ISA / DMZ problems
Posted on 2006-07-02
I have the following configuration: (new to ISA)
SBS2003 with ISA 2004 (domain with 50 workstations). External NIC of the ISA/SBS server is 192.168.1.100, connected to a gig switch. Also connected to the gig switch are a SQL server (192.168.1.103, default gateway 192.168.1.1) and a web server (192.168.1.106, default gateway 192.168.1.1), both in a workgroup, and a Symantec 460 firewall (192.168.1.1) (provides a redundant internet connection...cable connection for web access and a T with static IP for RWW/Intranet).
The external NIC of the web server (192.168.0.106) is connected to a Symantec 360 with static IP for the external website.
One question...why is ISA blocking traffic on the DMZ? I cannot ping from the web server to the sql server unless I set up access rules in the ISA server to allow it.
I also cannot set up an ODBC connection to the SQL server from the web server without allowing SQL traffic through ISA...but both servers are outside of ISA in the DMZ...so why? But even with access rules allowing everything that showed as denied in the log while trying to create a connection to SQL (I can connect), I get a "SQLState: 28000 error 18456 Login failed for user..."
If I move the SQL server to one of the 360 symantec ports and change the IP and gateway to this firewall, I can create a SQL connection, so it's got to be a firewall problem...but I can't figure it out.
I also need to get the MSMQ service to pass through ISA to/from an internal database server to the web server.
What is the consensus for putting a web server and SQL server all inside ISA on the domain and publishing the web server...instead of using a DMZ? I've read several articles debating both.
As it is now...I can access the web server from outside...I'm just getting an internal server error because of the SQL server connection problem. RWW is working fine, and when the cable goes down...the redundant firewall switches over to the T so internal surfing still works. I can remote desktop to all servers from the internal LAN.
      T connection                    Cable connection
          |                                  |
      Gig Switch                             |
       |        |                            |
 360 Symantec   460 Symantec (redundant connection for outbound)
       |                  |
 Web server external      gig switch
 (192.168.0.106)        /       |        \
               web server    SQL server    SBS/ISA server
             (192.168.1.106) (192.168.1.103) (192.168.1.100)
thanks...I hope I've explained this clearly enough.
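An added example (not from the original post, and not ISA Server's own tooling) showing the check a practitioner would run on the firewall log before writing more access rules: tally the denied flows, and separately flag any flow whose endpoints sit on the same subnet. The web server (192.168.1.106) and SQL server (192.168.1.103) share 192.168.1.0/24, so packets between them should be switched directly and never reach ISA; if the log shows them, the traffic is being routed through the firewall (a gateway or NIC issue) rather than being blocked because the rule base is wrong. The log lines and the CSV layout are constructed for the example and are a simplification, not the real ISA 2004 log format; the 10.0.0.0/24 internal LAN and the 10.0.0.5 database server are assumed.

```python
"""Summarize denied flows from a firewall log and flag flows that should not
have reached the firewall at all (both endpoints on the same subnet).

The log below is CONSTRUCTED in a simplified CSV layout
(timestamp,src,dst,proto,dst_port,action,rule). It is not the real
ISA Server 2004 log format, which carries many more fields.
"""
import csv
import ipaddress
from collections import Counter
from io import StringIO

SAMPLE_LOG = """\
2006-07-02 10:01:03,192.168.1.106,192.168.1.103,TCP,1433,Denied,Default rule
2006-07-02 10:01:05,192.168.1.106,192.168.1.103,TCP,1433,Denied,Default rule
2006-07-02 10:01:09,192.168.1.106,192.168.1.103,ICMP,0,Denied,Default rule
2006-07-02 10:02:11,192.168.1.106,192.168.1.103,UDP,1434,Denied,Default rule
2006-07-02 10:03:40,192.168.1.106,10.0.0.5,TCP,1801,Denied,Default rule
2006-07-02 10:04:02,192.168.1.106,10.0.0.5,TCP,1801,Allowed,MSMQ to internal
"""

# Subnets the firewall has an interface on. 192.168.1.0/24 is the segment
# from the post; 10.0.0.0/24 is an ASSUMED internal LAN behind ISA.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.0.0.0/24")]

# Service names for the ports that matter in this scenario.
WELL_KNOWN = {("TCP", 1433): "SQL Server",
              ("UDP", 1434): "SQL Browser",
              ("TCP", 1801): "MSMQ"}


def parse_log(text):
    """Parse the simplified CSV log into a list of dicts, skipping bad rows."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 7:
            continue
        ts, src, dst, proto, port, action, rule = rec
        rows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                     "port": int(port), "action": action, "rule": rule})
    return rows


def same_subnet(src, dst):
    """True when both addresses fall inside one of the firewall's own subnets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d in net for net in LOCAL_SUBNETS)


def denied_flows(rows):
    """Count denied packets per (src, dst, proto, port) so rules can be scoped tightly."""
    counts = Counter()
    for r in rows:
        if r["action"] == "Denied":
            counts[(r["src"], r["dst"], r["proto"], r["port"])] += 1
    return counts


def misrouted_flows(rows):
    """Endpoint pairs on a shared subnet: these should be switched, not seen by the firewall."""
    return sorted({(r["src"], r["dst"]) for r in rows
                   if same_subnet(r["src"], r["dst"])})


def report(text):
    """Human-readable summary; returned as a list of lines so it can be checked."""
    rows = parse_log(text)
    lines = []
    for (src, dst, proto, port), n in sorted(denied_flows(rows).items()):
        svc = WELL_KNOWN.get((proto, port), "")
        lines.append(f"DENIED x{n}: {src} -> {dst} {proto}/{port} {svc}".rstrip())
    for src, dst in misrouted_flows(rows):
        lines.append(f"WARNING: {src} and {dst} share a subnet; this traffic "
                     f"should not traverse the firewall (check gateway/NIC)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The warning line is the one worth acting on first: an access rule permitting 1433 between two hosts that are already adjacent on the switch only papers over the fact that the packets are taking the wrong path. The 18456 "Login failed for user" error is raised by SQL Server itself after the TCP connection succeeds, so it is a SQL authentication issue (login or authentication mode) rather than something a firewall rule will fix.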