Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
How i configure ISA SERVER without proxy?
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
RE: How i configure ISA SERVER without proxy? - 4.Jun.2008 7:32:30 AM
|
|
|
elmajdal
Posts: 4959
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
Ok you need to set the client as securenet client, that is to point its default gateway to ISA Server Internal NIC. seems like you already did this, but where is the DNS Entry on the Internal ISA Server machine and on the client ?
do you have an internal DNS Server ?
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 4.Jun.2008 12:58:03 PM
|
|
|
tobiastromm
Posts: 13
Joined: 3.Jun.2008
Status: offline
|
Hi!
Yesterday work... today dosen't work more...
Please...
DNS:
INTERNET:
IP: 192.168.0.4
Gateway: 192.168.0.1
Máscara: 255.255.255.0
Primary DNS: 201.10.120.3
Secondary DNS: 201.10.1.2
LOCAL NETWORK:
IP: 10.0.0.1
Máscara: 255.0.0.0
Gateway: blank
Primary DNS: 10.0.0.1
-x-
Desktops:
IP: 10.x.x.x
Máscara: 255.0.0.0
Gateway: 10.0.0.1
Primary DNS: 10.0.0.1
_____________________________
Tobias Tromm
tobias@tromm.no-ip.org
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 4.Jun.2008 1:01:04 PM
|
|
|
tobiastromm
Posts: 13
Joined: 3.Jun.2008
Status: offline
|
When I ping a external host, for example
ping google.com.br from internal network, he find ip but don't have a answer...
_____________________________
Tobias Tromm
tobias@tromm.no-ip.org
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 4.Jun.2008 7:25:29 PM
|
|
|
elmajdal
Posts: 4959
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
quote:
ORIGINAL: tobiastromm
INTERNET:
IP: 192.168.0.4
Gateway: 192.168.0.1
Máscara: 255.255.255.0
Primary DNS: 201.10.120.3
Secondary DNS: 201.10.1.2
LOCAL NETWORK:
IP: 10.0.0.1
Máscara: 255.0.0.0
Gateway: blank
Primary DNS: 10.0.0.1
Never put any DNS Entry on the external NIC ! remove the ISP DNS Entries from the external NIC.
now on the internal NIC, i can see that the same internal of your ISA Server is set in the DNS Entry , is your ISA Server a DNS Server as well ????
Also you will need to read my article here : Internal DNS Forwarding Through ISA Server 2004/2006
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 4.Jun.2008 9:24:22 PM
|
|
|
tobiastromm
Posts: 13
Joined: 3.Jun.2008
Status: offline
|
OK. I remove the primary and secondary DNS from INTERNET NIC and the system say "the dns list is empty, now your DNS is the local IP because this machine is a DNS Server"...
Then, the two NIC - Local Network and Internet - receive a localhost for DNS = 127.0.0.1????
_____________________________
Tobias Tromm
tobias@tromm.no-ip.org
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 5.Jun.2008 2:07:18 AM
|
|
|
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline
|
quote:
ORIGINAL: tobiastromm
OK. I remove the primary and secondary DNS from INTERNET NIC and the system say "the dns list is empty, now your DNS is the local IP because this machine is a DNS Server"...
Then, the two NIC - Local Network and Internet - receive a localhost for DNS = 127.0.0.1????
The comment is explaind because of you configuration as Tarek said.
LOCAL NETWORK:
IP: 10.0.0.1
Máscara: 255.0.0.0
Gateway: blank
Primary DNS: 10.0.0.1
Have you installed the ISA server as a DNS server? It's look like you have installed the ISA server as a DNS server, so the other question is why you chosen that kind of configuration?
It's preferd that you forward external namerasolution queries to a DNS server outside you corporate network. The internal DNS server should be configured with at forwarder for external queries.
_____________________________
Henrik Parkkinen
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 5.Jun.2008 5:23:24 AM
|
|
|
elmajdal
Posts: 4959
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
quote:
ORIGINAL: tobiastromm
OK. I remove the primary and secondary DNS from INTERNET NIC and the system say "the dns list is empty, now your DNS is the local IP because this machine is a DNS Server"...
Then, the two NIC - Local Network and Internet - receive a localhost for DNS = 127.0.0.1????
Hi ,
Installing DNS Services is one of the supported configurations.
Check this : http://technet.microsoft.com/en-us/library/cc302550.aspx
HTH,
Tarek
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 5.Jun.2008 11:37:56 AM
|
|
|
tobiastromm
Posts: 13
Joined: 3.Jun.2008
Status: offline
|
Hey... Can you please conect to my remote desktop to look my configuration? Send a message to my e-mail, and i give for you the server name and login/password.
_____________________________
Tobias Tromm
tobias@tromm.no-ip.org
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 6.Jun.2008 12:48:06 PM
|
|
|
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline
|
quote:
ORIGINAL: elmajdal
quote:
ORIGINAL: HePa
Ok, but as the technet article says it a "caching-only DNS" that's the supported of how to intall a DNS server service on a ISA server(?, right?! There is actually diffrent kind of DNS server solutions, and caching-only DNS is only one of those
Hi Hepa,
Do a search on the net and on this site and you will find multiple articles on how to install DNS Server on ISA Server, also other supported services such as DHCP etc ....
