RE: ISA 2004 Design and Config

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 26 Sep 2004 14:48:39 -0500

Hi Duncan,

OK, I take it that you have not installed the Firewall client or
configured the browsers as Web Proxy clients on any of the systems yet.

So, this means you are using the SecureNAT client config, where the
client systems route Internet bound communications through the ISA
firewall's interface closest to the clients.

The Access Rules are pretty straightforward. The wizard asks for the
protocol, the source location, the destination location, and the users
who are allowed to use that rule.

So, if your internal DNS servers are configured to perform Internet host
name lookup, configure the clients to use your Internal DNS server. Then
create an Access Rule allowing the DNS servers outbound access to the
DNS protocol.

ISA firewall rules are evaluated from the top down. The first rule that
matches the connection's characteristics is applied. The exception is
when you have rules that require authentication. In that case, an
unauthenticated user is treated as a member of an "unauthenticated user
group" and the connection will be denied.

Make sure the Network Rule controlling the relationship between the
source and destination networks reflects the route relationship you
desire.

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
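Tom's rule walk above, as an added example that is not part of the original post and not ISA code: a short Python model of the evaluation order he describes, with a network rule fixing the Route/NAT relationship, access rules tried top down with first match applied, and the authentication case. The networks, the "DNS Servers" computer set, the users and the "Staff" group are made up for the demonstration; the choice that an authenticated user outside a rule's user set falls through to the next rule, while a client that presented no credentials (which a SecureNAT client never can) is denied at that rule, is this model's reading of Tom's description.

```python
"""Model of how ISA Server 2004 walks its firewall policy (added example,
not ISA code). Names of networks, computer sets, users and groups are
constructed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    protocol: str               # ISA protocol definition name, e.g. "DNS"
    src: frozenset              # networks / computer sets holding the source IP
    dst: frozenset              # networks holding the destination IP
    client: str                 # "SecureNAT", "Firewall" or "WebProxy"
    user: Optional[str] = None  # None: no credentials were presented
    src_net: str = "Internal"   # network used for the network-rule lookup
    dst_net: str = "External"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                 # "Allow" or "Deny"
    protocols: frozenset        # {"*"} means all outbound traffic
    sources: frozenset
    destinations: frozenset
    users: str = "All Users"    # or "All Authenticated Users" / "group:<name>"


# Constructed group membership, standing in for what ISA resolves from AD.
GROUPS: Dict[str, set] = {"Staff": {"alice", "bob"}}


def _user_check(rule: AccessRule, conn: Connection) -> str:
    """'match', 'skip' (authenticated but outside the rule's user set) or
    'deny' (rule needs credentials and the client sent none)."""
    if rule.users == "All Users":
        return "match"
    if conn.user is None:
        return "deny"
    if rule.users == "All Authenticated Users":
        return "match"
    group = rule.users.split(":", 1)[1]
    return "match" if conn.user in GROUPS.get(group, set()) else "skip"


def _set_hit(rule_set: frozenset, conn_set: frozenset) -> bool:
    return "All Networks" in rule_set or bool(rule_set & conn_set)


def evaluate(network_rules: Dict[Tuple[str, str], str],
             policy: List[AccessRule], conn: Connection) -> Tuple[str, str]:
    """Return (action, reason) roughly as the ISA log would report it."""
    rel = network_rules.get((conn.src_net, conn.dst_net))
    if rel is None:                       # no route/NAT relationship at all
        return ("Deny", "no network rule between %s and %s"
                % (conn.src_net, conn.dst_net))
    for rule in policy:                   # top down, first match wins
        if "*" not in rule.protocols and conn.protocol not in rule.protocols:
            continue
        if not _set_hit(rule.sources, conn.src):
            continue
        if not _set_hit(rule.destinations, conn.dst):
            continue
        verdict = _user_check(rule, conn)
        if verdict == "skip":
            continue
        if verdict == "deny":             # unauthenticated at an auth rule
            return ("Deny", "%s requires authentication; %s client sent none"
                    % (rule.name, conn.client))
        return (rule.action, "%s (%s)" % (rule.name, rel))
    return ("Deny", "Default rule")


# Policy in the shape recommended above: Internal -> External is NAT, the
# internal DNS servers (a computer set) get the DNS protocol out, and a web
# rule that requires group membership sits below it.
NETWORK_RULES = {("Internal", "External"): "NAT",
                 ("Local Host", "External"): "Route"}

POLICY = [
    AccessRule("DNS servers out", "Allow", frozenset({"DNS"}),
               frozenset({"DNS Servers"}), frozenset({"External"})),
    AccessRule("Web for staff", "Allow", frozenset({"HTTP", "HTTPS"}),
               frozenset({"Internal"}), frozenset({"External"}),
               users="group:Staff"),
]


if __name__ == "__main__":
    ext, lan = frozenset({"External"}), frozenset({"Internal"})
    cases = {
        "DC as SecureNAT, DNS": Connection("DNS", lan | {"DNS Servers"}, ext,
                                           "SecureNAT"),
        "workstation, DNS": Connection("DNS", lan, ext, "SecureNAT"),
        "SecureNAT, HTTP": Connection("HTTP", lan, ext, "SecureNAT"),
        "Firewall client alice": Connection("HTTP", lan, ext, "Firewall",
                                            user="alice"),
    }
    for label, conn in cases.items():
        action, reason = evaluate(NETWORK_RULES, POLICY, conn)
        print("%-24s -> %s: %s" % (label, action, reason))
```

Running it shows why the DNS rule for SecureNAT clients has to be "All Users": the same workstation that is allowed nothing by the DNS rule (it is not in the computer set) is denied outright at the web rule, because it cannot answer the authentication demand, even though the rule's protocol, source and destination all matched.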



-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 26, 2004 2:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config


http://www.ISAserver.org

Hello

Was just thinking now for outbound DNS I could just set the 2 DCs' DGs to
the HW FW, and write a rule on the FW to only allow their 2 IPs out on
port 53 only.

I have only installed the FW Client from the installation share of ISA.

I tried to write ISA FW policy but I am confused as to what the ISA System
Policies are; they are what appear to be blocking the nslookups.

Duncan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: 26 September 2004 20:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

http://www.ISAserver.org

Hi Duncan,

Are you using:

Firewall client?
SecureNAT client?
Web Proxy client?

Remove the public DNS server from the external interface and put the
internal interface on the top of the interface list.

Create Access Rules allowing the traffic you want outbound. How would
you exert access control if a "hardware" firewall were installed? Just
let everything out?

HTH,


Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: duncan@xxxxxxxxxxxxxxxxxxxx [mailto:duncan@xxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 26, 2004 3:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 Design and Config


http://www.ISAserver.org

Can someone please give me some advice on the following,

I am currently working on a system upgrade for a client; the previous
domain was a Win NT4 Domain.

I started the upgrade on Friday this week. So far I have upgraded the
domain to 2003 AD, migrated all data, migrated the Exchange 5.5 server to
Exchange 2003, migrated SQL to SQL 2000, and set up a Citrix MetaFrame XPa
farm & MS SUS Server.

All servers are HP ML370, 2GB, 3.06 Xeon

2 x 2003 Domain Controllers
1 x 2004 Exchange Server
1 x SQL 2000, on 2003 Server
1 x 2003 File Print
2 x 2003 Citrix Xpa Terminal Server
1 x 2003 SUS Server
1 x ISA 2004 running on 2003, 2nd NIC Installed,

Started to configure ISA today, I have never installed ISA before and am
having an absolute nightmare; I normally just install a Hardware
Firewall.

I am unsure how ISA should be configured 100%. I have web access working
at the moment through the ISA Server but nslookups are failing
externally.

Current config, 

ISA Server has two network cards; protected subnet is 192.168.x.x /24,
external card 172.29.x.x /24.

External card has the ISP's DNS servers, internal card has internal DNS
servers, internal card has no DG set, external card is connected to the
protected interface on the hardware FW 172.29.x.254.

Protected HWFW interface then NATs out to a public IP; the current client
has a /29 block of IPs, so I have configured the next available IP as an
alias on the HWFW. I then plan to set up the mobile VPN clients to that IP
along with the site-to-site VPNs when I start the satellite offices.

The protected network card of the ISA server is every host on the
subnet's default GW, including all servers.

Internet traffic is working through ISA but if I try and do an external
nslookup the query fails. If I check the ISA logs I see messages saying
DNS Closed or sometimes Denied.

nslookups fail from every server including the ISA server. I think the
only reason http traffic is working is due to the ISP's DNS server being
set on the external NIC.

I have tried taking the HW FW out of the equation but still have the
same problem of DNS queries failing externally.

The only way I can think of getting this working for the client tomorrow
is to set all the other servers' DG to the protected interface of the FW,
set up a separate DMZ on one of the other FW interfaces, then connect the
ISA's external card to the FW DMZ port.

I then plan to only allow port 53 out on the HW FW protected interface. I
will then set up the protected interface on the HW FW to allow 2-way
site-to-site IKE VPNs from the other HW FWs in the satellite offices when
they come online.

At the moment it is set up so the protected FW interface is connected to
the second NIC of the ISA as a DMZ; with my new plan above the protected
interface on the FW will have a 192 address and will be connected to the
same switch as the servers, bypassing the ISA server.

The second card in the ISA will be connected to a separate DMZ and will
only be used for incoming SMTP and outgoing HTTP traffic.

All web traffic from both PCs & servers will go out through the ISA
Server. All PCs will have the ISA Server set as their DG; the servers'
will be the HW FW.

The hardware FW has a mail proxy. I want it to send SMTP traffic to the
external card of the ISA server, then have it somehow proxy to the
Exchange server. Can this be done?

Can somebody please advise me on the best practice for the installation I
am trying to carry out as I am unsure of the best ways to set up ISA.

Regards

Duncan Cameron

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


