ISA Server and Domain traffic


Netmasker

I have a Windows 2000 network with the following
configuration/components:

(Win 2000 clients ---------- ISA Server ---------- Domain Controller
server)

- A Windows 2000 ISA Server with two network interfaces on two
different subnets; I have enabled routing between the two
interfaces (with the registry setting) on it.
- A number of Windows 2000 domain-member clients whose gateway
is the internal interface of the ISA Server (they belong to the first
subnet).
- A Windows 2000 Active Directory server with a route to the first
subnet pointing to the external interface of the ISA Server (the AD server
belongs to the second subnet).

On the ISA Server:
- I allow all protocols for any request (with "Protocol Rules")
- I allow all traffic, in both directions, from any computer (with "IP
packet filter rules")

The question is whether domain traffic can pass through this configuration!

I noticed that the internal clients can successfully ping and connect
to the DC server's ports, such as port 389, but
how does the external DC communicate and send the domain settings
through the ISA firewall to the internal clients??? This does not seem to
work!

Thanks in advance

Gabriel Zabal

ISA Server 2000 has not been designed to accomplish that scenario,
because one network is internal and the other external.
From the external side, the traffic won't pass unless you make publishing rules.
But that is for making internal servers accessible, not to allow full
communication with the internal network.

Gabriel Zabal

Ace Fekay [MVP]

Gabriel Zabal said:
ISA Server 2000 has not been designed to accomplish that scenario,
because one network is internal and the other external.
From the external side, the traffic won't pass unless you make publishing
rules. But that is for making internal servers accessible, not to
allow full communication with the internal network.

Gabriel Zabal

Also, you would have to take into account that if NAT is being used, domain
communication (LDAP, RPC and Kerberos) cannot pass through NAT.

If routing between two internal private subnets (defined in the LAT), then there
is another issue with H.323 support (enabled by default) that will kill LDAP
communication also. That would have to be disabled too. I can post more info
on this if interested.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
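The two replies above make two separate points: the client's successful ping and LDAP connect only cover part of what a domain member needs, and none of the domain protocols survive NAT, which is what ISA Server 2000 applies to any address that is not in the LAT. The script below is an added example for this thread, not code from either poster. It probes the well-known TCP ports a Windows 2000 domain member uses on a DC (Kerberos 88, RPC endpoint mapper 135, NetBIOS 139, LDAP 389, SMB 445, global catalog 3268) and checks whether the client and DC addresses fall on the same side of the LAT. The host names, subnets and LAT contents in it are assumptions for illustration; the port probe is injectable so the logic can be exercised without a live network.

```python
"""Added example for this thread (not the posters' code): check the TCP
ports a Windows 2000 domain member needs on a DC, and whether the path
between client and DC crosses ISA Server 2000's LAT boundary (i.e. NAT).

Assumptions (not from the thread): the DC/client addresses and LAT below
are illustrative; RPC dynamic ports above 1024 are not probed here."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Well-known TCP ports an AD client uses against a domain controller.
DOMAIN_TCP_PORTS: Dict[str, int] = {
    "kerberos": 88,
    "rpc-endpoint-mapper": 135,
    "netbios-session": 139,
    "ldap": 389,
    "smb": 445,
    "ldap-gc": 3268,
}


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes (real network probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(dc: str,
             connector: Callable[[str, int], bool] = tcp_connect) -> Dict[str, bool]:
    """Probe every domain port on the DC. `connector` is injectable so the
    result can be checked offline (see failed_ports)."""
    return {name: connector(dc, port) for name, port in DOMAIN_TCP_PORTS.items()}


def failed_ports(results: Dict[str, bool]) -> List[str]:
    """Names of the services that did not answer, sorted for stable output."""
    return sorted(name for name, ok in results.items() if not ok)


def crosses_nat(client_ip: str, dc_ip: str, lat: Iterable[str]) -> bool:
    """ISA Server 2000 treats addresses listed in the Local Address Table
    (LAT) as internal and NATs traffic to everything else. Domain traffic
    (LDAP, RPC, Kerberos) does not survive NAT, so the client and the DC
    must be on the same side of the LAT: return True if they are not."""
    nets = [ipaddress.ip_network(n, strict=False) for n in lat]

    def inside(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return inside(client_ip) != inside(dc_ip)


def diagnose(client_ip: str, dc_ip: str, lat: Iterable[str],
             connector: Callable[[str, int], bool] = tcp_connect) -> List[str]:
    """Human-readable findings for the scenario in the thread."""
    findings: List[str] = []
    if crosses_nat(client_ip, dc_ip, lat):
        findings.append(
            f"{dc_ip} is on the other side of the LAT from {client_ip}: "
            "ISA will NAT this path and domain traffic will not pass")
    for name in failed_ports(probe_dc(dc_ip, connector)):
        findings.append(f"{name} (tcp/{DOMAIN_TCP_PORTS[name]}) unreachable on {dc_ip}")
    return findings


if __name__ == "__main__":
    # Assumed addresses matching the thread's layout: clients on the first
    # subnet (in the LAT), the DC on the second subnet (outside the LAT).
    for line in diagnose("192.168.1.10", "10.0.0.5", ["192.168.1.0/24"]):
        print(line)
```

Run it from a client on the first subnet; a clean result requires no findings at all. If the only open port is 389, the output reproduces the symptom in the question: LDAP binds succeed while Kerberos, RPC and SMB, which the domain logon actually depends on, do not. The LAT check is the one the first reply is about: if the DC's subnet is not in the LAT it is "external" to ISA Server 2000, and publishing rules will not make logon traffic work.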