Solved

ISA / DMZ problems

Posted on 2006-07-02
7
1,315 Views
Last Modified: 2013-11-16
I have the following configuration:  (new to ISA)

SBS2003 with ISA 2004 (domain with 50 workstations).  External NIC  of ISA/SBS server is 192.168.1.100, connected to gig switch.  Also connected to the gig switch is a SQL server(192.168.1.103 & default gateway 192.168.1.1) and a Web Server (192.168.1.106 & default gateway 192.168.1.1) on a workgroup, and a Symantec 460 firewall(192.168.1.1) (provides a redundant internet connection...cable connection for web access and a T with static IP for RWW/Intranet).

The external NIC of the webserver (192.168.0.106)is connected to a symantec 360 with static IP for external website.

One question...why is ISA blocking traffic on the DMZ?  I cannot ping from the web server to the sql server unless I set up access rules in the ISA server to allow it.
I also cannot set up an ODBC connection for the SQL server on the web server without allowing SQL traffic through ISA...but both servers are outside of ISA in DMZ...so why?  But even with access rules allowing everything that showed as denied in the log while trying to create a connection to SQL, (I can connect), but I get a "SQLState: 28000 error 18456 Login failed for user..."
but...
If I move the SQL server to one of the 360 symantec ports and change the IP and gateway to this firewall, I can create a SQL connection, so it's got to be a firewall problem...but I can't figure it out.

I also need to get MSMQ service to pass through ISA to/from an internal database server to the webserver.

what is the consensus for putting a webserver and SQL server all inside ISA on the domain and publish the web server...instead of using a DMZ?  I've read several articles debating both.

As it is now...I can access the web server from outside...I'm just getting an internal server error because of the SQL server connection problem.  And RWW is working fine, and when cable goes down...the redundant firewall switches over to the T so internal surfing still works.  I can remote desktop to all servers from internal LAN.

              T connection             Cable connection
                    |                         |
            Gig Switch                   |
            |              |                 |                  
360 symantec       460 symantec (redundant connection for outbound)
(192.168.0.1)        (192.168.1.1)
     |                                      |
Web Server external            gig switch
(192.168.0.106)            /             |                 \
                         web server      SQL server         SBS/ISA Server
                   (192.168.1.106)   (192.168.1.103)   (192.168.1.100)

thanks...I hope I've explained this clearly enough.

Question by:cjstudioguy
7 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 130 total points
ID: 17029198
Two ways to go.

Personally, I'd bring everything inside and put a second NIC in the SBS server. ISA is a world-class application-layer firewall and would breeze that configuration, then connect the outside world through the 2nd NIC

Alternative would be to create a VPN between the 360 & 460  
0
 

Author Comment

by:cjstudioguy
ID: 17031081
thanks for the input...One last question about your first suggestion...Currently, the symantec has 2 WAN connections (for redundancy...cable is set to "on" and the T set to backup).  We use the T for inbound RWW traffic (and for hosting our new website as soon as it's configured and finished)...we have 2 different static IP's...but I can't figure out how to route these 2 public IP's (one for RWW and the other for the website)  using just one symantec box.  Does ISA support redundant internet connections?  If so, then I could just eliminate the Symantec.  

Ideally I want all office surfing traffic to go over our cable connection...leaving the bandwidth for website and RWW on the T.  Only when the cable connection goes down (every couple of weeks), does the symantec switch over to the T.

My other thought was to add a 3rd NIC to the SBS/ISA server...1 for internal LAN, 1 for web IP and 1 for RWW IP...but it seems SBS doesn't support 3 NIC?  at least

Thanks again!
0
 

Author Comment

by:cjstudioguy
ID: 17049439
My external firewall appliance (Symantec 460) can only handle 2 static IP's and I need 3...so I am using 2 symantec firewalls.  I finally got it all working through ISA leaving the web and sql servers in the DMZ.  Now I just have to figure out how to set up a split DNS so I can access the site from the inside as well as outside.   any further suggestions on this would be welcome...thanks.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17049920
Sorry for not coming back to you sooner, I am in the middle of an audit at work and this is taking most of my evening time.

In what sense are you requiring split-dns? ie from where?
0
 

Author Comment

by:cjstudioguy
ID: 17070044
once development is done on the webserver/site, I will have the domain name redirected to our static IP address and change the URL in the site's settings to the external IP instead of the internal one.  Once it's set to external IP, I am no longer able to access the site from inside the network because of some "loop" of going out through ISA and back in and ISA doesn't allow it.  I've seen some info on isaserver.org about needing to set up a split DNS for this scenario...but don't know much more about it yet.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17083747
Is your internal dns name the same as your external dns name?
0
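The "loop" described in the last comments (an internal client resolves the public site name to the external address, so its connection has to leave through ISA's external interface and come straight back in) is exactly what split DNS avoids: the internal DNS hands internal clients the DMZ address for the same name. The following is an added illustration, not code from this thread, from ISA or from SBS. It models a split-horizon resolver in Python: queries from the internal networks get the internal view, everyone else gets the external view, a helper flags answers that would hairpin, and an audit lists published names that still lack an internal override. The internal network range, the public placeholder address 203.0.113.10 and the hostname www.example.com are assumptions; 192.168.1.106 is the web server address from the question.

```python
import ipaddress

# Assumption: the LAN and DMZ both live in 192.168.0.0/16, as in the question.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# External (public) view: what Internet clients should receive.
# The public address is a constructed placeholder, not the poster's real IP.
EXTERNAL_VIEW = {
    "www.example.com": "203.0.113.10",
}

# Internal view: overrides for published servers, pointing at the DMZ address
# so internal clients never hairpin through the firewall.
INTERNAL_VIEW = {
    "www.example.com": "192.168.1.106",  # web server address from the thread
}


def _is_internal(ip, internal_networks):
    """True when ip falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_networks)


def resolve(name, client_ip, internal_view=INTERNAL_VIEW,
            external_view=EXTERNAL_VIEW, internal_networks=INTERNAL_NETWORKS):
    """Return the address a split-horizon resolver would hand to client_ip.

    Internal clients get the internal override when one exists; otherwise the
    external view answers. Returns None for names that are not published.
    """
    name = name.rstrip(".").lower()
    if _is_internal(client_ip, internal_networks) and name in internal_view:
        return internal_view[name]
    return external_view.get(name)


def is_hairpin(client_ip, answer_ip, internal_networks=INTERNAL_NETWORKS):
    """True when an internal client received a non-internal address, i.e. the
    connection would have to go out through the firewall and back in.

    Membership in the configured networks is used deliberately instead of
    ipaddress's is_private, which also treats documentation ranges such as
    203.0.113.0/24 as private and would hide the hairpin in this example.
    """
    client_internal = _is_internal(client_ip, internal_networks)
    answer_internal = _is_internal(answer_ip, internal_networks)
    return client_internal and not answer_internal


def missing_internal_overrides(internal_view, external_view):
    """Audit: published names that internal clients would still hairpin on."""
    return sorted(name for name in external_view if name not in internal_view)


if __name__ == "__main__":
    for client in ("192.168.1.50", "198.51.100.7"):  # constructed LAN and Internet clients
        answer = resolve("www.example.com", client)
        print(f"{client} -> {answer} hairpin={is_hairpin(client, answer)}")
    print("names lacking an internal override:",
          missing_internal_overrides({}, EXTERNAL_VIEW))
```

Running the script shows the LAN client receiving 192.168.1.106 with no hairpin, while the Internet client receives the public placeholder; removing the internal override makes the audit report www.example.com and the LAN client's answer turn into a hairpin, which is the situation the author hit after switching the site's URL to the external IP.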
