ISA 2006, Publishing LDAP through 2 firewalls, issues

Last Modified: 2012-06-21
Hi all

I'm attempting to publish LDAP (internal) to a range of IPs (external)

Info (not real):
Test PC Internet IP: 80.90.100.110
External ISA External IP: 80.80.80.80
Internal ISA IP: 172.172.172.172

One step at a time...
On the External ISA I have:
Created protocol "LDAP-in", TCP, 389/389, incoming
Created "Computer" "LDAP Test PC" with IP 80.90.100.110
Created Network "Allowed LDAP IPs" containing (amongst others) the IP of the Test PC, 80.90.100.110

I have created a Non-web publishing rule "LDAP incoming"
Allow, LDAP-in, to 172.172.172.172, from Anywhere, on "External"

Enable monitoring...
On test PC, "telnet 80.80.80.80 389"

Monitoring...
Denied Connection
Status:
Rule:
Source: Allowed LDAP IPs (Network) (80.90.100.110:65434)
Destination: Local Host (80.80.80.80:389)
Protocol: LDAP
User:

The question (finally!): why is the destination showing "Local Host"? It should be showing the destination as 172.172.172.172:389, should it not?

CERTIFIED EXPERT

Author

Commented:
And why is the protocol showing as "LDAP", not "LDAP-in"?
Suliman Abu Kharroub, IT Consultant
CERTIFIED EXPERT

Commented:

Why don't you use VPN to allow external to internal network?
CERTIFIED EXPERT

Author

Commented:
VPN wouldn't be appropriate for this specific situation.

I have just removed the test PC from Allowed LDAP IPs (Network) and retried

Monitoring...

Initiated Connection
Log Type: Firewall service
Status:
Rule: LDAP incoming
Source: External (80.90.100.110:49494)
Destination: Local Host (172.172.172.172:389)
Protocol: LDAP inbound
User:

So, it works if my test PC is not a member of a Network, but this needs to be enabled for a group of IP ranges. Why does it not work if I specify a Network as a container for my test PC?
CERTIFIED EXPERT

Author

Commented:
Oops make that last one "Destination: Local Host (172.172.172.100:389)" - the internal IP of the External ISA

So it gets in, and is forwarded from the external IP to the internal IP, but why is the destination not the IP of the internal ISA, as specified in the server publishing rule?
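The two monitoring entries quoted above differ only in how ISA classified the source and in whether a rule was hit. As an added example, not code from the thread, the script below parses constructed copies of both entries (same values as the posts, with the corrected 172.172.172.100 destination), flags the observations the thread turns on, and reports what changed between the denied and the allowed capture. The set of built-in network names is assumed from ISA's default objects.

```python
import re

# Constructed copies of the two monitoring entries quoted in the thread.
DENIED_CAPTURE = """Denied Connection
Status:
Rule:
Source: Allowed LDAP IPs (Network) (80.90.100.110:65434)
Destination: Local Host (80.80.80.80:389)
Protocol: LDAP
User:"""
ALLOWED_CAPTURE = """Initiated Connection
Log Type: Firewall service
Status:
Rule: LDAP incoming
Source: External (80.90.100.110:49494)
Destination: Local Host (172.172.172.100:389)
Protocol: LDAP inbound
User:"""

# ISA's built-in network objects (assumed list); any other name in Source/Destination is admin-defined.
BUILT_IN_NETWORKS = {"External", "Internal", "Local Host", "VPN Clients", "Quarantined VPN Clients"}
# "<object name> (<ip>:<port>)"; the object name may itself contain parentheses, e.g. "(Network)".
ENDPOINT_RE = re.compile(r"^(?P<obj>.*?)\s*\((?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)\)$")

def _endpoint(value):
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable endpoint: {value!r}")
    return {"obj": m["obj"], "ip": m["ip"], "port": int(m["port"])}

def parse_entry(text):
    """Turn one log-viewer entry into a dict: the action line plus labelled fields, endpoints split out."""
    lines = [l.strip() for l in text.strip().splitlines()]
    fields = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    return {"action": lines[0], "rule": fields.get("Rule") or None, "protocol": fields.get("Protocol", ""),
            "src": _endpoint(fields["Source"]), "dst": _endpoint(fields["Destination"])}

def triage(entry):
    """Return the set of observations that explain the entry the way the thread does."""
    findings = set()
    if entry["action"].startswith("Denied") and entry["rule"] is None:
        findings.add("denied_no_rule_matched")           # default deny; no policy rule was hit
    if entry["src"]["obj"] not in BUILT_IN_NETWORKS:
        findings.add("source_in_custom_network_object")  # client classified into an admin-defined Network, not External
    if entry["dst"]["obj"] == "Local Host":
        findings.add("destination_is_isa_itself")        # the listener on the ISA box, not the published server
    return findings

def diff_captures(denied_text, allowed_text):
    d, a = parse_entry(denied_text), parse_entry(allowed_text)
    changes = {k: (d[k]["obj"], a[k]["obj"]) for k in ("src", "dst") if d[k]["obj"] != a[k]["obj"]}
    changes["rule"] = (d["rule"], a["rule"])
    return changes
```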
Suliman Abu Kharroub, IT Consultant
CERTIFIED EXPERT

Commented:
ISA Server supposes that the destination server is 172.172.172.100 and it listens on IP address 80.80.80.80.

This is how ISA Server works. Like, you access 172.172.172.100 through 80.80.80.80, so the destination IP from ISA's view is 172.172.172.100.
Suliman Abu Kharroub, IT Consultant
CERTIFIED EXPERT

Commented:
No worries. Glad you got sorted.
CERTIFIED EXPERT

Author

Commented:
Self-solved