As you have said, there are plenty of scenarios and i'm not going to paste the links for each and every scenario
I will, my question was just if the only DNS-solution was the "caching-only DNS"...because that I've never heard about anything else. Anyway, I'll search for the articles and going to take a look at those.
So it's supported to install a ISA server as a DHCP server, but is it recomended? As I've understod you should place the DHCP service on an other server within your organisation if you have the possibility...but that's not maby true(?).
_____________________________
Henrik Parkkinen
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 6.Jun.2008 12:59:07 PM
|
|
|
elmajdal
Posts: 4959
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
Hi Hepa,
If it was up to me, i would always prefer to leave the ISA Server as it should be and treat it only as a Firewall and nothing else.
There are few supported cases and services that can be installed on ISA Server, but its always the fault of the administrator who should not increase the attack surface on his Firewall. users tend to create an open rule such as follows:
Allow > ALL Protocols> From Internal & LocalHost > To Internal & LocalHost > ALL Users which is a NO NO NO !!!
As for the DHCP Article,Check the article here :Configuring the ISA Server Computer as a DHCP Server
before i forget, one of the debatable issue, is installing IIS on ISA Server, well the new TMG will install IIS , as it needs it for SQL Service Reporting, although TMG will install IIS for specific purposes, user should not abuse it and start using it as a Web Server and start to publish website on the Firewall itself.
Here is the blog entry : http://blogs.isaserver.org/shinder/2008/05/12/tmg-runs-iis-7-is-this-a-security-issue/
< Message edited by elmajdal -- 6.Jun.2008 1:03:05 PM >
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 6.Jun.2008 2:01:28 PM
|
|
|
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline
|
Hi Tarek,
Exactlly, installing "unecesarry" service on a ISA server increses the attack surface...so I'm also against solutions like those. I actually were about to add that to my comment, and explain why I think it's not a fancy solution. My personal comment is that allways separate services from each other if there posibility and don't install them onto the same server. I hate when I see a DC installed with a SQL database for example (which I've seen several times)...so therefore I'm by nature agains all those solutions with installing multiple services onto a server (which increases the attack surface) and can adventure the server performance, configuration, security etc.
TMG can be installed on a Windows Server 2008 server as I've heard so there is actually some benefits with that. The attack surface is smaller because of the number of installed services and started services by default after the server has been installd. IIS in Windows Server 2008 is hardend and is modulary built, in about 40 modules, and each one which you need on your server needs to be installed...but I understand that there has been a discussion about IIS installed on a Firewall, it don't sound good in my ears anyway if it's running on W2k8 or W2k3.
_____________________________
Henrik Parkkinen
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 6.Jun.2008 5:54:38 PM
|
|
|
tobiastromm
Posts: 13
Joined: 3.Jun.2008
Status: offline
|
Boys, please... don't fight.
My network is very small. My server is a file server, dhcp server, proxy server, dns server, antivirus server, etc. All services run on this server...
Back to my ploblem... Is not a DNS problem!!! I think i find the problem, something conflict with OfficeScan Personal Firewall. I'am testing and post a result...
_____________________________
Tobias Tromm
tobias@tromm.no-ip.org
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 7.Jun.2008 2:16:10 AM
|
|
|
elmajdal
Posts: 4959
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
We are not fighting ! These are Web Boards  and its the place to discuss, illustrate, argue and stuff like this .
quote:
My network is very small. My server is a file server, dhcp server, proxy server, dns server, antivirus server, etc. All services run on this server...
So are you creating the rule quote:
Allow > ALL Protocols> From Internal & LocalHost > To Internal & LocalHost > ALL Users which is a NO NO NO !!! You are putting all your eggs in one basket, so watch out !
quote:
Back to my ploblem... Is not a DNS problem!!! I think i find the problem, something conflict with OfficeScan Personal Firewall. I'am testing and post a result...
Keep us updated, thanks
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 7.Jun.2008 6:43:00 AM
|
|
|
HePa
Posts: 135
Joined: 9.May2008
From: Sweden, Gothenburg
Status: offline
|
I hope you found the problem and as said before, we are not fighting, we are having a discussion. It's interesting to exchange experiance and thoughts of how to do and what to do. As I've learnd during my carrier it's not allways the best configuration just because of the configuration is supported. In some cases, if you have a small network, it may be the only solution to place the most of the services on a handfull number of servers...but thats not a solution that I like but as I said, sometimes there isn't no other solution.
Anyway, I hope the problems is solved for you.
_____________________________
Henrik Parkkinen
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 7.Jun.2008 4:55:35 PM
|
|
|
tobiastromm
Posts: 13
Joined: 3.Jun.2008
Status: offline
|
Boys, thank you.
My problem is over.
I stop and disable the service OfficeScan Personal Firewall on the server and the problem over. The same service work perfectly on desktops, but not on the server.
Thank you!
_____________________________
Tobias Tromm
tobias@tromm.no-ip.org
|
|
|
|
|
RE: How i configure ISA SERVER without proxy? - 7.Jun.2008 5:38:31 PM
|
|
|
elmajdal
Posts: 4959
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
Great , glad that you sorted it out and thanks for the follow up.
By the way, why are installing a firewall on a firewall ?
If it is an Antivirus app, is there any option to disable the firewall part ?
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
How i configure ISA SERVER without proxy? - 
