
ISA Server - Internal Server Remote Access On Non-Standard Port


BrynJ
05-01-2006, 09:38
Firstly, my apologies for the length of this post, it takes a bit of explaining! I'm having difficulty trying to configure ISA server to allow remote access to our CCTV system through several static ips that are already configured for full access via our router's firewall.

The CCTV traffic is on port 8234, operating with both tcp and udp protocols as far as I can ascertain. Our internal network operates on a 192.168.0 subnet and our externally facing network operates on a 172.168.16 subnet. In our router's NAT table I have added an entry to redirect port 8234 traffic to 172.168.16.1 (our ISA Server's external ip).

In ISA Server I have the following configured:

Protocol Definitions
DM1 - port 8234, tcp protocol, inbound direction
DM2 - port 8234, tcp protocol, outbound direction
DM3 - port 8234, udp protocol, send receive direction

Protocol Rules
DM - allow any request for the DM1, DM2, DM3 protocols

IP Packet Filters
DM1 - allow custom filter, tcp protocol, both direction, 8234 local port, 8234 remote port
DM2 - allow custom filter, udp protocol, both direction, 8234 local port, 8234 remote port

Server Publishing Rules
DM1 - DM1 protocol, internal ip 192.168.0.151, external ip 172.168.16.1, applies to any request
DM3 - DM3 protocol, internal ip 192.168.0.151, external ip 172.168.16.1, applies to any request

I'm not sure if all the above are required to be honest, in the logs I was originally getting blocked requests on port 8234 but now I can't see that ISA Server is blocking anything - but obviously it still doesn't work :D. Hoping it's just something simple I have overlooked - all help and advice appreciated :).

BrynJ
05-01-2006, 10:41
I should add to the above that the CCTV server is on ip 192.168.0.151, just in case that wasn't clear :). Also, since posting the above I've made a change to the ip packet filters:

IP Packet Filters
DM1 - allow custom filter, tcp protocol, both direction, 8234 local port, all remote ports
DM2 - allow custom filter, udp protocol, both direction, 8234 local port, all remote ports

I've changed the remote port from 8234 to all - I think this is correct as the external packet port number could be anything right? At any rate, it still doesn't work :D.

FunkyD
05-01-2006, 11:21
I assume you are not openly publishing web-based CCTV cameras onto the Internet? You don't mention SSL or anything so it sounds a bit insecure....

You need a listener on whatever port you want (8234). If you use the wizard it does everything for you.

Not sure why you posted your external IP on here ....

basegreen
05-01-2006, 12:02
Which wizard is it?

BrynJ
05-01-2006, 12:06
Thanks for the reply - the external ip address is only the subnet the router is on, it's not the router's external ip address... if that makes sense :D Basically, there are two network cards in our ISA Server box, one is the 172.168.16 subnet (the router's) and the other is 192.168.0 subnet (our internal network).

Should have mentioned we're using ISA 2000, so there are no wizards as far as I know :( (actually, there is one for a Secure Mail Server but this obviously isn't appropriate).

The cctv isn't openly published, our hardware firewall only lets through non-web traffic on specific IP addresses, plus the cctv requires login authentication.

What do you mean by a listener? As you can tell, I'm no ISA expert :D.

FunkyD
05-01-2006, 12:06
Which wizard is it?

Publish a web server

BrynJ
05-01-2006, 12:28
Ahh, ok - I used the server publishing wizard rather than the web publishing one. I've invoked the web publishing wizard but I can't really follow it - any chance of some assistance or a pointer to a good resource on the subject? Do I need to do anything with IIS? I had a look there and there are wizards for ftp or web site, but again I'm not really able to follow the principles :?:

basegreen
05-01-2006, 12:32
I've not been able to figure out the listeners properly in the past. I wish there was a manual way of doing it.

BrynJ
05-01-2006, 12:58
It does seem rather complicated doesn't it? :). In the main ISA properties there are configuration tabs for 'Incoming Web Requests' and 'Outgoing Web Requests' - is this where the listeners can be configured? It seems to be, but I get the feeling changing these settings may break something or other...

gadgetgear
05-01-2006, 14:14
Hi,

Have you tried http://www.isaserver.org for any help. it is a site dedicated to ISA server. I have used it several times in the past and they seem to have the answer to most problems

BrynJ
05-01-2006, 15:08
gadgetgear - yes, I have had a look at www.isaserver.org in both the tutorials and message board but I haven't found anything directly relating to my requirements (or maybe I just can't find it :) ). Found the site very useful in the past though :thumbs:

BrynJ
06-01-2006, 11:13
Bump :help:

gadgetgear
07-01-2006, 08:14
Hi BrynJ,

Just some wild questions to try to clarify what is happening and to understand your system better.

Have you tried to access the cctv from the 192.168.0.x subnet? If you are able to do so then we can at least confirm that the isa server is the problem and not some other network device.

What application are you using to access the CCTV?

Do you successfully access any other servers / webservers / emailservers etc on the 192.168.0.x subnet from the 172.168.16.x subnet via the isa server?

You also mention in your first post a "router's firewall" that has been configured. Is this between the isa server and the cctv? Do you have to go through this as well to access the cctv? If not, what part does it play in your network configuration?

BrynJ
07-01-2006, 17:07
Hi gadgetgear - thanks for your further help, some good questions there, which I've tried to answer below:


Have you tried to access the cctv from the 192.168.0.x subnet? If you are able to do so then we can at least confirm that the isa server is the problem and not some other network device.
Yes, I can access the CCTV from the 192.168.0 subnet - I simply install the viewer software and it connects without issue.


What application are you using to access the CCTV?
It's called Network Viewer and can be found at the hardware manufacturer's homepage, www.dedicatedmicros.com. The CCTV system we use is called Digital Sprite.


Do you successfully access any other servers / webservers / emailservers etc on the 192.168.0.x subnet from the 172.168.16.x subnet via the isa server?
I have to admit I'm not 100% sure what you mean here - we do run Exchange on our server, I guess this is routing through external traffic via the 172.168.16 subnet to our internal 192.168.0 subnet? That's the only example I can think of, sorry!


You also mention in your first post a "router's firewall" that has been configured. Is this between the isa server and the cctv? Do you have to go through this as well to access the cctv? If not, what part does it play in your network configuration?
The firewall I referred to is our adsl router firewall, so that sits between the outside world, so to speak, and the isa server - the cctv server shouldn't be affected by the router firewall, as it's on our internal network.

Our cctv supplier actually gave me an ip address of another company's site (unbelievable, I know!) and I tried accessing this from a machine on our 192.168.0 subnet - as you might expect, it didn't work. I then tried connecting a machine directly to the adsl router, and I was able to connect to this other company's cctv (this confused me somewhat actually, as I didn't remove the entry in the adsl router's NAT table to port forward 8234 to isa server - I would have thought doing this would make all traffic on port 8234 only go to 172.168.16.1? Confused!).

Well, I hope that further info has helped clarify some of the details :).

BrynJ
09-01-2006, 11:40
Bump :)

BrynJ
10-01-2006, 07:45
Daily Bump :help:

BrynJ
11-01-2006, 07:34
Another bump for this - any suggestions? I'm really stuck on things to try, I've been doing some more reading and I'm wondering if I have to do anything with the Routing and Remote Access Service (RRAS)? I've read conflicting things, but the consensus is that ISA Server handles the configuration of this if it is required...

Cheers,

Bryn.

gadgetgear
14-01-2006, 23:56
Hi BrynJ

Under pressure at work at the moment so it will take time to get back to you. I have been reading the documentation of your cctv system (it's Saturday night, how sad is that). One thought that might be the problem, what is the default gateway of the cctv system? If that is incorrect, it would still let you connect on the same subnet (uses broadcasts to mac addresses), but to get the data to a different network the cctv system has to know how to get the data there (uses the ip address and the default gateway). The default gateway I think should be the 192.x.x.x interface on the isa server.

Another thought that comes to mind, if you are accessing the cctv from the internet via the adsl router, then via the isa server you are creating a double nat problem. What I mean is that the ip addresses from the 192.. network are going via the isa server and get natted (is there such a word), to a 172... address, then they go out via the adsl where they will get natted again. I believe you may have a problem there unless your adsl router will allow the double nat situation.
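
As an added illustration, not posted by anyone in this thread: a small Python model of the inbound path described above (router NAT, then ISA 2000 server publishing, then the CCTV host) that checks the two points raised here, the CCTV host's default gateway and each NAT layer forwarding port 8234 for both tcp and udp, and also flags that 172.168.16.0/24 is not RFC 1918 private space. The /24 masks, the ISA inside address 192.168.0.1 and the router's LAN-side address are assumptions, not details from the posts.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface, ip_address

@dataclass
class NatHop:
    name: str
    outside: str                # address the previous layer forwards to
    inside: IPv4Interface       # LAN-side interface, i.e. the next subnet's gateway
    forwards: dict = field(default_factory=dict)   # (proto, port) -> inside target
@dataclass
class Host:
    addr: IPv4Interface
    gateway: str = None         # None models the unset gateway found on the CCTV box

def trace_inbound(proto, port, hops, target):
    """Each NAT layer must forward proto/port to the next layer's outside address, the last one to the host."""
    findings = []
    for i, hop in enumerate(hops):
        sent_to = hop.forwards.get((proto, port))
        if sent_to is None:
            return findings + [f"{hop.name} has no {proto}/{port} forward (NAT layer {i + 1})"]
        expected = hops[i + 1].outside if i + 1 < len(hops) else str(target.addr.ip)
        if sent_to != expected:
            findings.append(f"{hop.name} forwards {proto}/{port} to {sent_to}, expected {expected}")
    return findings

def check_return_path(host, last_hop):
    """Replies to off-subnet viewers need a gateway on the host's subnet that is the ISA inside interface."""
    if host.gateway is None:
        return [f"{host.addr.ip}: no default gateway set, so only same-subnet viewers can connect"]
    gw = ip_address(host.gateway)
    if gw not in host.addr.network:
        return [f"{host.addr.ip}: gateway {gw} is not in {host.addr.network}"]
    return [] if gw == last_hop.inside.ip else [f"{host.addr.ip}: gateway {gw} is not {last_hop.name}'s inside address"]

def check_addressing(hops):
    """Flag LAN-side 'outside' addresses that are not RFC 1918 private space."""
    return [f"{h.name} outside address {h.outside} is not RFC 1918 private space"
            for h in hops[1:] if not ip_address(h.outside).is_private]

# Topology from the thread; the router's LAN address and the /24 masks are constructed.
ROUTER = NatHop("ADSL router", "ROUTER-WAN-ADDRESS-NOT-IN-THREAD", IPv4Interface("172.168.16.254/24"),
                {("tcp", 8234): "172.168.16.1", ("udp", 8234): "172.168.16.1"})
ISA = NatHop("ISA server", "172.168.16.1", IPv4Interface("192.168.0.1/24"),
             {("tcp", 8234): "192.168.0.151", ("udp", 8234): "192.168.0.151"})
CCTV_AS_FOUND = Host(IPv4Interface("192.168.0.151/24"))                # state found on 17-01
CCTV_FIXED = Host(IPv4Interface("192.168.0.151/24"), "192.168.0.1")    # gateway set afterwards
def audit(host, hops=(ROUTER, ISA)):
    inbound = [f for p in ("tcp", "udp") for f in trace_inbound(p, 8234, list(hops), host)]
    return inbound + check_return_path(host, hops[-1]) + check_addressing(list(hops))
```

Running audit(CCTV_AS_FOUND) reports the missing gateway plus the public-range warning; audit(CCTV_FIXED) leaves only the latter, which is the remaining point worth reviewing once the gateway is set.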

BrynJ
16-01-2006, 18:11
Hi gadgetgear - sorry about my delay in replying, really should learn to subscribe to threads I start! Many thanks for your help and suggestions. I'm not sure about the double nat situation (in that I can't quite get my head around it! :D) but your comment about setting the gateway lit a lightbulb above my head - I'm not 100% sure, but I think I recall questioning the gateway setting when the cctv company engineer was demonstrating the system, as I'm sure it had been set to 192.168.1.1 (note the deliberate error). I will be onsite tomorrow so I will take a look at that and change if necessary - fingers crossed :)

Cheers,

Bryn.

BrynJ
17-01-2006, 11:47
I've checked the network setting in the cctv server and I was wrong, the gateway wasn't set to 192.168.1.1 - it wasn't set to anything! I've configured it as 192.168.0.1 but I still can't get it to work. I will have to look further into the double nat situation, but I'd appreciate any further ideas you might have :)

FunkyD
18-01-2006, 07:52
I've checked the network setting in the cctv server and I was wrong, the gateway wasn't set to 192.168.1.1 - it wasn't set to anything! I've configured it as 192.168.0.1 but I still can't get it to work. I will have to look further into the double nat situation, but I'd appreciate any further ideas you might have :)

BrynJ - more than happy to help. I will have a read when I get 5 and get back to you. If you have a network diagram in visio that helps to visualise things - if not perhaps I could help as I do them all the time.

BrynJ
18-01-2006, 14:48
Hi FunkyD - thanks for the offer of help. We don't have a network diagram unfortunately, but it's a fairly simple one - just the 192.168.0 internal subnet, the 172.168.16 externally facing subnet, with ISA Server between the two, and then the router to the outside world. If you want to know any specifics just ask. Cheers :)