Re: ISA SP3 lockdown?



1. AV server - this will require a single rule allowing whatever protocol
the AV client uses to get updates between the ISA and the AV server. No
"network browser" functionality required.
2. "Browsing Network neighborhood using Windows Explorer" uses the Windows
Browser functionality and this is a workstation process.

I can appreciate the need to multi-purpose the ISA, but you're better off to
avoid creating huge holes in your firewall for convenience's sake.
ISA already provides a default system policy allowing you to connect to file
shares internally using SMB. "Browsing" typically involves a lot of
broadcast traffic which ISA doesn't support.
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"DanaK" <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:489D56B0-9CEF-4B42-9FFF-ECD13873B575@xxxxxxxxxxxxxxxx
For one thing our antivirus server is internal on the network and I need to
set up rules for its protocols so the ISA can be protected and updated.
Also, I'm talking about browsing the network via Network Neighborhood in
Windows Explorer. I don't generally use the ISA as a workstation. The
capability just gives you options when you have a budget as low as mine - 10
schools, 1 office, ~120 computers and (maybe) $8000. I'm just glad I get
paid!

"Jim Harrison (ISA SE)" wrote:

Why do you want "Windows browser" to work from the ISA?
You shouldn't be using it as a workstation.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"DanaK" <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AF9C679F-4200-48A3-A3FE-418183FB9906@xxxxxxxxxxxxxxxx
"...correcting ISA behavior..." Yes, I guess you could say that it does just
that. Once we got the external NIC addresses corrected AND shut the server
down once or twice the mail protocols began going through. Thanks.

Now I have to figure out why the ISA can't browse the internal network. It
wouldn't do this even before sp3. The server was joined to the network
before I installed ISA. I'll run the troubleshooting tool tomorrow and see
what else comes up.

Thanks to you both.
Dana

"Jim Harrison (ISA SE)" wrote:

This is an unsupported deployment.
SP3 helps you understand that by correcting ISA behavior in this regard.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"DanaK" <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ECD5017A-5A25-4A68-A494-3CB6E6D3D892@xxxxxxxxxxxxxxxx
Apparently ISA 2004's sp3 is much less forgiving when it comes to denying
protocol throughput. I must confess that I do not have a separate IP range
configured yet for my external NIC and am, thus, getting a regular notice of
such since I installed sp3 just in case that is the problem. I'm trying to
get clearance from the people that set up our Cisco firewall in our DMZ to
change that internal IP, though. They have yet to answer. However, prior to
installing sp3 I could get e-mail protocols through the ISA with no problems
with just an "Allow All" rule for all protocols even though the internal IP's
were the same. Since installing sp3 I've created the new e-mail protocol
rules but to no avail.

Even though I have "Allow" rules set up for all e-mail protocols - POP3
through SMTP Server AND an Allow All rule - ISA tells me in its log for
e-mail protocols that these connections are denied due to the Firewall's
Default Rule which denies access to everyone on any protocol. What's going
on with this?


