Solved

ISA Server 2006: How to configure two Web Listeners to listen to same Protocol and same Port

Posted on 2009-07-16
16
4,042 Views
Last Modified: 2012-05-07
I have a 1-NIC ISA 2006 configuration that primarily serves as a reverse proxy and listens for HTTP/HTTPS requests on ports 80/443 for site1.company.com and then forwards that traffic to the SharePoint server. OK, the problem is I want to listen also for site2.company.com on both HTTP/HTTPS on ports 80/447, and ISA flips an ERROR and states:
The Web listeners used in the rule site2.company.com and in the rule site1.company.com specify identical IP addresses and ports. Web listener IP addresses and ports used by different rules cannot overlap.

Actually the IPs don't overlap, just the HTTP/HTTPS protocol; currently site1.company.com and site2.company.com are on 2 different web servers.
Question by:kvigor

16 Comments

LVL 29

Expert Comment

by:pwindell
ID: 24870776
Actually the IPs don't overlap, just the HTTP/HTTPS protocol; currently site1.company.com and site2.company.com are on 2 different web servers.
It isn't about the IP# of the web server; it is about the fact that both listeners are using the same protocol on the same external IP on the ISA.
Your mistake is thinking that you even need two listeners to begin with. You're supposed to use the same listener for both Publishing Rules. You then use Host Headers to distinguish the sites. Host Headers are the same thing as the Common Name and the Public Name.
Author Comment

by:kvigor
ID: 24871153
Thanks windell,

You've just added a little bit of complexity to what I was planning on doing, because when I roll this out into production both of my sites will be on the same server (same IP) and I'll need each site to use its own certificate. As far as I can see you can only assign one certificate to an IP. So how would I add both pub rules to one listener using 2 different certs? Is this even possible? I really don't want to have to purchase a wildcard cert if I don't have to... you know.
LVL 29

Expert Comment

by:pwindell
ID: 24871183
Yes, you need a wildcard cert.
If you don't have that then you need to have two or more IP#s for the External side of the ISA. The same listener can use multiple IP#s; you then assign a Cert to each IP# within the same listener. ISA 2004 could not do this; ISA 2006 can.

Author Comment

by:kvigor
ID: 24871280
Yes, however I'm listening to the predefined External Network for web requests; could I add another NIC and assign that to then listen for site2.company.com?
LVL 29

Accepted Solution

by:pwindell (earned 500 total points)
ID: 24871345
I just saw that you were using a single-NIC ISA. I just don't get involved with single-NIC ISAs. They present a horrible situation; they are a waste of time in my opinion.
All I can say is that you need multiple IP#s on the NIC (there is only one NIC). The Listener needs to be tied to those. The difference with 2004 vs. 2006 is that 2004 would use a unique Listener for each Site/Cert/IP combo, while 2006 can do it on one Listener; beyond that they work the same way after that point.
The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/kb/838364/en-us
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx
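The two answers above (one shared listener distinguished by host header, and one listener binding several external IPs with a certificate per IP) come down to one constraint: the TLS handshake completes before ISA sees the Host header, so the external IP alone decides which certificate is presented. The model below is an added Python example, not ISA code or anything from the thread's author; the site names, the 203.0.113.x addresses and the listener names are constructed. It reproduces the overlap check behind the error in the question and then validates the three layouts discussed: two listeners on one IP, one listener on one IP (works only with a cert covering both names), and one listener on two IPs with a cert each. The wildcard matching uses fnmatchcase, which is looser than a real certificate wildcard (it also matches extra labels); it is enough to show the principle.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed names and addresses standing in for the thread's two sites
# and the ISA's external IPs (assumptions, not values from the page).
SITE1, SITE2 = "site1.company.com", "site2.company.com"
EXT_IP1, EXT_IP2 = "203.0.113.10", "203.0.113.11"


@dataclass(frozen=True)
class Cert:
    """A certificate described by the host names it is valid for
    (CN plus SANs; '*' acts as a wildcard label, e.g. '*.company.com')."""
    names: tuple

    def matches(self, host):
        return any(fnmatchcase(host.lower(), n.lower()) for n in self.names)


@dataclass
class Listener:
    """An ISA web listener: the external IPs it binds, the cert bound to
    each IP (ISA 2006 allows one cert per IP inside a listener), its ports."""
    name: str
    certs: dict            # ip -> Cert
    ports: tuple = (80, 443)


@dataclass
class PublishRule:
    """A web publishing rule: public name (the host header ISA matches on),
    the listener it uses, and the external IP that public name resolves to."""
    public_name: str
    listener: str
    public_ip: str


def overlapping_listeners(listeners):
    """(IP, port) pairs bound by more than one listener: the condition behind
    ISA's 'IP addresses and ports ... cannot overlap' error."""
    owner, conflicts = {}, []
    for lst in listeners:
        for ip in lst.certs:
            for port in lst.ports:
                key = (ip, port)
                if key in owner and owner[key] != lst.name:
                    conflicts.append((owner[key], lst.name, ip, port))
                owner.setdefault(key, lst.name)
    return conflicts


def check_rules(rules, listeners):
    """Per rule: the listener must bind the rule's public IP, and the cert on
    that IP must cover the public name, because the certificate is chosen
    by IP before the Host header is read (no SNI in ISA 2006)."""
    by_name = {lst.name: lst for lst in listeners}
    problems = []
    for r in rules:
        lst = by_name.get(r.listener)
        if lst is None:
            problems.append(f"{r.public_name}: listener {r.listener} missing")
        elif r.public_ip not in lst.certs:
            problems.append(f"{r.public_name}: {r.listener} does not bind {r.public_ip}")
        elif not lst.certs[r.public_ip].matches(r.public_name):
            problems.append(f"{r.public_name}: cert on {r.public_ip} does not cover it")
    return problems


CERT1 = Cert(("site1.company.com",))
CERT2 = Cert(("site2.company.com",))
WILDCARD = Cert(("*.company.com",))


def two_listeners_one_ip():
    """The questioner's layout: a listener per site on the same external IP."""
    listeners = [Listener("L-site1", {EXT_IP1: CERT1}),
                 Listener("L-site2", {EXT_IP1: CERT2})]
    return overlapping_listeners(listeners)


def one_listener_one_ip(cert):
    """One shared listener on one IP; host headers select the rule. Only
    works when the single cert covers both names (e.g. a wildcard)."""
    listeners = [Listener("L-shared", {EXT_IP1: cert})]
    rules = [PublishRule(SITE1, "L-shared", EXT_IP1),
             PublishRule(SITE2, "L-shared", EXT_IP1)]
    return overlapping_listeners(listeners), check_rules(rules, listeners)


def one_listener_two_ips():
    """The ISA 2006 layout from the accepted answer: one listener binding two
    external IPs with a per-site cert on each; DNS maps each name to its IP."""
    listeners = [Listener("L-shared", {EXT_IP1: CERT1, EXT_IP2: CERT2})]
    rules = [PublishRule(SITE1, "L-shared", EXT_IP1),
             PublishRule(SITE2, "L-shared", EXT_IP2)]
    return overlapping_listeners(listeners), check_rules(rules, listeners)


if __name__ == "__main__":
    print("two listeners, one IP:", two_listeners_one_ip())
    print("one listener, one IP, site1 cert:", one_listener_one_ip(CERT1))
    print("one listener, one IP, wildcard:", one_listener_one_ip(WILDCARD))
    print("one listener, two IPs:", one_listener_two_ips())
```

Running it shows the first layout producing the overlap on both 80 and 443, the single-IP layout failing for site2 unless the wildcard cert is used, and the two-IP layout passing both checks, which is the configuration the accepted answer describes.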
 

Author Comment

by:kvigor
ID: 24871396
My apologies for the above post; I was thinking out loud, incorrectly I might add. So, I'm stuck with either putting each site on different servers or buying a wildcard cert?

Author Comment

by:kvigor
ID: 24871449
If I do add addt'l NICs to my ISA what does that buy me for my existing situation?
LVL 29

Expert Comment

by:pwindell
ID: 24871632
It would no longer be your existing situation :-)
Adding a NIC constitutes a redesign in topology.
Two NICs give you all of ISA's abilities; a single NIC gives you what the article I gave describes. I don't have a simple answer for that.

Author Comment

by:kvigor
ID: 24871752
I'll research on TechNet/MSDN if I can solve my problem with adding an addt'l NIC, after which I'll award points.
LVL 29

Expert Comment

by:pwindell
ID: 24871777
These links may speed up your research.
Technet Library
  ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
Internal Client Concepts in ISA Server 2006
http://technet.microsoft.com/en-us/library/bb794762.aspx
ISA Firewall Dirty Dozen (FAQ)
http://www.isaserver.org/tutorials/ISA-Firewall-Dirty-Dozen-FAQ.html

Author Comment

by:kvigor
ID: 24871895
Thanks
LVL 1

Expert Comment

by:NicolasQuenard
ID: 24893355
You are configuring an SSL port that is non-standard.
Creating a Web Listener on 447 for the HTTPS protocol won't work. Because you still need to use the HTTPS Web Proxy Filter, you need to create a new tunneling port 447.

To add a non-standard tunnel port, use the ISA script http://www.isatools.org/tools/isa_tpr.js (cscript isa_tpr.js portSSL447 447)

Once the tunneling port is added, you won't be able to see it in the ISA console, but you will be able to see it with the script above or with the following one: http://www.isatools.org/tools/isainfo.zip

Cheers

Author Comment

by:kvigor
ID: 24896008
I've added another NIC to the ISA Server (2 total now). I also added another NIC to my Web Server (just in case).
My web listener is currently listening to the following Networks: External, Local Host, Internal 1 (for site1.company.com), and Internal 2 (for site2.company.com). Both sites are now on the same Web Server.
I was able to tell ISA Server to associate ISA NIC 1 (Internal 1) for site1.company.com with SSL_Cert1 and associate ISA NIC 2 (Internal 2) for site2.company.com with SSL_Cert2. The problem is, for each Network I'm listening to, ISA wants an IP (view image below), and I can't use the same NIC IP to associate with the other networks, so I'm wondering what I am doing wrong. I have to listen to the External and Local Host for Web Requests when publishing SharePoint sites, right? I have not yet changed my ISA Network Configuration from a Single Network Adapter.
(Attached image: ISA2006-ListenterProperties.jpg)

Author Closing Comment

by:kvigor
ID: 31604301
In addition, in order to get the IIS server to respond to multiple SSL sites, you have to add an addt'l NIC on the IIS Web Server as well, responding to requests for the other SSL-enabled site.

Author Comment

by:kvigor
ID: 24916781
Figured it out.. needed 3-Leg Network Template to accomplish what pwindell suggested in Post 24871345.

Author Comment

by:kvigor
ID: 26760794
OK had to go with the Edge Template instead.