ISA Server 2006 - PPPoE with multiple IP addresses

    Question

  • Environment:
    Windows Server 2003/ISA Server 2006
    1 PPPoE WAN Miniport  -  85.50.xx.15
    1 NIC LAN  -  192.168.23.1
    1 NIC WAN  -  85.50.xx.120, 85.50.xx.121

    I have a DSL broadband connection with PPPoE.
    Therefore I created a PPPoE WAN Adapter using ‘Control Panel’ – ‘Network Connections’ – ‘New Connection Wizard’ on the Windows Server hosting ISA and configured a PPPoE connection according to KB837830.

    A single static IP address has been assigned from the ISP by DHCP to the PPPOE adaptor (83.50.xx.15)

    We received another block of 4 addresses 83.50.xx.120 – 83.50.xx.123. I put 2 of these addresses on the WAN adapter of my ISA Server, which is connected to the cable modem

    I created a web listener and bound it to only one of the ‘external' IP addresses (83.50.xx.122). The ‘Test Rule’ button results in everything green, so it seems to be ok. But if I look at the logs, it ends up hitting the last default deny rule 
    0xc004000d FWX_E_POLICY_RULES_DENIED

    The MX record is set to the 85.50.xx.15 ip and that works fine.

    How can I get the web-listener to work? Any idea?


    Regards
    Peter
    Friday, July 16, 2010 9:54 AM

Answers

  • I don't know if any of this would be of any help but I did a search and noticed that there is hardly anything "out there" on this,..but I did find these two links:
     
    Multiple IP's on PPP-OE - Astaro User Bulletin Board
     
    Howto Assign Multiple Static Public IP Addresses under SBC's PPPoE Static Ip system
     
    I think I would really try to find another solution that does not involve PPPoE,...PPPoE is just always bad for a business environment.  It works fine for simple "home user" situations which is what it was designed for,...but beyond that I have never ever heard anything "good" about it,..ever.
     
    If you can't do that then go to a single address model (if they charge you less for that).  You can do a lot with just one address if you engineer everything properly.  For example, as far as things like publishing http sites you can do an almost unlimited number of those on the same IP# and Port# as long as you don't go SSL.

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Monday, July 19, 2010 7:18 PM
  • Hello Phillip

    Thanks for your answers and sorry for my delay!

    I now use a router between the cable modem and the ISA Server, and let the router do the PPPOE authentication.
    Works fine.

    Regards
    Peter

    • Marked as answer by PeterN22 Sunday, September 26, 2010 8:35 AM
    Thursday, September 02, 2010 8:14 PM

All replies

  • It is probably working.  It cannot Deny a connection if it never "heard" the connection.  Listeners do not "deny" or "allow" connections,...they only "listen" for them.
     
    More than likely there is something wrong with the "Test Rule" that is behind the Listener,...or there is something wrong in the way you are trying to "test"..
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Friday, July 16, 2010 1:13 PM
  • Hi Phillip

    Yes of course, it's the publishing rule that is not working - Sorry.

    I am trying to publish Outlook Web Access. The rule behind the listener is correct.

    We had to change to this PPPoE connection (ISP related), because of the need of multiple static ip addresses. Before this change OWA worked with the same Listener and Publishing Rules. I just changed to the new ip addresses.

    Update:
    Outlook Web Access is now working, but I had to use the ip that has been assigned to the PPPoE adapter.
    If I try to use one of the other ip addresses, I always receive the error 0xc004000d FWX_E_POLICY_RULES_DENIED.

    I guess there is a problem with this configuration ISA - PPPoE - multiple static ip addresses.
    In the meantime I found different postings with similar issues, but no solution.

    Is this configuration not supported?

    Regards
    Peter

    Friday, July 16, 2010 2:12 PM
  • I don't know.   PPPoE, almost by definition, is Dynamic and a single IP#.  So I don't know what this ISP is doing or how they think they are doing it.  For me, there is no way I would even get involved with an ISP that tried to force PPPoE on me.  I guess I have no answer for you.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Friday, July 16, 2010 3:51 PM
  • Thanks anyway.
    Monday, July 19, 2010 6:19 PM
  • Surely the ISP has had issues with other customers. Have you contacted them?  Even if they know nothing of ISA/TMG (and they probably don't) they still might be able to give clues to how their stuff works that then might be able to help with how ISA deals with it.  So gaining some understanding of how they use their technology could help.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Monday, July 19, 2010 6:59 PM
  • I suppose if you add the same number of external IP#s on the ISA as is on the external side of the Cable NAT Box then maybe it can do a 1-to-1 NAT between each public IP and ISA IP.  Assuming of course that the Cable box is doing NAT and can do multiple 1-to-1 NATs.  I'm also assuming that the Cable NAT box is doing NAT across it which creates a Back-to-Back DMZ between it and the ISA.
     
    Of course there is the method of changing the Internal -vs- External Relationship of NAT to "routed".  So there are a couple ways to deal with it.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Thursday, September 02, 2010 8:54 PM