RE: ISA 2000 upgrade to ISA 2004



Hello Brian,

Thank you for your kind update.

1. From the segment of your sessions monitoring, I cannot be sure the
behavior is normal. Please reproduce the issue, gather the ISA log, and send
the ISA log to me. I will analyze the log and let you know the result.

2. If you do NOT want Internal Users to use SecureNAT to access the
Internet, you only have to install ISA firewall client on the client
computers.

As we know, if we enable SecureNAT, web proxy and firewall client on one
workstation at the same time, http and https access will try to connect
externally via the web proxy first. Other access (like RDP, SMTP, POP3 and so
on) will try to connect externally via the firewall client first. If the web
proxy fails, the access will try the firewall client; if the firewall client
fails, the access will try SecureNAT at the end.

Therefore, we do not need to delete Gateway address from DHCP.

3. If we do not want internal clients to access the Internet through anonymous
authentication, we have to enable the authentication requirement on ISA:
please open the ISA 2004 Management Console, in the left panel, expand to
Configuration->Networks. Under "Networks panel", double click "Internal".
Switch to the "Web Proxy" panel, click the "Authentication" button and ensure
you tick the "Require all users to authenticate" option and the "Integrated"
option. Then click OK twice and click the Apply button to save the changes.

4. If you do Not want ALL Web site services to be accessible from the
Internet, you can select "Allow access to only the following Web site
services from the Internet" and select the services you want to publish
(the steps just for your reference).

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
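The two things Brian wants to get rid of in the Sessions view (SecureNAT sessions from Internal clients, and anonymous Web Proxy sessions) are easy to miss by eye once there are many workstations. The following is an added example, not code from this thread or from Microsoft: it parses a Sessions view exported as a tab-separated file with a W3C-style `#Fields:` header (the export format and field names are assumptions for this example; the columns follow the Sessions view quoted in the thread) and reports, per client IP, which Internal clients still appear as SecureNAT, which opened anonymous Web Proxy sessions, and which never showed a Firewall Client session at all. The sample rows are constructed.

```python
"""Audit an exported ISA 2004 'Monitoring | Sessions' view for sessions that
carry no user name (SecureNAT and anonymous Web Proxy sessions).

Added example, not code from the thread. The export format is an assumption:
a tab-separated file with a W3C-style '#Fields:' header, using the columns of
the Sessions view quoted in the thread. The sample rows are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample export. The four rows for 192.168.16.43 mirror the
# pattern the poster saw (SecureNAT, anonymous Web Proxy, authenticated Web
# Proxy, Firewall Client); 192.168.16.57 is a workstation without the
# Firewall Client; 198.51.100.20 is an External SecureNAT session.
SAMPLE_EXPORT = """\
#Fields: activation session-type client-ip source-network client-username client-hostname
06/29/2007 09:49:46 AM\tSecureNAT\t192.168.16.43\tInternal\t-\t192.168.16.43
06/29/2007 09:49:47 AM\tWeb Proxy\t192.168.16.43\tInternal\tanonymous\t192.168.16.43
06/29/2007 09:49:48 AM\tWeb Proxy\t192.168.16.43\tInternal\tDOMAIN\\user\t192.168.16.43
06/29/2007 09:49:49 AM\tFirewall Client\t192.168.16.43\tInternal\tDOMAIN\\user\tWS43
06/29/2007 09:50:02 AM\tWeb Proxy\t192.168.16.57\tInternal\tanonymous\t192.168.16.57
06/29/2007 09:51:13 AM\tSecureNAT\t198.51.100.20\tExternal\t-\t198.51.100.20
"""

# User-name values that mean "no authenticated user" in this (assumed) export.
ANONYMOUS = {"", "-", "anonymous"}


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated export with a '#Fields:' header into row dicts.

    Lines beginning with '#' are directives; '#Fields:' names the columns.
    Rows whose column count does not match the header are skipped rather
    than guessed at, so a truncated line cannot shift values into the wrong
    column.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def audit_sessions(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Group sessions by client IP and report the ones that carry no user name.

    Returns:
      internal_securenat: Internal IPs with at least one SecureNAT session
      anonymous_webproxy: Internal IPs with at least one anonymous Web Proxy session
      no_firewall_client: Internal IPs that never opened a Firewall Client session
      external_securenat: number of SecureNAT sessions from non-Internal networks
    """
    by_ip: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        by_ip[row["client-ip"]].append(row)

    internal_securenat, anonymous_webproxy, no_firewall_client = set(), set(), set()
    external_securenat = 0
    for ip, sessions in by_ip.items():
        saw_internal = saw_firewall_client = False
        for s in sessions:
            stype = s["session-type"].lower()
            is_internal = s["source-network"].lower() == "internal"
            saw_internal |= is_internal
            if stype == "securenat":
                if is_internal:
                    internal_securenat.add(ip)
                else:
                    external_securenat += 1
            elif stype == "web proxy" and is_internal and s["client-username"].lower() in ANONYMOUS:
                anonymous_webproxy.add(ip)
            elif stype.startswith("firewall cl") and is_internal:
                # The Sessions view truncates the type to "Firewall Cl", so
                # match on the prefix rather than the full name.
                saw_firewall_client = True
        if saw_internal and not saw_firewall_client:
            no_firewall_client.add(ip)

    return {
        "internal_securenat": sorted(internal_securenat),
        "anonymous_webproxy": sorted(anonymous_webproxy),
        "no_firewall_client": sorted(no_firewall_client),
        "external_securenat": external_securenat,
    }


if __name__ == "__main__":
    report = audit_sessions(parse_sessions(SAMPLE_EXPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

IPs listed under `internal_securenat` or `no_firewall_client` are the workstations point 2 above is about: the Firewall Client is either not installed there or the connection fell back to SecureNAT, so those sessions will never carry a user name in the logs. IPs under `anonymous_webproxy` are what the "Require all users to authenticate" setting in point 3 addresses. External SecureNAT sessions are only counted, not judged, since whether they are expected depends on the full ISA log that the reply asks for.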

--------------------
| Thread-Topic: ISA 2000 upgrade to ISA 2004
| thread-index: Ace6WAmLgjCmFopkQZOCZF54OfcqhQ==
| X-WBNR-Posting-Host: 207.46.193.207
| From: =?Utf-8?B?QnJpYW4=?= <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <F45DA164-1D24-400C-8702-239420141B73@xxxxxxxxxxxxx> <ydke1fiuHHA.3972@xxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: ISA 2000 upgrade to ISA 2004
| Date: Fri, 29 Jun 2007 07:16:08 -0700
| Lines: 250
| Message-ID: <0FA71CE5-5F93-4258-AFC0-7ED835C2CD9D@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:47187
| NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Terence,
|
| Thanks for your response. In answer to your questions:
|
| a, Because in ISA Server Management: Server | Monitoring | Sessions it
| displays:
|
| Activation             Session Type  Client IP       Source Network  Client Host Nm
| 06/29/2007 9:49:46 AM  SecureNAT     88.245.xxx.xxx  EXTERNAL        88.245.xxx.xxx
|
| b, Because I do NOT want Internal Users to use SecureNAT to access the
| Internet, I want them to use other methods that provide User information;
| that will be included in the ISA logs / reports. i.e. I want users to be
| forced to use the Firewall Client.
|
| c, Microsoft Windows Server 2003 for Small Business Server Service Pack 1
| (R1)
|
|
| I already ReRan the CEICW. All access, in and out, seems to be working.
|
| Can you please answer: IS THIS NORMAL BEHAVIOR? (from my original post)
|
| Also, why would I have to:
|
| "e. On the "Web Services Configuration" page, make sure "Allow access to the
| entire Web site from the Internet" is selected. If you select "Allow access
| to only the following Web site services from the Internet", make sure ALL
| items in the list are selected."
|
| What if I do Not want ALL Web site services to be accessible from the
| Internet??
|
| Thanks,
| Brian
|
|
|
|
|
| "Terence Liu [MSFT]" wrote:
|
| > Hello Brian,
| >
| > Thank you for posting here.
| >
| > First, please let me know:
| > a. Why do you think the connections come from External?
| > b. Why did you remove the Gateway address from DHCP?
| > c. What's the edition of your SBS?
| >
| > Based on my research, after you upgrade your ISA 2000 to ISA 2004, you have
| > to rerun the CEICW first. I suggest we try the following steps to see if we
| > can resolve this issue:
| >
| > You have to rerun the CEICW to make sure your SBS 2003 server has the right
| > network configuration. Go through the following KB and rerun the CEICW
| > carefully.
| >
| > How to configure Internet access in Windows Small Business Server 2003
| > http://support.microsoft.com/kb/825763/en-us
| >
| > Detailed steps for your reference:
| >
| > a. On the SBS 2003 Server open the Server Management console. Go to
| > Standard Management\To Do List.
| >
| > b. Click the "Connect to the Internet" link.
| >
| > c. When navigating to the Firewall page, select "Enable firewall" and click
| > Next (I suppose you have 2 network adapters in SBS 2003).
| >
| > d. On the "Services Configuration" page, select all the items and then
| > click Next.
| >
| > e. On the "Web Services Configuration" page, make sure "Allow access to the
| > entire Web site from the Internet" is selected. If you select "Allow access
| > to only the following Web site services from the Internet", make sure all
| > items in the list are selected. Click Next.
| >
| > f. On the "Web Server Certificate" page, choose to create a new Web server
| > certificate and then type the public FQDN (your public DNS name) that you
| > will use to access OWA and RWW (for example, if the public FQDN that you
| > use to access the sites is www.xyz.com, you should type www.xyz.com as the
| > new certificate name).
| >
| > g. Go through the remaining steps.
| >
| > If we cannot resolve the issue after we perform the above steps, please
| > kindly help me collect some information for further investigation:
| >
| > 1. Please help to gather the ISA Info:
| >
| > 1) Download the file from the following URL:
| >
| > http://www.isatools.org/tools/isainfo.zip
| >
| > 2) Extract all files to a folder on ISA server.
| >
| > 3) Double click Isainfo.js. This will generate 2 files,
| > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml, in the
| > current folder.
| >
| > 4) Please send these files to me at v-terliu@xxxxxxxxxxxxx
| >
| > 2. Please also help to gather the ISA logs:
| >
| > 1) Schedule a down time.
| >
| > 2) Open ISA 2004 management console.
| >
| > 3) Expand the server node and highlight 'Monitoring'.
| >
| > 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
| > Pane' is shown there.
| >
| > 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
| > Tasks', and then switch the 'log storage format' from 'MSDE database'
| > (default) to 'File'.
| >
| > 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >
| > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
| > Tasks', and then switch the 'log storage format' from 'MSDE database'
| > (default) to 'File'.
| >
| > 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >
| > 9) Click 'Apply' to save changes and update the configuration.
| >
| > 10) Temporarily disable the Firewall service. To do that, please click
| > Monitoring | Services tab, and then right click 'Microsoft Firewall' to
| > choose 'Stop'.
| >
| > 11) Clear the currently existing W3C logs. To do that, go to the log saving
| > directory and clean out any existing .W3C logs. By default, the logs will be
| > saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
| > may not be able to be deleted; that's normal.) You may back them up first
| > and then delete them.
| >
| > 12) Go back to the ISA 2004 management console, and then start the stopped
| > 'Microsoft Firewall' service.
| >
| > 13) Reproduce the problem, stop the service, and then gather the resulting
| > W3C files and send them to me for analysis.
| >
| > 14) Please also let me know the IP address of the testing clients so that I
| > can filter the data.
| >
| > Hope these steps will give you some help.
| >
| > Thanks and have a nice day!
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| >
| > --------------------
| > | Thread-Topic: ISA 2000 upgrade to ISA 2004
| > | thread-index: Ace54vQqugo8htrlRDevIIDY/RfBHw==
| > | X-WBNR-Posting-Host: 207.46.19.168
| > | From: =?Utf-8?B?QnJpYW4=?= <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: ISA 2000 upgrade to ISA 2004
| > | Date: Thu, 28 Jun 2007 17:18:01 -0700
| > | Lines: 31
| > | Message-ID: <F45DA164-1D24-400C-8702-239420141B73@xxxxxxxxxxxxx>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | Path: TK2MSFTNGHUB02.phx.gbl
| > | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:47083
| > | NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | I upgraded from ISA 2000 to 2004.
| > |
| > | I see a number of SecureNAT connections from External;
| > |
| > | and FOUR sessions from each workstation:
| > |
| > | date time  SecureNAT    192.xxx.xxx.43  Internal  192.xxx.xxx.43
| > | date time  Web Proxy    192.xxx.xxx.43  Internal  anonymous
| > | date time  Web Proxy    192.xxx.xxx.43  Internal  Domain\user
| > | date time  Firewall Cl  192.xxx.xxx.43  Internal  Domain\user  WorkstationID
| > |
| > |
| > | IS THIS NORMAL BEHAVIOR?
| > |
| > |
| > | I found and disabled the Rule: Allow traffic from Internal network to
| > | local host.
| > |
| > | (Note: This rule was created by the migration tool in order to maintain
| > | the default ISA 2000 behavior. This rule allows access from the Internal
| > | network to services that run on the firewall.)
| > |
| > | I removed the Gateway address from DHCP (and workstations have
| > | refreshed).
| > |
| > | Is there anything else I should do? (I want Reports to include User
| > | name not IP's)
| > |
| > | Thanks!
| > | Brian
| > |
| >
| >
|
