Re: SBS R2 ISA2004 Dark Arts
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Wed, 22 Aug 2007 10:11:39 +1000
not so much 'in trouble', but you move outside wizard based use, and I'm not
exactly sure what wizards (other than the CEICW, which is definite) would be
broken by a 3 legged config. The gist however is correct, use ISA on SBS as
intended, or move outside the 'supported' envelope at your own peril.
BTW: tks for the compliment.
"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:O03iUzE5HHA.4436@xxxxxxxxxxxxxxxxxxxxxxx
SuperGumby has done a great job of expanding on this. You'll have to use
ISA in SBS as intended or you'll get into trouble.
"Marcus" <Marcus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6D48C99F-5C94-4758-AF87-5652D68627C1@xxxxxxxxxxxxxxxx
For me it's not that simple. I need the back firewall configuration as,
when
I get the simple case I have described to work, I'll then extend this to
include a DMZ in the perimeter network. The aim is to then place some
other
servers in the DMZ.
So, I have to get the back firewall configuration to work with the
perimeter
network (addresses as specified) in the rules/policies. If it can't work
without the DMZ then the chances of evolving to the DMZ configuration are
slim.
(Oh, I have lots of NICS on the server running SBS 2003 R2. So,
specifying
another network should not be a problem.)
I'd happily take further advice, in particular if you have any pointers
(URLs) to sites with template/example policies and rules relevant to SBS
and
ISA deployments.
Thanks, Marcus
"Steve" wrote:
All my ISA 2004 installs also have another router in front of them. The
ISA
network configuration after running the CEICW is as an Edge Firewall not
a
Back Firewall. All functionality works fine. I suggest you just let the
CEICW do the configuration and setup the proper default ISA rules and
then
see if something still isn't working.
"Marcus" <Marcus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DC20C4E6-F139-4FBE-9FB3-0064139240E1@xxxxxxxxxxxxxxxx
I'm having problems. I've posted on the ISA TecNet and it's not helped
(perhaps due to a SBS prejudice).
My infrastructure is this.
SBS2003 R2 Premium in the back-end fire wall configuration. Internal
network
NIC IP is 10.0.32.1 and perimeter (internet facing) NIC IP is
192.168.1.2.
There is a front firewall which has a perimeter (intranet facing) NIC
IP
of
192.168.1.1. It has an external static (internet facing) NIC IP of
W.X.Y.Z.
For the purposes of this discussion the front firewall is merely
acting as
a
front router (as I have disabled all of its firewall functionality).
I have installed SBS2003 R2 (and all service packs and WSUS updates).
I have configured the (non-ISA) Windows firewall, E-mail and remote
working
using CEICW.
So far, so good. Everything works. WSUS is fine. I get web pages (on
the
server and clients). E-mail is fine, including embedded images.
I install ISA2004 following the instructions exactly. I also
downloaded
and
installed all of the service packs and WSUS updates, rebooting between
each
when prompted to do so.
It creates a proxy for IE clients. The proxy is also used by WSUS.
However,
I can't reach the internet from IE from the localhost or clients. WSUS
fails
to sync. E-mail arrives and goes out but I no longer get embedded
images.
I look at the ISA Management Console policies and rules. It doesn't
reflect
the back-firewall configuration I have so I run the back-firewall
template
granting full access. Still no joy.
I manually set the Computer->Front Firewall to 192.168.1.1 and the
perimeter
network to be 192.168.1.0 to 192.168.1.254.
None of the template generated rules includes either the perimeter
network
or the front fire wall. IE, WSUS and embedded images still don't work.
I bought Tom Shinder's book. It doesn't cover SBS and hints that SBS
is a
bad idea (waste of money for me). I went to isaserver.org (following
advice
from the ISA Server TechNet) and read all five parts of his series on
ISA
and
SBS, but I was waiting for parts 6 onwards which don't exist. Parts 1
to 5
were no help either.
I have visited every blog and site I can find and none tell me how to
write
rules or policies to get traffic out and back through the perimeter
network
and the front firewall.
I can't be the only person who has encountered this problem. How do I
get
out and back? Is there a site with examples of policies and rules
which
work
in this configuration?
Finally, for clients which use the proxy, how do I ensure that the
experimental changes I make via ISA Server Management Console are
actually
employed when I test from a client? Do I have to log off and on each
time
I
make changes, or is there something else I can do?
.
- References:
- Re: SBS R2 ISA2004 Dark Arts
- From: Steve
- Re: SBS R2 ISA2004 Dark Arts
- From: Marcus
- Re: SBS R2 ISA2004 Dark Arts
- From: Steve
- Re: SBS R2 ISA2004 Dark Arts
- Prev by Date: Re: connect computer problem
- Next by Date: Re: Rerouting my email to my local server
- Previous by thread: Re: SBS R2 ISA2004 Dark Arts
- Next by thread: Re: SBS R2 ISA2004 Dark Arts
- Index(es):
Relevant Pages
|
