Hi Tom,

Inline...

Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Tom Rogers [mailto:trogers@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, June 30, 2004 2:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Newbie Needs Help

http://www.ISAserver.org

First of all, is this list a place for newbies to get help or is it only for seasoned pros? If newbies can obtain help via this list, then here's my scenario...

I have a simple, single domain, single subnet W2K network. I have 6 servers total and various servers run DHCP, DNS, WINS, Exchange 2000, Proxy Server 2.0 SP-1, IIS-5, etc.

I am trying to implement an ISA 2000 Server. This is a brand new box. It has two NICs, one internal and one connected to a Road Runner Cable Modem which assigns IPs via DHCP. I have both my NICs set up properly - following the tutorial on ISAserver.org.

TOM==>Ouch. Make sure you have the latest service pack installed. I'm not sure what the support is for Web and Server Publishing Rules for dynamic addresses on the External interface. Jim is more likely up to speed on this. I know it was a big problem in the past. No problem with ISA Server 2004 firewalls, though.<==

I need to allow the following services to run through ISA:

Internet User -> ISA Server -> FTP Server
Internet User -> ISA Server -> WEB Server
Internet User -> ISA Server -> OWA 2000 from Internal Exchange 2000 Server IIS-5 (Not using SSL, but requiring Windows Authentication)

TOM==>Should ALWAYS use SSL. I wouldn't use it without it and it's pretty easy to accomplish.<==

Internet User VIA VPN -> ISA Server -> Internal Network share Access (and to use Terminal Server to access Servers) requires Windows Authentication

TOM==>No problem. Check out the VPN Deployment Kit.<==

Internet User VIA pcAnywhere -> ISA Server -> Access any host running pcAnywhere, including host on the ISA Server

TOM==>Not possible, not recommended.<==

Exchange/POP3 software [an email gateway (connector) that retrieves messages from Internet POP3 email accounts (IMAP also supported) and delivers them to Exchange Server] software on ISA Server that goes out to our ISP's mail server, downloads all emails into our Exchange Server box -> ISA Server -> Internet (in order for this to work, all I need to do is to be able to successfully TELNET to our ISP mail server on port 110)

TOM==>Why not host the Exchange Services yourself? Regardless, no problem with creating Protocol Rules to allow the required access.<==

DynIP needs to work (software that automatically tracks dynamic IP addresses assigned by our ISP, so we can act like we have a static IP). When I make a web connection into my internal web server, I get to use http://name.dynip.com/website instead of having to manually keep track of the ISP assigned IP number.

TOM==>No problem with that. I host a number of OWA sites and other Web sites behind a dynamic address using www.tzo.com. I assume it will work with other DDNS providers.<==

Internal User running Outlook Express -> ISA Server -> SMTP/POP3 to Road Runner ISP on Internet
Internal User running AOL Instant Messenger -> ISA Server -> Internet
Internal User running Weatherbug -> ISA Server -> Internet
Internal User running MS IE 6.0 SP-1 -> ISA Server -> Internet
Internal User running MS Windows Media Player 9 -> ISA Server -> Internet
Internal User running RealOne Player 10 -> ISA Server -> Internet
Internal User running Listen Rhapsody 2.1 -> ISA Server -> Internet

TOM==>Just create the appropriate Protocol Rules. For some of the funky stuff (AOL, Rhapsody, et al.) you'll have to find out what protocols are required.<==

Ok, I know it's a lot, but that is my task.

When I installed ISA Server, I created and enabled a protocol rule so that only our internal INTERNET USERS could access the Internet using all protocols, at all times; the ALLOW ACCESS (Sites and Content) rule was already there. This worked fine. I could access the Internet with my web proxy clients and firewall clients. I even set up the ISA server so that it could access the Internet - worked fine.

TOM==>Most common, and most non-secure setup.<==

I next tried to set up the Exchange/POP3 software, by trying to telnet out, but it would not work. Sites and Content has the rule ALLOW ACCESS, and I already have a Protocol rule set up to allow all protocols, all the time. I could not telnet. Then I set up a protocol rule for Telnet, and created an IP Packet Filter and opened port 23 both directions, on internal and remote. No luck. Then I tried to make ISA server wide-open (everything flows freely) and it worked. I have no idea how to correctly configure this with security.

TOM==>Why would you telnet to TCP 23 to access POP and SMTP? Why did you create a packet filter? What do you mean by wide open? (Please don't say you disabled packet filtering, otherwise you've surely been "owned" and will need to crater the server and start over.)<==

I have set up the DynIP software correctly - they had a tutorial on their website. I tried to publish my OWA web server, but I cannot access it from the outside world. I have not tried/tested the other things I need to get working.

TOM==>Check out the ISA 2000/Exchange Kit for detailed info on how to get this working, and make sure you use SSL! It's not an option not to.<==

Currently EVERYTHING works on my Proxy 2.0 Server when connected to the Road Runner cable modem. (I move the RR connection from my Proxy Server to the ISA server when testing.)

TOM==>Use VMware to test all configs first, and when you get it working in VMware, then you know that you can get it working in production. Never use your production network as a test lab :-)<==

I have looked all over ISAserver.org, read numerous books and web articles, but have yet to find out how to do all this. I really want to get rid of my Proxy Server 2.0 and OWA 5.5 server (which runs on the Proxy box).

TOM==>Everything you want to accomplish here is on the www.isaserver.org site.<==

If anyone can help, please do so. I would GREATLY appreciate it. (ISA Server seems more trouble than it is worth right now.)

TIA,
-Tom

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------