Re: Halt ISA for a Day
From: Tony Su (TonySu_at_discussions.microsoft.com)
Date: 02/24/05
- In reply to: Phillip Windell: "Re: Halt ISA for a Day"
Date: Wed, 23 Feb 2005 22:49:02 -0800
Hello "Listsubscriber" (keeping your ID secret?<BG>),
And Phillip, good to see you're on List. I've embedded my comments and a
suggestion which should enable the network to work until Listsubscriber can
arrive onsite.
Tony
"Phillip Windell" wrote:
> "List Subscriber" <listsubscriber@hotmail.com> wrote in message
> news:eX3lb$NGFHA.3648@TK2MSFTNGP10.phx.gbl...
> > #1 Is there a way to shutdown ISA for a day? If I stop the services,
> > will all the XP Pro clients stop working since their browsers are
> > automatically set to use the proxy?
>
> Yes, they will stop working.
>
> > before the folks get to work. I am trying to make the addition of ISA
> > transparent, but it's been anything but so far.
>
> I don't think it can be transparent. If you were *not* using automatic
> configuration then you could place a different proxy in its place temporarily
> by giving it the IP# that ISA used and have it listen on port 8080. But the
> auto config may get in the way,..not really sure,..I have never used the
> auto config,..I always felt it was more trouble than just the manual config.
> I always use GPO to give the "proxy settings" rather than the auto config
> technique. The GPO makes it easy to change and I can make different machines
> use different ones or none at all.
<Tony> On an SBS box, IE is configured by a FW client setting, not
auto-config. This still won't solve your problem though, manually configuring
every XP can be a problem.
>
> > #3 Since EVERYTHING SBS related is installed on one box with 2 NICs, all
> > the clients in the organization point to the SBS box for DNS, DHCP, etc.
> > So does that automatically make every machine a SecureNAT client?
>
> No, but it leaves them in a "position" to be if you wanted them to.
> Actually they *don't* need to use the SBS box as their Default Gateway. I
> can not think of anything on the SBS box that requires it be used as a
> Default Gateway of the clients. ISA does not require it "except" for the
> SecureNAT Service only. Web Proxy and Firewall Clients function perfectly
> fine with even a blank Default Gateway in many situations.
>
> What makes a client a SecureNAT client is more than just having the ISA box
> as the Default Gateway (or at least be in the Layer3 path),..it also
> requires the right type of ISA Rules to go with it. The SecureNAT Rules
> "allow" based on the IP# of the Client and not by who the user is as the
> other Rules do. If the ISA is the DFG the Client will still fail if the
> Rule isn't correct,...by the same token the Rule could be correct but if the
> ISA isn't the DFG or at least in the Layer3 path then the Client will still
> fail. It is the combination of both being correct that makes the Client a
> SecureNAT Client.
>
> However if there are "proxy settings" in the Browser or the Firewall Client
> is installed,...then those take priority and over-ride the SecureNAT aspect
> and the SecureNAT Client again will fail.
>
<Tony> I agree with everything Phillip just stated, and would like to add
that if you can configure an alternative DG, you can easily manipulate the
settings on each host machine without touching the machine directly. In fact,
this is what I would do if I were you... In DHCP, determine which leases are
machines which should remain as Web Proxy clients and which clients will want
to connect as non-Web Proxy clients. Your Web Proxy clients of course will
continue to point to ISA while the others will be pointed to the alternate
DG. So, you next have to decide which group will be assigned regular dynamic
addresses and which will be assigned reserved leases. For one of these
groups, change from regular dynamic DHCP leases to reserved leases and for
each of these configure the DG option to point to the alternate DG. Voila!
All machines should be working fine until you arrive.
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
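Added example, not part of the original thread or from either poster: a PowerShell sketch of the reserved-lease approach described above, which converts selected clients' leases to reservations and overrides the router (default gateway) option on each one. It assumes the DhcpServer module that ships with Windows Server 2012 and later, which postdates this thread; the scope, gateway address and MAC addresses are constructed placeholders.

```powershell
# Added example; all addresses and MACs below are constructed placeholders.
Import-Module DhcpServer

$ScopeId     = '192.168.16.0'     # assumed LAN scope
$AlternateGw = '192.168.16.254'   # assumed alternate default gateway (not the ISA box)
$DryRun      = $true              # set to $false to apply the changes

# Constructed list: MACs of the clients that should use the alternate gateway.
$BypassClients = @('00-11-22-33-44-55', '00-11-22-33-44-66')

foreach ($mac in $BypassClients) {
    # Find the client's current lease so the reservation keeps the same address.
    $lease = Get-DhcpServerv4Lease -ScopeId $ScopeId |
        Where-Object { $_.ClientId -eq $mac } | Select-Object -First 1
    if (-not $lease) {
        Write-Warning "No lease for $mac in scope $ScopeId; skipped"
        continue
    }
    $ip = $lease.IPAddress.IPAddressToString

    if ($DryRun) {
        Write-Output "Would reserve $ip for $mac with router $AlternateGw"
        continue
    }

    # Only create the reservation if the lease is not one already.
    if ($lease.AddressState -notlike '*Reservation*') {
        Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $ip `
            -ClientId $mac -Description 'Temporary: alternate default gateway'
    }
    # Reservation-level option 3 (Router) overrides the scope-level value.
    Set-DhcpServerv4OptionValue -ReservedIP $ip -Router $AlternateGw
}

# Audit: list every reservation and any router override it carries, so the
# temporary exceptions can be found and removed afterwards.
Get-DhcpServerv4Reservation -ScopeId $ScopeId | ForEach-Object {
    $opt = Get-DhcpServerv4OptionValue -ReservedIP $_.IPAddress -OptionId 3 `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IP = $_.IPAddress; Mac = $_.ClientId
        Router = ($opt.Value -join ','); Name = $_.Name
    }
}
```

Clients pick up the changed gateway only when they renew their lease, so the audit output shows what the server will hand out, not what each machine is currently using.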