Solved

ISA / DMZ problems

Posted on 2006-07-02
7
1,304 Views
Last Modified: 2013-11-16
I have the following configuration:  (new to ISA)

SBS2003 with ISA 2004 (domain with 50 workstations).  External NIC  of ISA/SBS server is 192.168.1.100, connected to gig switch.  Also connected to the gig switch is a SQL server(192.168.1.103 & default gateway 192.168.1.1) and a Web Server (192.168.1.106 & default gateway 192.168.1.1) on a workgroup, and a Symantec 460 firewall(192.168.1.1) (provides a redundant internet connection...cable connection for web access and a T with static IP for RWW/Intranet).

The external NIC of the webserver (192.168.0.106) is connected to a symantec 360 with static IP for external website.

One question...why is ISA blocking traffic on the DMZ?  I cannot ping from the web server to the sql server unless I set up access rules in the ISA server to allow it.
I also cannot set up an ODBC connection for the SQL server on the web server without allowing SQL traffic through ISA...but both servers are outside of ISA in the DMZ...so why?  But even with access rules allowing everything that showed as denied in the log while trying to create a connection to SQL (I can connect), I get a "SQLState: 28000 error 18456 Login failed for user..."
but...
If I move the SQL server to one of the 360 symantec ports and change the IP and gateway to this firewall, I can create a SQL connection, so it's got to be a firewall problem...but I can't figure it out.

I also need to get MSMQ service to pass through ISA to/from an internal database server to the webserver.

What is the consensus for putting a webserver and SQL server all inside ISA on the domain and publishing the web server...instead of using a DMZ?  I've read several articles debating both.

As it is now...I can access the web server from outside...I'm just getting an internal server error because of the SQL server connection problem.  And RWW is working fine, and when cable goes down...the redundant firewall switches over to the T so internal surfing still works.  I can remote desktop to all servers from the internal LAN.

        T connection                   Cable connection
              |                              |
          Gig Switch                         |
         /          \                        |
 360 symantec      460 symantec -------------+
 (192.168.0.1)     (192.168.1.1)  (redundant connection for outbound)
       |                 |
Web Server external   gig switch
 (192.168.0.106)      /          |              \
               web server    SQL server    SBS/ISA Server
             (192.168.1.106) (192.168.1.103) (192.168.1.100)

thanks...I hope I've explained this clearly enough.

Question by: cjstudioguy
7 Comments
LVL 51

Accepted Solution

by: Keith Alabaster earned 130 total points
ID: 17029198
Two ways to go.

Personally, I'd bring everything inside and put a second NIC in the SBS server. ISA is a world-class application-layer firewall and would breeze that configuration, then connect the outside world through the 2nd NIC.

Alternative would be to create a VPN between the 360 & 460.

Author Comment

by:cjstudioguy
ID: 17031081
Thanks for the input...One last question about your first suggestion...Currently, the Symantec has 2 WAN connections (for redundancy...cable is set to "on" and the T set to backup).  We use the T for inbound RWW traffic (and for hosting our new website as soon as it's configured and finished)...we have 2 different static IPs...but I can't figure out how to route these 2 public IPs (one for RWW and the other for the website) using just one Symantec box.  Does ISA support redundant internet connections?  If so, then I could just eliminate the Symantec.

Ideally I want all office surfing traffic to go over our cable connection...leaving the bandwidth for the website and RWW on the T.  Only when the cable connection goes down (every couple of weeks) does the Symantec switch over to the T.

My other thought was to add a 3rd NIC to the SBS/ISA server...1 for internal LAN, 1 for web IP and 1 for RWW IP...but it seems SBS doesn't support 3 NICs?  at least

Thanks again!

Author Comment

by:cjstudioguy
ID: 17049439
My external firewall appliance (Symantec 460) can only handle 2 static IPs and I need 3...so I am using 2 Symantec firewalls.  I finally got it all working through ISA, leaving the web and SQL servers in the DMZ.  Now I just have to figure out how to set up a split DNS so I can access the site from the inside as well as outside.  Any further suggestions on this would be welcome...thanks.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17049920
Sorry for not coming back to you sooner, I am in the middle of an audit at work and this is taking most of my evening time.

In what sense are you requiring split DNS? i.e. from where?

Author Comment

by:cjstudioguy
ID: 17070044
Once development is done on the webserver/site, I will have the domain name redirected to our static IP address and change the URL in the site's settings to the external IP instead of the internal one.  Once it's set to the external IP, I am no longer able to access the site from inside the network because of some "loop" of going out through ISA and back in, and ISA doesn't allow it.  I've seen some info on isaserver.org about needing to set up a split DNS for this scenario...but don't know much more about it yet.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17083747
Is your internal dns name the same as your external dns name?
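Added example, not part of the thread and not either participant's own configuration: the split-DNS setup the last two comments are circling around, done with the dnscmd tool of the Windows Server 2003 DNS service that SBS runs. It uses a placeholder public name (example.com / www.example.com) and the thread's own inside address for the web server, 192.168.1.106; the public IP stays only on the external resolver. Two cases are covered, because the answer to "is the internal DNS name the same as the external one" decides whether a zone has to be created first. One caveat a practitioner would want: this only helps if the site's URL uses the host name; a URL set to the external IP literal never consults DNS and will still hairpin through ISA.

```cmd
@echo off
REM Added example, not the thread's own configuration. Run on the SBS 2003
REM server, which hosts the internal DNS service. Placeholder public name:
REM example.com / www.example.com. Inside address of the web server from the
REM thread: 192.168.1.106. Assumes the site URL uses the host name, not an IP.

REM Case A: the AD domain is a different name (e.g. corp.local), so no
REM internal zone for the public name exists. Create one that only LAN
REM clients will ever see. /DsPrimary stores it in Active Directory;
REM "/Primary /file example.com.dns" is the file-backed alternative.
dnscmd /ZoneAdd example.com /DsPrimary

REM Case B: the AD domain already IS example.com. The zone exists; skip
REM ZoneAdd and only add the host records below.

REM Inside clients get the web server's DMZ-side address, so browsers on
REM the LAN never try to go out through ISA to the public IP and back in.
dnscmd /RecordAdd example.com www A 192.168.1.106
dnscmd /RecordAdd example.com @   A 192.168.1.106

REM This zone now answers authoritatively inside the LAN for every name
REM under example.com, so each public host (RWW, mail, ...) needs an
REM internal record too, otherwise it stops resolving from inside.
REM Placeholder address; substitute the real inside IP of that host:
REM dnscmd /RecordAdd example.com remote A <INTERNAL_IP_OF_RWW_HOST>

REM Verify from an inside workstation: the answer must be 192.168.1.106,
REM not the public address. Flush the client's resolver cache first.
ipconfig /flushdns
nslookup www.example.com
```

The check at the end is the whole point of the exercise: an inside client that still receives the public address has either a cached answer or is using a resolver other than the SBS DNS server, and ISA will keep logging the denied outbound-then-inbound attempt until that is fixed.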