
Strange problem publishing web server located on site-to-site VPN


jos
Mar 8, 2010, 1:10:01 PM
Hi,

I've posted this question at the Microsoft Technet Forums and isaserver.org,
but received no answers. I can't believe no one has seen this before, or that
it isn't a common scenario.

Here's a figure describing our setup: http://pix.sonhult.se/networksetup.png

The ISA Server has one External NIC and one Internal NIC, so it has one
External Network and one Internal Network in ISA. It also has one network for
the remote site in the site-to-site VPN connection.

What we're trying to do is to publish a web server located on the
10.50.7.0 network to the Internet. For example, a request coming to
http://www.myurl.com/ should be forwarded from the ISA to 10.50.7.5, which
should serve the request.

We set up a web publishing rule for this, and the logs show an initiated
connection to the host 10.50.7.5 when an external client tries to connect.
However, after a minute or so, the following message shows up in the log:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 10065 A socket operation was attempted to an unreachable host.
Rule: Test Publishing
Rule Source: External (<external client IP>)
Destination: (10.50.7.5:80)
Request: GET http://www.myurl.com/favicon.ico
Filter information:
Req ID: 0765ffa5; Compression: client=Yes, server=No, compress rate=0%
decompress rate=0%
Protocol: http
User: anonymous

It appears the ISA Server cannot find the host on the 10.50.7.0-network. Why
is that? If we try to ping the web server from the ISA Server directly we get
"Negotiating IP Security", but if we ping the web server from a host on the
10.50.6.0-network we get replies, so the tunnel is working (we're using the
tunnel in our day-to-day work, so it IS working).

Any ideas why this might be happening? All inputs are welcome, I need new
angles on this!

Thanks in advance! / Jonas

Phillip Windell
Mar 9, 2010, 11:08:10 AM

"jos" <j...@discussions.microsoft.com> wrote in message
news:D647FE87-DC7B-4116...@microsoft.com...

> Hi,
>
> I've posted this question at the Microsoft Technet Forums and
> isaserver.org,
> but received no answers. I can't believe no one has seen this before, or
> that
> it isn't a common scenario.

In 10 years I have not seen this before and it is not a common scenario.
And I saw the post at www.isaserver.org as well.

Couple things:

1. Don't use IP#s. Always use FQDNs in the Publishing Rule that match what
the user enters in the address bar. It is critical that the ISA properly
resolve that FQDN to the *Private* IP# of the website as it is seen over the
VPN Tunnel. This will mean that you have to use Split-DNS. In *any*
Publishing situation with websites using Split-DNS is almost a "given",...so
you might as well do it and get it over with,..it is not that complex.

2. Make sure the Publishing Rule is set to "Requests appear to come from the
ISA". This is found on the TO Tab of the Rule. Without this it will most
likely fail,...*your* ISA is not the web server's normal path to the
Internet, so when it tries to respond to the user it tries to go its "own
way" to the Internet instead of back through the publishing ISA. Enabling
that setting causes the web server to reply back to the ISA doing the
Publishing and the path integrity is maintained.

Ping does not mean squat. Ping can fail and everything else can fail and
yet the Publishing Rule would work. Every protocol is mutually
exclusive,...each protocol can only "speak for itself",...you can not use one
protocol to verify if a different protocol works. The only way to test
HTTP,...is to use HTTP.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

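Phillip's points 1 and 3 (the published name must resolve, on the ISA, to the private address of the site, and HTTP can only be tested with HTTP) can be checked directly. The script below is an added example and not code from this thread: it uses a constructed split-DNS table for www.myurl.com and stands in a loopback HTTP server for the web server at 10.50.7.5, since the real hosts are not reachable here. It first checks that the internal DNS answer is a private address different from the public one, then sends a GET with the Host header a client would use and reports the HTTP status, or the socket error class when the backend cannot be reached (a host-unreachable condition like the 10065 in the log surfaces here as an OSError, not as an HTTP status).

```python
import http.client
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed split-DNS views for the published name. Internal DNS (what the
# ISA must use) answers with the private address reachable over the tunnel;
# public DNS answers with the ISA's external address.
INTERNAL_DNS = {"www.myurl.com": "10.50.7.5"}   # constructed
PUBLIC_DNS = {"www.myurl.com": "203.0.113.10"}  # constructed (documentation range)


def check_split_dns(fqdn, internal_view, public_view):
    """Return both answers and whether split-DNS is set up the way a
    publishing rule needs: the internal answer is a private address and
    differs from the public one, so the ISA forwards to the web server
    instead of looping back to its own public address."""
    internal = internal_view.get(fqdn)
    public = public_view.get(fqdn)
    internal_is_private = bool(internal) and ipaddress.ip_address(internal).is_private
    return {"fqdn": fqdn, "internal": internal, "public": public,
            "split_dns_ok": internal_is_private and internal != public}


def http_probe(host_header, ip, port, path="/", timeout=3.0):
    """Test HTTP with HTTP: connect to the backend address and send a GET
    carrying the Host header the client would use. Returns
    ("ok", status, body) or ("error", exception-class-name, message)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return ("ok", resp.status, body)
    except (OSError, http.client.HTTPException) as exc:
        # ConnectionRefusedError, timeouts and host-unreachable are all OSError
        return ("error", type(exc).__name__, str(exc))
    finally:
        conn.close()


class _EchoHost(BaseHTTPRequestHandler):
    """Stand-in for the web server at 10.50.7.5: answers any GET and echoes
    the Host header so the probe can confirm which name reached the backend."""

    def do_GET(self):
        body = f"host={self.headers.get('Host')} path={self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_backend():
    """Start the stand-in backend on a loopback ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _EchoHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port():
    """Find a loopback port nothing is listening on (bind, read, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Split-DNS check, then one probe that reaches the backend and one that
    does not. Returns (dns result, reachable probe, failed probe)."""
    dns = check_split_dns("www.myurl.com", INTERNAL_DNS, PUBLIC_DNS)
    server, port = start_backend()
    try:
        reachable = http_probe("www.myurl.com", "127.0.0.1", port, "/favicon.ico")
        refused = http_probe("www.myurl.com", "127.0.0.1", closed_port())
    finally:
        server.shutdown()
        server.server_close()
    return dns, reachable, refused


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Against the real setup, replace the loopback stand-in with the address the internal DNS returns for the published name and run the probe from the ISA itself; a 200 from the backend proves the path, whereas a successful ping would not.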

jos
Mar 30, 2010, 12:09:01 PM
Hi Phillip, thanks for your reply! Sorry for the late follow-up, I've been very
busy lately.

1. I'd rather not introduce split-DNS right now and make it even more
complicated if I'm not confident that's the problem. The publishing rule
works if I set it to pass the request to a web server located on the Internal
Network, so it resolves everything correct in the publishing rule itself.

2. I've tried both alternatives here, but it is currently set to "... look
as if the traffic originated from the ISA server computer".

3. If I try to connect to the web site on the ISA itself, it does not work.
If I connect to the web site using a computer on the Internal Network, it
works. Maybe that's the problem right there? Is the ISA server sending the
request using the wrong interface?


Phillip Windell
Mar 31, 2010, 2:00:27 PM
I blew past the "VPN" thing in the subject line too quickly without thinking
it through.

Publishing to External is fine.

Publishing to the S2S VPN is a problem.
Forget it,...use an Access Rule to make it available to the networks coming
over the VPN. The VPN needs a "routed" relationship anyway,...not NAT.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"jos" <j...@discussions.microsoft.com> wrote in message
news:E08EA6A9-B1EE-4A42...@microsoft.com...

jos
Apr 9, 2010, 10:00:01 AM
Thanks for posting, see comments below =)

"Phillip Windell" wrote:

> I blew past the "VPN" thing in the subject line too quickly without thinking
> it through.
>
> Publishing to External is fine.

I always publish to External, right? There is a NAT relationship between my
site-to-site VPN and the External network.

>
> Publishing to the S2S VPN is a problem.
> Forget it,...use an Access Rule to make it available to the networks coming
> over the VPN. The VPN needs a "routed" relationship anyway,...not NAT.
>

You mean I should have a routed relationship between the S2S VPN and
External? How would that work? The S2S VPN has internal addresses, I can't
publish those directly to the Internet. That also means I can't use an Access
Rule, as that does not do any translation from the External IP to the Internal
IP.


Phillip Windell
Apr 9, 2010, 1:56:43 PM
VPN to Internal = Routed

VPN to External = NAT

Publish site to External Only,...not to VPN Network. Clean up the
Publishing Rule so that the From does not say "everywhere",...it needs to
say From: External.

The Site "lives" on the Internal,...the VPN Network gets to the Site via a
routed relationship to Internal. VPN Network ----to----> Internal ----to-----> web site.
This is controlled by an Access Rule,...not a Publishing Rule.
