I have a fairly typical SBS setup with two NICs, a .local LAN and a .com face on the external NIC via ISA translation. We have a hardware firewall that users go through for Internet access, so they're not using the SBS proxy server. What I can't quite understand is the relationship between IIS and ISA in SBS. Assuming that I only have an ISA listener for the external interface, shouldn't I be able to ignore ISA when accessing web pages on the local side of the SBS server? In such a case, all pages would be resolved by DNS and the IIS port/address/header specs for each site, with ISA minding its own business. Conversely, could I set up ISA listeners for the local interface and control those aspects via publishing rules (like having my sites on the same IP and port using IIS host headers, which ISA invokes per requested URL) instead of DNS?

I've somehow got everything askew on my SBS box. My internal NIC has three addresses (192.168.16.1, .2, .3), with .1 as the default host DNS. SharePoint installed itself on .2, which seems to be immutable, and "publishing" on .3. I used the httpcfg utility to make IIS listen on all three (and localhost), but it won't respond to .1 at all, which is the default IP, so things like public folder administration in Exchange don't work, as the local host name translates to .1. Is ISA using .1 anyway? Do I need to set up a listener on .1? Trying to go to http://192.168.16.1 results in an ISA-generated error page (403 Forbidden). The default web site is supposed to use "All Unassigned" IPs, which should include .1. Navigating to .2 and .3 calls up the appropriate default web site page. I'm just really confused. Should I just have one internal IP address? Where am I being goofy?

I bought the Microsoft SBS2003 Administrator's book, but it's not very detailed about these things. As it is, most everything works OK (SMTP, Remote Web Workplace, OWA). It's just this issue with calls to the host name not working (and SharePoint).
I wish there were some simple chart that diagrammed the flow of address translation and resolution within a properly configured SBS server.
The NAT device should be in front of the ISA/SBS box, not in parallel. Then the clients should be configured to use the SBS box as Web proxy and Firewall clients. Doing otherwise really wastes the superior security that the ISA firewall can provide.
SBS and IIS get along just fine. Just configure your NAT device in front of the ISA firewall/SBS box to forward the appropriate ports to the external interface of the ISA firewall/SBS machine.
> Originally posted by tshinder: I think your network design is a bit whack. The NAT device should be in front of the ISA/SBS box, not in parallel. Then the clients should be configured to use the SBS box as Web proxy and Firewall clients. Doing otherwise really wastes the superior security that the ISA firewall can provide.
I was concerned that the extra demand on the SBS box would slow things down with the increased disc activity. Web response seems much snappier through the hardware firewall, which is also pretty secure (NAT, very few open ports). It also enables Internet access if the SBS box is down for any reason. So if I move my users to the ISA proxy, should I just get rid of the hardware device? It seems like it wouldn't really be necessary anymore if all it did was forward ports. Our Internet interface is a fractional T1 router, with a subnet of 4 static, public IP addresses for our use. I currently have one used by the ISA box, one by the hardware firewall/router for office Internet use, and one with another, cheaper router for testing external access to our local services. Thanks for your responses. I'm a programmer who's been thrust into the job of network administrator, and I'm trying to learn best practices.
No problems! I'm trying to finish up a 6-part doc on multihomed/multiperimeter ISA firewall configuration, but as soon as I finish, I'm going to do a long series on SBS/ISA config.
It really depends on your environment, but even in the smallest of environments, user/group based access control can keep you out of a lot of hot water.
Also, calling the ISA firewall a "proxy" is somewhat of a misnomer. The ISA firewall is ALWAYS a firewall -- you can't turn off its stateful packet inspection. In contrast, you can very easily disable the Web proxy filter and not even use the Winsock proxy client.
Nada. ISA doesn't ignore the inside of the network. ISA doesn't trust any computer regardless of where it is. Follow Tom's advice and put that little router in front of ISA. Open up those holes in the router to allow the SBS servers that you require outside access.
Here's the full list. Pick and choose as needed.

Port            Service                       Purpose
21              FTP                           Enables external and internal file transfer
25              Exchange Server               Enables incoming and outgoing SMTP mail
80 (http://)    IIS                           Enables all nonsecure browser access, including internal access to IIS Webs (the company Web, Windows SharePoint Web, Windows SharePoint administration Web, and server monitoring and usage reports); enables internal access to Exchange by OWA and OMA clients
110             POP3                          Enables Exchange to accept incoming POP3 mail
123 (UDP)       NTP                           Enables the system to synchronize time with an external Network Time Protocol (NTP) server
143             IMAP4                         Enables Exchange to accept incoming IMAP4-compliant messages
220             IMAP3                         Enables Exchange to accept incoming IMAP3-compliant messages
443 (https://)  Outlook                       Enables all secure browser access, including external access to Exchange for Outlook 2003, OWA, and OMA clients; required for external access to server monitoring and usage reports
444             Windows SharePoint Services   Enables internal and external access to the SharePoint Web
500             IPSec                         Enables external VPN connections by using IPSec
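A worked instance of the advice in this thread (NAT device in front of the ISA/SBS box, forwarding only the ports you actually use from the list above) as an added example, not code from any poster. It assumes the NAT device is a Linux box running iptables, with `eth0` as its public interface and `10.0.0.2` as the ISA external NIC, both constructed placeholders; the rules are emitted as text for review rather than applied.

```shell
#!/bin/sh
# Added example: generate a default-deny port-forwarding policy for a Linux
# NAT box placed in front of the ISA/SBS machine (assumption: the real device
# in the thread is unnamed hardware; iptables is used here for illustration).

WAN_IF="eth0"        # assumed public-facing interface of the NAT box
ISA_EXT="10.0.0.2"   # assumed external NIC of the ISA/SBS box (constructed)

# Inbound services from the SBS port table, mapped to protocol and port.
# NTP (UDP 123) is outbound time sync in that table, so it is not forwarded.
# The table lists only UDP 500 for IPSec, so only that is mapped here.
sbs_port() {
    case "$1" in
        ftp)        echo "tcp 21" ;;
        smtp)       echo "tcp 25" ;;
        http)       echo "tcp 80" ;;
        pop3)       echo "tcp 110" ;;
        imap4)      echo "tcp 143" ;;
        imap3)      echo "tcp 220" ;;
        https)      echo "tcp 443" ;;
        sharepoint) echo "tcp 444" ;;
        ipsec)      echo "udp 500" ;;
        *)          return 1 ;;
    esac
}

# Emit a drop-by-default FORWARD policy, then one DNAT + ACCEPT pair per
# requested service. An unknown service name aborts instead of being skipped,
# so a typo cannot silently leave a needed service unpublished.
sbs_forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in "$@"; do
        pp=$(sbs_port "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        proto=${pp% *}
        port=${pp#* }
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $ISA_EXT:$port"
        echo "iptables -A FORWARD -i $WAN_IF -d $ISA_EXT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

# The original poster uses SMTP, OWA and Remote Web Workplace (443) and
# nothing else from the list, so only those two ports are forwarded.
sbs_forward_rules smtp https
```

Everything not explicitly forwarded stays closed at the NAT box, and the ISA firewall still inspects whatever does get through.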