Re: SBS R2 ISA2004 Dark Arts

I suspect you need to be over in the ISA forum. Like it or not. In the
SBS market KISS works. 2 nics. Folks that try to do three nics don't
seem to get too far.

On Tue, 21 Aug 2007 22:24:04 -0700, Marcus
<Marcus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Thanks for the elaborated description and advice, SuperGumby.

I appreciate the help that the CEICW provides, but he's right; because both
CEICW and the templates in the ISA Server Management Console do not
accurately reflect my situation I'm asking the TechNet.

I have 4 NICS in the SBS 2003 R2 server.

NIC-1 faces the front firewall. Right now the front firewall is not an ISA
server but the intention is for that to become one in the future. Right now
it is in a front router mode. When I get the configuration to work, it will
then reset its functionality to only allow traffic through either way from
specific ports and for VPN from authenticated remote users.

NIC-2 faces the internal "Live" network.

NIC-3 will be a DMZ.

NIC-4 faces the "Test" network. I'm keeping "Test" and "Live" environments
separate.

So, with future activation of NIC-3 and NIC-4 in mind, what I need to do
first is to create specific policies/rules which allows traffic from/to
specific ports (like HTTP, HTTPS, the WSUS port, kerbanos...) on the
localhost NIC-1 and on the front firewall.

My question, I suppose, is what are these rules in this situation, and how
far up or down the ISA rule/policy stack do they go?

Is there somewhere within my ISA folder set some files which contain the
(perhaps XML) definitions of ALL of the possible template rules / policies. I
can then see what these are like and replicate the extra ones I need to make
this all work.

Finally, I know I'm probably straying beyond what SBS 2003 R2 was designed
for, but I see no reason why I shouldn't stretch its boundaries and
capabilities. I'm not going to be the only person in the world who's
interested in getting more done with less for less cost.

"Steve" wrote:

SuperGumby has done a great job of expanding on this. You'll have to use ISA
in SBS as intended or you'll get into trouble.

"Marcus" <Marcus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6D48C99F-5C94-4758-AF87-5652D68627C1@xxxxxxxxxxxxxxxx
For me it's not that simple. I need the back firewall configuration as,
when
I get the simple case I have described to work, I'll then extend this to
include a DMZ in the perimeter network. The aim is to then place some
other
servers in the DMZ.

So, I have to get the back firewall configuration to work with the
perimeter
network (addresses as specified) in the rules/policies. If it can't work
without the DMZ then the chances of evolving to the DMZ configuration are
slim.

(Oh, I have lots of NICS on the server running SBS 2003 R2. So, specifying
another network should not be a problem.)

I'd happily take further advice, in particular if you have any pointers
(URLs) to sites with template/example policies and rules relevant to SBS
and
ISA deployments.

Thanks, Marcus

"Steve" wrote:

All my ISA 2004 installs also have another router in front of them. The
ISA
network configuration after running the CEICW is as an Edge Firewall not
a
Back Firewall. All functionality works fine. I suggest you just let the
CEICW do the configuration and setup the proper default ISA rules and
then
see if something still isn't working.

"Marcus" <Marcus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DC20C4E6-F139-4FBE-9FB3-0064139240E1@xxxxxxxxxxxxxxxx
I'm having problems. I've posted on the ISA TecNet and it's not helped
(perhaps due to a SBS prejudice).

My infrastructure is this.
SBS2003 R2 Premium in the back-end fire wall configuration. Internal
network
NIC IP is 10.0.32.1 and perimeter (internet facing) NIC IP is
192.168.1.2.
There is a front firewall which has a perimeter (intranet facing) NIC
IP
of
192.168.1.1. It has an external static (internet facing) NIC IP of
W.X.Y.Z.
For the purposes of this discussion the front firewall is merely acting
as
a
front router (as I have disabled all of its firewall functionality).

I have installed SBS2003 R2 (and all service packs and WSUS updates).
I have configured the (non-ISA) Windows firewall, E-mail and remote
working
using CEICW.

So far, so good. Everything works. WSUS is fine. I get web pages (on
the
server and clients). E-mail is fine, including embedded images.

I install ISA2004 following the instructions exactly. I also downloaded
and
installed all of the service packs and WSUS updates, rebooting between
each
when prompted to do so.

It creates a proxy for IE clients. The proxy is also used by WSUS.
However,
I can't reach the internet from IE from the localhost or clients. WSUS
fails
to sync. E-mail arrives and goes out but I no longer get embedded
images.

I look at the ISA Management Console policies and rules. It doesn't
reflect
the back-firewall configuration I have so I run the back-firewall
template
granting full access. Still no joy.

I manually set the Computer->Front Firewall to 192.168.1.1 and the
perimeter
network to be 192.168.1.0 to 192.168.1.254.

None of the template generated rules includes either the perimeter
network
or the front fire wall. IE, WSUS and embedded images still don't work.

I bought Tom Shinder's book. It doesn't cover SBS and hints that SBS is
a
bad idea (waste of money for me). I went to isaserver.org (following
advice
from the ISA Server TechNet) and read all five parts of his series on
ISA
and
SBS, but I was waiting for parts 6 onwards which don't exist. Parts 1
to 5
were no help either.

I have visited every blog and site I can find and none tell me how to
write
rules or policies to get traffic out and back through the perimeter
network
and the front firewall.

I can't be the only person who has encountered this problem. How do I
get
out and back? Is there a site with examples of policies and rules which
work
in this configuration?

Finally, for clients which use the proxy, how do I ensure that the
experimental changes I make via ISA Server Management Console are
actually
employed when I test from a client? Do I have to log off and on each
time
I
make changes, or is there something else I can do?







.

Relevant Pages

  • Re: Cannot connect through ISA Server to www.microsoft.com, but can connect via IP address
    ... NICs at GB speed. ... So what happens when the server and the workstations are on the same ... Les Connor [SBS MVP] ... PMTU that ISA Server installation disabled. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 1002 Premium R2 Mangling Port Issues
    ... For solutions like forefront, I am unsure why MS is not using the Windows ... When we use the term "hardware" firewall, ... The direction now is hardware firewall in front of SBS. ... NIC or 2 NICs) did you finally end up with? ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 1002 Premium R2 Mangling Port Issues
    ... I will leave ISA out of the equation in that case. ... NIC or 2 NICs) did you finally end up with? ... the WAN NIC so there's only one NIC in the SBS (and then re-run CEICW ... port forward 8016 to the "external" SBS NIC IP ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS VPN setup?
    ... wouldn't need ISA, so that is completely gone in the matter. ... are you referring to a firewall device hardware type, ... I prefer SBS 2k3 without ISA. ... outlined above...and the firewall appliance is an ISA server, ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 + TS. HELP needed URGENTLY please!
    ... matter) about the routing table the ISA client will be intercepting calls. ... even without the ISA client on the TS (and depending on use it may ... SBS remote support services. ... The SBS server has 2 nics configured with ISA and a public IP I shall ...
    (microsoft.public.windows.server.sbs)