Re: ISA Server on same machine as IIS

  • From: "Paul Nuernberger" <pen@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Oct 2003 12:54:38 -0500

Yes, OWA does work with Destination Sets on SBS - have done it on several
installations.  You need to disable socket pooling (see my reply to your
previous message).

As to SMTP services - I have had mixed results with this on SBS.  You can
set all of the various components of Exchange to only listen to the internal
interface, and then use the secure mail publishing wizard in ISA.  The
problems I have seen with this is that sometimes things go non-responsive
(have not had the time to troubleshoot this one yet).  I am unaware of any
wizard in SBS that helps with this set up, but it should be straightforward.

Amy (on this list) is probably more familiar with SBS than I am.  I am
hoping she will weigh in on this and help out, or better yet point out if I
am in error somewhere.

Paul Nuernberger

-----Original Message-----
From: James May [mailto:Jmay@xxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 12:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Hi Tom 
Can you try and answer this question

Should OWA work using destination sets on the SBS?
When I 1st installed SBS I tried using destination sets with my site.com
assign port 8155 all seemed to work OK Except OWA remote access wouldn't
load the inbox for the user.To the best of my memory users got the OWA login
but inbox never loaded error message was page cannot be displayed. OWA
worked fine on the lan side site.com:8155

I'm thinking of trying this again because I don't believe I had socking
pooling disabled. Do think this my have been causing me problems? RPC
publishing with exchange on the same box won't work, so it looks like packet
filters are the only way to run smtp services on the SBS server is this
true?

Thanks Jim  





-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 9:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Hi Amy,

If you use packet filters to allow inbound access, none of the inbound
connections are protected by any of the application filters. Its like you've
placed the services on a trihomed DMZ segment. That's why I make such a big
deal out of disabling socket pooling.

You can tell if socket pooling is disabed by doing:

Netstat -na | find ":25"

That will help you find the entries for the SMTP service. If you find it
listening on 0.0.0.0, then you've not disabled it. Any way to determine if
it is disabled is to try to create a Server Publishing Rule. If you see an
alert saying that there is a resource allocation error, then socket pooling
is not disabled.

The packet filter approach provides no firewall protection outside of simple
packet filtering. 

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Tom,

There are application filters as well. I'm not sure how the two interact.
You would know better than I. Backup issues and worms, Trojans and spyware
take up much more of my time than firewall issues do thanks to ISA server.
(I've finally convinced most of my clients to allow me to roll out
PestPatrol so maybe there will be a light at the end of that
tunnel.) I'd love to learn more about ISA if I had the time; that's why I'm
on this list.

On SBS using the wizards is a must. I know that doing so rubs a lot of
admins the wrong way, but unless you're an expert at ISA and what it needs
to do for ALL of the Microsoft products that are running on an SBS server I
recommend the wizards. They haven't failed me yet. That's not to say that
you don't need to add some of your own custom stuff from time to time you
do, but for the basics I use the wizards.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

http://www.ISAserver.org

Hi Amy,

I think I see what's going on. If you use packet filters, then you don't
need to disable socket pooling, but you also lose a lot of the security
provided by the firewall application filters.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

I believe so. The list of packet filters and rules is quite log on a default
install of SBS. Although it works it is probably a lot like the HTML that
office writes - excessively verbose.

Amy 
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 11:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS

http://www.ISAserver.org

Hi Paul,

Are there SBS wizards that disable socket pooling for the WWW, NNTP, SMTP
and FTP services?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Paul Nuernberger [mailto:pen@xxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

If you followed the wizards properly, then the setup would have removed
'socket pooling' for IIS so that it only listens on the internal interface
(it would have asked you for the IP address of the internal interface).

This being the case, you would have to 'publish' your web site in ISA using
web publishing (& preferably also use a destination set to limit what ISA
passes to IIS).  It would also be a good thing to look at what headers your
IIS site is looking for (i.e. www.mysite.tld and mysite.tld), and make sure
to pass the original headers to IIS (in web publishing).  Review the docs
and help file, as well as stuff at www.isaserver.org, and you will see how
these all work together.

If you are relying on using packet filters to get to your IIS web site -
don't.  Only use web publishing.

Paul Nuernberger

-----Original Message-----
From: DH [mailto:david.harkins@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2003 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server on same machine as IIS


http://www.ISAserver.org

Sorry that should read SBS (Small business server) not SDS. It's a standard
install and I can't access my website outwith the network. I do have a
public IP for the website and it is configured on DNS, can view it
internally. Thanks.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jmay@xxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
pen@xxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 10-2003