Solved

ISA SERVER 2006 & Multiple IP Addresses

Posted on 2007-11-26
Last Modified: 2010-04-21
I have an ISA Server 2006 Standard server protecting roughly 5 servers and 15 workstations.  The server has two interfaces, one for the private network and one for Internet connectivity.  My ISP has assigned me 8 continuous addresses within the same subnet.  Initially I was running RRAS with the first two addresses bound to the Internet adapter and the other six configured in an address pool within RRAS.  I then set up reservations to take a couple of the Internet addresses and point them to private addresses allowing sessions.  I then ran a firewall on the private host and allowed exceptions accordingly.  Now I'm running ISA and have bound all 8 addresses to the Internet facing adapter but I want to know how I can open non-web related ports to a specific listening Internet IP to go to different internal hosts.  The best example I can give, though not limited, is if I wanted 3 of my machines to be accessible from the Internet via remote desktop without changing the listening port on the host, how can I tell ISA to direct TCP 3389 traffic to IP address 5 and route it to one server on the private network and to direct TCP 3389 traffic coming inbound to IP address 6 to yet a different server on the private network?

I'm not sure if I made that clear enough.  

Maybe I'm looking for sound reference to accomplish the equivalent of port forwarding in ISA server but with the consideration that I have 8 Internet IP's rather than just doing this with one as most homes or small businesses would normally be configured.

Any help is greatly appreciated.
Question by: ModernAge

Expert Comment by Keith Alabaster (LVL 51), ID: 20352743
By using three different IP addresses.

When you publish the server you will select the TS (RDP) protocol and then select to listen on the external interface. At the bottom of 'that screen' you will see the addresses button - from here, you can select which of your ip addresses this rule applies to.

Once done, publish the exact same again but this time choose a different IP address/internal host IP combination. Repeat for up to the number of IPs you have on the external NIC.

Expert Comment by SteveH_UK (LVL 19), ID: 20352744
You need to create Server Rules.  These allow you to specify an IP address and port that you listen on, and the server and port that you are publishing.
Expert Comment by Keith Alabaster (LVL 51), ID: 20352759
Bottom line Dave, the part to remember is that you can only have one IP/port combination. If you have two IPs then you can have the port twice as they are both differentiated.

Keith
Author Comment by ModernAge (LVL 1), ID: 20352872
I know what has to be done...I suppose I'm a bit confused where in the interface I accomplish this.  The other wizards such as publishing the web and mail server worked fine though it appears those wizard tasks were clearly tailored to get the right questions answered to accomplish the task at hand....obviously this is more generalized.  Can I put someone through the pain of walking me through it somewhat?  Am I correct to have all IP addresses bound to the physical adapter like I do?
Expert Comment by Keith Alabaster (LVL 51), ID: 20352914
No, if you do not specify the specific IP address to use then ISA listens on ALL of the IP addresses assigned to the external interface.

For this you need to specify though, as you want to split the traffic by IP address.
If you have created the first RDP rule, go in and edit it. Go to the FROM tab and you will see you have selected the external interface. Look down the screen window and you will see the Addresses button. Click here and you will see the screen to select which IP to bind to this rule.
Expert Comment by SteveH_UK (LVL 19), ID: 20352958
Basically, you are going to create one server rule for each IP address that you listen on.

In each case, you will select a server that you publish, a protocol to publish and then a network and IP address that you listen on.

That's basically it :)
Author Comment by ModernAge (LVL 1), ID: 20353051
fyi...this is ISA 2006 Standard...

If I click the From tab I get two options on the screen as follows...

This rule applies to traffic from these sources...(Anywhere) is in this box

Exceptions...(blank)

I do have a networks tab though that indicates as follows...

Selected networks for this listener

The first item is External and was defaulted to <All IP Addresses>

If I click External and click the Address button at the bottom it brings up the External Network Listener IP Selection.  It gives me three options.  If I choose the last one it gives me the ability to select one or more addresses to listen on for this rule.

Is this where you are going with this?  If so, I think I understand now.  Basically I could copy this rule and simply change the external listening port and the internal port that the request should be directed to...is this correct?

My last question was if I was to bind all IP addresses to the physical adapter in the server unlike the way RRAS behaved.  I think you meant to say I did that part correctly however needed to implement the correct rules with unique IP/port combinations to make sure I don't cross up directed communication.
Author Comment by ModernAge (LVL 1), ID: 20353061
I guess you can say I'm trying to keep "bridging the gap" as simple as possible right now. :-)
Expert Comment by Keith Alabaster (LVL 51), ID: 20353065
Ah - sorry, the listener, not the from box. Am eating dinner currently lol
Accepted Solution by Keith Alabaster (LVL 51, earned 250 total points), ID: 20353088
If your site, for example, only had one web server then it would not matter that you were listening for port 80 on all IP addresses, as the traffic was getting where it was needed and didn't conflict with anything.

Your new requirement needs multiple 'copies' of the same rule, so now we have to tell ISA not to listen on all IP addresses for RDP and apply it to the first RDP rule it finds (which it would do), but to listen for RDP on only one of those available external IPs. The first rule could listen to IP 5, the 2nd RDP rule could listen to IP 2 and so on.
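As an added illustration of the "one IP/port combination" point made in this thread (this is not code from the thread or from ISA Server; the 203.0.113.x pool, rule names and internal hosts are constructed), the following Python model expands the default <All IP Addresses> listener and flags publishing rules whose (external IP, port) claims overlap, then builds the forwarding table that remains unambiguous:

```python
"""Check ISA-style server publishing rules for overlapping (external IP, port)
listeners.  Added example, not code from the thread or from ISA Server; all
addresses, rule names and internal hosts below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

ALL = "<All IP Addresses>"  # ISA's default selection on the Networks tab

# Constructed stand-in for the 8 ISP addresses bound to the external NIC.
EXTERNAL_POOL = [IPv4Address(f"203.0.113.{i}") for i in range(1, 9)]


@dataclass(frozen=True)
class ServerRule:
    name: str
    port: int                            # published port, 3389 for RDP
    internal_host: str                   # the "To" host traffic is forwarded to
    listen_on: Tuple[str, ...] = (ALL,)  # external listener IP selection

    def listener_ips(self, pool):
        """Expand <All IP Addresses> to every address on the external NIC."""
        if ALL in self.listen_on:
            return frozenset(pool)
        return frozenset(IPv4Address(a) for a in self.listen_on)


def find_listener_conflicts(rules, pool=EXTERNAL_POOL):
    """Return (ip, port, rule names) for every listener claimed by >1 rule."""
    claims: Dict[Tuple[IPv4Address, int], List[str]] = {}
    for r in rules:
        for ip in r.listener_ips(pool):
            claims.setdefault((ip, r.port), []).append(r.name)
    return sorted((str(ip), port, names)
                  for (ip, port), names in claims.items() if len(names) > 1)


def forwarding_table(rules, pool=EXTERNAL_POOL):
    """Map each unambiguous (external ip, port) listener to its internal host."""
    clashing = {(ip, port) for ip, port, _ in find_listener_conflicts(rules, pool)}
    return {(str(ip), r.port): r.internal_host
            for r in rules for ip in r.listener_ips(pool)
            if (str(ip), r.port) not in clashing}


# What the poster started with: two RDP rules both left on the default listener.
DEFAULT_RULES = [ServerRule("RDP to SRV1", 3389, "192.168.1.10"),
                 ServerRule("RDP to SRV2", 3389, "192.168.1.11")]
# The fix from the thread: each rule bound to one external address.
FIXED_RULES = [ServerRule("RDP to SRV1", 3389, "192.168.1.10", ("203.0.113.5",)),
               ServerRule("RDP to SRV2", 3389, "192.168.1.11", ("203.0.113.6",))]
```

Running `find_listener_conflicts(DEFAULT_RULES)` reports a clash on all eight addresses for port 3389, while `FIXED_RULES` yields no conflicts and a two-entry forwarding table.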
Assisted Solution by SteveH_UK (LVL 19, earned 250 total points), ID: 20353106
You can understand it as follows:

The server to publish is the machine you want to access via Remote Desktop
You shouldn't see a To option as this is a server rule, not an access rule
The From option says which remote machines this rule applies to
The Protocol is where you choose RDP Server or equivalent
The other option is where you select what External addresses you listen on
Expert Comment by Keith Alabaster (LVL 51), ID: 20353120
lol - you need a TO box Steve - it holds the internal IP address things are being forwarded to.
Expert Comment by SteveH_UK (LVL 19), ID: 20353163
Sorry, I thought the box had a different name on server rules.  I don't have access to an ISA server at present!
Expert Comment by SteveH_UK (LVL 19), ID: 20353167
I did mention the "server to publish", didn't I! lol ;-P
Author Comment by ModernAge (LVL 1), ID: 20353215
My initial mistake was that I was trying to configure an access rule...dumb on my part considering I had already created a "server rule" as you put it by using the "Publish non-web server protocols" option off the task pane for the ISA server itself.  As Keith mentioned, I edited that rule so it only listened on 1 external address instead of all 8 and created another that pointed to a different internal host, and it is working as expected.

In a nutshell, what is the relative difference between an access rule and a "server rule" as you put it?
Expert Comment by Keith Alabaster (LVL 51), ID: 20353228
Access rule is outbound. Server (publishing) is inbound from the Internet
Expert Comment by SteveH_UK (LVL 19), ID: 20353234
An access rule is for traffic going through a route relationship in your firewall, or outbound through a NAT rule.

Server rules (web and non-web) are to allow inbound access, especially through a NAT boundary.
Expert Comment by SteveH_UK (LVL 19), ID: 20353248
Just to clarify, Server Rules are not just for traffic from the Internet.  You can use them for traffic from a DMZ or traffic to the Internet, depending on your needs.
Expert Comment by Keith Alabaster (LVL 51), ID: 20353274
Agreed, the same way you can route from a DMZ to internal also.

I have some good reading material Dave. I'll post them up in a mo - well worth the effort.
Expert Comment by Keith Alabaster (LVL 51), ID: 20353323
Most of my stuff is on the Microsoft MVP ISA site and unfortunately I cannot give you access to that - I'd get lynched, but this site hosts a number of useful articles

http://www.redline-software.com/eng/support/articles/isaserver/publishing/

Microsoft words on publishing Concepts
http://www.microsoft.com/technet/isa/2006/deployment/publishing_concepts.mspx

Internal client concepts
http://www.microsoft.com/technet/isa/2006/clients.mspx

VPN'ning
http://www.microsoft.com/technet/isa/2006/vpn.mspx

Might be useful to you.

cheers
keith
Author Comment by ModernAge (LVL 1), ID: 20353370
guys...you have been most helpful...I think part of the challenge is applying different terminology to what I already know.  Any good publications on ISA 2006 you recommend as well?
Expert Comment by SteveH_UK (LVL 19), ID: 20353404
Give yourself an hour or two to read plenty of the MS product documentation.  That'll give you a head start.

The MS Press books tend to be pretty good too, but I haven't read them for ISA server.  You might also want to check out www.isaserver.org for a wealth of info.
Expert Comment by Keith Alabaster (LVL 51), ID: 20353478
There is no manual for ISA 2006 that is available to the public, the reason being that ISA 2006 was a limited life-time product in the sense that, on the whole, the ISA 2004 manual is identical apart from some additional wizards such as SharePoint publishing. It therefore did not warrant a book being done.

The new version will be out soon anyway; we have been evaluating and reviewing it for quite some time and it will knock people's socks off when released. It's brilliant.

The 2004 MS Press Internet Security & Acceleration guide is very good. It is the tool I used before I took my Microsoft Certified Trainer exams for ISA.

http://www.amazon.co.uk/MCSA-Self-paced-Training-70-350-Pro-Certification/dp/0735621691/ref=pd_sim_b?ie=UTF8&qid=1196113510&sr=1-1

I was invited by Microsoft to become an MVP for ISA so I must have done OK :)
https://mvp.support.microsoft.com/profile=C45F2878-F783-41BB-BA94-080D5E9C900C
Author Comment by ModernAge (LVL 1), ID: 20359693
awesome...yeah I love the MS Press books so I'll keep a lookout for them as well.  Thanks guys for all of your help...gonna split the points for ya.
Author Closing Comment by ModernAge (LVL 1), ID: 31411062
this did the trick...thanks!
Expert Comment by Keith Alabaster (LVL 51), ID: 20360013
:)  Thank you
Expert Comment by SteveH_UK (LVL 19), ID: 20360323
Thank you too :)  I haven't had much access to EE today, so sorry for the delayed reply