Smeg
Fri Dec 17 17:13:42 CST 2004
That's what I figure as well. I'll open up the server again to where
everything worked and then gradually close it down until I get to the
point where the only things are open that need to be.
Thanks for the help
Smeghead
"Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in
news:#DZ1s2v4EHA.2788@TK2MSFTNGP15.phx.gbl:
> OK, so the routing rule is using a destination set that includes only
> the external PC, right? In that case, it seems appropriate.
>
> Thinking about it, ISA would be forwarding everything to the broadband
> router's IP, which is why it's not finding the other PC on the WAN
> side. So this solution makes sense to me, although I'm far from an
> ISA expert. (I don't think I helped you any, but you definitely
> taught me something).
>
> When you're finished, you could go to www.grc.com and run Shields Up
> to test your ISA configuration for security, choosing the "all ports"
> option.
>
>
> "Smeg Head" <here.there@everywhere> wrote in message
> news:Xns95C0E53E98523herethereeverywhere@207.46.248.16...
>> I have had some success with this but need to check if I have opened
>> the server up too much or made some kind of mistake.
>>
>>
>> I have attached a PC on the same "external" switch as the cache box
>> and it works (as per your suggestion). The access is via Internet
>> Explorer with the following in the address bar:
>>
>> http://10.81.10.250/admin.html
>>
>> The provided PC (cache box) has no monitor, kbd nor mouse. It's just
>> a box.
>> Just for the sake of it I attached a monitor to it and it was on a
>> login/password screen that I have no access to. Ah well.
>>
>>> Is the cache PC pulling the information from the source(s), or is
>>> the information being pushed to the cache PC by the sources?
>> I think it's both from the brief instruction pack that we got with
>> it.
>>
>>
>> Anyway, on to the real success story:
>> I found a flow chart on the internet of ISA security and followed it.
>> The last entry on the flowchart was to do with routing (and I think I
>> have all the others as OK)
>> I tried adding an entry in "ISA Management" as follows and it works.
>> Under "Servers and Arrays, then the server name
>> "Network Configuration"
>> I added another entry in "Routing" specifically for the "external
>> PC" It is "Order 1" i.e. top of the list
>>
>> I can't remember all of the settings that I made but is this bad,
>> apart from the fact that it works now. If this is OK I will close
>> down (one at a time) my other changes that opened everything up to
>> get things back to normal.
>>
>> I have disabled this new entry in "Routing" and my other "Allow All"
>> tests for the time being so it's back to not working at the moment
>> for security purposes.
>>
>> Thanks for any help
>>
>> Cheers
>>
>> Smeghead
>>
>>
>>
>> "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in
>> news:uENDhmV4EHA.524@TK2MSFTNGP09.phx.gbl:
>>
>>> I'm not sure I get the answer, but at least I get the question : -)
>>>
>>> Is the cache PC pulling the information from the source(s), or is
>>> the information being pushed to the cache PC by the sources? It
>>> seems that the cache box could be inside the LAN and that ISA would
>>> just allow it to go out and get the information it needs. I agree
>>> with you that it would be foolish to give up the protection provided
>>> by ISA, especially since if this is a conventional broadband
>>> connection, I don't see anywhere that they are providing firewall
>>> protection - it's all ISA in my understanding of the situation.
>>>
>>> It can't be a routing thing since you can ping the server. I was
>>> going to say create a destination set for that IP, then a site and
>>> content rule to allow access to the destination set. Since it
>>> appears that you've done that, and since the cache PC is still not
>>> responding, I wonder if it's the cache PC that's blocking the
>>> request rather than ISA.
>>>
>>> What I would do now is to temporarily stick a PC on the external
>>> switch and attempt to access the cache box. That way you'll have an
>>> idea what result you should be seeing through ISA. And, if the
>>> cache PC doesn't respond as expected, you'll know it's not an ISA
>>> issue.
>>>
>>> If this is normal http traffic, ISA wouldn't be blocking it, right?
>>> I'd expect that you'd be able to access http://10.81.10.250 just as
>>> you do http://www.cnn.com.
>>>
>>>
>>> "Smeg Head" <here.there@everywhere> wrote in message
>>> news:Xns95BDB92181313herethereeverywhere@207.46.248.16...
>>>> Thanks for the reply.
>>>>
>>>> The setup is in a school and the education authority have provided
>>>> a PC (which I have no control over) to act as a cache and source of
>>>> education software. The idea is that certain education websites can
>>>> be completely cached (or mirrored) so that when a Teacher comes to
>>>> do the lesson it is guaranteed that the website can be accessed i.e.
>>>> on this local machine. This PC must have direct access to the
>>>> internet (or so they say). Anyway I have no control over it so
>>>> that's how it works. All I know is that I access it using its IP
>>>> address in Internet Explorer with a certain path name, userid and
>>>> password.
>>>>
>>>> So, the external box is on the premises. The hardware setup is:
>>>>
>>>> Internal workstations are connected to the SBS2000 server on a
>>>> 10.0.0.X network via an "internal" ethernet switch. The Server has
>>>> a second NIC connected to another ethernet switch. This switch has
>>>> a broadband modem connected. (As an aside the "external" switch
>>>> also has the administrative PCs connected i.e. the secretary, head
>>>> teacher plus one other but that's not really relevant here).
>>>>
>>>>
>>>> The "external" switch has this cache PC connected to it and I need
>>>> to have Internet Explorer access this PC - IP address 10.81.10.250.
>>>> The external NIC in the Server is address 10.81.10.1
>>>>
>>>> I currently have a proxy forward setup to the education authority
>>>> intrAnet which then forwards normal internet access from there.
>>>>
>>>> The argument I am getting from the education authority is that I
>>>> can "turn off" ISA as they provide enough intrusion protection. But
>>>> I would prefer to maintain the current setup because:
>>>> 1. It works
>>>> 2. I think of security like layers of an onion skin, the more you
>>>> have the better. (is that a bit over the top!!).
>>>>
>>>> Thanks for any help
>>>>
>>>> Smeghead
>>>>
>>>>
>>>>
>>>>
>>>> "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote
>>>> in news:#vMLOv73EHA.2608@TK2MSFTNGP10.phx.gbl:
>>>>
>>>>> Can you please give a more detailed description of what you're
>>>>> trying to accomplish? I'm assuming the external box is on your
>>>>> premises since the 10.x address would not be Internet-routable.
>>>>> So why does it have to be on the WAN side of the SBS instead of on
>>>>> the local network?
>>>>>
>>>>> What are you trying to access on the external PC? ISA would not
>>>>> be blocking an internally-generated request, so maybe the external
>>>>> PC's settings are blocking the incoming attempt? Wouldn't it be
>>>>> easier to have the PC inside your network as part of your domain,
>>>>> then allow it outbound access through ISA to get the information
>>>>> it needs, similarly to how the AV downloads signature files for
>>>>> distribution to the local network PCs?
>>>>>
>>>>> Sorry to be obtuse but I don't understand your situation : -)
>>>>>
>>>>>
>>>>> "Smeg Head" <here.there@everywhere> wrote in message
>>>>> news:Xns95BBE5B33C5BCherethereeverywhere@207.46.248.16...
>>>>>> Hi All
>>>>>>
>>>>>> I need to set up an SBS 2000 to allow access to a computer on the
>>>>>> external side of the server.
>>>>>>
>>>>>> The server has the standard 2 NICs, one internal and one
>>>>>> external. Clients connected to internal and external used for
>>>>>> broadband internet (and now this computer).
>>>>>>
>>>>>> We need to have a cache that stores specific things that it
>>>>>> updates from the internet. It's complicated but suffice to say
>>>>>> that I don't have any control over this aspect.
>>>>>>
>>>>>> The external NIC on SBS has 10.81.10.1 as its address. The
>>>>>> external PC has 10.81.10.250
>>>>>>
>>>>>> I have already setup:
>>>>>> 1. Site & Content Rules
>>>>>> an "Allow ALL" access policy (this is what I use when
>>>>>> testing
>>>>>> only)
>>>>>> all destinations, always, allow,
>>>>>> applies to any request, all HTTP content
>>>>>>
>>>>>> 2. Protocol Rules
>>>>>> an "Allow ALL" access policy (this is what I use when
>>>>>> testing
>>>>>> only)
>>>>>> All IP traffic, always, applies to any request
>>>>>>
>>>>>> 3. IP Packet Filters
>>>>>> There are lots of filters. I have setup one as:
>>>>>> enabled, predefined HTTP Server (port 80)
>>>>>> Local computer and remote computer I have
>>>>>> tried different settings
>>>>>>
>>>>>> The external network does not appear in the LAT nor the LDT.
>>>>>>
>>>>>> I can Ping the 10.81.10.250 from an internal client and the
>>>>>> server so I know it exists and that the server is forwarding the
>>>>>> ping requests. I tried 10.81.10.249 and it didn't work (as I
>>>>>> expected).
>>>>>>
>>>>>> Should I have an entry in the Network Configuration - Routing
>>>>>> list. If so what are the settings?
>>>>>>
>>>>>> Please help as I am really stuck. After 5 frustrating hours I
>>>>>> still can't get it to work.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> SmegHead
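The "close it down one at a time" approach above, and Dave's earlier advice to use a destination set holding only the cache box, can be checked against a small model before touching the real server. The following is an added example, not code from the thread or from ISA Server: it models ISA 2000's three ordered layers (protocol rules, site & content rules, IP packet filters) as a fail-closed evaluator and compares the "Allow ALL" test policy with a narrowed one. The addresses are the thread's; the rule names and the evaluator are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the three ISA 2000 layers discussed in the thread
# (protocol rules, site & content rules, IP packet filters). A request passes
# only if the first matching rule in EVERY layer allows it; rules are ordered,
# so the "Order 1" rule wins. Rule names are assumptions for illustration.

@dataclass
class Rule:
    name: str
    destinations: frozenset  # ip_network objects; empty means "all destinations"
    ports: frozenset         # TCP ports; empty means "all IP traffic"
    allow: bool = True

def first_match(layer, dst, port):
    """Decision of the first rule in an ordered layer that matches dst:port, or None."""
    addr = ip_address(dst)
    for rule in layer:
        dst_ok = not rule.destinations or any(addr in net for net in rule.destinations)
        port_ok = not rule.ports or port in rule.ports
        if dst_ok and port_ok:
            return rule.allow
    return None

def request_allowed(policy, dst, port):
    """Every layer must allow explicitly; a deny or no match at all fails closed."""
    return all(first_match(layer, dst, port) is True for layer in policy)

CACHE_BOX = ip_network("10.81.10.250/32")
ALLOW_ALL = Rule("Allow ALL (testing only)", frozenset(), frozenset())

# What the poster had open while testing: everything, in every layer.
TEST_POLICY = [[ALLOW_ALL], [ALLOW_ALL], [ALLOW_ALL]]

# Narrowed policy: a destination set containing only the cache box, HTTP only.
MINIMAL_POLICY = [
    [Rule("HTTP to cache box", frozenset({CACHE_BOX}), frozenset({80}))],
    [Rule("Site rule: cache box only", frozenset({CACHE_BOX}), frozenset())],
    [Rule("Packet filter: HTTP Server (80)", frozenset({CACHE_BOX}), frozenset({80}))],
]

def compare(dst, port):
    """Show what the test policy lets through that the narrowed policy does not."""
    return {"test": request_allowed(TEST_POLICY, dst, port),
            "minimal": request_allowed(MINIMAL_POLICY, dst, port)}

if __name__ == "__main__":
    for dst, port in [("10.81.10.250", 80), ("10.81.10.250", 443), ("10.81.10.249", 80)]:
        print(dst, port, compare(dst, port))
```

Each request that the narrowed policy still allows is one the poster needs; everything the test policy allowed beyond that is what the "Allow ALL" rules were exposing.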