When we have an ISA server installed as Edge Firewall with two network Cards. One Network card connected to the Internal Network of ISA and the other one to the External Network. We have seen a lot of times that when we try to create a Web Listener on the ISA Server for a Web Publishing Rule we do not see any IP address associated with the External Network of ISA.
This can be caused because of some misconfiguration of Networks or Network Cards on the ISA server.
While creating a Web Publishing Rule when we reach to the step of creating a new Web Listener, we notice that there is no IP address associated with the default External Network defined on the ISA. Because of this we cannot make a Port(80 or 443) listen on the External IP address. And hence the web site can’t be published.
We have noticed that we can get into the above scenario primarily because of two major misconfigurations on the ISA. We have discussed below those two misconfigurations in detail:
1) When we do IPCONFIG/all on the ISA server we see the following result:
As you can see the IP addresses of both the Internal and External Network Cards are in the same network. Because of this we can see the following when we try to create a new web listener:
NOTE: The above configuration is wrong which means that we should not have both the Internal and External IP addresses of ISA in the same network/subnet.
2) While going through the overall ISA configuration we see that ISA is configured as an Edge Firewall with two Network Cards installed. But when we check the ‘Networks’ tab we see that there is another network being created by the name ‘DMZ’ and which has the same range of IP addresses as of the External Network Card of the ISA server.
Please see the figures below for a better understanding:
We can see the IPCONFIG results in the figure below:
And, here we see the ‘Networks’ tab of the ISA server in the figure below:
And because of the DMZ network defined in the above scenario we again do not see any IP address associated with the External Network in the web listener (as shown in the figure below):
NOTE: The configuration mentioned in the above scenario is again wrong. The Networks on the ISA server should be defined as per the Network Cards enabled e.g., if we have two Network Cards(Internal and External) then there is no need to create a new Network for the External IP address range as it will come under the Default ‘External’ Network.
In order to be able to publish a web site on the ISA server we should first make sure that the basic Network configuration of the ISA server is correct.