
ISA 2006, Publishing LDAP through 2 firewalls, issues

Hi all

I'm attempting to publish LDAP (internal) to a range of IPs (external)

Info (not real):
Test PC Internet IP: 80.90.100.110
External ISA External IP: 80.80.80.80
Internal ISA IP: 172.172.172.172

One step at a time...
On the External ISA I have:
Created protocol "LDAP-in", TCP, 389/389, incoming
Created "Computer" "LDAP Test PC" with IP 80.90.100.110
Created "Network" "Allowed LDAP IPs" containing (amongst others) the IP of Test PC 80.90.100.110

I have created a Non-web publishing rule "LDAP incoming"
Allow, LDAP-in, to 172.172.172.172, from Anywhere, on "External"

Enable monitoring...
On test PC, "telnet 80.80.80.80 389"

Monitoring...
Denied Connection
Status:
Rule:
Source: Allowed LDAP IPs (Network) (80.90.100.110:65434)
Destination: Local Host (80.80.80.80:389)
Protocol: LDAP
User:

The question (finally!): why is the destination showing "Local Host"? It should be showing the destination as 172.172.172.172:389, should it not?
Asked by FireW0lf
 
FireW0lf (Author) Commented:
And why is the protocol showing as "LDAP", not "LDAP-in"?
 
Suliman Abu Kharroub (IT Consultant) Commented:

Why don't you use a VPN to allow external to internal network?
 
FireW0lf (Author) Commented:
A VPN wouldn't be appropriate for this specific situation.

I have just removed the test PC from Allowed LDAP IPs (Network) and retried

Monitoring...

Initiated Connection
Log Type: Firewall service
Status:
Rule: LDAP incoming
Source: External (80.90.100.110:49494)
Destination: Local Host (172.172.172.172:389)
Protocol: LDAP inbound
User:

So, it works if my test PC is not a member of a Network, but this needs to be enabled for a group of IP ranges. Why does it not work if I specify a Network as a container for my test PC?
 
FireW0lf (Author) Commented:
Oops make that last one "Destination: Local Host (172.172.172.100:389)" - the internal IP of the External ISA

So it gets in, and is forwarded from the external IP to the internal IP, but why is the destination not the IP of the internal ISA, as specified in the server publishing rule?
 
Suliman Abu Kharroub (IT Consultant) Commented:
ISA Server supposes that the destination server is 172.172.172.100 and it listens on IP address 80.80.80.80.

This is how ISA Server works: you access 172.172.172.100 through 80.80.80.80, so the destination IP from ISA's view is 172.172.172.100.
 
FireW0lf (Author) Commented:
Oh gawd, I've been at this all morning... I'd put the wrong destination IP in the rule

I'm now seeing the accesses when monitoring my internal ISA

I've also figured out I was selecting the wrong entries in the "from" tab in the server rule

Sorry for wasting everyone's time. I think I solved it by simply typing out the issue so I could see it clearly in my head.
 
Suliman Abu Kharroub (IT Consultant) Commented:
No worries. Glad you got it sorted.
 
FireW0lf (Author) Commented:
Self-solved
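An added check, not part of the thread above and not code from ISA Server or the poster: the "telnet 80.80.80.80 389" test in the question only proves that a TCP handshake is forwarded to port 389, which is also all the ISA log line records. The script below sends an anonymous LDAP RootDSE search through the published endpoint and decodes the reply with a small hand-rolled BER codec, so it confirms that the request reached a directory server behind both firewalls and shows which RootDSE attributes that server hands to anyone in the allowed IP range. The 80.80.80.80 address is the thread's own placeholder; SAMPLE_RESPONSE is a constructed reply for running offline, not a capture from any server.

```python
"""Anonymous LDAP RootDSE probe: proves a published LDAP endpoint answers LDAP,
not merely that the firewall completed a TCP handshake on 389.  Hand-rolled BER."""
import socket
import sys

def ber_len(n):  # BER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):  # one BER tag-length-value element
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):  # BER INTEGER, minimal two's-complement octets
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def build_rootdse_request(msg_id=1):
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] } asking for the RootDSE."""
    search = (
        tlv(0x04, b"")                  # baseObject: empty DN = RootDSE
        + tlv(0x0A, b"\x00")            # scope: baseObject
        + tlv(0x0A, b"\x00")            # derefAliases: neverDerefAliases
        + ber_int(0) + ber_int(0)       # sizeLimit, timeLimit: none
        + tlv(0x01, b"\x00")            # typesOnly: FALSE
        + tlv(0x87, b"objectClass")     # filter: present(objectClass), i.e. (objectClass=*)
        + tlv(0x30, tlv(0x04, b"namingContexts") + tlv(0x04, b"supportedLDAPVersion"))
    )
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, search))

def decode(buf):
    """BER bytes -> list of (tag, payload); nested list for constructed tags, bytes otherwise."""
    out, pos = [], 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
        length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + hdr], "big")
        if pos + hdr + length > len(buf):
            raise ValueError("truncated BER element")
        value = buf[pos + hdr:pos + hdr + length]
        out.append((tag, decode(value) if tag & 0x20 else value))
        pos += hdr + length
    return out

def try_decode(buf):
    """decode(buf), or None while the reply is still incomplete on the wire."""
    try:
        return decode(buf)
    except (IndexError, ValueError):
        return None

def search_result_code(messages):
    """resultCode from SearchResultDone [APPLICATION 5]; -1 if it has not arrived yet."""
    for _, fields in messages:          # fields = [(0x02, messageID), (protocolOp tag, body), ...]
        op_tag, op = fields[1]
        if op_tag == 0x65:
            return int.from_bytes(op[0][1], "big")
    return -1

def entry_attributes(messages):
    """{attribute: [values]} from every SearchResultEntry [APPLICATION 4]."""
    attrs = {}
    for _, fields in messages:
        op_tag, op = fields[1]          # op = [(0x04, objectName), (0x30, PartialAttributeList)]
        if op_tag == 0x64:
            for _, (name, vals) in op[1][1]:   # (0x30, [(0x04, type), (0x31, [(0x04, value)...])])
                attrs[name[1].decode()] = [v.decode("utf-8", "replace") for _, v in vals[1]]
    return attrs

def probe_rootdse(host, port=389, timeout=5.0):
    """Connect, send the RootDSE search and read until the SearchResultDone arrives."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rootdse_request())
        buf = b""
        for data in iter(lambda: sock.recv(4096), b""):
            buf += data
            msgs = try_decode(buf)
            if msgs is not None and search_result_code(msgs) != -1:
                return msgs
    raise ConnectionError("no SearchResultDone from %s:%d" % (host, port))

# Constructed sample reply (not captured from any real server): one entry, then done.
SAMPLE_RESPONSE = (
    tlv(0x30, ber_int(1) + tlv(0x64, tlv(0x04, b"") + tlv(0x30,
        tlv(0x30, tlv(0x04, b"namingContexts") + tlv(0x31, tlv(0x04, b"DC=example,DC=test")))
        + tlv(0x30, tlv(0x04, b"supportedLDAPVersion") + tlv(0x31, tlv(0x04, b"3") + tlv(0x04, b"2"))))))
    + tlv(0x30, ber_int(1) + tlv(0x65, ber_int(0) + tlv(0x04, b"") + tlv(0x04, b"")))
)

if __name__ == "__main__":
    # python ldap_probe.py 80.80.80.80 [389]  (address is the thread's placeholder);
    # with no argument it decodes SAMPLE_RESPONSE offline instead of connecting anywhere.
    if len(sys.argv) > 1:
        msgs = probe_rootdse(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 389)
    else:
        msgs = decode(SAMPLE_RESPONSE)
    print("resultCode:", search_result_code(msgs), entry_attributes(msgs))
```

A resultCode of 0 with a namingContexts value back proves the whole path, external ISA to internal ISA to the directory, rather than just the first hop. Two caveats worth keeping in mind once the rule works: everything this script reads anonymously is readable by every address in the "Allowed LDAP IPs" network, and port 389 carries it in clear text, so the same publishing rule is worth revisiting for LDAPS on 636 if the directory supports it.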
