Re: SBS R2 ISA2004 Dark Arts
- From: "Steve Foster [SBS MVP]" <steve.foster@xxxxxxxxxxxxx>
- Date: Wed, 22 Aug 2007 06:05:59 -0700
Marcus wrote:
> I'm having problems. I've posted on the ISA TechNet and it's not helped
> (perhaps due to an SBS prejudice).
Some ISA experts do have very large anti-SBS chips on their shoulders.
> My infrastructure is this.
> SBS2003 R2 Premium in the back-end firewall configuration.
SBS has no concept of "back-end firewall". It's the edge firewall, pure and simple. That you may layer another firewall in front of it is irrelevant to SBS.
> Internal network NIC IP is 10.0.32.1 and perimeter (internet facing) NIC IP is
> 192.168.1.2.
> There is a front firewall which has a perimeter (intranet facing) NIC IP of
> 192.168.1.1. It has an external static (internet facing) NIC IP of W.X.Y.Z.
> For the purposes of this discussion the front firewall is merely acting as a
> front router (as I have disabled all of its firewall functionality).
That's all fine. You just tell SBS that its internal network is 10.0.32.x, and everything else is external.
> I have installed SBS2003 R2 (and all service packs and WSUS updates).
> I have configured the (non-ISA) Windows firewall, E-mail and remote working
> using CEICW.
> So far, so good. Everything works. WSUS is fine. I get web pages (on the
> server and clients). E-mail is fine, including embedded images.
> I install ISA2004 following the instructions exactly. I also downloaded and
> installed all of the service packs and WSUS updates, rebooting between each
> when prompted to do so.
> It creates a proxy for IE clients. The proxy is also used by WSUS. However,
> I can't reach the internet from IE from the localhost or clients. WSUS fails
> to sync. E-mail arrives and goes out but I no longer get embedded images.
> I look at the ISA Management Console policies and rules. It doesn't reflect
> the back-firewall configuration I have so I run the back-firewall template
> granting full access. Still no joy.
> I manually set the Computer->Front Firewall to 192.168.1.1 and the perimeter
> network to be 192.168.1.0 to 192.168.1.254.
No, no, *no*. The CEICW sets up ISA just the way you need it for SBS. At this point, I'd start by deleting all the ISA rules, and rerun the CEICW. If that doesn't reset ISA, you may need to uninstall/reinstall to clear the bad configuration.
> None of the template-generated rules includes either the perimeter network
> or the front firewall. IE, WSUS and embedded images still don't work.
> I bought Tom Shinder's book. It doesn't cover SBS and hints that SBS is a
> bad idea (waste of money for me). I went to isaserver.org (following advice
> from the ISA Server TechNet) and read all five parts of his series on ISA and
> SBS, but I was waiting for parts 6 onwards which don't exist. Parts 1 to 5
> were no help either.
Tom knows ISA very well, but his site has had no good SBS-specific content for a while. The articles he does have mostly apply to SBS2000 only.
> I have visited every blog and site I can find and none tell me how to write
> rules or policies to get traffic out and back through the perimeter network
> and the front firewall.
You don't need to. The default SBS configuration does all you need in ISA. Beyond that, it's up to the other firewall.
> I can't be the only person who has encountered this problem. How do I get
> out and back? Is there a site with examples of policies and rules which work
> in this configuration?
> Finally, for clients which use the proxy, how do I ensure that the
> experimental changes I make via ISA Server Management Console are actually
> employed when I test from a client? Do I have to log off and on each time I
> make changes, or is there something else I can do?
The ISA rules that will be applied are those in force at the time. IOW, as soon as you click the big Apply in the ISA console.
--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.