Re: ISA Server on same machine as IIS

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 16 Oct 2003 11:34:03 -0500

Hi Amy,

If you use packet filters to allow inbound access, none of the inbound
connections are protected by any of the application filters. It's like
you've placed the services on a trihomed DMZ segment. That's why I make
such a big deal out of disabling socket pooling.

You can tell if socket pooling is disabled by doing:

Netstat -na | find ":25"

That will help you find the entries for the SMTP service. If you find it
listening on 0.0.0.0, then you've not disabled it. Another way to determine
if it is disabled is to try to create a Server Publishing Rule. If you
see an alert saying that there is a resource allocation error, then
socket pooling is not disabled.

The packet filter approach provides no firewall protection outside of
simple packet filtering. 

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
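
The netstat check from the message above, extended to the four IIS services named in this thread, as an added example that is not part of the original message. It parses `netstat -na` output and reports whether each service listens on 0.0.0.0 (socket pooling still enabled) or on a specific address; the port numbers are assumed service defaults and the sample output is constructed.

```python
import re

# Assumed default ports for the IIS services named in the thread.
IIS_PORTS = {21: "FTP", 25: "SMTP", 80: "WWW", 119: "NNTP"}

# Matches Windows "netstat -na" TCP listener rows, e.g.
#   TCP    0.0.0.0:25    0.0.0.0:0    LISTENING
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

# Constructed sample output (not taken from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.1.1:80         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.1:21         0.0.0.0:0              LISTENING
  TCP    192.168.1.1:1025       10.0.0.5:25            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def listeners_by_service(netstat_text, ports=IIS_PORTS):
    """Return {service: [local addresses]} for watched ports in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # headers, UDP rows, established connections
        addr, port = m.group(1), int(m.group(2))
        if port in ports:
            found.setdefault(ports[port], []).append(addr)
    return found

def socket_pooling_report(netstat_text):
    """'pooled' if the service listens on 0.0.0.0, 'bound' if only on specific IPs."""
    return {
        service: ("pooled" if "0.0.0.0" in addrs else "bound")
        for service, addrs in listeners_by_service(netstat_text).items()
    }

if __name__ == "__main__":
    for service, state in sorted(socket_pooling_report(SAMPLE_NETSTAT).items()):
        print(f"{service}: {state}")
```

A service missing from the report has no listener at all on its default port.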

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Tom,

There are application filters as well. I'm not sure how the two
interact. You would know better than I. Backup issues and worms, Trojans
and spyware take up much more of my time than firewall issues do thanks
to ISA server. (I've finally convinced most of my clients to allow me to
roll out PestPatrol so maybe there will be a light at the end of that
tunnel.) I'd love to learn more about ISA if I had the time; that's why
I'm on this list.

On SBS using the wizards is a must. I know that doing so rubs a lot of
admins the wrong way, but unless you're an expert at ISA and what it
needs to do for ALL of the Microsoft products that are running on an SBS
server I recommend the wizards. They haven't failed me yet. That's not
to say that you don't need to add some of your own custom stuff from
time to time; you do, but for the basics I use the wizards.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

Hi Amy,

I think I see what's going on. If you use packet filters, then you don't
need to disable socket pooling, but you also lose a lot of the security
provided by the firewall application filters.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


I believe so. The list of packet filters and rules is quite long on a
default install of SBS. Although it works it is probably a lot like the
HTML that office writes - excessively verbose.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

Hi Paul,

Are there SBS wizards that disable socket pooling for the WWW, NNTP,
SMTP and FTP services?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Paul Nuernberger [mailto:pen@xxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


If you followed the wizards properly, then the setup would have removed
'socket pooling' for IIS so that it only listens on the internal
interface (it would have asked you for the IP address of the internal
interface).

This being the case, you would have to 'publish' your web site in ISA
using web publishing (& preferably also use a destination set to limit
what ISA passes to IIS).  It would also be a good thing to look at what
headers your IIS site is looking for (i.e. www.mysite.tld and
mysite.tld), and make sure to pass the original headers to IIS (in web
publishing).  Review the docs and help file, as well as stuff at
www.isaserver.org, and you will see how these all work together.

If you are relying on using packet filters to get to your IIS web site -
don't.  Only use web publishing.

Paul Nuernberger

-----Original Message-----
From: DH [mailto:david.harkins@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


Sorry that should read SBS (Small business server) not SDS. It's a
standard install and I can't access my website outwith the network. I do
have a public IP for the website and it is configured on DNS, can view
it internally. Thanks.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
