RE: ISA 2004 Design and Config

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 26 Sep 2004 17:58:17 -0300

Just create a new access rule using the DNS protocol, as Tom said. Allow
from either your internal network or computer objects to external.

S 

-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 26, 2004 5:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

http://www.ISAserver.org

Internal DNS servers have forwarders set up to forward to the ISP's DNS
servers, DHCP assigns the internal DNS servers to clients, and all servers bar
the second NIC in the ISA point to the internal DNS servers.

I will remove the ISP DNS servers from the second NIC and leave it with
no DNS, but it's getting the rule to allow DNS traffic out on the ISA that I
am having trouble with. As far as I am aware I have written a rule that
should let the traffic out, so I must have something wrong. Do you know if
there is any URL where I could get screenshots of how it should be?

Regards

Duncan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 26 September 2004 21:43
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Hi Duncan,

Again, remove the external DNS server from the external interface of the
ISA firewall.

Configure internal DNS servers to resolve Internet host names.

Configure internal network clients to use those DNS servers.

Configure Access Rules allowing the DNS servers outbound access to
Internet DNS servers using the DNS protocol.

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 3:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

I have successfully written a rule to allow HTTP & HTTPS traffic out for
designated users, and have tried writing one to allow DNS out but just keep
getting a message in the ISA log saying DNS blocked or denied. The only
reason I think web traffic is working is down to all clients' web browsers
pointing to ISA on port 8080; each PC's DG is the local NIC of the ISA, the
outside NIC has the ISP's DNS servers, and the internal NIC is set to use the
internal DNS servers.

Duncan

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: 26 September 2004 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Have you created any access rules??

S 

-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 26, 2004 4:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Hello

Was just thinking now, for outbound DNS I could just set the 2 DCs' DGs to
the HW FW, and write a rule on the FW to only allow their 2 IPs out on
port 53 only.

I have only installed the FW Client from the installation share of ISA.

I tried to write ISA FW policy but I am confused as to what the ISA System
policies are; they are what appear to be blocking the nslookups.

Duncan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 26 September 2004 20:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Hi Duncan,

Are you using:

Firewall client?
SecureNAT client?
Web Proxy client?

Remove the public DNS server from the external interface and put the
internal interface on the top of the interface list.

Create Access Rules allowing the traffic you want outbound. How would
you exert access control if a "hardware" firewall were installed? Just
let everything out?

HTH,


Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: duncan@xxxxxxxxxxxxxxxxxxxx [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 3:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 Design and Config

Can someone please give me some advice on the following,

I am currently working on a system upgrade for a client; the previous
domain was a Win NT4 domain.

I started the upgrade on Friday this week. So far I have upgraded the
domain to 2003 AD, migrated all data, migrated the Exchange 5.5 server to
Exchange 2003, migrated SQL to SQL 2000, and set up a Citrix MetaFrame XPa
farm & MS SUS Server.

All servers are HP ML370, 2GB, 3.06 Xeon:

2 x 2003 Domain Controllers
1 x 2004 Exchange Server
1 x SQL 2000, on 2003 Server
1 x 2003 File Print
2 x 2003 Citrix Xpa Terminal Server
1 x 2003 SUS Server
1 x ISA 2004 running on 2003, 2nd NIC installed.

Started to configure ISA today. I have never installed ISA before and am
having an absolute nightmare; I normally just install a hardware
firewall.

I am unsure how ISA should be configured 100%. I have web access working
at the moment through the ISA Server but nslookups are failing
externally.

Current config:

ISA Server has two network cards; the protected subnet is 192.168.x.x/24,
the external card 172.29.x.x/24.

The external card has the ISP's DNS servers, the internal card has the
internal DNS servers, the internal card has no DG set, and the external card
is connected to the protected interface on the hardware FW, 172.29.x.254.

The protected HWFW interface then NATs out to a public IP. The current client
has a /29 block of IPs, so I have configured the next available IP as an
alias on the HWFW. I then plan to set up the mobile VPN clients to that IP
along with the site-to-site VPNs when I start the satellite offices.

The protected network card of the ISA server is every host on the subnet's
default GW, including all servers.

Internet traffic is working through ISA but if I try and do an external
nslookup the query fails. If I check the ISA logs I see messages saying
DNS Closed or sometimes Denied.

nslookups fail from every server including the ISA server. I think the only
reason HTTP traffic is working is due to the ISP's DNS server being set on
the external NIC.

I have tried taking the HW FW out of the equation but still have the same
problem of DNS queries failing externally.

The only way I can think of getting this working for the client tomorrow
is to set all the other servers' DG to the protected interface of the FW,
set up a separate DMZ on one of the other FW interfaces, then connect the
ISA's external card to the FW DMZ port.

I then plan to only allow port 53 out on the HW FW protected interface. I
will then set up the protected interface on the HW FW to allow 2-way
site-to-site IKE VPNs from the other HW FWs in the satellite offices when
they come online.

At the moment it is set up so the protected FW interface is connected to the
second NIC of the ISA as a DMZ; with my new plan above the protected
interface on the FW will have a 192 address and will be connected to the
same switch as the servers, bypassing the ISA server.

The second card in the ISA will be connected to a separate DMZ and will
only be used for incoming SMTP and outgoing HTTP traffic.

All web traffic from both PCs & servers will go out through the ISA
Server. All PCs will have the ISA Server set as their DG; servers will have
the HW FW.

The hardware FW has a mail proxy. I want it to send SMTP traffic to the
external card of the ISA server, then have it somehow proxy to the Exchange
server. Can this be done?

Can somebody please advise me on the best practice for the installation I
am trying to carry out, as I am unsure of the best ways to set up ISA.

Regards

Duncan Cameron

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


This E-Mail is confidential. It is not intended to be read, copied,
disclosed or used by any person other than the recipient named above.

Unauthorised use, disclosure, or copying is strictly prohibited and may be
unlawful. Optimum IT Solutions Ltd disclaims any liability for any action
taken in connection of this E-Mail. The comments or statements expressed in
this E-Mail are not necessarily those of Optimum IT Solutions Ltd or its
subsidiaries or affiliates.

administrator@xxxxxxxxxx 

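Added example, not code from the thread or from ISA Server itself: a small Python model of the first-match, default-deny access-rule evaluation ISA 2004 applies, used to compare the two outbound-DNS rule designs the replies suggest (source = whole Internal network versus source = a computer set holding only the forwarding DNS servers). The /24 follows the thread; the DNS server, client and ISP addresses are constructed.

```python
"""Constructed model of first-match, default-deny access rules (as ISA 2004
evaluates them) to compare the two outbound-DNS rule designs from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

INTERNAL = ip_network("192.168.0.0/24")   # protected subnet (192.168.x.x/24 in the thread)
# Constructed addresses for the two DCs that run DNS and forward to the ISP.
DNS_SERVERS = frozenset({ip_address("192.168.0.10"), ip_address("192.168.0.11")})

def is_external(ip) -> bool:
    """Anything outside the Internal network counts as External in this model."""
    return ip not in INTERNAL

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    protocols: frozenset               # protocol names, e.g. {"DNS"}
    from_: Callable[[object], bool]    # source selector (network or computer set)
    to: Callable[[object], bool]       # destination selector

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (proto in self.protocols and self.from_(ip_address(src))
                and self.to(ip_address(dst)))

def evaluate(rules, src, dst, proto):
    """First matching rule wins; the policy ends with an implicit deny-all,
    which is what the 'Denied' log entries in the thread come from."""
    for r in rules:
        if r.matches(src, dst, proto):
            return r.action, r.name
    return "deny", "Default rule"

# Design A: allow DNS out from the whole Internal network (works, but broad).
POLICY_BROAD = [Rule("DNS out from Internal", "allow", frozenset({"DNS"}),
                     lambda ip: ip in INTERNAL, is_external)]
# Design B: allow DNS out only from the computer set of forwarding DNS servers,
# so clients must resolve through the internal DNS (least privilege).
POLICY_TIGHT = [Rule("DNS out from DNS servers", "allow", frozenset({"DNS"}),
                     lambda ip: ip in DNS_SERVERS, is_external)]

if __name__ == "__main__":
    isp_dns, dc, pc = "203.0.113.53", "192.168.0.10", "192.168.0.57"  # constructed
    for name, pol in (("broad", POLICY_BROAD), ("tight", POLICY_TIGHT)):
        print(name, "DC -> ISP DNS :", evaluate(pol, dc, isp_dns, "DNS"))
        print(name, "PC -> ISP DNS :", evaluate(pol, pc, isp_dns, "DNS"))
        print(name, "DC -> ISP HTTP:", evaluate(pol, dc, isp_dns, "HTTP"))
```

With no rule at all (Duncan's starting point) every DNS query hits the default rule, which is the deny the log shows; with the tight policy only the forwarding DNS servers reach the ISP, and a client that bypasses them is still denied.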