Re: Fw: ISA Server 2004 Issues Followup

  • From: "Rob Moore" <RMoore@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 14 Sep 2004 12:01:29 -0400

Yes, it makes sense. But then I've got something fundamentally wrong. I
have two subnet rules that allow all traffic between the remote sites
and the home office. (I've also defined all the actual subnet addresses
as part of the internal network.) I get communication between the remote
sites and the home office, but it's flaky. When I remove the subnet
rules, my ISA server can ping hosts in the remote networks, but they
can't ping the ISA server (or anything else using the ISA server as its
gateway). As soon as I add the subnet rules back into the firewall
policy, communication starts back up (though still flaky).

As for your second question, I have two all traffic allowed rules on the
local ISA firewall (for access from/to both networks). The remote
firewalls aren't ISA. They're IPCop Linux firewalls.

Thanks,
Rob

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, September 14, 2004 9:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

http://www.ISAserver.org

Hi Rob,

The subnet objects aren't required unless you want to perform access
control on those subnets. Since all the subnets are part of the internal
network, all those addresses are encompassed by the Internal Network
"Network" object. Make sense?

What access rules did you create on the local ISA firewall VPN gateway
and the remote ISA firewall VPN gateway?

Thanks!
Tom 

-----Original Message-----
From: Rob Moore [mailto:RMoore@xxxxxxxx]
Sent: Monday, September 13, 2004 12:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

I think I've done that. In "1" I assume you mean the routing table for
the ISA 2004 server, right? I've got that.

I've also done "2".

Clint Denham's article says I should also create Subnet Objects (in ISA
2004) for these subnets. He says: "Once all of these address ranges are
included in the Network, you should go into the Firewall Policy ->
Toolbox -> Network Objects and create new "Subnets" for the .0, .10, .20
and .30 [his sample subnets] subnets and then create Firewall Policy
Access Rules that apply to the Subnets instead of the "Network"." I
created one rule with the intent of allowing all traffic to pass between
the remote subnets and the home network. Since I did that, things are
working better, but still not perfectly. For example, DNS traffic seems
to pass very slowly, and drive mappings don't pass through at all (e.g.,
when I RDP to a remote server, my local drive mappings don't connect,
though I can ping from the remote server to the ISA 2004 box here in
Philadelphia; this all worked just fine with my ISA 2000 box).

Tearing my hair out...

Rob

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 13, 2004 1:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

1 - make sure the ISA routing table understands that subnet "S" is
reachable through interface "I".
2 - add subnet "S" to the network object that services interface "I"
using the "addresses" tab in "Properties"

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message -----
From: "Rob Moore" <RMoore@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 13, 2004 08:27
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup


Hi Jim--

Can you tell me how to "associate Ipsets with existing network objects"?
I think this is what I need to do--I have a bunch of non-local subnets
that are VPN'd (through third-party site-to-site VPN appliances) into
the home office network. At this point I'm getting quirky connection
between the home office network and the remote networks.

Thanks,
Rob

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 13, 2004 11:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

This is asking for trouble.
You can't create a network object for specific IPs; although you can
associate IPsets with existing network objects (this is how you
associate non-local subnets with network objects).
RIS operates with DHCP; if you have to combine boxes, combine those two,
not ISA.
You *can* combine IIS with ISA, but why?
If you need all that and a bag-o'-chips, then buy SBS; it's built and
designed to give you an all-in-one scenario.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message -----
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 13, 2004 07:15
Subject: [isalist] Fw: ISA Server 2004 Issues Followup


I tried implementing the suggestions that both Jim and Tom made to
resolve the Java app issue, but none of them worked.  It seems the only
way I'm going to resolve this is to give the java app users static IP
addresses, create a separate network object with those IP addresses with
authentication turned off, and then create a new access rule with the
new network object.  Any other suggestions on that?

I have another issue.  My company wants me to implement Microsoft SUS
and RIS on the same box as ISA Server 2004.  I found out that SUS
listens on port 80, is dependent on IIS, and can't be changed (according
to Microsoft).  Any problems with reconfiguring the ISA server listeners
to listen on ports other than port 80 to avoid potential conflicts?
Thanks.

---------- Forwarded Message ----------

Recall that I mentioned we are currently using Proxy Server 2.0 and are
going to get rid of it in favor of ISA Server 2004.  When we addressed
the java application issue for Proxy 2.0, we fixed the problem by
installing the Proxy Client software on the client's workstations.  This
enabled the users to connect to the java application via Winsock and
everything worked.  The authentication issue didn't matter.

In order to fix this issue, isn't there a way to do something similar in
ISA Server 2004?  I did try installing the Firewall Client software on
my workstation and attempted to access the java application with that,
but it didn't work.  Should I explore the option of using SecureNat?  I
appreciate the help.



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

