Solved

ISA Server 2006: How to configure two Web Listeners to listen to same Protocol and same Port

Posted on 2009-07-16
4,112 Views
Last Modified: 2012-05-07
I have a 1-NIC ISA 2006 configuration that primarily serves as a reverse proxy and listens for HTTP/HTTPS requests on ports 80/443 for site1.company.com and then forwards that traffic to the SharePoint server. OK, the problem is I want to listen also for site2.company.com on both HTTP/HTTPS on ports 80/447, and ISA flips an ERROR and states:
The Web listeners used in the rule site2.company.com and in the rule site1.company.com specify identical IP addresses and ports. Web listener IP addresses and ports used by different rules cannot overlap.

Actually the IPs don't overlap, just the HTTP/HTTPS protocol; currently site1.company.com and site2.company.com are on 2 different web servers.
0
16 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 24870776
Actually the IPs don't overlap, just the HTTP/HTTPS protocol; currently site1.company.com and site2.company.com are on 2 different web servers.
It isn't about the IP# of the web server; it is about the fact that both listeners are using the same protocol on the same external IP on the ISA.
Your mistake is thinking that you even need two listeners to begin with. You're supposed to use the same listener for both publishing rules. You then use host headers to distinguish the sites. Host headers are the same thing as the Common Name and the Public Name.
0
 

Author Comment

by:kvigor
ID: 24871153
Thanks windell,

You've just added a little bit of complexity to what I was planning on doing, because when I roll this out into production both of my sites will be on the same server (same IP) and I'll need each site to use its own certificate. As far as I can see you can only assign one certificate to an IP. So how would I add both pub rules to one listener using 2 different certs? Is this even possible? I really don't want to have to purchase a wildcard cert if I don't have to... you know.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24871183
Yes, you need a wildcard cert.
If you don't have that then you need to have two or more IP#s for the external side of the ISA. The same listener can use multiple IP#s; you then assign a cert to each IP# within the same listener. ISA 2004 could not do this; ISA 2006 can.
0
 

Author Comment

by:kvigor
ID: 24871280
Yes, however I'm listening to the pre-defined External network for web requests; could I add another NIC and assign that to then listen for site2.company.com?
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 24871345
I just saw that you were using a single-NIC ISA. I just don't get involved with single-NIC ISAs. They present a horrible situation; they are a waste of time in my opinion.
All I can say is that you need multiple IP#s on the NIC (there is only one NIC). The listener needs to be tied to those. The difference with 2004 vs. 2006 is that 2004 would use a unique listener for each site/cert/IP combo, while 2006 can do it on one listener, but beyond that they work the same way after that point.
The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/kb/838364/en-us
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx
 
 
0
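The listener rules pwindell lays out (one listener per external IP:port, sites told apart by host header, and exactly one certificate per listener IP) can be checked before anything is touched in the ISA console. The planner below is an added example written for this page; it is not code from the thread and not the ISA Server API, it only models those constraints. The IP addresses, host names and certificate names are constructed sample values, and the three scenarios are the asker's original plan plus the two fixes discussed (a wildcard cert, or a second external IP).

```javascript
// Added example: a planner that applies the listener rules pwindell gives
// above. It is not code from this thread and not the ISA Server API; it only
// models the constraints so a design can be checked before touching the
// console. All IPs, host names and certificate names are constructed samples.
//
// Constraints modelled:
//  * rules reached on the same IP:port must share one listener and are told
//    apart by host header (ISA refuses two listeners on the same IP:port);
//  * each listener IP carries exactly one certificate, so two HTTPS sites on
//    one IP need either a second external IP or one certificate whose
//    subject covers both names (wildcard or multi-name).

function certCovers(cert, hostname) {
  // cert = { name, subjects: [...] }; "*.company.com" matches one label only
  const host = hostname.toLowerCase();
  return cert.subjects.some(function (subject) {
    const s = subject.toLowerCase();
    if (s.startsWith("*.")) {
      const suffix = s.slice(1); // ".company.com"
      if (!host.endsWith(suffix)) return false;
      const label = host.slice(0, host.length - suffix.length);
      return label.length > 0 && !label.includes(".");
    }
    return s === host;
  });
}

// rules: [{ publicName, ip, port, cert }] where cert is null for plain HTTP.
// Returns { listeners, problems }: one listener per port with one binding per
// IP inside it (the ISA 2006 shape), plus any design problems found.
function planListeners(rules) {
  const byPort = new Map(); // port -> Map(ip -> { ip, hosts, certs })
  const problems = [];

  for (const rule of rules) {
    if (!byPort.has(rule.port)) byPort.set(rule.port, new Map());
    const byIp = byPort.get(rule.port);
    if (!byIp.has(rule.ip)) byIp.set(rule.ip, { ip: rule.ip, hosts: [], certs: [] });
    const b = byIp.get(rule.ip);

    if (b.hosts.includes(rule.publicName)) {
      problems.push(rule.publicName + " is published twice on " + rule.ip + ":" + rule.port);
      continue;
    }
    b.hosts.push(rule.publicName);
    if (rule.cert && !b.certs.some((c) => c.name === rule.cert.name)) b.certs.push(rule.cert);
  }

  const listeners = [];
  for (const [port, byIp] of byPort) {
    const bindings = [];
    for (const b of byIp.values()) {
      // The one certificate this IP can carry must cover every host on it.
      const cert = b.certs.find((c) => b.hosts.every((h) => certCovers(c, h))) || null;
      if (b.certs.length > 0 && cert === null) {
        problems.push(
          b.ip + ":" + port + " serves " + b.hosts.join(", ") +
          " but no single offered certificate covers all of them: " +
          "add an external IP per certificate or use one wildcard/multi-name certificate"
        );
      }
      bindings.push({ ip: b.ip, hosts: b.hosts.slice(), cert: cert ? cert.name : null });
    }
    listeners.push({ port: port, bindings: bindings });
  }
  return { listeners: listeners, problems: problems };
}

// Constructed sample certificates and the three designs discussed in the thread.
const CERT1 = { name: "SSL_Cert1", subjects: ["site1.company.com"] };
const CERT2 = { name: "SSL_Cert2", subjects: ["site2.company.com"] };
const WILDCARD = { name: "Wildcard_Cert", subjects: ["*.company.com"] };

function rule(publicName, ip, port, cert) {
  return { publicName: publicName, ip: ip, port: port, cert: cert || null };
}

const SCENARIOS = {
  // the asker's plan: one external IP, one certificate per site -> conflict
  oneIpTwoCerts: [
    rule("site1.company.com", "203.0.113.10", 80),
    rule("site2.company.com", "203.0.113.10", 80),
    rule("site1.company.com", "203.0.113.10", 443, CERT1),
    rule("site2.company.com", "203.0.113.10", 443, CERT2),
  ],
  // fix 1: a wildcard certificate is offered; the planner picks it for the IP
  oneIpWildcard: [
    rule("site1.company.com", "203.0.113.10", 443, CERT1),
    rule("site2.company.com", "203.0.113.10", 443, WILDCARD),
  ],
  // fix 2: a second external IP, each IP carrying its own certificate
  twoIps: [
    rule("site1.company.com", "203.0.113.10", 443, CERT1),
    rule("site2.company.com", "203.0.113.11", 443, CERT2),
  ],
};

for (const name of Object.keys(SCENARIOS)) {
  const plan = planListeners(SCENARIOS[name]);
  console.log(name + ": " + (plan.problems.length ? plan.problems.join("; ") : "OK"));
}
```

Run it with `node` and the first scenario reports the same conflict the ISA console raises in the question (two certificates wanted on one IP:443), while the HTTP rules on port 80 collapse into a single binding with two host headers and no certificate at all, which is why pwindell says host headers are enough there. Note that the wildcard match accepts exactly one label, so `*.company.com` covers `site1.company.com` but not `a.b.company.com` or `company.com` itself.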
 

Author Comment

by:kvigor
ID: 24871396
My apologies for the above post; I was thinking out loud, incorrectly I might add. So, I'm stuck with either putting each site on different servers or buying a wildcard cert?
0
 

Author Comment

by:kvigor
ID: 24871449
If I do add addt'l NICs to my ISA what does that buy me for my existing situation?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24871632
It would no longer be your existing situation :-)
Adding a NIC constitutes a redesign in topology.
Two NICs give you all of ISA's abilities; a single NIC gives you what the article I gave describes. I don't have a simple answer for that.
0
 

Author Comment

by:kvigor
ID: 24871752
I'll research on TechNet/MSDN whether I can solve my problem by adding an addt'l NIC, after which I'll award points.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24871777
These links may speed up your research.
TechNet Library: ISA 2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
Internal Client Concepts in ISA Server 2006
http://technet.microsoft.com/en-us/library/bb794762.aspx
ISA Firewall Dirty Dozen (FAQ)
http://www.isaserver.org/tutorials/ISA-Firewall-Dirty-Dozen-FAQ.html
0
 

Author Comment

by:kvigor
ID: 24871895
Thanks
0
 
LVL 1

Expert Comment

by:NicolasQuenard
ID: 24893355
You are configuring an SSL port that is non-standard.
Creating a Web Listener on 447 for the HTTPS protocol won't work, because you still need to use the HTTPS Web Proxy Filter; you need to create a new tunneling port 447.

To add a non-standard tunnel port, use the ISA script  http://www.isatools.org/tools/isa_tpr.js  (cscript isa_tpr.js portSSL447 447)

Once the tunneling port is added, you won't be able to see it in the ISA console, but you will be able to see it with the script above or with the following one: http://www.isatools.org/tools/isainfo.zip

Cheers
0
 

Author Comment

by:kvigor
ID: 24896008
I've added another NIC to the ISA Server (2 total now). I also added another NIC to my web server (just in case).
My web listener is currently listening to the following networks: External, Local Host, Internal 1 (for site1.company.com), and Internal 2 (for site2.company.com). Both sites are now on the same web server.
I was able to tell ISA Server to associate ISA NIC 1 (Internal 1) for site1.company.com with SSL_Cert1 and associate ISA NIC 2 (Internal 2) for site2.company.com with SSL_Cert2. The problem is that for each network I'm listening to, ISA wants an IP (view image below), and I can't use the same NIC IP to associate with the other networks, so I'm wondering what I am doing wrong. I have to listen on the External and Local Host networks for web requests when publishing SharePoint sites, right? I have yet to change my ISA network configuration from a single network adapter.
ISA2006-ListenterProperties.jpg
0
 

Author Closing Comment

by:kvigor
ID: 31604301
In addition, in order to get the IIS server to respond to multiple SSL sites, you have to add an addt'l NIC on the IIS web server as well, responding to requests for the other SSL-enabled site.
0
 

Author Comment

by:kvigor
ID: 24916781
Figured it out; needed the 3-Leg Network Template to accomplish what pwindell suggested in post 24871345.
0
 

Author Comment

by:kvigor
ID: 26760794
OK had to go with the Edge Template instead.
0
