Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/02/2007 05:53 PM
Hi,
Is it possible to "capture" an incoming request on a certain port and route it to a device in the local LAN?
Example:
DSL router from the provider with a fixed IP, administered by the ISP.
SBS 2003 Premium, all patched and updated.
One NIC for the DSL router.
One NIC for the internal LAN.
Often we have situations where other suppliers plug something into the LAN (video centrals, telephone centrals, etc.).
They give the device an IP address within the LAN range, for example 192.168.16.100.
So users in the LAN can connect in their browser to 192.168.16.100 and see the web-embedded interface of the device.
The question that always comes is: can you make this work over the internet?
So if users at a remote location type in the fixed IP address + :that port, they can see the same web-embedded device. For example, type in the browser :8554 (8554 being the port that the device has).
So what I would like to do is: capture the incoming request if it is on that port and route it to the device.
So if someone browses to :8554, in ISA Server I would say go to 192.168.16.100.
I don't know if it is possible?
Regards,
Jo
PS.
I know you can view this problem from a different angle and put the devices in front of the SBS/ISA server, rerouting them directly on the router with the fixed IP address, so users who browse to :8554 are rerouted directly on the router to their device. Remotely it will work immediately, but then I have the opposite problem: my internal users cannot access the devices because they are in front of the SBS server and are in a different range.

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/02/2007 06:00 PM
You can do this with an ISA web listener. You would need to create a custom protocol, and a new web listener to listen for requests to that protocol (port number) on the ISA external interface, then an access rule that allows traffic through to the correct IP. Thinking about it, you may need to use a server publishing rule to achieve that, but in any case, yes you can do it. But unless your ADSL router supports port forwarding, the requests from the net will never hit the ISA server.

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/02/2007 06:05 PM
For now I have asked the ISP to forward port 8554 to the server.
(So this is good, I think?)
So the requests will hit the server.
Can you be a little more detailed on how to create these rules (especially the custom protocol/web listener)?
ISA Server is my weak spot :-(
Regards,
Jo

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/02/2007 06:19 PM
No trouble. I've just tried to do this myself and realised that everything we need to do will be done during the wizard, so no need to worry.
1. Open ISA Server Management, right-click Firewall Policy, New > Server Publishing Rule.
2. Name the rule > Next.
3. Enter the internal LAN IP address of the device we are publishing > Next.
4. On the Select Protocol page, click New and name your protocol > Next.
5. Click New to enter a port range, change the direction to INBOUND and enter the port range (for a single port, enter the same number in both boxes), then click OK. Your protocol should appear in the box; click Next.
6. Do you use a secondary connection? I would guess at NO. Click Next, then Finish to complete the protocol wizard.
7. Your protocol should now be listed; click Next.
8. Now we choose where the requests should be listened for, in this case External: put a tick in the box and click Next.
9. Review your settings and click Finish.
Make sure your rule is high enough in the list to be applied before any more restrictive rules kick in (the nearer the top the better). Click Apply to apply your settings.
Attempt to connect to your device from an external location.
On the Monitoring tab, go into Logging; you can edit the filter to view requests only to your published device.

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/02/2007 07:01 PM
Hi,
Thanks for the good explanation, I think I know what you want to do.
For now I cannot test it because the port for the new device needs to be opened by the ISP (I already sent a mail, but I'm awaiting an answer).
So may I come back on this one after the weekend?
Thanks in advance,
Regards,
Jo

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/05/2007 05:25 PM
Hi,
I'm back again with some news.
I made the rules you said, but no success yet, although I can see traffic coming in.
I have 2 devices that need to be "accessible" from the internet, but to make it not confusing I'll start with one device, the telephone central.
I made a rule for port 2070 and forwarded that to 192.168.16.109, being the internal IP of the device.
If I log in ISA Management I can see the following:
Initiated Connection SBSERVER 5/11/2007 17:02:48 Log type: Firewall service Status: The operation completed successfully. Rule: TelefoonCentrale Source: External ( :60223) Destination: Internal ( 192.168.16.109:2070) Protocol: Telprotocol User:
So I can see that the request is "captured" by my rule and that it is being redirected to the internal 192.168.16.109.
So, so far so good, I think?
But after my "initiated connection" I immediately get the following log:
Closed Connection SBSERVER 5/11/2007 17:02:51 Log type: Firewall service Status: A connection was abortively closed after one of the peers sent a RST segment. Rule: TelefoonCentrale Source: External ( :60223) Destination: Internal ( 192.168.16.109:2070) Protocol: Telprotocol User:
So this is probably the reason that I can't get through to my device?
Regards,
Jo
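Added example, not from the thread: a small Python parser for ISA logging-view lines of the shape quoted in this post. It pairs each "Initiated Connection" with the "Closed Connection" for the same source/destination socket and counts the ones the internal host tore down with a TCP RST, which is what the log shows when the publishing rule forwards to an address:port where nothing is listening. The sample lines are constructed (203.0.113.5 is a documentation address standing in for the stripped external IP; the port 80 lines are invented for contrast).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ISA Server logging-view entries
# quoted in the thread; addresses and the port 80 lines are made up.
SAMPLE_LOG = """\
Initiated Connection SBSERVER 5/11/2007 17:02:48 Log type: Firewall service Status: The operation completed successfully. Rule: TelefoonCentrale Source: External (203.0.113.5:60223) Destination: Internal (192.168.16.109:2070) Protocol: Telprotocol User:
Closed Connection SBSERVER 5/11/2007 17:02:51 Log type: Firewall service Status: A connection was abortively closed after one of the peers sent a RST segment. Rule: TelefoonCentrale Source: External (203.0.113.5:60223) Destination: Internal (192.168.16.109:2070) Protocol: Telprotocol User:
Initiated Connection SBSERVER 5/11/2007 17:05:10 Log type: Firewall service Status: The operation completed successfully. Rule: TelefoonCentrale Source: External (203.0.113.5:60301) Destination: Internal (192.168.16.109:80) Protocol: HTTP User:
Closed Connection SBSERVER 5/11/2007 17:05:40 Log type: Firewall service Status: The operation completed successfully. Rule: TelefoonCentrale Source: External (203.0.113.5:60301) Destination: Internal (192.168.16.109:80) Protocol: HTTP User:
"""

LINE_RE = re.compile(
    r"^(?P<action>Initiated Connection|Closed Connection) \S+ \S+ \S+ "
    r"Log type: (?P<logtype>.*?) Status: (?P<status>.*?) Rule: (?P<rule>\S+) "
    r"Source: \w+ \((?P<src>[^)]*)\) Destination: \w+ \((?P<dst>[^)]*)\) "
    r"Protocol: (?P<proto>\S+)"
)


def parse_line(line):
    """Split one logging-view line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["src"] = rec["src"].strip()  # the view pads the socket with spaces
    rec["dst"] = rec["dst"].strip()
    return rec


def find_reset_backends(log_text):
    """Pair each Initiated Connection with the Closed Connection for the same
    source/destination socket and count the pairs the internal host tore down
    with a TCP RST. A RST seconds after the rule forwarded the connection
    means nothing accepted it on that internal address:port."""
    open_conns = {}
    rst_counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        if rec["action"] == "Initiated Connection":
            open_conns[key] = rec
        elif key in open_conns:
            del open_conns[key]
            if "RST segment" in rec["status"]:
                rst_counts[rec["dst"]] += 1
    return dict(rst_counts)
```

Run against a query export, the returned dict lists the published address:port pairs that keep resetting, which is the first thing to compare against the port the device actually listens on from inside the LAN.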

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/05/2007 05:33 PM
In the properties of the rule, on the To field, can you switch the option to make the requests appear to come from the ISA server? See how that affects things.

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/05/2007 06:19 PM
I get the same error in the log.

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/05/2007 06:37 PM
Where exactly are you getting this log info? It doesn't look like an ISA real-time capture.

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/05/2007 06:43 PM
I get the info from:
ISA Server Management -> Monitoring -> tab "Logging" -> Start Query
Then you see, line by line, requests coming in (I presume).
I hope this is the correct place to look for problems?

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/05/2007 06:49 PM
No, it is, I just never saw an entry like:
A connection was abortively closed after one of the peers sent a RST segment.
Are you sure your device can work through a NAT? What exactly is it?

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/05/2007 08:31 PM
Hi,
The line is:
but in the additional info window you see the error.

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/05/2007 08:32 PM
Oops, I forgot: the device is a telephone central.

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/06/2007 04:42 PM
You'll have to excuse me, but I have no idea what a telephone central is?

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/06/2007 06:21 PM
Sorry, I think the English word is telephone exchange.
(The PBX box in a company: when you want to dial outside, you have to press 0 first, so the telephone exchange takes an outside line and then you can make the call.)

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/06/2007 06:28 PM
Ahh, sorry, I thought it was like a brand name or something, lol. Do the makers of your phone system have any guides on how to access the PBX over the net?

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/06/2007 06:47 PM
No, that's a bit the problem. (As always, the computer guys will have to solve the problem.)
You probably know the drill. Guys come in, put some nice hardware stuff in your network, demonstrate all the nice features to the customer, look at this, and look at that, and you can go directly into the PBX... etc. etc. And the customer goes nuts on all that wonderful technology.
And then they go "Oh yeah, the computer guys will make sure you can do the same but from the outside..."
The only information I got was that, from within the LAN, if you go in Internet Explorer to that IP address (192.168.16.109), you see the "website" of the telephone exchange, where you can do settings and stuff.
What they said was: the telephone exchange uses port 2070 if you want to access it remotely, so make sure that port 2070 is open on your router (from the ISP) and that your firewall (ISA) forwards the request to our PBX.
In other words, if you're somewhere on a computer and you type in the fixed IP followed by a colon and the port, you should see the same thing (http://fixedip:2070).
As said, in theory all beautiful, but it has to be configured.
Regards,
a somewhat desperate IT technician,
Jo

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/07/2007 10:23 AM
Does it use port 2070 internally?

Jo Lambrecht  Belgium Member since 5/24/2005
Platinum Membership Posts: 164
11/07/2007 04:36 PM
By asking, I start to doubt, because if I take a computer from within the LAN and type in 192.168.16.109:2070, I don't get to see anything. After about 2 minutes I get the message "Page cannot be displayed":
Network Access Message: The page cannot be displayed Explanation: The request timed out before the page could be retrieved.
Try the following: Refresh page: Search for the page again by clicking the Refresh button. This may have been a one-time error. If you are still not able to view the requested page, try contacting your administrator or Helpdesk.
Technical Information (for support personnel) Error Code 1460: Timeout Background: The gateway could not receive a timely response from the website you are trying to access, a DNS server, or another gateway server. This might indicate that the network is congested or that the website is experiencing technical difficulties. Date: 7/11/2007 15:13:50 Server: sbserver.domain.local Source: Firewall
So I think this is a big breakthrough in our thinking? Or not?
If it doesn't work in the internal LAN on port 2070, is it because the "web-embedded server" is listening on another port? And my ISA rule probably sends my request from the outside to the inside on port 2070? (If outside traffic comes in on port 2070, redirect it to 192.168.16.109, also on port 2070.)
If I go directly to 192.168.16.109 I see the webpage coming up. I don't know if there's a default port for web-embedded stuff? I think they use port 80?
If I do 192.168.16.109:80 then I can see my web-embedded page also.
So what we would need to do, or adjust, is (I don't know if it is possible?):
If traffic from the outside comes in on port 2070, redirect it to 192.168.16.109, but then on port 80.
Regards,
Jo
PS. I think there is light at the end of the tunnel.

robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1770
11/07/2007 10:12 PM
I'm not sure I know a way of doing port redirection through ISA; you may be better rewarded to move the PBX to the external NIC LAN and then have a rule in ISA to allow you to access port 80 of that device.
I'll have a scout about, but I think that would be the best bet, assuming that doing this will not break how your PBX works.
(ten minutes later)
DOH!
Can't quite believe I said that.
Of course we can use a web server publishing rule (which I probably should have advised in the first place) and I think that will sort you right out. This in conjunction with a web listener listening on port 2070 should easily redirect the request internally to port 80.
I'm so incredibly dull that I am still online :P but I'm just going off now. I'll post up some instructions first thing tomorrow.