Re: ISA Server on same machine as IIS

Hi Amy,

If there is a Web Publishing Rule, then socket pooling for WWW, secure
bindings and the FTP service must be disabled. Otherwise, the publishing
rules would fail.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 12:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

There is a web publishing item for these ports 80,443, and 21.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 1:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

http://www.ISAserver.org

Hi James,

I don't know how SBS wizards handle OWA. If they depend on simple packet
filters for TCP 80 and 443, you're a proverbial sitting duck.  You have
to use Web Publishing rules, otherwise you might as well be using PIX as
your firewall :-)

HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: James May [mailto:Jmay@xxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 12:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Hi Tom 
Can you try and answer this question

Should OWA work using destination sets on the SBS?
When I 1st installed SBS I tried using destination sets with my site.com
assign port 8155 all seemed to work OK Except OWA remote access wouldn't
load the inbox for the user.To the best of my memory users got the OWA
login but inbox never loaded error message was page cannot be displayed.
OWA worked fine on the lan side site.com:8155

I'm thinking of trying this again because I don't believe I had socking
pooling disabled. Do think this my have been causing me problems? RPC
publishing with exchange on the same box won't work, so it looks like
packet filters are the only way to run smtp services on the SBS server
is this true?

Thanks Jim  





-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 9:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Hi Amy,

If you use packet filters to allow inbound access, none of the inbound
connections are protected by any of the application filters. Its like
you've placed the services on a trihomed DMZ segment. That's why I make
such a big deal out of disabling socket pooling.

You can tell if socket pooling is disabed by doing:

Netstat -na | find ":25"

That will help you find the entries for the SMTP service. If you find it
listening on 0.0.0.0, then you've not disabled it. Any way to determine
if it is disabled is to try to create a Server Publishing Rule. If you
see an alert saying that there is a resource allocation error, then
socket pooling is not disabled.

The packet filter approach provides no firewall protection outside of
simple packet filtering. 

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Tom,

There are application filters as well. I'm not sure how the two
interact. You would know better than I. Backup issues and worms, Trojans
and spyware take up much more of my time than firewall issues do thanks
to ISA server. (I've finally convinced most of my clients to allow me to
roll out PestPatrol so maybe there will be a light at the end of that
tunnel.) I'd love to learn more about ISA if I had the time; that's why
I'm on this list.

On SBS using the wizards is a must. I know that doing so rubs a lot of
admins the wrong way, but unless you're an expert at ISA and what it
needs to do for ALL of the Microsoft products that are running on an SBS
server I recommend the wizards. They haven't failed me yet. That's not
to say that you don't need to add some of your own custom stuff from
time to time you do, but for the basics I use the wizards.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

http://www.ISAserver.org

Hi Amy,

I think I see what's going on. If you use packet filters, then you don't
need to disable socket pooling, but you also lose a lot of the security
provided by the firewall application filters.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

I believe so. The list of packet filters and rules is quite log on a
default install of SBS. Although it works it is probably a lot like the
HTML that office writes - excessively verbose.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

http://www.ISAserver.org

Hi Paul,

Are there SBS wizards that disable socket pooling for the WWW, NNTP,
SMTP and FTP services?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Paul Nuernberger [mailto:pen@xxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

If you followed the wizards properly, then the setup would have removed
'socket pooling' for IIS so that it only listens on the internal
interface (it would have asked you for the IP address of the internal
interface).

This being the case, you would have to 'publish' your web site in ISA
using web publishing (& preferably also use a destination set to limit
what ISA passes to IIS).  It would also be a good thing to look at what
headers your IIS site is looking for (i.e. www.mysite.tld and
mysite.tld), and make sure to pass the original headers to IIS (in web
publishing).  Review the docs and help file, as well as stuff at
www.isaserver.org, and you will see how these all work together.

If you are relying on using packet filters to get to your IIS web site -
don't.  Only use web publishing.

Paul Nuernberger

-----Original Message-----
From: DH [mailto:david.harkins@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Sorry that should read SBS (Small business server) not SDS. It's a
standard install and I can't access my website outwith the network. I do
have a public IP for the website and it is configured on DNS, can view
it internally. Thanks.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jmay@xxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


Other related posts: