Sunday, January 06, 2013 3:35 PM
I have two independent networks on site to handle the needs of two different divisions in the company. Both networks are protected by ISA Server and each has its own static IP and gateway.
DivA has a gateway that is protected by TMG (edge firewall configuration) with a group of computers behind it on an Ethernet switch (192.168.100.x subnet), most notably a Windows SBS 2011 box that runs SQL Server 2008 and is at 192.168.100.3
DivB has a gateway that is protected by ISA Server 2006 (edge firewall configuration) with a group of computers behind it on an Ethernet switch (192.168.201.x subnet).
What I’m trying to figure out is how to publish the SQL Server on DivA to the DivB computers without having to go out through the DivB gateway to the Internet and into the DivA network. Even if I set up a site-to-site connection it seems like a waste to take that traffic out to the open Internet.
Here is what I attempted to do but it is not working:
1. I ran an Ethernet cable from the DivA Ethernet switch directly into an Ethernet port on DivB’s ISA Server 2006 box. I named the network adapter DivANetwork on the ISA server and assigned it a static IP of 192.168.100.243.
2. I set up a network named DivA pointing to that adapter to get the address range. I set up a Route network rule with Internal as the source and DivA as the Destination. I’m not sure if I need a NAT network rule but I suspect not.
At this point I can ping the 192.168.100.3 box from the DivB ISA Server (localhost) but attempts to ping it from other DivB computers fail.
3. I created a “Publish Non Web Server” firewall rule that points to the 192.168.100.3 box and created an access rule to allow SQL Server traffic from (Internal, Localhost, DivA) to (Internal, Localhost, DivA).
4. I then created a UDL file, which allows you to test connections to a SQL Server, and tried to access the published server. This failed with the ISA Monitor showing the Default Rule denying the connection from Source Network: Local Host, Destination Network: DivA, Client IP: 192.168.100.243 (the static I assigned above), Destination IP: 192.168.100.3, Protocol: Microsoft SQL (TCP), Destination Port: 1433.
I’m looking for someone that can tell me if I’m doing this right or not. Any help will be greatly appreciated.
Thank you, Herb
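An added example, not part of Herb's post: the symptom in step 2 (the ISA box can ping 192.168.100.3, DivB clients cannot) is what you see when the forward path exists but the SQL host's reply has no route back to 192.168.201.x. The script below models that with a longest-prefix-match lookup over constructed route tables; it assumes the DivB ISA internal address, a TMG gateway at 192.168.100.1, and that TMG has no route to 192.168.201.0/24 (all assumptions, not from the thread).

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway, interface) tuples.
    Returns (gateway, interface) or None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

# Constructed route table for the DivB ISA 2006 box (addresses from the
# thread; the Internal NIC address is an assumption).
ISA_DIVB = [
    ("192.168.201.0/24", "on-link", "Internal"),      # DivB LAN
    ("192.168.100.0/24", "on-link", "DivANetwork"),   # NIC at 192.168.100.243
    ("0.0.0.0/0", "<ISP gateway placeholder>", "External"),
]

# Constructed route table for the SQL host 192.168.100.3. Its only exit is
# the default gateway, assumed here to be the TMG box at 192.168.100.1.
SQL_DIVA_BEFORE = [
    ("192.168.100.0/24", "on-link", "LAN"),
    ("0.0.0.0/0", "192.168.100.1", "LAN"),
]

# Same host after a static route for DivB via the ISA box's DivANetwork NIC.
SQL_DIVA_AFTER = SQL_DIVA_BEFORE + [("192.168.201.0/24", "192.168.100.243", "LAN")]

def reply_next_hop(client_ip, sql_routes):
    """Where the SQL host sends its reply to client_ip."""
    return next_hop(sql_routes, client_ip)

def reply_path_ok(client_ip, sql_routes):
    """True when the forward hop leaves on DivANetwork and the reply comes
    back either on-link or via 192.168.100.243 (the ISA box). A reply sent
    to the TMG gateway is assumed to be dropped, since TMG knows nothing
    about 192.168.201.0/24."""
    fwd = next_hop(ISA_DIVB, "192.168.100.3")
    rev = reply_next_hop(client_ip, sql_routes)
    if fwd is None or rev is None:
        return False
    return fwd[1] == "DivANetwork" and rev[0] in ("on-link", "192.168.100.243")

if __name__ == "__main__":
    for ip in ("192.168.100.243", "192.168.201.50"):
        print(ip, "before:", reply_path_ok(ip, SQL_DIVA_BEFORE),
              "after:", reply_path_ok(ip, SQL_DIVA_AFTER))
```

Running it shows the ISA box itself (sourcing from 192.168.100.243) works in both tables while a 192.168.201.x client only works once the SQL host, or its TMG gateway, has a route back through 192.168.100.243.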
Tuesday, January 08, 2013 7:31 AM
Moderator
Thank you for the post.
On ISA Server, you may add a new network adapter named DivA which directly connects to the Ethernet switch (192.168.100.x subnet). And create a route network rule between the internal network and the DivA network. If you want the internal subnet to access the SQL server, just create an access rule to allow the SQL (TCP, UDP) protocol from internal to DivA.
Nick Gu - MSFT
- Proposed As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Wednesday, January 09, 2013 1:56 AM
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Monday, January 14, 2013 1:53 AM