I'll start off by admitting I'm a newbie to ISA... I've read Dr. Shinder's book and browsed around this site to solve a lot of my issues, but I've come up against one that I simply can't figure out.
We are running a native Win2k server environment (brand new office and equipment). ISA Server is running by itself on a server in integrated mode, serving a frac T-1 to our internal clients. There are three servers in the domain, all configured as Secure-NAT and working very well. All of the workstations are brand new Dells with Windows XP and the firewall client.
Outgoing internet access on the workstations is great with two exceptions:
1. 99% of streaming media doesn't get through
2. POP3 access to an external mail server just broke yesterday.
I have been battling issue #1 for a week or so without a resolution. #2 just revealed itself yesterday and I've yet to solve that one either. Protocol rules are wide open at this point, and Outlook still returns an "Outlook is unable to contact your default mail server" error. We have an internal Exchange 2000 server that is working great.
On the streaming media front, I have not tested RealMedia (and refuse to because I hate the client), but just about any Windows media stream will not work. The client just hangs at the "Connecting to media" stage.
I've tried hooking my laptop directly to the net connection and both streaming media and pop3 work fine, so I know the problem lies with ISA somewhere.
The newest piece to this puzzle, I discovered tonight, is that if I configure a workstation as SecureNAT and disable the firewall client, both streaming media and pop3 work perfectly. As per Dr. Shinder's recommendations, I set the DHCP server to not configure clients with a default gateway/router address so that they're forced to use the firewall client and web proxy.
Everything I've read indicates that the firewall client is supposed to be the preferable solution. I like the thought of having all traffic logged to the particular user, and I want to be able to handle all protocols without much hassle, so the firewall client seemed like a no-brainer to me. But people here are very accustomed to their internet radio stations and I'm catching a lot of heat because they're still not working.
I know that the power to figuring out a lot of this is in the logging, and I must confess that I don't know how to interpret most of the info in the logs. I did turn on logging for allow as well as deny and I enabled logging of all fields for all three services. One thing I just tried was checking the logs with the firewall client enabled and then with it disabled and with a default gateway configured, and trying an Outlook Send/Receive. The results with the firewall client enabled (and no default gateway) were NO entries in the FWSEXTD20020423 log showing any kind of request for port 110 (or any other port). Then, with the firewall client disabled and no default gateway, the following two entries appeared in the log:
Maybe that's normal for nothing to appear in that log with the firewall client enabled... I still don't know enough about the logging yet.
But my experiences with the firewall client are contradicting everything I'd heard about it being the less problematic (compared to SecureNAT) as far as getting different kinds of traffic through.
You guys are some real experts with this product, so I'm appealing for any assistance you can offer here! Configuring 20 workstations back to SecureNAT is something I can do, but I would rather get the FW client working like it's supposed to.
I would paste logs detailing the windows media access (with firewall client and then snat client enabled) but those are a lot more complicated and I have no idea what to look for. If pasting log info would be helpful in figuring out that side of my problem I'd be happy to do so.
Oh, and just so I've covered all of my bases, under Site and Content rules I have only an "Allow All" rule. Under Protocol Rules I have an "Allow All" rule among other specific allow rules (I do not have any deny rules). The only IP packet filters enabled are the default ICMP and DNS filters.
As you can see, I've made everything wide-open until I can get everything working. Then I'll start locking things down.
I hope that was enough info without being overwhelming. I would really appreciate any info you all can provide!
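An added example, not from this thread, of the log check described above: a small Python script that parses W3C extended-format firewall-service log lines (the format ISA Server writes) and reports which clients requested a given remote port, plus which requests failed. The field names and the sample log lines are constructed assumptions, so the parser reads the layout from the #Fields directive rather than hard-coding column positions.

```python
"""Scan W3C extended-format firewall log lines for requests to a given remote port."""
from collections import defaultdict

# Constructed sample log. The field names are an assumption about the ISA 2000
# firewall-service log layout; the parser trusts the #Fields line, not this guess.
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2002-04-23 21:15:00
#Fields: c-ip c-username date time s-svcname r-host r-ip r-port cs-protocol cs-transport s-operation sc-status
192.168.0.101 - 2002-04-23 21:15:01 fwsrv mail.example.net 10.1.2.3 110 Pop3 TCP Connect 0
192.168.0.101 - 2002-04-23 21:15:02 fwsrv mail.example.net 10.1.2.3 110 Pop3 TCP Connect 0
192.168.0.102 - 2002-04-23 21:15:05 fwsrv www.example.org 10.4.5.6 80 HTTP TCP Connect 0
192.168.0.103 - 2002-04-23 21:15:09 fwsrv media.example.org 10.7.8.9 1755 MMS TCP Connect 10061
"""


def parse_w3c(text):
    """Yield one dict per data record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if fields is None:
            raise ValueError("data record seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records rather than misalign columns
        yield dict(zip(fields, values))


def requests_to_port(text, port):
    """Return {client_ip: count} for records whose remote port (r-port) equals `port`."""
    counts = defaultdict(int)
    for rec in parse_w3c(text):
        if rec.get("r-port") == str(port):
            counts[rec["c-ip"]] += 1
    return dict(counts)


def failed_requests(text):
    """Return (client, host, port, status) for records whose sc-status is non-zero.
    Assumption: 0 means success and any other value is a Windows error code."""
    return [(r["c-ip"], r["r-host"], r["r-port"], r["sc-status"])
            for r in parse_w3c(text) if r.get("sc-status") != "0"]
```

Point `requests_to_port(open(path).read(), 110)` at a real FWSEXTD log to see whether a client's POP3 attempts reach the firewall service at all; an empty result with the Firewall client enabled means the request never got that far.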
When I hear there are problems with the Firewall client but not the SecureNAT client, I suspect a DNS configuration issue at the ISA Server. How do you have DNS configured on your ISA Server interfaces?
Thanks for the quick reply. There are two NICs in my ISA box, with DNS configured as follows:
North Interface (external): My ISP's DNS (they host our domain name), and Qwest's ns1 as secondary.
South Interface (internal): My internal DNS server, running on a Win2k domain controller (IP is 192.168.0.253). Per your book, I configured that DNS server to use a forwarder out to my ISP's DNS server (the same address listed as primary for the North interface).
Hope that was enough info. All of the clients have the internal DNS server (192.168.0.253) as their primary DNS (supplied by DHCP).
Secondly, your internal DNS servers use forwarders to resolve external names. That's very good, but make sure you enable DNS Query (UDP port 53) and Zone Transfer (TCP port 53) in the protocol rule for your internal DNS server.
Dan, for what it's worth, if you can ping the Qwest mail server via its host name then DNS is not the problem. I am forwarding on my network as well from my internal DNS server and it works fine. As for the DNS server on your external NIC, I tend to agree with Tom. Don't put anything there. As for streaming media, the Osbourne book says that some of the intrusion detection packet filters can conflict with streaming media. I believe you need to make sure the "Enable filtering of IP fragments" box is unchecked.
Lastly I will say this. After using this program for 8 months now, I find ISA Server mystical and terrible. You configure site and content rules, protocol rules along with definitions, and IP packet filters, and sometimes it allows traffic to pass as it should and sometimes it does not. I've even made the rules etc. apply to all requests. POP3 mail works one day and after rebooting it does not. One day RDP works, then it does not??!
It just seems strange that you configure it step by step just like it's supposed to be configured, and it doesn't work like it should. Then again sometimes it does. I've had the same problems that you've had. (Save for the streaming media)
I'm going to go out on a limb here. For 2500 to 4000 dollars that Microsoft wants for this hard to configure, unstable SOFTWARE firewall, you could get a top of the line WatchGuard, Raptor, or NetScreen firewall. They actually work like they are supposed to when you configure them.... I should know, I work for an ISP and we do it all day and all night. I share your frustration pal. I'll make one more prediction here. You will try something off the wall and it will work again...
spouseele & loosestools (nice name LOL),
Thank you both for your suggestions and for sharing in my frustrations!
I will definitely check out my DNS configuration again and remove the DNS servers from the external interface on my ISA Server. Maybe I'll even try reinstalling ISA Server for good measure.
And loosestools, thanks for the tip on a WatchGuard or similar appliance. If I can't get these problems resolved it might end up being a better alternative to just drop the $$ on a dedicated appliance and be done with it!
I'm still a supporter of the internal/external interface configuration because of the weird way Win2k has of disabling all DNS servers in the list of a particular interface if a negative response is received from a DNS server. I've run into problems a couple of times because of this, although not so much that you have to have a DNS server on the external interface. On networks with a solid internal DNS infrastructure and a reliable connection to the internet, I will put the DNS servers on the internal interface only and leave the external interface either empty, or put the same settings on the external interface to deal with the occasional screw up in the DNS client service where it turns off the DNS server list.
My experiences with ISA Server are not the same as loosestools'! I find it very robust and as long as I don't try to make ISA Server do things it's not designed to do, everything works fine (with the exception of bandwidth rules on machines with multiple IP addresses on the external interface; in that case you can forget about using bandwidth control). I've been able to make it do everything I want, and my clients want (after I teach them what they want) it to do.
Many streaming media sites will conk out because of fragment filtering. If you need to allow access to the sites, disable fragment filtering but be aware of the risk you have by allowing this fairly common exploit to be run against you.
I have noticed, on just a couple of occasions, that a POP3 client with the Firewall client installed will not work if the time outs at the ISP's mail server are too long. That is a problem with the ISP not managing their mail service correctly, IMHO. Each time I called them on this issue, they admitted that they were either being attacked or they had a runaway process they were tracking down.
You can use local DNS name resolution for the Firewall client, too. I find this helpful only on larger networks. On smaller networks, I prefer to allow the ISA Server to perform DNS proxy and configure the LDT to instruct the Firewall clients which domains they should query for locally.