Solved

ISA 2004 - Can't browse the webpage hosted in internal web server network

Posted on 2006-11-01
Last Modified: 2010-03-18
Hello, I have the following question. Let me first of all inform you of my home network set up.

My Network consists of the following:

Cable Modem
Router - 172.16.1.1
Primary Domain Controller Server - 192.168.0.3
Web Server - 192.168.0.4
Exchange Server - 192.168.0.5
ISA 2004 Server - 192.168.0.1
                     
I have two subnets connected to my ISA server (2 nic cards)
Nic 1 - Internal private subnet IP address - IP 192.168.0.1
Nic 2 - External connection to the internet from the ISA server 2004 - IP 172.16.1.2
Nic 2 - points to the default gateway which is the router - 172.16.1.1

Now the question: everything works just fine on my network. I have told ISA 2004 to allow ports such as 80, DNS, IMAP etc... so I can browse the web, send/receive emails no problems. Except, I'm hosting my personal webpage on my webserver that resolves to a domain name, and the problem is that I cannot view my website anymore after setting up the ISA 2004 server. For example, if I type in the domain name www.mydomain.com it no longer resolves to my Primary Domain Controller where I'm also running the DNS service.

I did a tracert to my external DNS and it seems to hang up at the router. I have tried setting the router to a DMZ with no help, I have also forwarded the DNS ports on the router to my external Nic card in the ISA - 172.16.1.2 with no help. I'm stuck here.... I'm not sure if I should open up any other ports on my ISA server to make this work? Can anyone be of assistance?
Question by:Turbopp

Expert Comment

by:Steve Knight
ID: 17856939
So you are on a 192.168.0.x address and trying to get onto the web server at 192.168.0.5 through its external domain name?  Presumably whatever you are using as DNS from that client is returning the external address so ISA would have to take the traffic and send it back out on the same interface?  Not impossible but might be easier if you just run a separate primary DNS zone internally for your external domain name and point your client PC at your internal DNS server using a www A record with your internal address?

Is that about right or have I misunderstood?

Steve

Author Comment

by:Turbopp
ID: 17857276
Hi the answers to your questions:

So you are on a 192.168.0.x address and trying to get onto the web server at 192.168.0.5 through its external domain name?

 - Yes I am on a 192.168.0.x address, the webserver is at 192.168.0.4

Presumably whatever you are using as DNS from that client is returning the external address so ISA would have to take the traffic and send it back out on the same interface?

 - The DNS service is installed on my Primary Domain Controller and is returning the external IP address. So for some reason it gets stuck at my router... when I do the tracert of the external DNS. At first I thought it's the router, but I set the router to DMZ and I also told it to forward all the ports to the external nic of the ISA server.. but still no go.

Not impossible but might be easier if you just run a separate primary DNS zone internally for your external domain name and point your client PC at your internal DNS server using a www A record with your internal address?

 - Well, that might work internally only, but outside users still will not be able to view my site, right?

Expert Comment

by:Steve Knight
ID: 17857310
Outside users may be working anyway.  Many routers won't allow access to the external interface from outside, effectively you want some loopback in the router.  The easiest way is to resolve to the internal address inside.

Does it work from outside or not?  My email is in my EE profile if you want to send me an IP or domain name I can try it from here if you want - or post it here if not a problem

Author Comment

by:Turbopp
ID: 17857670
Hi, I will give you feedback on this issue tonight, I'm at work now so I can't try it... but just to recap on what you said:

Currently my DNS resolves the domain name to the external IP, which is for example 10.25.26.145,
so you are saying to resolve it to the internal one, for example 192.168.0.4, correct?

But just to let you know, I can successfully ping from the client machine both the external IP address of the second nic and the IP address of the router, so technically speaking it should be allowing access to the external interface without any problems, but I will try it tonight. Thanks

Expert Comment

by:Steve Knight
ID: 17857914
Not necessarily - the router may respond to PING from inside on external interface but not route traffic through its firewall back in through a port forward rule.

Steve

Author Comment

by:Turbopp
ID: 17868244
Hi, I tried what you suggested but it did not work, however I figured out what the issue was... in ISA there is an option in the Policy section to Publish a Web server and that is all I had to do, so I'm up and running. I'm sorry but I cannot accept your answers as they did not address Publishing the webserver in ISA. Thank you for your help anyway.

Expert Comment

by:Steve Knight
ID: 17868720
I am quite aware of web publishing through ISA but that would be irrelevant if DNS correctly gave the internal address of the server which would therefore not go anywhere near ISA.   I think you have found an alternative method but it is unfair to dismiss the method suggested.

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19468804
PAQed with points refunded (500)

Computer101
EE Admin
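
The two fixes discussed in this thread (an internal DNS answer versus an ISA web publishing rule behind the router's port forward) can be compared with a small path model. This is an added example, not code from any poster. The client address 192.168.0.50 and the rule tables are constructed, 10.25.26.145 is the poster's placeholder for the public IP, and the model assumes the router applies its forward to requests from inside, which the thread notes a router may not do.

```python
import ipaddress

# Addresses from the thread; 10.25.26.145 is the poster's placeholder public IP.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
WEB_SERVER = "192.168.0.4"
ISA_EXTERNAL = "172.16.1.2"
PUBLIC_IP = "10.25.26.145"

def first_hop(client_ip, resolved_ip, internal_net=INTERNAL_NET):
    """Say where an internal client's request goes for a given DNS answer."""
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(resolved_ip)
    if client not in internal_net:
        raise ValueError("client is not on the internal network")
    # Same subnet: the client reaches the server directly and ISA never sees it.
    return "direct" if target in internal_net else "via-gateway"

def trace_inbound(dest_ip, port, forwards, servers):
    """Follow a connection through chained port forwards / publishing rules.

    forwards maps (listening_ip, port) -> next_ip; servers is the set of
    (ip, port) pairs where a service really listens. Returns (hops, outcome).
    """
    hops, current, seen = [dest_ip], dest_ip, set()
    while (current, port) not in servers:
        if (current, port) in seen:
            return hops, "loop"
        seen.add((current, port))
        nxt = forwards.get((current, port))
        if nxt is None:
            return hops, "dropped at " + current
        hops.append(nxt)
        current = nxt
    return hops, "delivered"

# Constructed rule sets modelling the thread's two NAT layers.
SERVERS = {(WEB_SERVER, 80)}
ROUTER_ONLY = {(PUBLIC_IP, 80): ISA_EXTERNAL}                    # router forward only
WITH_PUBLISHING = {**ROUTER_ONLY, (ISA_EXTERNAL, 80): WEB_SERVER}  # plus ISA publishing

if __name__ == "__main__":
    print(first_hop("192.168.0.50", PUBLIC_IP))    # external DNS answer
    print(first_hop("192.168.0.50", WEB_SERVER))   # internal (split DNS) answer
    print(trace_inbound(PUBLIC_IP, 80, ROUTER_ONLY, SERVERS))
    print(trace_inbound(PUBLIC_IP, 80, WITH_PUBLISHING, SERVERS))
```

With only the router forward in place the request stops at the ISA external interface; adding the publishing rule completes the chain, while an internal DNS answer avoids the chain altogether.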