Re: ISA Server on same machine as IIS

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 16 Oct 2003 14:33:45 -0500

Hi Jim,

You never put a default gateway address on the internal interface of the
firewall. Make sure you bind the internal address to the Web site,
create the HOSTS file entry, and redirect to the same FQDN as the
incoming request comes on. The HOSTS file entry will resolve the FQDN to
the internal interface address on the firewall.

HTH,
Tom
www.isaserver.org/shinder
 

-----Original Message-----
From: James May [mailto:Jmay@xxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 2:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

http://www.ISAserver.org

Hi Amy,
What IP address is assigned to your default website? Is it the internal
IP?

I tried to create a destination set and use web publishing rules; this
failed again, couldn't access the website remotely.

I always thought that in order to use destination set and web publishing
rules you needed to have the IIS server located on the LAN with gateway
pointing to the internal NIC of the ISA server. SBS does not have a
gateway listed on the LAN side NIC because ISA is on that box.

Jim 

-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, October 16, 2003 10:41 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS



There is a web publishing item for these ports 80, 443, and 21.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 1:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


Hi James,

I don't know how SBS wizards handle OWA. If they depend on simple packet
filters for TCP 80 and 443, you're a proverbial sitting duck.  You have
to use Web Publishing rules, otherwise you might as well be using PIX as
your firewall :-)

HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: James May [mailto:Jmay@xxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 12:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS



Hi Tom,
Can you try and answer this question?

Should OWA work using destination sets on the SBS?
When I first installed SBS I tried using destination sets with my site.com
assigned port 8155; all seemed to work OK, except OWA remote access wouldn't
load the inbox for the user. To the best of my memory users got the OWA
login but the inbox never loaded; the error message was "page cannot be
displayed". OWA worked fine on the LAN side at site.com:8155.

I'm thinking of trying this again because I don't believe I had socket
pooling disabled. Do you think this may have been causing me problems? RPC
publishing with Exchange on the same box won't work, so it looks like
packet filters are the only way to run SMTP services on the SBS server.
Is this true?

Thanks Jim  





-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 9:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS



Hi Amy,

If you use packet filters to allow inbound access, none of the inbound
connections are protected by any of the application filters. It's like
you've placed the services on a trihomed DMZ segment. That's why I make
such a big deal out of disabling socket pooling.

You can tell if socket pooling is disabled by doing:

Netstat -na | find ":25"

That will help you find the entries for the SMTP service. If you find it
listening on 0.0.0.0, then you've not disabled it. Another way to determine
if it is disabled is to try to create a Server Publishing Rule. If you
see an alert saying that there is a resource allocation error, then
socket pooling is not disabled.

The packet filter approach provides no firewall protection outside of
simple packet filtering. 

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS



Tom,

There are application filters as well. I'm not sure how the two
interact. You would know better than I. Backup issues and worms, Trojans
and spyware take up much more of my time than firewall issues do thanks
to ISA server. (I've finally convinced most of my clients to allow me to
roll out PestPatrol so maybe there will be a light at the end of that
tunnel.) I'd love to learn more about ISA if I had the time; that's why
I'm on this list.

On SBS using the wizards is a must. I know that doing so rubs a lot of
admins the wrong way, but unless you're an expert at ISA and what it
needs to do for ALL of the Microsoft products that are running on an SBS
server I recommend the wizards. They haven't failed me yet. That's not
to say that you don't need to add some of your own custom stuff from
time to time. You do, but for the basics I use the wizards.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


Hi Amy,

I think I see what's going on. If you use packet filters, then you don't
need to disable socket pooling, but you also lose a lot of the security
provided by the firewall application filters.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS



I believe so. The list of packet filters and rules is quite long on a
default install of SBS. Although it works it is probably a lot like the
HTML that Office writes - excessively verbose.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


Hi Paul,

Are there SBS wizards that disable socket pooling for the WWW, NNTP,
SMTP and FTP services?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Paul Nuernberger [mailto:pen@xxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS



If you followed the wizards properly, then the setup would have removed
'socket pooling' for IIS so that it only listens on the internal
interface (it would have asked you for the IP address of the internal
interface).

This being the case, you would have to 'publish' your web site in ISA
using web publishing (& preferably also use a destination set to limit
what ISA passes to IIS).  It would also be a good thing to look at what
headers your IIS site is looking for (i.e. www.mysite.tld and
mysite.tld), and make sure to pass the original headers to IIS (in web
publishing).  Review the docs and help file, as well as stuff at
www.isaserver.org, and you will see how these all work together.

If you are relying on using packet filters to get to your IIS web site -
don't.  Only use web publishing.

Paul Nuernberger

-----Original Message-----
From: DH [mailto:david.harkins@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS



Sorry that should read SBS (Small business server) not SDS. It's a
standard install and I can't access my website outwith the network. I do
have a public IP for the website and it is configured on DNS, can view
it internally. Thanks.
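
Added example, not part of the original thread and not written by any of its participants: a Python version of the socket pooling check described in the thread (look for a service listening on 0.0.0.0 in `netstat -na` output). It goes beyond the single port 25 lookup by covering the WWW, NNTP, SMTP and FTP ports and by matching the port number exactly, since `find ":25"` also matches ports such as 2525. The sample output, the function names, port 119 for NNTP and the treatment of the IPv6 wildcard `[::]` are assumptions made for this example.

```python
import re

# Services named in the thread; 119 is the standard NNTP port (assumption here).
SERVICES = {21: "FTP", 25: "SMTP", 80: "WWW", 119: "NNTP", 443: "WWW (SSL)"}
WILDCARDS = {"0.0.0.0", "[::]"}  # [::] is the IPv6 equivalent (assumption)

# Constructed sample of Windows `netstat -na` output, not taken from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:443           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2525           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:40312     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Only TCP sockets in the LISTENING state matter for this check.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listeners(netstat_text):
    """Map each listening TCP port to the set of local addresses bound to it."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            found.setdefault(int(m.group(2)), set()).add(m.group(1))
    return found


def socket_pooling_report(netstat_text, services=SERVICES):
    """Classify each service port as 'pooled', 'bound' or 'not listening'."""
    found = listeners(netstat_text)
    report = {}
    for port in services:
        addrs = found.get(port, set())
        if not addrs:
            report[port] = "not listening"
        elif addrs & WILDCARDS:
            report[port] = "pooled"  # wildcard listener: pooling not disabled
        else:
            report[port] = "bound"   # listening on specific addresses only
    return report


if __name__ == "__main__":
    for port, state in socket_pooling_report(SAMPLE).items():
        print(f"{SERVICES[port]:10} {port:>4}  {state}")
```

A "bound" result only says the service no longer listens on every address; whether the address it is bound to is the internal interface still has to be checked against the firewall's own addressing.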


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
