I have to admit that I do like wizards. After having installed so many SBS servers in a streak for a while there it was a rude awakening to have to install a Windows 2003 new domain. My brain kept saying, "Are we there yet? If you use the wizard we'd have been done 2 hours ago." That part of my brain has a pretty annoying whine too. :-) But I'm sure the ISA BPA is just my lack of memory. Brain is full so things fall out of it now and then. Amy Babinchak Harbor Computer Services ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, January 09, 2007 1:37 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule It never worked on ISA 2000. If you tried and (could only have) failed, you weren't paying attention to the error messages that said "not here, you don't..." Yasilly, the wizard disease seems to be claiming another victim... :-) From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, January 09, 2007 10:30 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule Maybe I need to take a fresh look at it. I didn't find it helpful but it's been a long time, maybe ISA 2000 long. Can't really remember. Amy Babinchak Harbor Computer Services ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, January 09, 2007 12:20 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule Why in the world would you (of all people) make such a distinction? Use ISABPA on any ISA 2004+ deployment - it's written to assist with ISA troubleshooting regardless of the environment. From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, January 09, 2007 9:13 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule OK, I'll run it. I don't usually bother with BPA on SBS boxes. Amy Babinchak Harbor Computer Services ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, January 09, 2007 9:41 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule Nope; ISABPA includes a neato toy called ISABPAPack. It will gather the most common data required for ISA behavioral analysis. Its use is covered in the docs that come with the package. "isabpapack +repro" is the command line used to start the process. From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, January 09, 2007 5:43 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule They are firewall clients. I'll see about gathering the data for you. By repro data you mean the captures? Amy Babinchak Harbor Computer Services ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, January 09, 2007 12:11 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule If internal clients are using ISA to reach the internal app, then your problem isn't in the rule, but the client configuration. Internal access of server publishing is necessarily SecureNET or FWC clients only. Got ISABPAPack +repro data? From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Monday, January 08, 2007 8:21 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule I would agree however when WalMart says you'll use this app if you want to sell us product, then you use the app. The nature of the fail doesn't show in ISA. If I have a range of ports in my server publishing rule, then Internal clients attempting to access the app server can't get there. ISA doesn't show any fails or denied. NetMon running on the SBS server shows a successful packet to the app server but the response from the app server is stack error 1250. If I have a single port (tcp 1521) in the server publishing rule then internal clients can get the app server just fine. Since the server publishing rule only applies from External to the app server why is this affecting internal workstation access to the app server? Amy Babinchak From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Monday, January 08, 2007 10:56 PM To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Server Publishing Rule Amy, Any time a vendoir tells you they need "all inbound ports", it's time to shitcan that application and bitch-slap teh vendor back to their Commodore Vic-20. That said: Q1 - what is the port range are you defining? Q2 - what is the nature of "fails"? ________________________________ From: isapros-bounce@xxxxxxxxxxxxx on behalf of Amy Babinchak Sent: Mon 1/8/2007 4:00 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Server Publishing Rule I have published an internal server on port 1521. Works fine. However, the vendor (an EDI application) says they need access over all inbound ports. If I create a range published to this server, then Internal access to the server fails. Why? Amy Babinchak Harbor Computer Services All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned.