Re: From Cisco Pix to ISA.




Thank you for the reply.

I tried setting this up over the weekend (no test network) and though I
could get things to run by always pointing to the primary IP address
configured on my external facing card, I could not get things to run using a
secondary or tertiary address I added to its advanced IP properties.

In other words, my current configuration uses three static ISP-provided
addresses that each map (1:1) to three different addresses on my internal
network. Though I can get all three services running successfully if I
reconfigure and point everything to the primary external ISA address, nothing
gets through when I add the other two ISP addresses to my external card (IP
advanced properties) and point to them. This means I would need to
reconfigure the addresses on all my outside clients and also where I have my
mail delivered to. Am I missing something, or is one external address the
only way to go with ISA? The only thing I didn't try, and I could kick
myself, is rebooting the server after configuring my additional IPs, but I
might just be grasping at straws that it would be something that simple.

Thanks in advance for any further insight.

"Phillip Windell" wrote:


"Chris3458" <Chris3458@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:542E61F3-E51B-4BC5-96D0-102B43415885@xxxxxxxxxxxxxxxx
* Example: 70.158.42.71 maps to 172.16.1.100 and only accepts inbound port
25 traffic from range 207.126.144.0 through 207.126.159.255. (Outbound
traffic is not filtered).

Clients outside our office connect to a similarly mapped server (outside to
inside address), but inbound traffic is limited to port 1677.

* Example: 70.158.42.72 maps to 172.16.1.101 and only accepts connections
on port 1677.

In the ISA MMC Tree:

For Mail (port 25)
1. Right-click on Firewall Policy
2. Choose New-->Mail Server Publishing Rule
3. Follow the prompts from there. It should be fairly simple.
Just remember to choose the Protocol "SMTP Server", not the
regular SMTP.

For the "other" Service on Port 1677 (assuming TCP?)
A. Create the Protocol
1. Select (normal click) Firewall Policy
2. Select Toolbox--->Protocols at far right of MMC Window
3. Create a "new" Protocol
a. Name: <whatever> (I suggest "TCP1677 Server" or "UDP1677 Server")
b. TCP (or UDP?)
c. Port Range 1677 to 1677 (for a single number)
d. Direction is Inbound (normal protocols are outbound,
but server publishing protocols are inbound)

B. Create the Publishing Rule
1. Right-click on Firewall Policy
2. Choose New-->Server Publishing Rule (not Mail Server)
3. Follow the prompts with these things in mind
a. You can "listen" on External or a specific IP#
b. Publish to the IP# of the Server in question
c. The Protocol will be the one you created above
d. Server Publishing Rules are simply a "Reverse NAT" (aka Static
NAT) which is what the old Cisco box did. You cannot control
access via user accounts; that can only be done with Rules based
on Web Publishing (based on CERN Compliant Web Proxy
functionality)


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
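The PIX static mapping described in the quoted message and the server publishing rule it maps onto, modelled as an added example (not ISA Server or Cisco code; the rule and field names are ours, the addresses are the ones from the thread): a publishing rule is a reverse NAT that translates only when a packet arrives on the exact listener address, protocol and inbound port range, and, where the PIX access list restricted sources, only from that source range.

```python
"""Reverse-NAT (server publishing) decision model for the thread's two examples.
Added illustration, not ISA or PIX code: rule/field names are ours, addresses
come from the original post."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, summarize_address_range
from typing import Optional, Tuple


@dataclass(frozen=True)
class PublishingRule:
    name: str
    listen_on: IPv4Address                  # external address the rule listens on
    publish_to: IPv4Address                 # internal server (static NAT target)
    proto: str                              # "tcp" or "udp"
    ports: range                            # inbound port range, low..high inclusive
    sources: Tuple[IPv4Network, ...] = ()   # empty = accept from anywhere


def range_to_networks(first: str, last: str) -> Tuple[IPv4Network, ...]:
    """Express a PIX-style 'from X through Y' range as CIDR blocks."""
    return tuple(summarize_address_range(ip_address(first), ip_address(last)))


def translate(rules, src: str, dst: str, dport: int, proto: str) -> Optional[Tuple[str, str]]:
    """Return (rule name, internal address) for an inbound packet, or None when
    no rule listens on that exact destination IP/protocol/port for that source."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if d != r.listen_on or proto != r.proto or dport not in r.ports:
            continue                        # wrong listener, protocol or port
        if r.sources and not any(s in net for net in r.sources):
            continue                        # listener matched, source not allowed
        return r.name, str(r.publish_to)
    return None


# Constructed from the two examples in the quoted message.
RULES = (
    PublishingRule("SMTP Server", ip_address("70.158.42.71"), ip_address("172.16.1.100"),
                   "tcp", range(25, 26),
                   range_to_networks("207.126.144.0", "207.126.159.255")),
    PublishingRule("TCP1677 Server", ip_address("70.158.42.72"), ip_address("172.16.1.101"),
                   "tcp", range(1677, 1678)),
)

if __name__ == "__main__":
    print(translate(RULES, "207.126.150.9", "70.158.42.71", 25, "tcp"))    # allowed mail source
    print(translate(RULES, "198.51.100.5", "70.158.42.71", 25, "tcp"))     # outside range: None
    print(translate(RULES, "198.51.100.5", "70.158.42.72", 1677, "tcp"))   # client service
    print(translate(RULES, "198.51.100.5", "70.158.42.73", 1677, "tcp"))   # no listener: None
```

The last case shows why traffic to an address no rule listens on is dropped rather than translated, which is the symptom the reply above describes for the secondary addresses.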





