cjstudioguy
ID: 17031081
Thanks for the input...One last question about your first suggestion...Currently, the Symantec has 2 WAN connections (for redundancy...cable is set to "on" and the T set to backup).  We use the T for inbound RWW traffic (and for hosting our new website as soon as it's configured and finished)...we have 2 different static IPs...but I can't figure out how to route these 2 public IPs (one for RWW and the other for the website) using just one Symantec box.  Does ISA support redundant internet connections?  If so, then I could just eliminate the Symantec.

Ideally I want all office surfing traffic to go over our cable connection...leaving the bandwidth for website and RWW on the T.  Only when the cable connection goes down (every couple of weeks) does the Symantec switch over to the T.

My other thought was to add a 3rd NIC to the SBS/ISA server...1 for internal LAN, 1 for web IP and 1 for RWW IP...but it seems SBS doesn't support 3 NICs?  at least

Thanks again!

Author Comment

by:cjstudioguy
ID: 17049439
My external firewall appliance (Symantec 460) can only handle 2 static IPs and I need 3...so I am using 2 Symantec firewalls.  I finally got it all working through ISA, leaving the web and SQL servers in the DMZ.  Now I just have to figure out how to set up a split DNS so I can access the site from the inside as well as outside.  Any further suggestions on this would be welcome...thanks.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17049920
Sorry for not coming back to you sooner, I am in the middle of an audit at work and this is taking most of my evening time.

In what sense are you requiring split DNS? i.e. from where?

Author Comment

by:cjstudioguy
ID: 17070044
Once development is done on the webserver/site, I will have the domain name redirected to our static IP address and change the URL in the site's settings to the external IP instead of the internal one.  Once it's set to the external IP, I am no longer able to access the site from inside the network because of some "loop" of going out through ISA and back in, and ISA doesn't allow it.  I've seen some info on isaserver.org about needing to set up a split DNS for this scenario...but don't know much more about it yet.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17083747
Is your internal dns name the same as your external dns name?
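As an added worked example (not posted by anyone in this thread), here is the internal half of the split DNS the poster is asking about, written for the DNS service on the SBS box using the dnscmd tool that ships with Windows Server 2003. The idea is that internal clients resolving the public site name get the internal address of the web server, so they connect directly on the LAN and never try to leave through ISA and come back in; external clients keep using the public DNS, which is untouched. The public domain name (example.com) is a placeholder because the poster never names it, and the assumption that the SBS server is the internal DNS server is mine; the internal web server address 192.168.1.106 is taken from the poster's diagram.

```powershell
# Added example, not from the thread: internal half of a split DNS on the SBS/ISA box.
# Assumed placeholders, not taken from the original post:
#   - the public site name is www.example.com (the poster never gives the domain)
#   - this runs on the SBS server, which is assumed to host the internal DNS service
#     (dnscmd uses the local server when no server name is given)
# The internal web server address 192.168.1.106 is from the poster's diagram.
$Zone       = "example.com"       # placeholder public domain
$Name       = "www"
$InternalIP = "192.168.1.106"

# 1. Create an internal primary copy of the public zone. Skip this step if the
#    internal AD domain already carries the same name (the expert's last question):
#    the zone then already exists on this server and only step 2 is needed.
dnscmd /ZoneAdd $Zone /Primary /file "$Zone.dns"

# 2. Answer the public site name with the internal address for inside clients.
dnscmd /RecordAdd $Zone $Name A $InternalIP

# 3. Check from an internal workstation that uses the SBS box as its DNS server:
#    the answer must be 192.168.1.106, not the public address, otherwise the
#    client will still try to go out through ISA and hit the "loop".
nslookup "$Name.$Zone"

# 4. Check against a public resolver: the public address must still be returned,
#    because the internal zone is never published outward.
nslookup "$Name.$Zone" 8.8.8.8
```

One caveat worth knowing before doing this: once the internal server holds a zone named example.com, it answers for every name in that domain, not just www. Any other public hosts under the same domain (mail, ftp, and so on) therefore need their own records in the internal zone, otherwise internal lookups for them will simply fail instead of falling through to the public DNS.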