Solved

ISA / DMZ problems

Posted on 2006-07-02
Last Modified: 2013-11-16
I have the following configuration:  (new to ISA)

SBS2003 with ISA 2004 (domain with 50 workstations).  External NIC of ISA/SBS server is 192.168.1.100, connected to gig switch.  Also connected to the gig switch is a SQL server (192.168.1.103 & default gateway 192.168.1.1) and a Web Server (192.168.1.106 & default gateway 192.168.1.1) on a workgroup, and a Symantec 460 firewall (192.168.1.1) (provides a redundant internet connection...cable connection for web access and a T with static IP for RWW/Intranet).

The external NIC of the webserver (192.168.0.106) is connected to a Symantec 360 with static IP for external website.

One question...why is ISA blocking traffic on the DMZ?  I cannot ping from the web server to the SQL server unless I set up access rules in the ISA server to allow it.
I also cannot set up an ODBC connection for the SQL server on the web server without allowing SQL traffic through ISA...but both servers are outside of ISA in the DMZ...so why?  Even with access rules allowing everything that showed as denied in the log while trying to create a connection to SQL (I can connect), I get a "SQLState: 28000 error 18456 Login failed for user..."
but...
If I move the SQL server to one of the 360 symantec ports and change the IP and gateway to this firewall, I can create a SQL connection, so it's got to be a firewall problem...but I can't figure it out.

I also need to get MSMQ service to pass through ISA to/from an internal database server to the webserver.

What is the consensus for putting a webserver and SQL server all inside ISA on the domain and publishing the web server...instead of using a DMZ?  I've read several articles debating both.

As it is now...I can access the web server from outside...I'm just getting an internal server error because of the SQL server connection problem.  And RWW is working fine, and when cable goes down...the redundant firewall switches over to the T so internal surfing still works.  I can remote desktop to all servers from the internal LAN.

        T connection              Cable connection
              |                         |
          Gig Switch                    |
          |        |                    |
  360 Symantec    460 Symantec (redundant connection for outbound)
  (192.168.0.1)   (192.168.1.1)
        |                |
  Web Server external    Gig Switch
  (192.168.0.106)       /          |             \
                  Web Server    SQL Server    SBS/ISA Server
               (192.168.1.106) (192.168.1.103) (192.168.1.100)

thanks...I hope I've explained this clearly enough.

Question by:cjstudioguy

7 Comments
LVL 51

Accepted Solution

by:
Keith Alabaster earned 130 total points
ID: 17029198
Two ways to go.

Personally, I'd bring everything inside and put a second NIC in the SBS server. ISA is a world-class application-layer firewall and would breeze that configuration, then connect the outside world through the 2nd NIC.

Alternative would be to create a VPN between the 360 & 460.
0
 

Author Comment

by:cjstudioguy
ID: 17031081
Thanks for the input...One last question about your first suggestion...Currently, the Symantec has 2 WAN connections (for redundancy...cable is set to "on" and the T set to backup).  We use the T for inbound RWW traffic (and for hosting our new website as soon as it's configured and finished)...we have 2 different static IPs...but I can't figure out how to route these 2 public IPs (one for RWW and the other for the website) using just one Symantec box.  Does ISA support redundant internet connections?  If so, then I could just eliminate the Symantec.

Ideally I want all office surfing traffic to go over our cable connection...leaving the bandwidth for website and RWW on the T.  Only when the cable connection goes down (every couple of weeks) does the Symantec switch over to the T.

My other thought was to add a 3rd NIC to the SBS/ISA server...1 for internal LAN, 1 for web IP and 1 for RWW IP...but it seems SBS doesn't support 3 NICs?  at least

Thanks again!
0
 

Author Comment

by:cjstudioguy
ID: 17049439
My external firewall appliance (Symantec 460) can only handle 2 static IPs and I need 3...so I am using 2 Symantec firewalls.  I finally got it all working through ISA, leaving the web and SQL servers in the DMZ.  Now I just have to figure out how to set up a split DNS so I can access the site from the inside as well as outside.  Any further suggestions on this would be welcome...thanks.
0
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17049920
Sorry for not coming back to you sooner, I am in the middle of an audit at work and this is taking most of my evening time.

In what sense are you requiring split-DNS? i.e. from where?
0
 

Author Comment

by:cjstudioguy
ID: 17070044
Once development is done on the webserver/site, I will have the domain name redirected to our static IP address and change the URL in the site's settings to the external IP instead of the internal one.  Once it's set to the external IP, I am no longer able to access the site from inside the network because of some "loop" of going out through ISA and back in, and ISA doesn't allow it.  I've seen some info on isaserver.org about needing to set up a split DNS for this scenario...but don't know much more about it yet.
0
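The "loop" described in this comment is what split DNS avoids: clients inside the LAN must resolve the site's public name to the web server's DMZ address (192.168.1.106) rather than to the public address, so the request never goes out through ISA and back in. As an added example (not code from the thread), this Python script queries one specific DNS server for the name and checks which view it returns; it assumes the SBS/ISA box at 192.168.1.100 is the internal DNS server, and www.example.com and 203.0.113.10 are placeholders for the real site name and public IP.

```python
"""Split-DNS check: does the internal DNS server hand out the DMZ address?
Added example; www.example.com / 203.0.113.10 are placeholders, the
192.168.1.x addresses come from the thread's network description."""
import random
import socket
import struct

def build_a_query(name: str) -> bytes:
    """Encode a standard recursive DNS A query (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def parse_a_records(msg: bytes) -> list[str]:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name: str, server: str) -> list[str]:
    """Ask one specific DNS server for the A records of name (UDP, 2 s timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2)
        s.sendto(build_a_query(name), (server, 53))
        return parse_a_records(s.recv(512))

def split_dns_ok(internal_answers: list[str], dmz_addr: str, public_addr: str) -> bool:
    """True when inside clients get the DMZ address and never the public one."""
    return dmz_addr in internal_answers and public_addr not in internal_answers
```

From an internal workstation, `split_dns_ok(resolve("www.example.com", "192.168.1.100"), "192.168.1.106", "203.0.113.10")` should be True once the internal zone is in place; a False result means clients are still being handed the public address and will hit the loop.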
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17083747
Is your internal dns name the same as your external dns name?
0