Re: ISA Event

From: Chad A. Gross [SBS Community Member] (chad.gross_at_laytonflower.nospam.com)
Date: 09/27/04


Date: Sun, 26 Sep 2004 21:34:34 -0500

Jack -

It sounds like you're trying to bind an IIS website to port 443 on your
external interface. This isn't going to happen because the ISA web
listeners are bound to 80 & 443 on your external interface. What you want
to do is create a web publishing rule in ISA. Open ISA Management, expand
Servers & Arrays | <servername> | Publishing | Web Publishing Rules. Click
Action | New | Rule. Follow the wizard to create a new web publishing rule
to publish your web site.

The reason you want to do it this way (instead of directly binding the
website to the external interface) is to take advantage of the
application-level filtering that ISA gives you.

As for the wizards, they're there so we can easily & quickly fix an SBS and
get it to a recommended configuration after an Enterprise MCSE screws it up
. . . ;^) That is nothing against you personally - most smallbiz IT
consultants would have a hard time adjusting to an enterprise deployment.
The big difference is that we know we'd have to learn new things to fit into
that environment. All too often, the enterprise level tech assumes that SBS
is just these 4 products installed on one box. What they overlook is that
SBS is much more than the sum of its parts, and the fact that we have IIS,
Exchange & ISA on our one & only DC means that we do things slightly
differently. More often than not, they don't respect that they may have to
learn something to get this box to sing. All of us have our own real-world
experiences of cleaning up after the enterprise MCSE who tried to set up SBS
. . . :^)

As for the security - we're all aware that SBS breaks MS' own rules
regarding ISA - and we'd love to be able to pull that off and put it on a
separate server. However, our threat vectors down here are slightly
different than the enterprise. Our main threat isn't the fact that our ISA
is on our DC - no, our main threat is our desktops, and poorly written
smallbiz apps (QuickBooks) that require local Administrator rights, etc.

Back to the wizards - you do realize that the wizards write log files that
tell you what they did?

-- 
Chad A. Gross - SBS MVP
SBS ROCKS!
www.msmvps.com/cgross
www.gosbs.org
Jack wrote:
> Mate, just face the fact that you don't know how to fix my problem. I
> don't know what you mean by the hard way? I ran the wizards in the to
> do list and it didn't fix the problem just like you recommended. SBS
> is basically made for companies who don't really have a fulltime
> administrator and that's why there are so many wizards. You don't get
> all those wizards in enterprise edition and that makes a whole lot
> of difference when troubleshooting a problem as you need to know the
> program not just how to run a wizard. How do you know a wizard worked
> as they don't tell you where wizard makes changes so how can you
> troubleshoot a problem if you don't know where the exact changes are
> made. I would rather make the changes myself even though it might take
> a bit longer at least you know what happened step by step if there is
> a problem down the track so you know where to fix the problem. And
> how can you undo wizards. You can't. You just rerun them. dodgy.
> Jack
>
>
> "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
> news:#YN6t43oEHA.3460@TK2MSFTNGP15.phx.gbl...
>> and I feel sorry for people who do things the hard way.
>>
>> "Jack" <jack2007a@hotmail.com> wrote in message
>> news:#j996I3oEHA.800@TK2MSFTNGP14.phx.gbl...
>>> Hi, when i said i am new to sbs 2k i meant new to having all apps
>>> on the same box. I use windows Advanced server 2003 in an
>>> enterprise with a multiple domain structure with separate boxes for
>>> ISA, Exchange etc. I am currently Studying my MCSE 2003 and as the
>>> books say.....Don't have isa and iis on the same box. MS recommend
>>> having the separate scenario for security purposes even exchange
>>> should be separate. Basically SBS breaks their own rules. I have also
>>> noticed that a lot of the services are not even being used on sbs,
>>> What a waste. I feel sorry for people who just use sbs as they
>>> don't get to see the full function of Forest wide domain structure
>>> and all the services that come with it. To answer your question i
>>> did use the to do list. The iis section in the list just runs a
>>> wizard which does exactly the same thing as i did in the command
>>> prompt (Disabled socketpooling). In sbs 2003 it is easy to do using
>>> httpcfg but not 2k.
>>> I just need to know how to disablesocketpooling for port 443 rather
>>> than just 80 without having to change the port which will work.
>>> Thanks
>>> Jack.
>>> "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
>>> news:u8thTa8nEHA.3968@TK2MSFTNGP11.phx.gbl...
>>>> It says nothing of the sort, there is an inference that socket
>>>> pooling has been disabled, if you stretch your imagination a long
>>>> way, all you really present is a single line of netstat output.
>>>> But hey, what's the big deal.
>>>>
>>>> More important than any measure you may have manually taken I'm
>>>> interested to find out whether you have completed (at least) the
>>>> to-do list items I refer to and hopefully the full to-do list. I
>>>> don't want to know if you have manually performed the functions
>>>> you believe are accomplished by the to-do list items, I wanna know
>>>> if you have completed the to-do list. Main reason being that
>>>> someone who had completed the to-do list would not normally
>>>> experience the problem you are experiencing.
>>>>
>>>> Why do you wish to move the 'exchange virtual servers'? what do
>>>> you believe you will accomplish by doing this? As the system is
>>>> SBS no component of the SBS applications can be moved to another
>>>> box, but, for example, you could easily set up an SMTP service on
>>>> another box, it would just need to be an SMTP service (or virtual
>>>> server) which IS NOT part of SBS Exchange. eg. GFI ME can be set
>>>> up as an SMTP filter on a front end which feeds SBS exchange, I'm
>>>> not suggesting this is recommended let alone advised but it is a
>>>> possibility.
>>>>
>>>> "Jack" <jack2007a@hotmail.com> wrote in message
>>>> news:ulJk936nEHA.536@TK2MSFTNGP11.phx.gbl...
>>>>> I disabled socketpooling. If you read my first article properly it
>>>>> says that. I have done what i should but sbs2k is useless. I will
>>>>> move the web pages to another server and if i do that is it
>>>>> possible to move the exchange virtual servers to a member server
>>>>> on my network?
>>>>> cheers
>>>>> Jack.
>>>>> "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
>>>>> news:#20YGAsnEHA.2140@TK2MSFTNGP11.phx.gbl...
>>>>>> go through the to-do list. 'Configure IIS' (will disable socket
>>>>>> pooling and bind the IIS listeners to the internal only) and
>>>>>> 'Connect to the Internet'.
>>>>>>
>>>>>> --
>>>>>> Mick Malloy
>>>>>> http://www.micropol.com.au
>>>>>>
>>>>>> "jack" <jack2007a@hotmail.com> wrote in message
>>>>>> news:edIEBwrnEHA.2388@TK2MSFTNGP10.phx.gbl...
>>>>>>> There are 2 nics and here is my ipconfig:
>>>>>>> Windows 2000 IP Configuration
>>>>>>>
>>>>>>> Host Name . . . . . . . . . . . . : server
>>>>>>> Primary DNS Suffix  . . . . . . . : domain name
>>>>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>>>>>
>>>>>>> IP Routing Enabled. . . . . . . . : Yes
>>>>>>>
>>>>>>> WINS Proxy Enabled. . . . . . . . : No
>>>>>>>
>>>>>>> DNS Suffix Search List. . . . . . : domain name
>>>>>>>
>>>>>>> Ethernet adapter local:
>>>>>>>
>>>>>>> Connection-specific DNS Suffix  . :
>>>>>>> Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
>>>>>>> Physical Address. . . . . . . . . : mac address
>>>>>>>
>>>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>>>>
>>>>>>> IP Address. . . . . . . . . . . . : 10.0.0.2
>>>>>>>
>>>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>>>>
>>>>>>> Default Gateway . . . . . . . . . :
>>>>>>>
>>>>>>> DNS Servers . . . . . . . . . . . : 10.0.0.2
>>>>>>> Primary WINS Server . . . . . . . : 10.0.0.2
>>>>>>>
>>>>>>> Ethernet adapter external:
>>>>>>>
>>>>>>> Connection-specific DNS Suffix  . :
>>>>>>> Description . . . . . . . . . . . : HP NC3123 Fast Ethernet NIC
>>>>>>> Physical Address. . . . . . . . . : mac address
>>>>>>>
>>>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>>>>
>>>>>>> IP Address. . . . . . . . . . . . : 192.168.4.9
>>>>>>>
>>>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>>>>
>>>>>>> Default Gateway . . . . . . . . . : 192.168.4.11
>>>>>>>
>>>>>>> DNS Servers . . . . . . . . . . . : 10.0.0.2
>>>>>>>
>>>>>>> "SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
>>>>>>> news:erix$zqnEHA.3876@TK2MSFTNGP15.phx.gbl...
>>>>>>>> looks like a single NIC SBS? correct?
>>>>>>>>
>>>>>>>> please give us the output of 'ipconfig /all > c:\ipconfig.txt'
>>>>>>>> from the server.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mick Malloy
>>>>>>>> http://www.micropol.com.au
>>>>>>>>
>>>>>>>> "Jack" <jack2007a@hotmail.com> wrote in message
>>>>>>>> news:OLR6ksqnEHA.1304@TK2MSFTNGP09.phx.gbl...
>>>>>>>>> I am new to sbs and i need some help with publishing on isa.
>>>>>>>>> I keep getting the error below in the event viewer:
>>>>>>>>> Web Proxy service failed to bind its socket to 192.168.4.9
>>>>>>>>> port 443. This could be caused by another service that is
>>>>>>>>> already using the same port or by a network interface card
>>>>>>>>> that is not functional. The error code specified in the Data
>>>>>>>>> area of the event properties indicates the cause of the
>>>>>>>>> failure. For more information about this event, see ISA
>>>>>>>>> Server Help.
>>>>>>>>>
>>>>>>>>> I looked on the web for help and did a netstat -an and this
>>>>>>>>> is what i get:
>>>>>>>>>
>>>>>>>>> TCP     192.168.4.9:443     0.0.0.0:0    LISTENING.
>>>>>>>>>
>>>>>>>>> How do i stop this error. I found an article to disable
>>>>>>>>> socketpooling on the sbs if isa and iis are on the same box
>>>>>>>>> but it didn't seem to do any good.
>>>>>>>>> Any help would be much appreciated.
>>>>>>>>> Thanks
>>>>>>>>> Jack. 
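
The netstat check discussed in this thread, as an added example (not code from any of the posters): it sorts TCP listeners on ports 80 and 443 into those bound to the external address, wildcard listeners on 0.0.0.0, and listeners on another specific address. The function names and every sample line except 192.168.4.9:443 are constructed, and `netstat -an` as quoted does not name the owning process, so the result shows where a port is held, not by what.

```python
import re

# Addresses taken from the ipconfig output quoted in the thread.
EXTERNAL_IP = "192.168.4.9"   # "external" adapter
PUBLISH_PORTS = {80, 443}     # ports the ISA web listeners want on that adapter

# Constructed `netstat -an` excerpt; only the 192.168.4.9:443 line is from the thread.
SAMPLE = """\
  TCP    0.0.0.0:80          0.0.0.0:0        LISTENING
  TCP    10.0.0.2:443        0.0.0.0:0        LISTENING
  TCP    192.168.4.9:443     0.0.0.0:0        LISTENING.
  TCP    192.168.4.9:3389    0.0.0.0:0        LISTENING
  TCP    10.0.0.2:1045       10.0.0.5:445     ESTABLISHED
  UDP    0.0.0.0:53          *:*
"""

# Matches TCP rows in LISTENING state and captures local address and port.
LISTEN = re.compile(
    r"^\s*TCP\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\S+\s+LISTENING\b")

def classify(ip, external_ip):
    """Label a listening address relative to the external adapter."""
    if ip == external_ip:
        return "external"   # bound directly to the external address
    if ip == "0.0.0.0":
        return "wildcard"   # every address, the external one included
    return "internal"       # some other specific address

def audit(netstat_text, external_ip=EXTERNAL_IP, ports=PUBLISH_PORTS):
    """Return sorted (port, ip, kind) for TCP listeners on the given ports."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if m and int(m.group(2)) in ports:
            ip, port = m.group(1), int(m.group(2))
            found.add((port, ip, classify(ip, external_ip)))
    return sorted(found)

def conflicts(netstat_text, **kw):
    """Listeners that occupy a publish port on the external address."""
    return [f for f in audit(netstat_text, **kw) if f[2] != "internal"]

if __name__ == "__main__":
    for port, ip, kind in audit(SAMPLE):
        print(f"{ip}:{port:<5} {kind}")
```

A row reported as "external" or "wildcard" while the bind-failure event is being logged is the socket the Web Proxy service is competing for; "internal" rows are what the thread's 'Configure IIS' step is described as leaving behind.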

