Two simple questions

Status
Not open for further replies.

ftoddt

Technical User
Apr 26, 2003
US
When you publish a Web server behind an ISA server, do you use the external routable IP for the Web server (presently set up as standalone in the DMZ with its own IP), or do you use the ISA server's external routable IP? I have purchased routable IPs that are available and presently set up with the Internet provider's DNS. I would like to keep the same IP on the web server that it presently has. Is that possible when publishing behind an ISA server? Everything that I have read so far makes me believe that you use the ISA server IP for your DNS record for your Web server.
Thanks to all of you who do all the answering of these questions from us not in the know... You are appreciated.
 
If you use a Web publishing rule, you can use only the default external ISA IP address.

You can do this...

Insert a secondary IP address on the external ISA interface...

Go to Protocol definition and make a new HTTP definition for Inbound packets.

Then use a Server publishing rule to map the HTTP inbound protocol from your secondary external IP address to your internal server.


Tell me later.
bye
Darpet
 
Thank You very very much. I will try this and see what happens. Will keep you posted as to what happens.
Thanks again
 
Darpet,
I just recently had the time to pursue the web configuration behind the ISA server and after many attempts, I think I see what you are talking about but wish to verify.
When you say add a secondary IP to the external ISA address, are you talking about the advanced window where I can actually add a second IP to that external NIC card's properties?
I believe that when I tried to create the server publishing rule for this web server, when the wizard asked for the external IP address on the ISA server, I got a dropdown box that only had the initial IP of the ISA server and would not let me put in the web server's external IP address. After I added the IP in the advanced window to the NIC card, the dropdown box then shows that IP also to select from. Was this what you meant? I tried that and some other setups but could never see my web page as I could before when I hooked the server (dual NIC) with its WAN card and its external IP plugged straight to the router. I must not have done everything correctly but will plug on.
Please confirm that adding the other Ip as you suggest is the same as what I am thinking.
Todd
 
The Web server to be published needs to be set up as a SecureNAT client, meaning the web server's default gateway must be the internal IP address of your ISA server. This may be why you cannot see your web pages.

Nick
 
OK, maybe I am not clear on presenting this. I have a web server now that has dual NICs. One side is connected to my internal LAN and the other is outside the LAN with direct access to the router. Now I am nervous security-wise about having the exposed WAN NIC card with the routable IP outside my system. I would like to put the web server behind the ISA server and do away with the external routable exposed NIC, but I would like to use the external routable IP that the web server has somehow behind the ISA server. Everything I have read says you must use the IP of the ISA as your contact point, but I thought NAT could convert an external IP to an internal IP through ISA, but am unsure how to do this. As you can see, I found I can add another IP to the ISA and was asking if that is how it is done. I will need to get a book or something. It just isn't clicking with me. The web server, as with all our servers and clients except for the ISA, points to the ISA as the gateway, so I am unsure as to what you mean.
Thanks,
Todd
 
You may want to try this:
1. Add the web server's WAN address to the ISA Server TCP/IP settings.
2. In ISA management go to policy elements and protocol definitions.
3. Create a new def called "Published Http Server", Port 80, TCP, Inbound. Secondary connections Ports 1025-65534, TCP, Inbound.
4. Go to publishing, then server publishing, and create a new publishing rule. Enter the web server's internal address, enter the web server's external address (the one you added to the IP settings of ISA), select "Published Http Server" under Mapper server protocol, and apply it to all requests.
5. Make sure the default gateway of your Web server is set to the ISA server's internal IP address. Disable the WAN card in your web server and make sure is not running on the ISA server.

This should do what you wish to accomplish.

Nick
 
Thank You Thank You Thank You,
I appreciate your help Nick. Sounds like you have done this before. I will let you know how it turns out. You have made this step by step and that is what I need.
Todd
I have another brief opinion from you that I would like to know. As I said, the web server was dual NIC with its WAN outside the ISA direct to the router. I also had qpackets in the protocols. It made incoming requests come in via the WAN and information go back through the ISA. When I do a shields up test of security, it only shows the ISA server and not the external IP of the web server. GRC says it is extremely secure, but is it really? The ISA is, but is the web server secure? That is why I am thinking of putting it totally behind the ISA with a single NIC as you showed me how to do...
Thanks again
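
Added example, not part of the thread: once the server publishing rule from the steps above is applied, the result can be checked from a host outside the ISA server by comparing what actually answers on the published address with what the rule is meant to expose. The function names, the address 203.0.113.10 and the candidate port list are placeholders chosen for illustration.

```python
import socket

def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_published_ip(host, published, candidates, timeout=2.0):
    """Compare what answers on `host` with what the publishing rule should expose.

    published  -- ports the server publishing rule maps (80 in the thread)
    candidates -- extra ports to probe that are expected to stay closed
    """
    to_probe = set(published) | set(candidates)
    open_ports = {p for p in to_probe if probe(host, p, timeout)}
    return {
        "open": sorted(open_ports),
        "missing": sorted(set(published) - open_ports),     # rule is not passing traffic
        "unexpected": sorted(open_ports - set(published)),  # more exposed than intended
    }

def demo():
    """Offline demo: a local listener stands in for the published web server."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    web_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on this port any more
    try:
        report = audit_published_ip("127.0.0.1", [web_port], [closed_port], 0.5)
        return web_port, closed_port, report
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())
    # Real use, from outside the ISA server (placeholder address and ports):
    # audit_published_ip("203.0.113.10", [80], [21, 25, 135, 139, 445, 1433, 3389])
```

A non-empty "missing" list points at the rule, the secondary IP binding or the web server's default gateway; a non-empty "unexpected" list means something other than the published HTTP port is reachable on that address.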
 