Routing public port for internal use

Neebski

Hey there, I have a little problem. I just installed Active Directory,
DNS, DHCP, the whole works, and everything works great BUT the websites
that I host on one of the servers I cannot access from within the
local network. If I connect to a remote network or use a proxy
everything is fine and I can see the web pages fine.

Anyone know why this might be happening?


Thanks!
-Kevin Neberman
 
You haven't told anyone anything about what you have done,...there is no way
to begin to answer this. Which of the billions of possible network
designs/configurations have you done? Everybody has AD, DNS, DHCP; that
does not tell us anything.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
 
Well, I made a network layout in Visio; sorry if it's crude, I just figured
out how to use it.

http://dev.tree-media.com/Routing & Remote Access/Net1.jpg

I want the workstations and laptops to be able to go to any of the
websites that the WWW servers host.


 
You cannot make a "U-Turn" through a NAT device (RRAS or any other for that
matter); NAT simply will not allow that. It creates a situation where both
the Source and the Destination MAC Address in the Layer 2 portion of the
packets are the same number,...it cannot go "from itself to itself" at
Layer 2, so it shoots itself in the head and fails.

Option #1
Your DNS should be properly configured so that the site resolves to the
*internal* LAN IP number for the LAN user, but the external public users
have it resolve to the public IP number. The LAN and the Public side are
two different "worlds" and need to be treated that way.

Option #2
Train users not to use the Public Name of the sites when they are inside the
LAN. Use the Active Directory FQDN of the machine instead. Public names
are for the public,...AD names are for the LAN.

--
Phillip Windell [MCP, MVP, CCNA]
 
Found a solution that works well... and can still use the same domain
name. If you set up a small DNS server off to the side, you can forward
the requests from the main DNS server to the new secondary server, which
serves internal users the internal IP address.

 
What's the point in that? You have to buy or own another machine,...buy or
own another license for the OS,...you now have to maintain another machine.

Just add a new Zone to the DNS you already have, create the Record for the
thing and forget it.


--
Phillip Windell [MCP, MVP, CCNA]
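Both Phillip's Option #1 (internal users resolve the site to the LAN address) and his "add a new Zone to the DNS you already have" advice describe split-horizon DNS. The script below is an added example, not from the thread or from either poster; example.com, the 192.168.1.0/24 LAN, and every address in it are constructed placeholders. It shows the one trap in that approach: once the internal server is authoritative for the public zone name, any public record you forget to copy (mail, ftp, ...) silently disappears for LAN clients, and any record still pointing at the NAT's public address reproduces the U-turn failure. The audit function catches both.

```python
import ipaddress

# Constructed sample data: example.com, the LAN subnet and every address below
# are placeholders, not values from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")   # the inside of the RRAS/NAT box
NAT_PUBLIC_IPS = {"203.0.113.10"}              # public address(es) the NAT publishes
PUBLIC_ZONE = {                                # the zone as the Internet sees it
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.10",
    "ftp.example.com": "198.51.100.7",         # hosted elsewhere, not behind this NAT
}
INTERNAL_ZONE = {                              # the LAN copy of the same zone name
    "www.example.com": "192.168.1.20",         # LAN address of the web server
    "ftp.example.com": "198.51.100.7",         # copied unchanged, still reachable
    # mail.example.com was forgotten: a deliberate mistake for the audit to catch
}


def resolve(name, client_ip):
    """Answer a query the way split-horizon DNS does.

    A LAN client only ever sees the internal zone, so a name missing there is
    NXDOMAIN (None) even though the public zone knows it.
    """
    if ipaddress.ip_address(client_ip) in LAN:
        return INTERNAL_ZONE.get(name)
    return PUBLIC_ZONE.get(name)


def audit_internal_zone(public, internal, nat_ips, lan):
    """Return (name, reason) pairs for records that will bite LAN clients."""
    findings = []
    for name, pub_ip in public.items():
        int_ip = internal.get(name)
        if int_ip is None:
            findings.append((name, "missing: LAN clients get NXDOMAIN"))
        elif int_ip in nat_ips:
            findings.append((name, "points at the NAT public IP: U-turn fails"))
        elif int_ip != pub_ip and ipaddress.ip_address(int_ip) not in lan:
            findings.append((name, "differs from public view but is not a LAN address"))
    return findings


if __name__ == "__main__":
    for who, ip in (("LAN client", "192.168.1.50"), ("Internet client", "198.51.100.200")):
        print(who, "www ->", resolve("www.example.com", ip),
              "mail ->", resolve("mail.example.com", ip))
    for name, reason in audit_internal_zone(PUBLIC_ZONE, INTERNAL_ZONE, NAT_PUBLIC_IPS, LAN):
        print("FIX", name, reason)
```

Run the audit again after every change to the public zone; the internal copy has to track it, which is the "babysitting" that a second box does not remove.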
 
Not if you use an old desktop and Linux. Free everything...

 
You still have to babysit the thing, when all you had to do was just add a
new Zone to the DNS you already have, create the Record for the thing and
forget it.
--
Phillip Windell [MCP, MVP, CCNA]
 
My reasoning for using just a cheap server like that is because I
couldn't add the DNS to the original since it was routing internal and
public ports already.
