ISAserver.org Forums
All Forums >> [ISA Server 2004 General ] >> ISA 2004 SBS >> ISA/IIS relationship

ISA/IIS relationship
ISA/IIS relationship - 15.Aug.2005 6:21:00 PM   
jfberge
Posts: 4
Joined: 15.Aug.2005
Status: offline
I have a fairly typical SBS setup with two NICs, a .local LAN and a .com face on the external NIC via ISA translation. We have a hardware firewall that users go through for Internet access, so they're not using the SBS proxy server. What I can't quite understand is the relationship between IIS and ISA in SBS. Assuming that I only have an ISA listener for the external interface, shouldn't I be able to ignore ISA when accessing web pages on the local side of the SBS server? In such a case, all pages would be resolved by DNS, and the IIS port/address/header specs for each site, with ISA minding its own business. Conversely, could I set up ISA listeners for the local interface, and control those aspects via publishing rules (like having my sites on the same IP and port using IIS host headers which ISA invokes per requested url) instead of DNS?
I've somehow got everything askew on my SBS box. My internal NIC has three addresses (192.168.16.1, .2, .3), with .1 as the default host DNS. SharePoint installed itself on .2, which seems to be immutable, and "publishing" as .3. I used the httpcfg utility to make IIS listen on all three (and localhost), but it won't respond to .1 at all, which is the default IP, so things like public folder administration in Exchange don't work, as the local host name translates to .1. Is ISA using .1 anyway? Do I need to set up a listener on .1? Trying to go to http://192.168.16.1 results in an ISA generated error page (403 forbidden). The default web site is supposed to use "All Unassigned" IPs, which should include .1. Navigating to .2 and .3 calls up the appropriate default web site page.
I'm just really confused. Should I just have one internal IP address? Where am I being goofy? I bought the Microsoft SBS2003 Administrator's book, but it's not very detailed about these things.
As it is, most everything works ok (SMTP, Remote Web Workplace, OWA). It's just this issue with calls to the host name not working (and sharepoint). I wish there were some simple chart that diagrammed the flow of address translation and resolution within a properly configured SBS server.
Post #: 1
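The first thing to establish in a setup like the one described above is which process actually owns port 80 on each internal address, because an ISA Web listener and IIS (http.sys) cannot both bind the same IP:port, and whoever got there first is the one that answers. The following is an added example (not from the thread, not a Microsoft tool): it parses `netstat -ano -p tcp` output from a Windows 2003 box and reports, per local IP, who holds the port. On Windows 2003 the http.sys listener used by IIS 6 appears as PID 4 (System); an ISA 2004 Web listener is owned by wspsrv.exe, whose PID varies. The netstat text and the PID-to-process map below are constructed to mirror the poster's layout (ISA holding .1, IIS on .2 and .3); PID 1532 for wspsrv.exe and the other PIDs are placeholders.

```python
"""Which process answers TCP port 80 on each local IP of a Windows 2003/SBS box?

Added example. Parse `netstat -ano -p tcp` and report, per local IPv4 address,
the PID that owns the LISTENING socket on a given port. PID 4 (System) is the
http.sys listener that IIS 6 uses; anything else on port 80 is some other
program, e.g. an ISA 2004 Web listener (wspsrv.exe).
"""
import re

HTTP_SYS_PID = 4  # IIS 6 / http.sys listens inside the System process on Windows 2003

# Constructed sample of `netstat -ano -p tcp`; not captured from the poster's server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2096
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1532
  TCP    192.168.16.1:80        0.0.0.0:0              LISTENING       1532
  TCP    192.168.16.2:80        0.0.0.0:0              LISTENING       4
  TCP    192.168.16.3:80        0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING       4
  TCP    192.168.16.2:1433      192.168.16.25:3491     ESTABLISHED     1760
"""

# Constructed PID -> image map; on a real box build it from `tasklist /svc`.
SAMPLE_PIDS = {4: "System", 1532: "wspsrv.exe", 2096: "inetinfo.exe", 1760: "sqlservr.exe"}

# One LISTENING line: proto, local ip:port, foreign addr, state, pid
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text):
    """Return {(ip, port): pid} for every LISTENING TCP socket in the output."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[(m["ip"], int(m["port"]))] = int(m["pid"])
    return listeners


def owner_of(listeners, ip, port):
    """PID bound to ip:port. A specific-address bind wins; otherwise fall back to a
    wildcard 0.0.0.0 bind on that port; None if nobody listens."""
    return listeners.get((ip, port), listeners.get(("0.0.0.0", port)))


def audit_port(listeners, pid_names, port, ips):
    """For each IP report who answers `port`: 'iis' for http.sys (PID 4), the
    image name of another owner, or 'nobody'."""
    report = {}
    for ip in ips:
        pid = owner_of(listeners, ip, port)
        if pid is None:
            report[ip] = "nobody"
        elif pid == HTTP_SYS_PID:
            report[ip] = "iis"
        else:
            report[ip] = pid_names.get(pid, f"pid {pid}")
    return report


if __name__ == "__main__":
    lst = parse_listeners(SAMPLE_NETSTAT)
    internal_ips = ["192.168.16.1", "192.168.16.2", "192.168.16.3"]
    for ip, who in audit_port(lst, SAMPLE_PIDS, 80, internal_ips).items():
        print(f"{ip}:80 -> {who}")
```

With the constructed sample the script reports wspsrv.exe on .1 and IIS on .2 and .3, which is the pattern that produces an ISA-generated 403 on http://192.168.16.1 while the other two addresses serve the default web site. On a real SBS box, run `netstat -ano -p tcp` and `tasklist /svc` for the input, and `httpcfg query iplisten` (Windows Server 2003 Support Tools) to confirm which addresses http.sys was told to bind; "All Unassigned" in IIS only covers addresses that http.sys can still take.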
RE: ISA/IIS relationship - 16.Aug.2005 7:10:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Joseph,

I think your network design is a bit whack.

The NAT device should be in front of the ISA/SBS box, not in parallel. Then the clients should be configured to use the SBS box as Web proxy and Firewall clients. Doing otherwise really wastes the superior security that the ISA firewall can provide.

SBS and IIS get along just fine. Just configure your NAT device in front of the ISA firewall/SBS box to forward the appropriate ports to the external interface of the ISA firewall/SBS machine.

HTH,
Tom

(in reply to jfberge)
Post #: 2
RE: ISA/IIS relationship - 16.Aug.2005 11:16:00 AM   
jfberge
Posts: 4
Joined: 15.Aug.2005
Status: offline
quote:
Originally posted by tshinder:

I think your network design is a bit whack.
The NAT device should be in front of the ISA/SBS box, not in parallel. Then the clients should be configured to use the SBS box as Web proxy and Firewall clients. Doing otherwise really wastes the superior security that the ISA firewall can provide.

I was concerned that the extra demand on the SBS box would slow things down with the increased disc activity. Web response seems much snappier through the hardware firewall, which is also pretty secure (NAT, very few open ports). It also enables Internet access if the SBS box is down for any reason.
So if I move my users to the ISA proxy, should I just get rid of the hardware device? It seems like it wouldn't really be necessary anymore if all it did was forward ports. Our Internet interface is a fractional T1 router, with a subnet of 4 static, public IP addresses for our use. I currently have one used by the ISA box, one by the hardware firewall/router for office Internet use, and one with another, cheaper router for testing external access to our local services.
Thanks for your responses. I'm a programmer who's been thrust into the job of network administrator, and I'm trying to learn best practices.

(in reply to jfberge)
Post #: 3
RE: ISA/IIS relationship - 16.Aug.2005 11:54:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Joseph,

No problems! I'm trying to finish up a 6-part doc on multihomed/multiperimeter ISA firewall configuration, but as soon as I finish, I'm going to do a long series on SBS/ISA config.

It really depends on your environment, but even in the smallest of environments, user/group based access control can keep you out of a lot of hot water.

Also, calling the ISA firewall a "proxy" is somewhat of a misnomer. The ISA firewall is ALWAYS a firewall -- you can't turn off its stateful packet inspection. In contrast, you can very easily disable the Web proxy filter and not even use the Winsock proxy client.

Stay tuned for the SBS series!

Thanks!
Tom

(in reply to jfberge)
Post #: 4
RE: ISA/IIS relationship - 16.Aug.2005 12:32:00 PM   
ababinchak
Posts: 195
Joined: 16.Aug.2005
From: Michigan
Status: offline
Nada. ISA doesn't ignore the inside of the network. ISA doesn't trust any computer regardless of where it is. Follow Tom's advice and put that little router in front of ISA. Open up those holes in the router to allow the SBS servers that you require outside access.

Here's the full list. Pick and choose as needed.

21, FTP: Enables external and internal file transfer
25, Exchange Server: Enables incoming and outgoing SMTP mail
80 (http://), IIS: Enables all nonsecure browser access, including internal access to IIS Webs (the company Web, Windows SharePoint Web, Windows SharePoint administration Web, and server monitoring and usage reports); enables internal access to Exchange by OWA and OMA clients
110, POP3: Enables Exchange to accept incoming POP3 mail
123 (UDP port), NTP: Enables the system to synchronize time with an external Network Time Protocol (NTP) server
143, IMAP4: Enables Exchange to accept incoming IMAP4-compliant messages
220, IMAP3: Enables Exchange to accept incoming IMAP3-compliant messages
443 (https://), Outlook: Enables all secure browser access, including external access to Exchange for Outlook 2003, OWA, and OMA clients; required for external access to server monitoring and usage reports
444, Windows SharePoint Services: Enables internal and external access to the SharePoint Web
500, IPSec: Enables external VPN connections by using IPSec
1701, L2TP clients: Enables external L2TP VPN connections
1723, PPTP clients: Enables external PPTP VPN connections
3389, Terminal Services: Enables internal and external Terminal Services client connections
4125 (Note: you can change this port in RRAS), Remote Web Workplace: Enables external OWA access to Exchange, plus internal and external HTTPS access to the client Web site
4500, IPSec: Internet Key Exchange (IKE) Network Address Translation (NAT) traversal

(in reply to jfberge)
Post #: 5
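Once the NAT router sits in front of the ISA/SBS box, the only forwards it should carry are the ones for services you chose from the list above, and every one of them should land on the ISA external interface rather than on a LAN host behind it. The following is an added example, not part of the thread and not a Microsoft or ISA tool: it takes a router's port-forward table plus the set of services you decided to publish and flags forwards that bypass ISA, forwarded ports nobody asked for, and required services with no forward. The router rules, the external address 203.0.113.10 and the TCP/UDP assignment for each port (the post itself only marks 123 as UDP) are my assumptions.

```python
"""Audit a perimeter NAT router's port-forward table against the SBS services
you intend to publish through ISA. Added example; all sample data is constructed.
"""
import collections

ISA_EXTERNAL_IP = "203.0.113.10"  # assumed: external NIC of the ISA/SBS box

# The SBS port list from the post above, keyed by (protocol, port).
# Protocol assignment is mine; the post lists bare port numbers except 123.
SBS_PORTS = {
    ("tcp", 21): "FTP", ("tcp", 25): "SMTP", ("tcp", 80): "HTTP/IIS",
    ("tcp", 110): "POP3", ("udp", 123): "NTP", ("tcp", 143): "IMAP4",
    ("tcp", 220): "IMAP3", ("tcp", 443): "HTTPS", ("tcp", 444): "SharePoint",
    ("udp", 500): "IKE", ("udp", 1701): "L2TP", ("tcp", 1723): "PPTP",
    ("tcp", 3389): "Terminal Services", ("tcp", 4125): "Remote Web Workplace",
    ("udp", 4500): "IKE NAT-T",
}

Rule = collections.namedtuple("Rule", "proto ext_port dest_ip dest_port")

# Constructed router port-forward table (not the poster's real configuration).
SAMPLE_RULES = [
    Rule("tcp", 25, "203.0.113.10", 25),
    Rule("tcp", 443, "203.0.113.10", 443),
    Rule("tcp", 4125, "203.0.113.10", 4125),
    Rule("tcp", 21, "203.0.113.10", 21),        # FTP forwarded but never requested
    Rule("tcp", 3389, "192.168.16.50", 3389),   # RDP straight to a LAN workstation, skipping ISA
]

# What the admin decided to publish: SMTP, OWA/HTTPS, Remote Web Workplace, PPTP VPN.
REQUIRED = {("tcp", 25), ("tcp", 443), ("tcp", 4125), ("tcp", 1723)}


def audit_forwards(rules, required, isa_ip=ISA_EXTERNAL_IP):
    """Compare the router's forwards with the required service set.

    Returns a dict with three sorted lists:
      bypasses_isa: (proto, ext_port, dest_ip) for rules not terminating on ISA
      unneeded:     (proto, port) forwarded to ISA but absent from `required`
      missing:      (proto, port) in `required` with no forward to ISA
    """
    bypasses = sorted((r.proto, r.ext_port, r.dest_ip) for r in rules if r.dest_ip != isa_ip)
    to_isa = {(r.proto, r.dest_port) for r in rules if r.dest_ip == isa_ip}
    unneeded = sorted(to_isa - set(required))
    missing = sorted(set(required) - to_isa)
    return {"bypasses_isa": bypasses, "unneeded": unneeded, "missing": missing}


def describe(finding):
    """Human-readable label for a finding tuple, using the SBS port table."""
    proto, port = finding[0], finding[1]
    name = SBS_PORTS.get((proto, port), "not an SBS service port")
    return f"{proto}/{port} ({name})"


if __name__ == "__main__":
    result = audit_forwards(SAMPLE_RULES, REQUIRED)
    for category, items in result.items():
        for item in items:
            target = f" -> {item[2]}" if len(item) == 3 else ""
            print(f"{category}: {describe(item)}{target}")
```

Against the constructed table the audit reports the RDP forward to 192.168.16.50 as bypassing ISA, tcp/21 as an unneeded hole, and tcp/1723 as a required service the router never forwards. The "bypasses_isa" list is the one to act on first: a forward that terminates on a LAN host is traffic the ISA firewall never sees, which is exactly the parallel design the earlier replies argue against.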
RE: ISA/IIS relationship - 17.Aug.2005 10:41:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Amy,

Thanks!

Tom

(in reply to jfberge)
Post #: 6