I am trying to configure the ISA 2006 publish website and web listener to allow HTTPS / SSL login from the external DMZ web server tot he internal web server.
ISA 2006 had limitations on the web listener per protocol and physical network port.
I already have HTTPS web listener for email OWA access setup but need an additional https / ssl link from the dmz web server (hosts the main website) so a visitor to the site can login to a web applet and access the internal secure web server.
I have tried setting up the ports 20443 and directing the traffic from the dmz web site page to the internal server but the ISA blocks the traffic.
As the above web listener for the exchange server does not function correctly and is not absolutely necessary I could remove this and setup the Publish Web Site task and link to a fresh web listener for standard HTTPS port will this work. The documented procedure on Microsoft does not work, nor the ones I have found on other sites.
Has someone set this up before and can help overcome whatever is stopping this ISA working on this aspect?
I already have HTTPS web listener for email OWA access setup but need an additional https / ssl link from the dmz web server (hosts the main website) so a visitor to the site can login to a web applet and access the internal secure web server.
I have tried setting up the ports 20443 and directing the traffic from the dmz web site page to the internal server but the ISA blocks the traffic.
As the above web listener for the exchange server does not function correctly and is not absolutely necessary I could remove this and setup the Publish Web Site task and link to a fresh web listener for standard HTTPS port will this work. The documented procedure on Microsoft does not work, nor the ones I have found on other sites.
Has someone set this up before and can help overcome whatever is stopping this ISA working on this aspect?
ASKER
Thanks for this option I was aware of this variation and had tried it before without success but I have until this evening not been able to make the web listener and publishing rules function. It would appear some ISP network issues with their default gateways and dns issues on their side that were fixed last week have also resolved some of the problems I have had in accessing published internal sites.
The next issue is I have two sites on the internal server both requiring SSL and again having access using the same 443 port is not possible unless I add a second IP address to the nic and link each sites via the different IP addresses. Thanks for reminding me to use this option.
The next issue is I have two sites on the internal server both requiring SSL and again having access using the same 443 port is not possible unless I add a second IP address to the nic and link each sites via the different IP addresses. Thanks for reminding me to use this option.
2nd issue - 2nd question Tim
Keith
Keith
ASKER
OK back to the first question.
The use of two IP addresses works fine for setting up the web listeners however the external firewall can only port forward HTTPS to one IP address so I am still no further forward!!!!
The use of two IP addresses works fine for setting up the web listeners however the external firewall can only port forward HTTPS to one IP address so I am still no further forward!!!!
I'll leave you to it then
ASKER
I thought this site was about helping people!
What the site is about is helping people to help themselves improve and learn. That is why I freely give my own time to respond to questions.
Your question title and your initial post asks about how to do this from the web server in the DMZ to internal servers
I have answered your question and, as you have stated, this works as you would have expected.
Now you are talking about internet access to the internal sites through an external firewall and are bringing other equipment into the mix. If you don't ask the question that you actually wanted answering, whose fault is that?
However, the reasoning is exactly the same as my first response to you. You can only have one ip address/port combination. If you have an external firewall in the mix, you will need two ip addresses on that device - each listening on the port.
The one exception (if the two web services are on the same server) is if they share the same domain name and you can use host headers to send all https requests to the web server and then the IIS service will control the allocation.
Your question title and your initial post asks about how to do this from the web server in the DMZ to internal servers
I have answered your question and, as you have stated, this works as you would have expected.
Now you are talking about internet access to the internal sites through an external firewall and are bringing other equipment into the mix. If you don't ask the question that you actually wanted answering, whose fault is that?
However, the reasoning is exactly the same as my first response to you. You can only have one ip address/port combination. If you have an external firewall in the mix, you will need two ip addresses on that device - each listening on the port.
The one exception (if the two web services are on the same server) is if they share the same domain name and you can use host headers to send all https requests to the web server and then the IIS service will control the allocation.
ASKER
Sorry, I did not want to seem ungrateful and thank you for your further advice. Unfortunately there is only one IP address for the external firewall available and the two web services are on completely separate servers. Some in the domain and others outside of it.
As you can see I have been around this loop time and time again and was hoping someone would have a unique solution around all these restrictions.
Back to the drawing board or redesign the topology is the only solution left.
Thanks Tim
As you can see I have been around this loop time and time again and was hoping someone would have a unique solution around all these restrictions.
Back to the drawing board or redesign the topology is the only solution left.
Thanks Tim
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It is not a restriction on the physical port, that is irrelevant. The restriction is on one ip address & port combination.If it is from the dmz to the internal, just put additional ip addresses on the ISA dmz interface - each can then listen to port 443.
When you publish a rule, you select the interface that will listen - on that tab you will see an addresses box. In here you can select for the interface to listen for port 443 on ALL ip addresses (default) or select individual aip addresses.
So, stick two addresses on the DMZ nic port.
publish rule 1 on 443 using 1st ip, then 2nd publishing rule on 443 using 2nd ip.
Job done