HI Jim, You never put a default gateway address on the internal interface of the firewall. Make sure you bind the internal address to the Web site, creates the HOSTS file entry, and redirect to the same FQDN as the incoming request comes on. The HOSTS file entry will resolve the FQDN to the internal interface address on the firewall. HTH, Tom www.isaserver.org/shinder -----Original Message----- From: James May [mailto:Jmay@xxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 2:28 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Hi Amy What ip address is assigned to your default website is it the internal ip? I tried to create a destination set and use web publishing rules this failed again couldn't access the website remotely. I always thought that in order to use destination set and web publishing rules you needed to have the iis server located on the lan with gateway pointing to the internal nic of the isa server. SBS does not have a gateway listed on the lan side nic because isa in on that box. Jim -----Original Message----- From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 10:41 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org There is a web publishing item for these ports 80,443, and 21. Amy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 1:24 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Hi James, I don't know how SBS wizards handle OWA. If they depend on simple packet filters for TCP 80 and 443, you're a proverbial sitting duck. You have to use Web Publishing rules, otherwise you might as well be using PIX as your firewall :-) HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: James May [mailto:Jmay@xxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 12:01 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Hi Tom Can you try and answer this question Should OWA work using destination sets on the SBS? When I 1st installed SBS I tried using destination sets with my site.com assign port 8155 all seemed to work OK Except OWA remote access wouldn't load the inbox for the user.To the best of my memory users got the OWA login but inbox never loaded error message was page cannot be displayed. OWA worked fine on the lan side site.com:8155 I'm thinking of trying this again because I don't believe I had socking pooling disabled. Do think this my have been causing me problems? RPC publishing with exchange on the same box won't work, so it looks like packet filters are the only way to run smtp services on the SBS server is this true? Thanks Jim -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 9:34 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Hi Amy, If you use packet filters to allow inbound access, none of the inbound connections are protected by any of the application filters. Its like you've placed the services on a trihomed DMZ segment. That's why I make such a big deal out of disabling socket pooling. You can tell if socket pooling is disabed by doing: Netstat -na | find ":25" That will help you find the entries for the SMTP service. If you find it listening on 0.0.0.0, then you've not disabled it. Any way to determine if it is disabled is to try to create a Server Publishing Rule. If you see an alert saying that there is a resource allocation error, then socket pooling is not disabled. The packet filter approach provides no firewall protection outside of simple packet filtering. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 11:19 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Tom, There are application filters as well. I'm not sure how the two interact. You would know better than I. Backup issues and worms, Trojans and spyware take up much more of my time than firewall issues do thanks to ISA server. (I've finally convinced most of my clients to allow me to roll out PestPatrol so maybe there will be a light at the end of that tunnel.) I'd love to learn more about ISA if I had the time; that's why I'm on this list. On SBS using the wizards is a must. I know that doing so rubs a lot of admins the wrong way, but unless you're an expert at ISA and what it needs to do for ALL of the Microsoft products that are running on an SBS server I recommend the wizards. They haven't failed me yet. That's not to say that you don't need to add some of your own custom stuff from time to time you do, but for the basics I use the wizards. Amy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 11:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Hi Amy, I think I see what's going on. If you use packet filters, then you don't need to disable socket pooling, but you also lose a lot of the security provided by the firewall application filters. Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 10:55 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org I believe so. The list of packet filters and rules is quite log on a default install of SBS. Although it works it is probably a lot like the HTML that office writes - excessively verbose. Amy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 11:45 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Hi Paul, Are there SBS wizards that disable socket pooling for the WWW, NNTP, SMTP and FTP services? Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Paul Nuernberger [mailto:pen@xxxxxxxxx] Sent: Thursday, October 16, 2003 10:44 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org If you followed the wizards properly, then the setup would have removed 'socket pooling' for IIS so that it only listens on the internal interface (it would have asked you for the IP address of the internal interface). This being the case, you would have to 'publish' your web site in ISA using web publishing (& preferably also use a destination set to limit what ISA passes to IIS). It would also be a good thing to look at what headers your IIS site is looking for (i.e. www.mysite.tld and mysite.tld), and make sure to pass the original headers to IIS (in web publishing). Review the docs and help file, as well as stuff at www.isaserver.org, and you will see how these all work together. If you are relying on using packet filters to get to your IIS web site - don't. Only use web publishing. Paul Nuernberger -----Original Message----- From: DH [mailto:david.harkins@xxxxxxxxxxxxxxxxx] Sent: Thursday, October 16, 2003 10:35 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server on same machine as IIS http://www.ISAserver.org Sorry that should read SBS (Small business server) not SDS. It's a standard install and I can't access my website outwith the network. I do have a public IP for the website and it is configured on DNS, can view it internally. Thanks. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jmay@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jmay@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')