ISA/IIS relationship
ISA/IIS relationship - 15.Aug.2005 6:21:00 PM
jfberge
Posts: 4
Joined: 15.Aug.2005
Status: offline
I have a fairly typical SBS setup with two NICs, a .local LAN and a .com face on the external NIC via ISA translation. We have a hardware firewall that users go through for Internet access, so they're not using the SBS proxy server. What I can't quite understand is the relationship between IIS and ISA in SBS. Assuming that I only have an ISA listener for the external interface, shouldn't I be able to ignore ISA when accessing web pages on the local side of the SBS server? In such a case, all pages would be resolved by DNS, and the IIS port/address/header specs for each site, with ISA minding its own business. Conversely, could I set up ISA listeners for the local interface, and control those aspects via publishing rules (like having my sites on the same IP and port using IIS host headers which ISA invokes per requested URL) instead of DNS?

I've somehow got everything askew on my SBS box. My internal NIC has three addresses (192.168.16.1, .2, .3), with .1 as the default host DNS. SharePoint installed itself on .2, which seems to be immutable, and "publishing" as .3. I used the httpcfg utility to make IIS listen on all three (and localhost), but it won't respond to .1 at all, which is the default IP, so things like public folder administration in Exchange don't work, as the local host name translates to .1. Is ISA using .1 anyway? Do I need to set up a listener on .1? Trying to go to http://192.168.16.1 results in an ISA generated error page (403 forbidden). The default web site is supposed to use "All Unassigned" IPs, which should include .1. Navigating to .2 and .3 calls up the appropriate default web site page.

I'm just really confused. Should I just have one internal IP address? Where am I being goofy? I bought the Microsoft SBS2003 Administrator's book, but it's not very detailed about these things. As it is, most everything works ok (SMTP, Remote Web Workplace, OWA). It's just this issue with calls to the host name not working (and SharePoint).
I wish there were some simple chart that diagrammed the flow of address translation and resolution within a properly configured SBS server.
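The following batch script is an added example for the "who owns port 80 on .1?" question above; it is not the poster's code nor anything from the thread. It assumes the three internal addresses the poster lists (192.168.16.1/.2/.3), that httpcfg.exe from the Windows Server 2003 Support Tools is installed, and that it is run on the SBS box itself. The point of step 4 is that an IIS site bound to "All Unassigned" can only answer on an address if HTTP.sys actually listens there and no other process already holds the socket; netstat tells you which PID owns TCP 80 on each address, and tasklist names the process behind that PID.

```bat
@echo off
rem Added example (not from the thread): inspect and repair the HTTP.sys IP listen
rem list, then find out which process answers on TCP 80 per internal address.
rem Assumed addresses: 192.168.16.1 (.2, .3) as in the poster's description.

rem 1. Show the explicit IP listen list. An empty list means HTTP.sys binds to
rem    every address ("All Unassigned"). Once ANY entry exists, HTTP.sys listens
rem    ONLY on the listed addresses, so a missing entry silently blackholes a site.
httpcfg query iplisten

rem 2. Add any internal address that step 1 did not show (skip lines that are
rem    already present). 127.0.0.1 keeps local admin tools working.
httpcfg set iplisten -i 192.168.16.1
httpcfg set iplisten -i 192.168.16.2
httpcfg set iplisten -i 192.168.16.3
httpcfg set iplisten -i 127.0.0.1

rem 3. HTTP.sys reads the listen list only at startup, so the HTTP service must
rem    be restarted; starting w3svc brings its dependencies back up.
net stop http /y
net start w3svc

rem 4. Which process owns TCP 80 on each address? Match ":80 " (with the trailing
rem    space) so that 8080 does not match. The last column is the owning PID.
netstat -ano -p tcp | findstr ":80 "

rem 5. Map PIDs to processes. inetinfo.exe / w3wp.exe are IIS; wspsrv.exe is the
rem    ISA firewall service. If the PID on 192.168.16.1:80 is not an IIS process,
rem    IIS never sees those requests regardless of its site bindings.
tasklist /svc | findstr /i "w3wp inetinfo wspsrv"
```

Run it once before changing anything (comment out step 2 and 3) to record the current state; the output of steps 4 and 5 is what tells you whether the 403 for http://192.168.16.1 comes from a process other than IIS holding that address, which is the fact you need before deciding whether an ISA listener or publishing rule on .1 is required.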
RE: ISA/IIS relationship - 16.Aug.2005 7:10:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Joseph,
I think your network design is a bit whack.
The NAT device should be in front of the ISA/SBS box, not in parallel. Then the clients should be configured to use the SBS box as Web proxy and Firewall clients. Doing otherwise really wastes the superior security that the ISA firewall can provide.
SBS and IIS get along just fine. Just configure your NAT device in front of the ISA firewall/SBS box to forward the appropriate ports to the external interface of the ISA firewall/SBS machine.
HTH, Tom
RE: ISA/IIS relationship - 16.Aug.2005 11:16:00 AM
jfberge
Posts: 4
Joined: 15.Aug.2005
Status: offline
quote: Originally posted by tshinder:
I think your network design is a bit whack. The NAT device should be in front of the ISA/SBS box, not in parallel. Then the clients should be configured to use the SBS box as Web proxy and Firewall clients. Doing otherwise really wastes the superior security that the ISA firewall can provide.
I was concerned that the extra demand on the SBS box would slow things down with the increased disc activity. Web response seems much snappier through the hardware firewall, which is also pretty secure (NAT, very few open ports). It also enables Internet access if the SBS box is down for any reason. So if I move my users to the ISA proxy, should I just get rid of the hardware device? It seems like it wouldn't really be necessary anymore if all it did was forward ports. Our Internet interface is a fractional T1 router, with a subnet of 4 static, public IP addresses for our use. I currently have one used by the ISA box, one by the hardware firewall/router for office Internet use, and one with another, cheaper router for testing external access to our local services. Thanks for your responses. I'm a programmer who's been thrust into the job of network administrator, and I'm trying to learn best practices.
RE: ISA/IIS relationship - 16.Aug.2005 11:54:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Joseph,
No problems! I'm trying to finish up on a 6 part doc on multihomed/multiperimeter ISA firewall configuration, but as soon as I finish, I'm going to do a long series on SBS/ISA config.
It really depends on your environment, but even in the smallest of environments, user/group based access control can keep you out of a lot of hot water.
Also, calling the ISA firewall a "proxy" is somewhat of a misnomer. The ISA firewall is ALWAYS a firewall -- you can't turn off its stateful packet inspection. In contrast, you can very easily disable the Web proxy filter and not even use the Winsock proxy client.
Stay tuned for the SBS series!
Thanks! Tom
RE: ISA/IIS relationship - 16.Aug.2005 12:32:00 PM
ababinchak
Posts: 195
Joined: 16.Aug.2005
From: Michigan
Status: offline
Nada. ISA doesn't ignore the inside of the network. ISA doesn't trust any computer regardless of where it is. Follow Tom's advice and put that little router in front of ISA. Open up those holes in the router to allow the SBS servers that you require outside access.

Here's the full list. Pick and choose as needed.

- 21 FTP: Enables external and internal file transfer
- 25 Exchange Server: Enables incoming and outgoing SMTP mail
- 80 (http://) IIS: Enables all nonsecure browser access, including internal access to IIS Webs (the company Web, Windows SharePoint Web, Windows SharePoint administration Web, and server monitoring and usage reports); enables internal access to Exchange by OWA and OMA clients
- 110 POP3: Enables Exchange to accept incoming POP3 mail
- 123 (UDP port) NTP: Enables the system to synchronize time with an external Network Time Protocol (NTP) server
- 143 IMAP4: Enables Exchange to accept incoming IMAP4-compliant messages
- 220 IMAP3: Enables Exchange to accept incoming IMAP3-compliant messages
- 443 (https://) Outlook: Enables all secure browser access, including external access to Exchange for Outlook 2003, OWA, and OMA clients; required for external access to server monitoring and usage reports
- 444 Windows SharePoint Services: Enables internal and external access to the SharePoint Web
- 500 IPSec: Enables external VPN connections by using IPSec
- 1701 L2TP clients: Enables external L2TP VPN connections
- 1723 PPTP clients: Enables external PPTP VPN connections
- 3389 Terminal Services: Enables internal and external Terminal Services client connections
- 4125 (Note: you can change this port in RRAS) Remote Web Workplace: Enables external OWA access to Exchange, plus internal and external HTTPS access to the client Web site
- 4500 IPSec: Internet Key Exchange (IKE) Network Address Translation (NAT) traversal
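The list above is the menu; the router in front of ISA should forward only what the services you actually expose need. The script below is an added example, not code from the thread or from Microsoft: it encodes the posted port list, a service-to-port mapping that is an assumption drawn from the list's wording (e.g. Remote Web Workplace is reached over HTTPS on 443 plus its own port 4125), computes the minimal forward set for a chosen set of services, and audits a router's existing forward table against it, flagging forwards that nothing needs and ports the list only describes as internal or outbound (80 and 123).

```python
"""Least-privilege port-forward set for a NAT router in front of an SBS/ISA box.

Added example, not part of the thread. PORT_TABLE is the port list posted above;
INBOUND_PORTS (which ports each externally reachable service needs) and the
service names are assumptions made here for illustration.
"""
from typing import Dict, Iterable, List, Set, Tuple

Port = Tuple[int, str]  # (number, "tcp" | "udp")

# Ports from the thread's list. Protocol is assumed TCP except where the list
# says UDP (123) or the protocol is known to be UDP (IKE 500/4500, L2TP 1701).
PORT_TABLE: Dict[Port, str] = {
    (21, "tcp"): "FTP",
    (25, "tcp"): "SMTP (Exchange)",
    (80, "tcp"): "HTTP (IIS)",
    (110, "tcp"): "POP3",
    (123, "udp"): "NTP",
    (143, "tcp"): "IMAP4",
    (220, "tcp"): "IMAP3",
    (443, "tcp"): "HTTPS",
    (444, "tcp"): "Windows SharePoint Services",
    (500, "udp"): "IPSec IKE",
    (1701, "udp"): "L2TP",
    (1723, "tcp"): "PPTP",
    (3389, "tcp"): "Terminal Services",
    (4125, "tcp"): "Remote Web Workplace",
    (4500, "udp"): "IKE NAT traversal",
}

# Ports the list describes only as internal-facing or outbound; never forward
# them in from the Internet. (80: the list mentions only internal access.
# 123: the server polls an external NTP server, which is outbound traffic.)
NEVER_FORWARD: Set[Port] = {(80, "tcp"), (123, "udp")}

# Assumed service -> inbound ports mapping, derived from the list's wording.
INBOUND_PORTS: Dict[str, Set[Port]] = {
    "smtp": {(25, "tcp")},
    "pop3": {(110, "tcp")},
    "imap4": {(143, "tcp")},
    "imap3": {(220, "tcp")},
    "ftp": {(21, "tcp")},
    "owa": {(443, "tcp")},
    "rww": {(443, "tcp"), (4125, "tcp")},
    "sharepoint": {(444, "tcp")},
    "terminal_services": {(3389, "tcp")},
    # PPTP also needs GRE (IP protocol 47), which is not a port and which the
    # posted list does not mention; the router must pass it separately.
    "pptp_vpn": {(1723, "tcp")},
    "l2tp_ipsec_vpn": {(500, "udp"), (1701, "udp"), (4500, "udp")},
}


def required_forwards(services: Iterable[str]) -> List[Port]:
    """Return the sorted, de-duplicated inbound forwards the given services need."""
    needed: Set[Port] = set()
    for name in services:
        try:
            needed |= INBOUND_PORTS[name]
        except KeyError:
            raise ValueError(
                f"unknown service {name!r}; known: {sorted(INBOUND_PORTS)}"
            ) from None
    return sorted(needed)


def audit_forwards(configured: Iterable[Port],
                   services: Iterable[str]) -> Dict[str, List[Port]]:
    """Compare a router's forward table with what the services actually need.

    missing:     needed but not forwarded (service will not work from outside)
    forbidden:   forwarded although the list marks the port internal/outbound only
    unnecessary: forwarded but no selected service needs it (extra attack surface)
    """
    have = set(configured)
    need = set(required_forwards(services))
    forbidden = have & NEVER_FORWARD
    return {
        "missing": sorted(need - have),
        "forbidden": sorted(forbidden),
        "unnecessary": sorted(have - need - forbidden),
    }


def describe(port: Port) -> str:
    """Human-readable label for a (port, proto) pair."""
    return f"{port[0]}/{port[1]} {PORT_TABLE.get(port, '(not in the SBS list)')}"


if __name__ == "__main__":
    wanted = ["smtp", "owa", "rww"]
    # Constructed router config for the demo: it forwards 80 and 3389, which
    # nothing here needs, and forgets 4125, so RWW fails although 443 is open.
    router = [(25, "tcp"), (80, "tcp"), (443, "tcp"), (3389, "tcp")]
    for kind, ports in audit_forwards(router, wanted).items():
        print(f"{kind}: {[describe(p) for p in ports]}")
```

The audit is the part worth keeping around: re-run it whenever someone "temporarily" opens a port on the router, and treat anything in `unnecessary` or `forbidden` as a hole to close rather than a convenience to keep.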
RE: ISA/IIS relationship - 17.Aug.2005 10:41:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Amy,
Thanks!
Tom