Registered users    
MembershipMembership:
Latest New UserLatest:Phil Clarkson
New TodayNew Today:5
New YesterdayNew Yesterday:6
User CountOverall:22929
Private messaging    
You must be logged in to use this module.
Top 10 posters    
NamePosts
Mariette Knap12490
Marina Roos12181
Eriq Neale2071
Michael Patrick1901
Stan Guinn1817
Robert Pearman1720
Nick Pieters1425
Stewart Brown609
Kevin D.563
Eddie Kerr534
Welcome unauthorized visitor    
If you want to join us in the discussions on this forum you need to register first. Registration is free! If you are already a registered user please login to join the forum.
Small Business Server Support Forum    
Forums > Microsoft Smallbusiness Server > ISA Server 2004
Subject: IP Address Translation/Proxy Issues
Prev Next
You are not authorized to post a reply.

Author Messages
Tim Saunders User is Offline
United States
Member since
7/16/2007

Registered Users
Posts: 39
5/21/2008 04:52 AM  
I have an SBS2003 server running ISA 2004 in a Single Network Adapter configuration.  (We have an ASA5510 on the outside.)  This is mainly running for cache and site blocking purposes.  I noticed the other day that I can access the "Welcome to Windows Small Business Server 2003" page from the outside.  This is the page that is at the root of the web server and should not be available from the outside.  I can even launch /ConnectComputer and get prompted to install the ActiveX control from the outside.  I really need to get this sealed back up.
 
I have reviewed the ISA logs and the SBS Inbound Access Rule is what is processing my inbound request.  The IIS logs show that the ISA server's IP is both the source and the destination address.  Since the IP Address Restrictions on the root of the Default Web Site in IIS are configured to Grant Access to the entire subnet, this translation appears to be what is allowing me to come through from the outside.  It seems like ISA is doing some sort of translation that is making IIS think the request is coming from an internal IP address.
 
Any thoughts on what to do or where to look next?
 
Note - ISA used to be configured as an Edge Firewall.  When we got in the ASA5510, we backed ISA down to just caching.  When it was an Edge Firewall, there were a couple of Web Server Publishing rules in existence.  Now there are none.  I am assuming that this is just due to the difference in ISA config rather than possibly being the problem here.  However, I figured I would throw that out there.
robert pearman User is Offline
United Kingdom
Member since
2/23/2007

Platinum Membership
Posts: 1720
5/21/2008 11:03 AM  
is your hardware firewall, doing any firewalling?

sounds like you have opend up port 80 and if i read your post correctly, the isa box has one NIC - which means this is not doing any firewalling either.
Tim Saunders User is Offline
United States
Member since
7/16/2007

Registered Users
Posts: 39
5/21/2008 04:29 PM  
Yes, the hardware firewall is doing firewalling.

We have NAT running on the firewall appliance and port 80 is open.
Marina Roos User is Offline
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12181
5/24/2008 12:01 AM  
Hi Tim,
 
If you are not hosting your own website, you can and should close port 80 inbound.
Marina Roos Smallbizserver.Net AdministratorMission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local  network at the Headquarters. Want to know how? Signup up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
Tim Saunders User is Offline
United States
Member since
7/16/2007

Registered Users
Posts: 39
5/27/2008 02:31 AM  
I completely agree.  However, I still have this issue that I would prefer to resolve, with port 80 open or not.
 
Any ideas of how to adjust the ISA server to stop it from proxying this traffic?
Marina Roos User is Offline
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12181
6/01/2008 09:34 PM  
Close port 80 first on your firewall. And when using only one nic in the SBS server, you will only be able to use the cache feature from ISA.
Marina Roos Smallbizserver.Net AdministratorMission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local  network at the Headquarters. Want to know how? Signup up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
You are not authorized to post a reply.
Forums > Microsoft Smallbusiness Server > ISA Server 2004 > IP Address Translation/Proxy Issues


ActiveForums 3.7
Forum policy    
These Discussion Forums are dedicated to the discussion of the Small Business Server and related server and client software. For the benefit of the community please observe the following posting guidelines:
  1. No Advertising. This includes promotion of commercial products and non-commercial products which are not directly related to Small Business Server and related server and client software.
  2. No Flaming or Trolling.
  3. No Profanity, Racism, or Prejudice.
  4. Site Moderators have the final word on approving/removing a thread or post or comment.
Copyright 2002-2008 Concentrix b.v.    :   Page generated in 0.2500016 seconds.   :   Terms Of Use   :   Privacy Statement