Actually, many of them are... <sigh> Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Saturday, October 23, 2004 10:36 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ping through isa server 2k4 http://www.ISAserver.org I've noticed a number of this kind of KBs lately. Are they being farmed out? Analysis of KB: INTRODUCTION This article describes how to configure secure network address translation (SecureNAT) in Microsoft Internet Security and Acceleration (ISA) Server 2004 to pass Internet Control Message Protocol (ICMP) packets between internal hosts and external hosts. >>TOM: We are discussing sending ping between a Protected Network host and a host on a non-Protected Network. OK. The term "internal" is now a bit of a misnomer since there's no LAT and no hard-coded "internal/external" definitions -- there's just different Network types. MORE INFORMATION In ISA Server 2004, the ICMP proxy is turned on only if the ISA Server computer has Internet Protocol (IP) routing turned on, and if there is a corresponding system policy setting that permits the external adapter on the ISA Server 2004 computer to send and receive ICMP packets. >>TOM: The ISA firewall doesn't "proxy" ICMP. It doesn't recreate the ICMP communication like a Proxy, its just NATing it. System Policy allowing ICMP from the ISA firewall itself is irrelevant, since the communication is coming from the Protected Network host, and not from the ISA firewall itself. The issuing isn't sending and receiving from the ISA firewall, its sending and receiving from the Protected Network host. Note The Allow ICMP requests from ISA server to selected servers system policy setting is pre-configured when you install ISA Server 2004. >>TOM: The default System Policy allows ICMP Information requests, ICMP Timestamp, and Ping from the Local Host Network to All Networks (and Local Host Network). Not what I would call "selected servers" To turn on IP routing, follow these steps: 1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management. >>TOM: IP Routing is enabled by default. 2. In the ISA Server Management console tree, expand ISAServer, where ISAServer is the name of the ISA Server that you want. 3. Expand Configuration, and then click General. 4. In the details pane, click Define IP Preferences under Additional Security Policy. 5. In IP Preferences, click the IP Routing tab. 6. Click to select the Enable IP routing check box, and then click OK. Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Saturday, October 23, 2004 1:43 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ping through isa server 2k4 http://www.ISAserver.org Who the @#^#@$ wrote that KB? "ICMP Proxy"?!? "permits the external adapter to send and receive ICMP packets"?!?!?!?!?!? ..did anyone else notice the glaring lack of another somewhat important piece of information? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -----Original Message----- From: Watts, Jeb [mailto:Jwatts@xxxxxxxxxxx] Sent: Friday, October 22, 2004 9:24 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ping through isa server 2k4 http://www.ISAserver.org Take a look at this article and see if this is what you want. http://www.kbalertz.com/kb_838251.aspx Jeb ________________________________ From: Nick Holmes [mailto:nick_holmes@xxxxxxxxxxxxxxxx] Sent: Friday, October 22, 2004 7:13 AM To: [ISAserver.org Discussion List] Subject: [isalist] ping through isa server 2k4 http://www.ISAserver.org Hi guys, I enabled all System policy rules in ISA 2004 and still not able to ping a machine through isa server, i.e. from the internet. Even if i ran a traceroute, they all time out.. any idea ? Regards, Nick Holmes. ________________________________ Free, simple, fast, memorable email Become you@xxxxxxxxxxxxxxxx at http://www.emailaccount.com/ ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jwatts@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.