ISA Server 2006 with Cisco front end
-
28 September 2010 22:36
Hi there,
We have a gnarly issue that I would really appreciate some help with. Our customer has a Cisco router on the edge of their network, this in turn connects to an ISA2006 Server. They have a supplier who has a site to site VPN which terminates on the Cisco server and they then RDP directly to a Terminal Server which lives behind the ISA Server. This always worked fine when the ISA was ISA Server 2004 but since the upgrade to ISA Server 2006 we have had issues. We can see the connections coming in to the ISA Server but they are constantly denied (Denied Connection in the log). There is a rule to allow RDP but the connections are not even hitting this rule and are just getting denied immediately. We are pretty sure the site to site VPN is working as the connections are appearing at the ISA Server but being denied.
Here are a list of IP addresses:
Suppliers subnet: 10.64.x.x
Inside IP address of Cisco: 192.168.250.1
Outside IP address of ISA Server: 192.168.250.228
Inside IP Address of ISA Server: 192.168.0.227
Address of Terminal Server: 192.168.0.156
There is a Network configured to define the 10.64.x.x network and a Network rule to route traffic between the 10.64.x.x and Internal networks.
Does anyone have any ideas, do you need any more information to help in troubleshooting?
Just some additional info, from my research: I think the issue is that the ISA Server thinks the 10.64.x.x network is on the inside of the ISA Server and the packets are dropped because they hit the external NIC and so seem to be spoofed. Something like that anyway...
Regards,
Richard
All replies
-
30 September 2010 7:40, Moderator
Hi,
Thank you for the post.
How do you create the access rule? For the RDP rule, please make it allow from Anywhere to Internal, with the protocol RDP Server (TCP 3389 Inbound).
Regards,
Nick Gu - MSFT
-
30 September 2010 20:55
Hi Nick,
That is exactly how the rule is created. I don't believe this is the issue however as when the connection is denied it is not denied because of any particular rule. There is no Anywhere network but it is set up to allow traffic from External and the suppliers subnet. This is what is in the log:
Denied Connection FE06754 28/09/2010 2:17:53 p.m.
Log type: Firewall service
Status:
Rule:
Source: Gentrack (10.64.2.199:1856)
Destination: Internal (192.168.0.156:3389)
Protocol: RDP (Terminal Services)
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: 10.64.2.199
Client agent:
Regards,
Richard
-
7 October 2010 1:48
Anyone have any ideas on this. I'm really stuck and the customer is getting pretty irate!
Cheers,
Rich
-
7 October 2010 15:14, Contributor
There are some fundamental problems here. It would probably be best not to use an access rule to do this if you are using a NAT network relationship between your Internal network and the External network. It would be best practice to use a server publishing rule (AKA non-web publishing rule) to publish the Terminal Server. That being said, if the rule is the same as in ISA 2004, then the same rule should work in ISA 2006. You are probably missing a route to the remote network. On the ISA 2006 server, open a command prompt and type the following:
ROUTE ADD 10.64.0.0 MASK 255.255.0.0 192.168.250.1 -p
When you created the network object, was it created as an External network?
If you want to go the server publishing route, then look at 294720 How to Server Publish a Terminal Server with ISA While also Running Terminal Services on the ISA Server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;294720
Brennan Crowe
Proposed as answer by Brennan Crowe (Editor), 7 October 2010 15:14
-
7 October 2010 20:07
Hi Brennan,
Thanks for the response. There was no route defined that I could see by doing a route print. There is a network definition called Contractor for 10.64.2.0-10.64.2.255 (sorry, I got the network mask wrong in the first post but the server was correctly configured). There is a network rule called Contractor which is configured to route traffic from the Contractor network (as defined above) to and from Internal. I am surprised that creating this network rule and network definition does not add a route to the ISA Server I have to admit!
So, I have added the route manually and asked the contractors to test (I can't do it from here as I am not on their network).
The rule is a Non-web Server publishing rule set to allow RDP to the internal Terminal Server (192.168.0.156) from the Contractor network; however, the rule does not appear to be being hit in the ISA logs, I just see Denied Connection with no rule specified.
The odd thing is that if I run the Traffic Simulator and simulate from 10.64.2.5 port 3389 to 192.168.0.156 port 3389 it works fine if I have an Access Rule created but gets denied by the Default Rule if I create a Non-web Server Publishing Rule... very strange...
Thanks once again and if the tests prove positive I will let you know and mark the question answered.
Cheers,
Richard
-
7 October 2010 20:29, Contributor
The logic is that the source is coming from a network that was previously defined, yet the traffic is received on the external interface, which indicates that the traffic may be spoofed and it is thus denied. If you had the route defined, then the traffic would come from the external network yet could be expected.
Brennan Crowe
-
7 October 2010 20:56
"I am surprised that creating this network rule and network definition does not add a route to the ISA Server I have to admit!"
That's because Networks in ISA are logical, policy-based networks; they have nothing to do with TCP/IP-based Layer 3 subnets or the routing table. The ISA Networks are there to provide a foundation for how policy works.
What is happening here, as far as I can see, is that you have defined/created an ISA Network when one should never have been created. There would not be a static route because there should not be one to begin with.
If I'm not mistaken (using an NNTP reader I don't see all the past posts), the best I can interpret this is that the Contractor is coming from External, and the original intent was to limit what is published by the Publishing Rule to the IP#s or IP range that the Contractor would be coming from. This should have been done by creating an Address Set or a Subnet Object (not a Network Definition) and then creating a normal Publishing Rule, then going back into the Rule Properties and replacing External with the Address Set or Subnet Object.
--
Phillip Windell
The views expressed are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
-
7 October 2010 20:57
Hi Brennan,
I think that makes sense, just surprised that creating the network rule does not automatically create a route. I've followed the instructions in the TechNet article which we hadn't already done. I need to restart the ISA Server now, which I can't do during working hours, so will have to test next week. Also confusing why the traffic simulator shows it working but then it doesn't...
Thanks for the help so far.
Richard
-
7 October 2010 21:29
There may be more to this than we think. I'm starting to think the whole approach might be wrong, and we continue to move farther from the true solution instead of closer (just my guess anyway). See my other post.
--
Phillip Windell
-
7 October 2010 22:16
Hi Phillip,
Thanks for your comments. So basically what I need to do is:
- Remove the network rule for Contractors
- Remove the network definition for Contractors
- Add a Subnet Object for 10.64.2.x/24
- Add a route to allow the traffic (could you please give me an example based on the networks as follows: Internal: 192.168.0.x/24 Contractors: 10.64.2.x/24) at the Windows layer, not in ISA
- Set up a Server Publishing rule to publish RDP access from the Subnet Object defined above to the Internal Terminal Server (192.168.0.156)
Anything else?
Regards,
Richard
-
8 October 2010 14:42
Leave out #4. There is no route. There is no "routing"; we are not dealing with routing at all. This is 100% Reverse Network Address Translation, and that is what the Server Publishing does. In ISA2004 they called them Server Publishing Rules; in ISA2006 and TMG, MS had to screw up perfectly good terminology and now call it "Non-Web Server Publishing Rule". Why? Well, because it is not a Web Publishing Rule.
Revised list would be:
- Remove the network rule for Contractors
- Remove the network definition for Contractors
- Add a Subnet Object for 10.64.2.x/24
- Set up a Server Publishing rule to publish RDP access from the Subnet Object defined above to the Internal Terminal Server (192.168.0.156)
--
Phillip Windell
-
10 October 2010 20:04
Thanks, Phillip. I'll give that a try and let you know how it goes. It seems obvious when you describe it; I'm not sure why all the complicated stuff was set up in ISA2004, as I get the impression it probably wasn't needed. It was set up by someone else and I didn't want to mess with it in case I made it worse.
Regards,
Richard
-
11 October 2010 21:18
Hi there,
We are still having the same issues. The following is shown in the Diagnostic Logging. The funny thing is that the server publishing rule we created is getting bypassed completely. The rule that is allowing the traffic is an Access rule (created by someone else) which is further down the rule list than my publishing rule. This allows the traffic, then it looks for a suitable network rule and gets denied by the Internet Access rule. This rule basically has a NAT from Internal, Quarantined VPN Clients, and VPN Clients (all built-in objects) to External. I'm pretty sure this is a default configuration. Any ideas?
Cheers,
Rich
Record Time Context Log Source Message
3040 11/10/2010 9:37:11 fffde531 Firewall service The Firewall service is performing rule evaluation.
3041 11/10/2010 9:37:11 fffde531 Firewall service Protocol: RDP (Terminal Services)
3042 11/10/2010 9:37:11 fffde531 Firewall Engine Packet properties: Source IP address: 10.64.2.199 Source array network: External Destination IP address: 192.168.0.156 Destination array network: Internal
3043 11/10/2010 9:37:11 fffde531 Firewall service ISA Server will check only rules that are associated with the protocol RDP (Terminal Services).
3044 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the rule [System] Allow remote management from selected computers using Terminal Server.
3045 11/10/2010 9:37:11 fffde531 Firewall service source does not match the packet.
3046 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
3047 11/10/2010 9:37:11 fffde531 Firewall service The source port does not match the rule.
3048 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the rule Talgenttra allow all.
3049 11/10/2010 9:37:11 fffde531 Firewall service The rule Talgenttra allow all matches the packet. The packet is allowed.
3050 11/10/2010 9:37:11 fffde531 Firewall service The rule Talgenttra allow all allowed the packet.
3051 11/10/2010 9:37:11 fffde531 Firewall service The Firewall service is performing rule evaluation.
3052 11/10/2010 9:37:11 fffde531 Firewall Engine Packet properties: Source IP address: 10.64.2.199 Source array network: External Destination IP address: 192.168.0.156 Destination array network: Internal
3053 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is looking for an applicable network rule.
3054 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the network rule Local Host Access.
3055 11/10/2010 9:37:11 fffde531 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3056 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is checking the reverse direction of the network rule Local Host Access.
3057 11/10/2010 9:37:11 fffde531 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
3058 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the network rule VPN Clients to Internal Network.
3059 11/10/2010 9:37:11 fffde531 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3060 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is checking the reverse direction of the network rule VPN Clients to Internal Network.
3061 11/10/2010 9:37:11 fffde531 Firewall service The source IP address in the packet does not match the destination specified in the network rule.
3062 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the network rule Havelock.
3063 11/10/2010 9:37:11 fffde531 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3064 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is checking the reverse direction of the network rule Havelock.
3065 11/10/2010 9:37:11 fffde531 Firewall service The source IP address in the packet does not match the destination specified in the network rule.
3066 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the network rule Internet Access.
3067 11/10/2010 9:37:11 fffde531 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3068 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is checking the reverse direction of the network rule Internet Access.
3069 11/10/2010 9:37:11 fffde531 Firewall service The source and destination in the packet match the source and destination specified in the network rule Internet Access in the reverse direction.
3070 11/10/2010 9:37:11 fffde531 Firewall service The reverse direction of the network rule Internet Access, which defines a NAT relationship, matches the source and destination IP addresses specified in the packet. The traffic is denied.
3071 11/10/2010 9:37:11 fffde531 Firewall service No network rule was found.
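The diagnostic trace in this post shows ISA's two-stage decision: an access rule allows the packet, then the network-rule search finds only the Internet Access NAT relationship, hit in the reverse direction, and the traffic is dropped. As an added example (not code from the thread, from Microsoft or from any ISA tool), the Python below parses this five-column diagnostic-log format and reduces one trace to that two-stage summary, so the reason for a deny and whether a given publishing rule was ever considered can be read off without scanning every record. The SAMPLE_TRACE text is a constructed excerpt copied in the same format as the log above, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the ISA 2006 diagnostic log posted in the
# thread (Record, Time, Context, Log Source, Message), cut down to the records
# that decide the outcome; the rule names mirror the thread's own log.
SAMPLE_TRACE = """\
3040 11/10/2010 9:37:11 fffde531 Firewall service The Firewall service is performing rule evaluation.
3041 11/10/2010 9:37:11 fffde531 Firewall service Protocol: RDP (Terminal Services)
3042 11/10/2010 9:37:11 fffde531 Firewall Engine Packet properties: Source IP address: 10.64.2.199 Source array network: External Destination IP address: 192.168.0.156 Destination array network: Internal
3044 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the rule [System] Allow remote management from selected computers using Terminal Server.
3045 11/10/2010 9:37:11 fffde531 Firewall service source does not match the packet.
3048 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the rule Talgenttra allow all.
3049 11/10/2010 9:37:11 fffde531 Firewall service The rule Talgenttra allow all matches the packet. The packet is allowed.
3053 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is looking for an applicable network rule.
3066 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is evaluating the network rule Internet Access.
3068 11/10/2010 9:37:11 fffde531 Firewall service ISA Server is checking the reverse direction of the network rule Internet Access.
3070 11/10/2010 9:37:11 fffde531 Firewall service The reverse direction of the network rule Internet Access, which defines a NAT relationship, matches the source and destination IP addresses specified in the packet. The traffic is denied.
3071 11/10/2010 9:37:11 fffde531 Firewall service No network rule was found.
"""

# Column split for one record, then the message shapes that carry the decision.
LINE_RE = re.compile(
    r"^(?P<record>\d+)\s+(?P<time>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<context>[0-9a-f]+)\s+(?P<source>Firewall service|Firewall Engine)\s+(?P<msg>.*)$")
PACKET_RE = re.compile(
    r"Source IP address: (?P<src>\S+) Source array network: (?P<src_net>\S+) "
    r"Destination IP address: (?P<dst>\S+) Destination array network: (?P<dst_net>\S+)")
EVAL_NET_RULE_RE = re.compile(r"evaluating the network rule (?P<rule>.+)\.$")
EVAL_RULE_RE = re.compile(r"evaluating the rule (?P<rule>.+)\.$")
ALLOW_RE = re.compile(r"^The rule (?P<rule>.+) matches the packet\. The packet is allowed\.$")
NAT_DENY_RE = re.compile(r"^The reverse direction of the network rule (?P<rule>.+), which "
                         r"defines a NAT relationship, matches .* The traffic is denied\.$")


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Split raw diagnostic-log lines into their five columns; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize_trace(text: str) -> dict:
    """Reduce one trace to the packet, the access-rule stage and the network-rule stage."""
    s = {"protocol": None, "src": None, "src_net": None, "dst": None, "dst_net": None,
         "access_rules_evaluated": [], "network_rules_evaluated": [],
         "allowed_by_access_rule": None, "denied_by_network_rule": None, "verdict": None}
    for row in parse_trace(text):
        msg = row["msg"]
        packet, net_rule = PACKET_RE.search(msg), EVAL_NET_RULE_RE.search(msg)
        rule, allow, nat_deny = EVAL_RULE_RE.search(msg), ALLOW_RE.match(msg), NAT_DENY_RE.match(msg)
        if msg.startswith("Protocol: "):
            s["protocol"] = msg[len("Protocol: "):]
        elif packet:                       # source/destination address and ISA network
            s.update(packet.groupdict())
        elif net_rule:                     # stage 2: a network rule being considered
            s["network_rules_evaluated"].append(net_rule["rule"])
        elif rule:                         # stage 1: an access/publishing rule being considered
            s["access_rules_evaluated"].append(rule["rule"])
        elif allow:                        # stage 1 decided
            s["allowed_by_access_rule"] = allow["rule"]
        elif nat_deny:                     # stage 2 decided: NAT relationship hit backwards
            s["denied_by_network_rule"] = nat_deny["rule"]
            s["verdict"] = "denied"
        elif msg == "No network rule was found." and s["verdict"] is None:
            s["verdict"] = "denied"
    return s


def was_evaluated(summary: dict, rule_name: str) -> bool:
    """True if the named rule was even considered; a bypassed publishing rule never is."""
    return rule_name in summary["access_rules_evaluated"]


def diagnose(summary: dict) -> str:
    """One-line explanation of the outcome in the terms the thread uses."""
    if summary["verdict"] != "denied":
        return "allowed"
    if summary["allowed_by_access_rule"] and summary["denied_by_network_rule"]:
        return (f"access rule '{summary['allowed_by_access_rule']}' allowed {summary['protocol']} "
                f"from {summary['src']} ({summary['src_net']}) to {summary['dst']} "
                f"({summary['dst_net']}), but the only matching network rule, "
                f"'{summary['denied_by_network_rule']}', is a NAT relationship hit in the reverse "
                f"direction, so the packet was dropped: inbound traffic across a NAT relationship "
                f"needs a server publishing rule, not an access rule")
    return "denied before any access rule matched"


if __name__ == "__main__":
    print(diagnose(summarize_trace(SAMPLE_TRACE)))
```

Running it over a full Diagnostic Logging export (one record per line, as in the post) answers the two questions raised here: which access rule actually allowed the packet, and whether the intended publishing rule appears in `access_rules_evaluated` at all.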
-
12 October 2010 19:18
There is no way that an Access Rule can allow inbound traffic unless the Network Relationship between Internal -vs- External is changed to "routed" and all Hosts involved are able to route to/from your RFC Private Addresses on the LAN (which is impossible across the Internet without being tunneled).
This has just become too convoluted for me to deal with. There has to be a lot of config and topology "unknowns" here that have never been revealed, and there is no way to solve this unless all things are clearly known.
--
Phillip Windell
-
13 October 2010 1:29
Hi Phillip,
I appreciate your help so far. Is there anything else I can give you in terms of the configuration that you need to know? I inherited this server and configuration from another IT supplier and am trying to make the best of it. I have been discussing with the customer about ditching the server completely and installing TMG instead and building up the rules from scratch as this is an upgrade from ISA 2004 so who knows what is left over. Their current rule set is really quite complicated and messy as you can see and I'm not really an ISA expert (more VMware and Exchange for me...).
I would be really grateful if you would have one last stab at helping out, as I am at the end of my knowledge here.
Thanks,
Richard
In terms of network rules we only have the following:
The standard Local Host Access rule (routes local host to all networks)
The standard VPN Clients to Internal Network rule (routes Quarantined VPN Clients and VPN Clients to Internal)
The standard Internet Access rule (NATs Internal, Quarantined VPN Clients, VPN Clients to External)
The Internal network is defined as a bunch of 192.168.x.0/24 networks (specifically 0,10,20,40,41,42,50,51,101).
The routing table on the server looks as below:
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 21 5e 40 86 52 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
0x10004 ...00 21 5e 40 86 50 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.250.1 192.168.250.227 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.227 192.168.0.227 10
192.168.0.1 255.255.255.255 192.168.0.52 192.168.0.52 1
192.168.0.52 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.0.227 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.0.255 255.255.255.255 192.168.0.227 192.168.0.227 10
192.168.10.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.20.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.40.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.41.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.42.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.50.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.51.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.101.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.102.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.103.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.104.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.105.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.250.0 255.255.255.0 192.168.250.227 192.168.250.227 20
192.168.250.227 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.250.228 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.250.255 255.255.255.255 192.168.250.227 192.168.250.227 20
203.173.161.157 255.255.255.255 192.168.250.1 192.168.250.227 20
224.0.0.0 240.0.0.0 192.168.0.227 192.168.0.227 10
224.0.0.0 240.0.0.0 192.168.250.227 192.168.250.227 20
255.255.255.255 255.255.255.255 192.168.0.227 192.168.0.227 1
255.255.255.255 255.255.255.255 192.168.250.227 192.168.250.227 1
Default Gateway: 192.168.250.1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
192.168.10.0 255.255.255.0 192.168.0.251 1
192.168.103.0 255.255.255.0 192.168.0.251 1
192.168.20.0 255.255.255.0 192.168.0.251 1
192.168.101.0 255.255.255.0 192.168.0.251 1
192.168.102.0 255.255.255.0 192.168.0.251 1
192.168.104.0 255.255.255.0 192.168.0.251 1
192.168.105.0 255.255.255.0 192.168.0.251 1
192.168.40.0 255.255.255.0 192.168.0.251 1
192.168.41.0 255.255.255.0 192.168.0.251 1
192.168.50.0 255.255.255.0 192.168.0.251 1
192.168.42.0 255.255.255.0 192.168.0.251 1
192.168.51.0 255.255.255.0 192.168.0.251 1
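Earlier in the thread the question was whether a route to the contractor subnet was missing, and the answer was that none is needed. As an added example (not code from the thread or from Microsoft), the Python below parses a constructed excerpt of the route print output above, performs the longest-prefix lookup the Windows stack performs, and shows that 10.64.2.199 is already reached through the default gateway 192.168.250.1 on the external NIC. It then adds the ROUTE ADD 10.64.0.0 MASK 255.255.0.0 192.168.250.1 static route suggested earlier and shows that only the matched prefix changes, not the interface: the contractor stays on the External side of ISA either way, which is why the static route made no difference. The NIC-to-ISA-network mapping (192.168.0.227 is Internal, 192.168.250.227 is External, inferred from the addresses in this thread), the sample text and the function names are assumptions made for this example.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


# Constructed excerpt of the 'route print' output posted in the thread (Active
# Routes only); Persistent Routes rows have four columns and are skipped.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1  192.168.250.227      20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.227    192.168.0.227      10
     192.168.10.0    255.255.255.0    192.168.0.251    192.168.0.227       1
    192.168.250.0    255.255.255.0  192.168.250.227  192.168.250.227      20
Default Gateway:     192.168.250.1
"""

# Assumption inferred from the thread: which ISA network each NIC address belongs to.
NIC_TO_ISA_NETWORK = {
    ipaddress.IPv4Address("192.168.0.227"): "Internal",
    ipaddress.IPv4Address("192.168.250.227"): "External",
}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_ROW_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_route_print(text: str) -> List[Route]:
    """Pick the five-column Active Routes rows out of 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_ROW_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                            ipaddress.IPv4Address(gateway),
                            ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match; the lowest metric wins a tie, as the Windows stack does."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def with_route(routes: List[Route], cidr: str, gateway: str, metric: int = 1) -> List[Route]:
    """Copy of the table with a static route added, as ROUTE ADD ... -p would do.

    Windows binds the new route to the interface that reaches the gateway, so the
    gateway must sit on a directly connected network (gateway == interface row).
    """
    egress = lookup(routes, gateway)
    if egress is None or egress.gateway != egress.interface:
        raise ValueError(f"gateway {gateway} is not on a directly connected network")
    new = Route(ipaddress.IPv4Network(cidr, strict=False), ipaddress.IPv4Address(gateway),
                egress.interface, metric)
    return routes + [new]


def isa_network_for(routes: List[Route], ip: str) -> Optional[str]:
    """Which ISA network a host is reached through, under the NIC mapping assumed above."""
    r = lookup(routes, ip)
    return None if r is None else NIC_TO_ISA_NETWORK.get(r.interface)


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for host in ("10.64.2.199", "192.168.0.156"):
        print(host, "->", isa_network_for(table, host))
    patched = with_route(table, "10.64.0.0/16", "192.168.250.1")
    print("10.64.2.199 after ROUTE ADD ->", lookup(patched, "10.64.2.199").network,
          isa_network_for(patched, "10.64.2.199"))
```

The same lookup run against a full `route print` capture tells you, for any remote address, which NIC ISA will see it on, and therefore which ISA network (and which publishing or access rule) will be consulted.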
-
14 October 2010 14:05
Your details posted below look fine, but there really isn't any way to deal with overly complex Access Rules (combined maybe with messed-up ones on top of that) in an environment that has a very foggy design by using these simple forum messages.
We are also dealing with RDP here, which can be a problem if the ISA is also trying to allow RDP to itself from the private LAN for management purposes. You're better off disabling RDP to the ISA itself and using something else like VNC or whatever for local management purposes, so that the RDP sockets are freed up for publishing for the Contractor.
As far as additional information, I would have no idea what to even ask for any more.
--
Phillip Windell
"Noyzyboy" <=?utf-8?B?Tm95enlib3k=?=> wrote in message news:8e5697fa-437e-4bc7-b0a6-2131a8cb0fd7...Hi Phillip,
I appreciate your help so far. Is there anything else I can give you in terms of the configuration that you need to know? I inherited this server and configuration from another IT supplier and am trying to make the best of it. I have been discussing with the customer about ditching the server completely and installing TMG instead and building up the rules from scratch as this is an upgrade from ISA 2004 so who knows what is left over. Their current rule set is really quite complicated and messy as you can see and I'm not really an ISA expert (more VMware and Exchange for me...).
I would be really grateful if you would have one last stab at helping out, as I am at the end of my knowledge here.
Thanks,
Richard
In terms of network rules we only have the following:
The standard Local Host Access rule (routes local host to all networks)
The standard VPN clients to Internal Networks rule (routes Quarantined PVN Clients and VPN Clients to Internal
The standard Internet Access rule (NATs Intneral, Quarantined VPN Clients, VPN Clients to External)
The Internal network is defined as a bunch of 192.168.x.0/24 networks (specifically 0,10,20,40,41,42,50,51,101).
The routing table on the server looks as below:
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 21 5e 40 86 52 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
0x10004 ...00 21 5e 40 86 50 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.250.1 192.168.250.227 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.227 192.168.0.227 10
192.168.0.1 255.255.255.255 192.168.0.52 192.168.0.52 1
192.168.0.52 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.0.227 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.0.255 255.255.255.255 192.168.0.227 192.168.0.227 10
192.168.10.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.20.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.40.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.41.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.42.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.50.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.51.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.101.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.102.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.103.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.104.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.105.0 255.255.255.0 192.168.0.251 192.168.0.227 1
192.168.250.0 255.255.255.0 192.168.250.227 192.168.250.227 20
192.168.250.227 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.250.228 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.250.255 255.255.255.255 192.168.250.227 192.168.250.227 20
203.173.161.157 255.255.255.255 192.168.250.1 192.168.250.227 20
224.0.0.0 240.0.0.0 192.168.0.227 192.168.0.227 10
224.0.0.0 240.0.0.0 192.168.250.227 192.168.250.227 20
255.255.255.255 255.255.255.255 192.168.0.227 192.168.0.227 1
255.255.255.255 255.255.255.255 192.168.250.227 192.168.250.227 1
Default Gateway: 192.168.250.1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
192.168.10.0 255.255.255.0 192.168.0.251 1
192.168.103.0 255.255.255.0 192.168.0.251 1
192.168.20.0 255.255.255.0 192.168.0.251 1
192.168.101.0 255.255.255.0 192.168.0.251 1
192.168.102.0 255.255.255.0 192.168.0.251 1
192.168.104.0 255.255.255.0 192.168.0.251 1
192.168.105.0 255.255.255.0 192.168.0.251 1
192.168.40.0 255.255.255.0 192.168.0.251 1
192.168.41.0 255.255.255.0 192.168.0.251 1
192.168.50.0 255.255.255.0 192.168.0.251 1
192.168.42.0 255.255.255.0 192.168.0.251 1
192.168.51.0 255.255.255.0 192.168.0.251 1
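The routing table and network rules quoted above are exactly what ISA uses to decide whether a packet is spoofed: ISA associates each of its networks with one adapter by looking the network's address ranges up in the routing table, and a packet whose source address belongs to a network that is not associated with the adapter it arrived on is logged as a denied (spoofed) connection. The script below is an added example, not part of the thread and not Microsoft's tooling. It parses the `route print` output as posted, works out which adapter each ISA network maps to, runs the spoof check for a few constructed packets, and lists routes that leave through the internal NIC but belong to no defined ISA network. The supplier range 10.64.0.0/16 (the post only says 10.64.x.x), the adapter names and the sample packets are assumptions.

```python
"""Check ISA Server network definitions against the Windows routing table.

ISA associates each network with one adapter via the routing table and treats a
packet as spoofed when its source belongs to a network not associated with the
adapter it arrived on. Added example; assumptions are marked below."""
import ipaddress
import re

# Constructed sample: rows copied from the 'Active Routes' section in the thread
# (loopback, host, multicast and broadcast rows omitted; they do not change the result).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1  192.168.250.227     20
      192.168.0.0    255.255.255.0    192.168.0.227    192.168.0.227     10
     192.168.10.0    255.255.255.0    192.168.0.251    192.168.0.227      1
     192.168.20.0    255.255.255.0    192.168.0.251    192.168.0.227      1
     192.168.40.0    255.255.255.0    192.168.0.251    192.168.0.227      1
     192.168.41.0    255.255.255.0    192.168.0.251    192.168.0.227      1
     192.168.42.0    255.255.255.0    192.168.0.251    192.168.0.227      1
     192.168.50.0    255.255.255.0    192.168.0.251    192.168.0.227      1
     192.168.51.0    255.255.255.0    192.168.0.251    192.168.0.227      1
    192.168.101.0    255.255.255.0    192.168.0.251    192.168.0.227      1
    192.168.102.0    255.255.255.0    192.168.0.251    192.168.0.227      1
    192.168.103.0    255.255.255.0    192.168.0.251    192.168.0.227      1
    192.168.104.0    255.255.255.0    192.168.0.251    192.168.0.227      1
    192.168.105.0    255.255.255.0    192.168.0.251    192.168.0.227      1
    192.168.250.0    255.255.255.0  192.168.250.227  192.168.250.227     20
Default Gateway:     192.168.250.1
"""

# Adapter names are assumed; the interface addresses are the ones in the thread.
ADAPTERS = {"192.168.0.227": "Internal NIC", "192.168.250.227": "External NIC"}

# ISA network definitions as described in the thread. 10.64.0.0/16 is an
# assumption: the post only gives the supplier subnet as 10.64.x.x.
ISA_NETWORKS = {
    "Internal": [f"192.168.{n}.0/24" for n in (0, 10, 20, 40, 41, 42, 50, 51, 101)],
    "Supplier": ["10.64.0.0/16"],
}

# destination netmask gateway interface metric; headers and the gateway line do not match
ROW = re.compile(r"^\s*(\d[\d.]*)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_table(text):
    """Return [(network, interface_address, metric)] parsed from 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, _gateway, iface, metric = m.groups()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), iface, int(metric)))
    return routes


def egress_interface(routes, address):
    """Interface the stack sends to `address` through: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def adapter_for_network(routes, ranges):
    """Adapter ISA associates with a network; None if its ranges leave through several NICs."""
    nics = {ADAPTERS.get(egress_interface(routes, str(ipaddress.ip_network(r).network_address)))
            for r in ranges}
    return nics.pop() if len(nics) == 1 else None


def network_of(address, networks):
    """Name of the defined ISA network containing `address`; anything else is External."""
    addr = ipaddress.ip_address(address)
    for name, ranges in networks.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"


def spoof_check(routes, networks, source, arrival_iface):
    """(network of source, adapter ISA expects it on, accepted?) for a packet that
    arrived on the adapter whose address is `arrival_iface`."""
    name = network_of(source, networks)
    if name == "External":
        expected = ADAPTERS.get(egress_interface(routes, "0.0.0.0"))  # default-route NIC
    else:
        expected = adapter_for_network(routes, networks[name])
    return name, expected, expected == ADAPTERS.get(arrival_iface)


def unclaimed_internal_routes(routes, networks):
    """Routes leaving through a non-default NIC whose destination is in no defined ISA
    network: ISA calls those addresses External and drops their traffic on that NIC as spoofed."""
    default_nic = egress_interface(routes, "0.0.0.0")
    defined = [ipaddress.ip_network(r) for ranges in networks.values() for r in ranges]
    return [str(net) for net, iface, _ in routes
            if iface != default_nic and not any(net.subnet_of(d) for d in defined)]


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT)
    for src, nic in (("10.64.5.5", "192.168.250.227"),      # supplier host via the Cisco
                     ("192.168.0.156", "192.168.0.227"),    # the terminal server
                     ("192.168.102.7", "192.168.0.227")):   # routed internally, not in Internal
        print(src, "on", ADAPTERS[nic], "->", spoof_check(table, ISA_NETWORKS, src, nic))
    print("routed via internal NIC but in no ISA network:", unclaimed_internal_routes(table, ISA_NETWORKS))
```

Run against a real box, paste the full `route print` output into ROUTE_PRINT and fill ISA_NETWORKS from the Networks tab. With the table as posted, the supplier range resolves to the default-route NIC, so a 10.64.x.x source arriving on the external adapter is consistent; the four 192.168.102-105.0/24 routes, on the other hand, point through the internal NIC without being part of the Internal network, which is the kind of mismatch that shows up as spoofed-packet denials in the log.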
-
14 October 2010 16:13
Contributor
Richard,
E-mail me your contact information. Let me set up a time where I'll call you to look at this. Brennan.Crowe at Microsoft.com
Thanks,
Brennan Crowe
-
14 October 2010 19:18
Hi Phillip,
Understood and appreciated. Thanks for your help so far, I think the use of VNC is a good idea and I'll suggest to my customer as I'm meeting them today. Thanks so much for your help so far in such tricky circumstances and I have learnt a lot even from this short discussion. I did tell the customer several months ago, I thought their rule set was overly complicated and needed a complete overhaul. Perhaps we will just move to TMG and start from scratch unless Brennan can help me out below.
Thanks once again and best wishes from sunny New Zealand!!
Richard
-
15 October 2010 16:15
You're welcome sir! Hope it all works out. I'm sure Brennan can get you going if he can get a better view of what is going on than I can from here.
--
Phillip Windell
The views expressed are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.