Solved

How do I configure an ISA 2006 Server (specifically the NICs) for Public IP Passthrough?

Posted on 2009-02-11
Last Modified: 2013-11-29
All,

Great site. Have been using it for almost 9 months and wouldn't trade a minute of my subscription.  Have an issue I need some help with...

I have a company network which is using MS ISA Server 2006 in a 3 Tier mode.  We are also using MS Office Communications Server 2007 and as a result I have an OCS Edge Server in the Perimeter Network. I had originally just been NAT'ing the one IP address to a private perimeter network address (Access Edge).  However, now that we are moving to Live Meeting and Audio/Video, I need a public IP address for the A/V Edge NIC.

As a result, I upgraded my Telco lines and purchased a block of 13 IP addresses.

So I have configured my ISA Server as follows...

External NIC - xxx.68.71.115
Internal NIC - 10.1.10.1
Perimeter NIC - xxx.68.71.117

Network Rule is setup to allow Route and not NAT to the Perimeter network.

On the OCS Side, I have an edge server with the following IP Addresses...xxx.68.71.118-120.

For some reason I cannot ping the Perimeter from the ISA Server or the ISA Server from the Perimeter.  There is no traffic to speak of going between the two zones.  I cannot figure out why.

Don't know if this is a rule issue in ISA or a NIC configuration error.  Any help would be appreciated.
Question by:cknapp78
8 Comments
 

Expert Comment

by:Keith Alabaster
ID: 23614207
You are not supposed to be able to.
Edit the ISA System policy (not the firewall policy) and enable icmp between the two network entities if you really want to be able to do this.
 

Author Comment

by:cknapp78
ID: 23614512
Do I need to edit this for passthrough of any protocol between the two zones?  I had it working in the past on NAT but not in routing.
 

Expert Comment

by:Keith Alabaster
ID: 23614642
No - It is for traffic that is directed to/from ISA itself as opposed to passthrough.

Author Comment

by:cknapp78
ID: 23614707
I guess I am missing something then.

I have been doing this for over 12 years and have drawn a blank.  Is there any way to get a public IP passthrough to a server in the perimeter network?
 

Expert Comment

by:Keith Alabaster
ID: 23614765
What, exactly, are you trying to achieve? Maybe I am mis-reading your question.
 

Author Comment

by:cknapp78
ID: 23614792
I am trying to allow traffic over port 5061 (among others) to an edge server in my perimeter network.  The glitch is that I need to assign these server NICs with public IP addresses.  NAT'ing them is not allowed.

In essence, I need to go from an outside client, through my ISA Box, to the Edge Server, without actually using the ISA IP address.  For example, my ISA outside address is xxx.68.71.115.  I have the Edge Server set for xxx.68.71.118-120.  I need to allow the client on the external network access to the edge server.
 

Author Comment

by:cknapp78
ID: 23614821
Half of me wonders if I even have the NICs set up on the ISA box correctly.  They are as follows...

External Network
IP - xxx.68.71.115
Gateway - xxx.68.71.1
Subnet - 255.255.255.0

Internal Network
IP - 10.1.10.1
Gateway - 255.255.255.0

Perimeter Network
IP - xxx.68.71.117
Subnet - 255.255.255.0


My edge server has 3 NICs within the perimeter network with addresses xxx.68.71.118-120 and one internal NIC with an address of 10.1.10.102 and a gateway on the internal NIC of 10.1.10.1.  Any help is appreciated.
 

Accepted Solution

by:Keith Alabaster (earned 1000 total points)
ID: 23614983
Looks good. Assume that was a typo on the internal NIC and you meant mask 255.255.255.0, not gateway. The ISA internal NIC and the perimeter NIC MUST NOT have a gateway set - only the external NIC.

Have you created protocol definitions for the traffic you want to pass?
As you are routing rather than NATting, this should be an access rule to allow protocol_name from External to Perimeter. Naturally, if the traffic can be initiated from the perimeter boxes, then you will also need the same access rule from Perimeter to External - repeat for each protocol you want, or bundle all the protocols into one access allow rule.

When an access attempt is made, are you seeing an entry in the ISA realtime log?
Are the ports being forwarded/allowed by your external router to the ISA external IP?

I assume you have the ISA 2006 Supportability Pack and ISA 2006 SP1 installed?

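One way to apply the accepted answer's NIC rules mechanically before touching access rules, as an added example that is not from the thread: a small checker that flags a gateway on the internal or perimeter NIC, a mask typed into a gateway field, and edge-server addresses that a Route relationship could not deliver to because they are off the perimeter NIC's subnet. The addresses are constructed from the 203.0.113.0/24 documentation range in place of the asker's xxx.68.71.x block.

```python
"""Check a three-NIC ISA 2006 layout against the accepted answer: only the
external NIC has a default gateway; Route needs edge IPs on the perimeter subnet."""
import ipaddress


def looks_like_netmask(value):
    """True if the string parses as a dotted netmask such as 255.255.255.0."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{value}")
        return True
    except ValueError:
        return False


def check_isa_nics(nics, edge_public_ips):
    """Return findings for nics = {name: {'ip', 'mask', 'gateway'}}; [] = passes."""
    findings = []
    for name, cfg in nics.items():
        gw = cfg.get("gateway")
        if gw and looks_like_netmask(gw):  # mask typed into the gateway field
            findings.append(f"{name}: gateway '{gw}' is a subnet mask, not a router")
            continue
        if not cfg.get("mask"):
            findings.append(f"{name}: no subnet mask configured")
            continue
        net = ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['mask']}").network
        if name == "external":
            if gw is None:
                findings.append("external: default gateway missing")
            elif ipaddress.IPv4Address(gw) not in net:
                findings.append(f"external: gateway {gw} is not on {net}")
        elif gw is not None:
            findings.append(f"{name}: gateway {gw} set; only the external NIC may have one")
    perim = nics.get("perimeter", {})
    if perim.get("mask"):  # Route delivers straight to hosts on this subnet
        net = ipaddress.IPv4Interface(f"{perim['ip']}/{perim['mask']}").network
        for host in edge_public_ips:
            if ipaddress.IPv4Address(host) not in net:
                findings.append(f"perimeter: edge address {host} is off {net}; Route cannot reach it")
    return findings


# Constructed stand-in for the posted layout; the mask is typed into internal's gateway.
AS_POSTED = {
    "external": {"ip": "203.0.113.115", "mask": "255.255.255.0", "gateway": "203.0.113.1"},
    "internal": {"ip": "10.1.10.1", "mask": None, "gateway": "255.255.255.0"},
    "perimeter": {"ip": "203.0.113.117", "mask": "255.255.255.0", "gateway": None},
}
EDGE_PUBLIC_IPS = ["203.0.113.118", "203.0.113.119", "203.0.113.120"]

if __name__ == "__main__":
    print("\n".join(check_isa_nics(AS_POSTED, EDGE_PUBLIC_IPS) or ["no findings"]))
```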