Welcome to ISAserver.org

ISA 2k6 upgrade and reconfiguring our current config???

ISA 2k6 upgrade and reconfiguring our current config??? - 9.Oct.2006 10:04:00 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Yes, I definitely need Dr Shinder's book. And yes I am quite confused about what to do and somewhat new at this.

Edited for clarity

I described how our network is configured over on the Security Forums in the past and the comment was made that our web server is just sitting there waiting for somebody to slap its balls. Basically it straddles the internal and external network, with one card configured with an internal IP set and the other with our external IPs for web publishing. It does not pass through the ISA 2000 server in any way. I personally don't like it sitting there like that, and in fact somebody started uploading movies and junk onto that server the other day via FTP, which was easy enough since the FTP folder was set up with anonymous access.

So, I figure since we are going to upgrade that server from Win2k/ISA Server 2K to Win2K3/ISA Server 2006 I would go ahead and take the opportunity to reconfigure how that part of our network is set up. I cannot afford to set up a back to back DMZ right now, so I figured three-homing would be better than nothing, but I am getting confused. The way I read it from MSKB and Tom Shinder's tutorials, with three-homing the ISA has one card directed to our internal net, one directed to the internet and one that points to the web server, which also has to have a "public" IP. That comment about the web server having to have a public IP leads me to believe that it is still sitting out there exposed on the web, but separated by ISA from our internal network. So that then leads me to believe that it still isn't really protecting the web server, so now not only is ISA facing the web, but so is the web server. Hmm?

So then I started thinking maybe we pull the web server behind the ISA, just like how the Exchange server is set up. BUT when we did this in the past with ISA 2000, the other admin told me that Webtrends stopped recording hits properly and a few other things didn't work as planned, though I don't recall exactly what.
So, in this situation, what would you do? EDIT I found out what one of the other problems was. We have private pages on our website that are intended for our clients to be able to access documents and drawings. The issue was that when we had the web server behind ISA 2000, the clients could not always authenticate to access those pages. This was especially problematic if they were also behind an ISA firewall.

The way Exchange is positioned behind ISA currently works great, so we can keep it that way.

I need WebTrends to function as intended.

I need FTP uploading and downloading to work, though using basic authentication at least.

I need web pages to be able to be served up and clients to be able to access their project related sites.

And I want the web server to be more secure than I feel it is right now. BUT, at minimum I want the big hole plugged and if that means the web server sits out on the web by itself, then so be it.


Any help or pointers in the right direction will be greatly appreciated.

I also think our DNS configuration is hosed, but that is another subject.

< Message edited by manning -- 10.Oct.2006 12:52:21 PM >


_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2
Post #: 1
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 11.Oct.2006 9:48:04 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

ISA 2006 is majorly different from 2000. The new ISA Firewall should solve just about all the issues you've run into.

Which one do you want to handle first?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 2
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 12.Oct.2006 10:51:50 AM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Well, after typing for ten minutes I closed IE by mistake, so let me start over.

Thank you for responding first and foremost. I understand most of the concepts, though the detail is somewhat of a mystery. To answer the question about what to handle first, that is tricky and I think I need to backtrack first to address a couple things regarding our network config before I proceed to ISA.

The most important is our current DNS configuration, and while I figure this maybe isn't the place to address that, perhaps you still can assist. I suspect that our current DNS is not configured properly or is over configured if that makes sense. We have DNS running on the ISA 2000 server, and we have DNS installed on all 3 domain controllers though it is only configured on 2 of them. All three forward to Qwest's DNS servers. All three appear to be configured to use root hint servers. And all three have what I guess are the requisite forward and reverse lookup zones. In addition, I do not see any DNS errors in the event logs. BUT what I do see happen is:

1) When I run simple tests on the monitoring tab all three DNS servers pass. When I run recursive tests, the two internal servers fail.

2) While root hint servers are listed on the root hints tab, I cannot get any of them to resolve on the two internal servers when I click the edit button and then click to resolve the name.

Internal resolution works however, and I am pointing to one of the internal DNS servers right now. Is what I described above an issue to be concerned about?

EDIT I don't know that it matters, but our internal and external domain names are different. For example, internal might be Shmoe.com and external is JoeSchmoe.com

To the ISA question, I don't really know where to start. I did manage to get 2004 media, since it is downloadable from the MVLS site, so I will likely upgrade to 2004 first - or should I not waste my time?

The next step is whether to pull the web server behind or put it in a DMZ. And that is really the question to answer before I worry about the configuration too much, no?

Based on my needs listed above, what makes more sense? Let me add that I am not 100% sure I need to fret about protecting the web server, I really want to plug the hole it is currently making in our network AND still be able to access it from my desk. By that I mean I need to be able to move files and folders over to it and not have to monkey around too much to do that. With it behind the ISA that is easy breezy, but with it out in the DMZ, how simple is that process? The worry is that as confusing as this all is to me, think of how confused my coworkers will be if they have to jump through hoops to move files out onto the web server for our clients to access from their respective private web folders.

The next consideration is - with the web server out in the DMZ it is completely out in the public space, correct? With it behind ISA it is in our private space, but we have to set up rules to allow traffic from the outside to access it. Which is safer for my network and secondarily for the web server? Or which makes more sense from a practical standpoint?

As long as I can: easily allow FTP access for uploading and downloading using authentication of some sort, allow our clients to access their private sites with authentication, and make sure Webtrends will properly record hits and where they are coming from then I will be pretty happy.

Do I need to focus a bit, or is there enough there to start? Basically, to DMZ or pull behind ISA?

I have more questions than this one post can handle, like why the guy who originally set up our web server and the ISA server has about 5 IPs configured on each of the network cards, but we can address that later.

< Message edited by manning -- 12.Oct.2006 4:16:15 PM >


_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 3
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 18.Oct.2006 2:06:50 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Got the books, including the how to cheat at setup book. Awesome. Very easy reads so far. I think I have a better feeling about going forward with this, though our current DNS setup is still troubling me. I'm also still not sure which direction to take as to pulling the web server in behind the ISA or putting it in a DMZ, but I am leaning toward pulling it behind the ISA.

I also think I am going to talk my boss into letting me buy a basic entry level server to replace our current ISA server so I can have a new clean install under way, while the existing ISA still keeps doing its thing for now. Also the old server is actually an old workstation and is getting pretty long in the tooth and at very least could stand a new pair of drives since these have 5 years of constant running right now.

I still wouldn't mind a little input based on my first couple of posts. Please.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to manning)
Post #: 4
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 19.Oct.2006 10:04:19 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

I actually wrote a very detailed explanation of things but then the Web site went haywire and I lost a half hour of work.

What are your most significant issues right now?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 5
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 19.Oct.2006 12:30:08 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Thank you for replying. I think right now after reading the first 300 pages of the ISA 2004 book and some of the How to Cheat book I feel a lot more relaxed. I am pretty sure we have DNS on the two internal servers slightly off kilter and DNS on the ISA server is not quite right either. I also think there may be a rule missing or misconfigured in ISA for the DNS queries. I am out until Monday, so I'll have to wait until then to check the config as I don't want to do it remotely.

So the right now issue is to check DNS and the rules in my current ISA to make sure they are correct. I'll post what I find on Monday.

I guess maybe one question since I haven't read far enough in is, should I just blow away DNS on the ISA server and make sure my rules are set up correctly or go for the cache only setup and proper rules? Right now the DNS on our ISA 2000 has everything from forward and reverse zones, forwarders and root hints to tambourines and trumpets and I am pretty sure the forwarders and zones are not quite right.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 6
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 21.Oct.2006 12:58:41 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

You can have a DNS server on the ISA Firewall, but it should be configured as a caching only DNS server, and should not be hosting any zones or domains. Then you can configure the internal DNS server to use the ISA Firewall as a caching only DNS forwarder.

However, a cleaner setup is to have another machine perform DNS resolution and configure the ISA Firewall to use that machine.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 7
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 23.Oct.2006 11:18:11 AM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
If I understand this from what I've read so far, I would set up the two internal DNS servers for internet access, perhaps based on this KB article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323380

Then make sure ISA has rules in place to allow DNS through it, which should basically be configuring rules for TCP and UDP ports 53? And finally point the internal interface to use one of the internal DNS servers for names resolution. Simple as that? Any gotchas to be aware of?

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 8
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 24.Oct.2006 9:41:55 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

That should do it!

Make sure to create the rules on the ISA Firewall to allow the outbound DNS connections.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 9
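The two posts above describe a specific DNS path: internal DNS servers forward to one designated resolver, and the ISA Firewall needs an outbound rule for TCP and UDP 53. The PowerShell below is an added check for that path, not code from the thread or from Microsoft; it assumes constructed addresses (10.0.0.11 and 10.0.0.12 as the internal DNS servers, 10.0.0.1 as the designated resolver), the DnsServer and DnsClient modules of Windows Server 2012 / Windows 8 or later, and that it is run from a management host on the internal network.

```powershell
# Added example (not from the thread): verify the internal DNS -> forwarder -> Internet
# path the posts above describe, and separate "zone is fine" from "recursion is blocked".
# Constructed values; substitute your own.
$InternalDns  = @('10.0.0.11', '10.0.0.12')   # constructed: the two internal DNS servers
$ExpectedFwd  = '10.0.0.1'                     # constructed: the designated resolver/forwarder
$InternalZone = 'shmoe.com'                    # the example internal name used in the thread
$ProbeName    = 'www.microsoft.com'            # any well-known external name

$results = foreach ($srv in $InternalDns) {
    # 1) Internal zone still answers: the "simple test" that passed in the thread.
    $soa = Resolve-DnsName -Name $InternalZone -Type SOA -Server $srv -ErrorAction SilentlyContinue
    $internalOk = $null -ne $soa

    # 2) Recursive resolution of an external name: the "recursive test" that failed.
    #    A real answer must contain at least one A record, not just a referral.
    $rec = Resolve-DnsName -Name $ProbeName -Type A -Server $srv -ErrorAction SilentlyContinue
    $recursiveOk = @($rec | Where-Object { $_.Type -eq 'A' }).Count -gt 0

    # 3) Forwarders point at the designated resolver, not a stale ISP list.
    $fwd = @((Get-DnsServerForwarder -ComputerName $srv -ErrorAction SilentlyContinue).IPAddress |
             ForEach-Object { $_.IPAddressToString })
    $forwarderOk = $fwd -contains $ExpectedFwd

    # 4) Port 53 reachability from the DNS server itself to the resolver. TCP is tested
    #    directly (needed for large answers and zone transfers); UDP 53 is exercised by
    #    the recursive query in step 2, so RecursiveOk=False with Tcp53Ok=False points
    #    at a missing firewall rule rather than a DNS misconfiguration.
    $tcp53Ok = Invoke-Command -ComputerName $srv -ErrorAction SilentlyContinue -ScriptBlock {
        (Test-NetConnection -ComputerName $using:ExpectedFwd -Port 53 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Server      = $srv
        InternalOk  = $internalOk
        RecursiveOk = $recursiveOk
        Forwarders  = ($fwd -join ',')
        ForwarderOk = $forwarderOk
        Tcp53Ok     = [bool]$tcp53Ok
    }
}

$results | Format-Table -AutoSize
```

Step 4 needs PowerShell remoting enabled on the DNS servers; if it is not, run the block on each DNS server and drop the Invoke-Command wrapper.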
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 24.Oct.2006 10:28:16 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
OK, I feel a little bit better and really crappy today.

Better - I finally figured out what was missing that was messing up DNS on my two internal DNS servers. It was indeed one more missing rule in ISA. The guy who set up ISA and the rest of our network for that matter, and is still our other sys admin, never bothered to add any rules or filters for DNS, and that has been like 5 years ago that he first set it up. So since I took the initiative to get our network working properly a few months ago I've been banging my head against the wall as I slowly found each missing rule or filter. Thanks to your book and help so far I now feel comfortable moving forward with the upgrade since I now know DNS is working well enough.

Crappy - Well, right after I got the above issue sorted, I went on to upgrade a DC to Win 2K3 and wouldn't you know it, it took a dump on me. So now I have to manually remove it from AD and then replace the failed drive and start over from scratch.

The new server for the ISA upgrade should be here in a day or so, and I hope to make it as clean and by the book as possible. No DNS on it, no unneeded services, etc.

Thanks again!

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 10
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 25.Oct.2006 8:08:37 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

You're getting there, slow but sure!

Sorry to hear about the 2003 upgrade :( 

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 11
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 13.Nov.2006 8:44:33 AM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Dr. Shinder,

You already know I started a 2004 install. I decided not to upgrade the old 2000 server in place, especially after the 2003 server upgrade fiasco. I also couldn't import my old config from the existing 2000 server into the new 2004 instance for some reason. So my question is, in your or other peoples' opinions should I bother to go forward with configuring 2004 or skip ahead and configure as 2006?

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 12
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 13.Nov.2006 3:37:11 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

What I would do is document the rules on the ISA 2000 box, and then go with ISA 2006, and recreate the rules on the new ISA 2006 box.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 13
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 13.Nov.2006 4:16:12 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
So skip 2004 altogether?

I am documenting the 2000 box. The only worry is that some of the rules, filters, etc. are not configured well. I found one the other day when I was trying to get that DNS issue sorted that had about half the protocols available selected for allow. Needless to say that rule didn't do what the other admin had intended for it to do.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 14
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 14.Nov.2006 9:27:29 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

That's the value of going over the old policy. You're finding problems with it that you won't repeat in the ISA 2006 firewall configuration.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 15
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 17.Nov.2006 4:23:12 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Yeah. It is a little bit annoying though since there are so many rules configured and I'm having a bit of a time with which are legit and which are garbage.

I also kind of liked how 2000 had the different elements broken out into different branches on the left hand tree, versus being stuck under the Firewall Policy category in 04/06.

The other thing that is giving me heartburn is that since I have to bind our various external IPs onto the external NIC to get things to work I can't really have the old server up and running as I configure and test new elements on the new server.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 16
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 19.Nov.2006 11:57:55 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

That's true. You can't have both machines with the same IP addresses bound to them live on the same Ethernet segments.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 17
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 27.Nov.2006 2:24:00 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Sorry to keep dragging this thread up. I have a few more questions. This thread is kind of like watching a train wreck, huh?

1) Is there no other way to handle the external addresses other than binding them to the external NIC? Couldn't the router or ISA be set up to handle all of that translation, or would that be a security risk or performance hit? It just seems so messy to have all of the external addresses bound to that one card.

2) This is a stupid question, but what is it exactly that causes the ISA server to say hey, look at me, I'm the default gateway. I currently have a spare public address from a block of 8 that do not include any of our FQDNs bound to the external card on our new ISA server and have been using it as the proxy server on my desktop computer, but can't set it as the default gateway on my computer. Does the IP have to be from a range that has our FQDN in it? What am I missing here? Did I maybe use the wrong IP as the gateway on the ext card on the new ISA? Perhaps there can't be more than one gateway on a network? Or is this purely handled by what is configured in the router (static IPs) and I can configure IPs from each of my blocks as additional gateways?

3) EDIT Never mind that question about DNS. The problem with skimming articles initially is that you miss some of the key words. I just reread the Microsoft quickstart and they state the DNS running on ISA should only be caching-only. However, the article does specifically state that you should run it on the ISA server. I think I'll pass on that for the time being unless there is a good argument to run DNS caching-only on the ISA server.

< Message edited by manning -- 28.Nov.2006 9:28:57 AM >


_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 18
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 30.Nov.2006 9:44:58 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
1) Is there no other way to handle the external addresses other than binding them to the external NIC? Couldn't the router or ISA be set up to handle all of that translation, or would that be a security risk or performance hit? It just seems so messy to have all of the external addresses bound to that one card.
TOM: I have machines that have over two hundred addresses bound to their external interface. What problems do you think you'd have with doing that? Not to say that it is required, but you're always in better shape if you can use public addresses on the ISA firewall's external interface -- in that way you don't have to deal with the vagaries and pains of having a NAT device in front of the ISA Firewall.

2) This is a stupid question, but what is it exactly that causes the ISA server to say hey, look at me, I'm the default gateway. I currently have a spare public address from a block of 8 that do not include any of our FQDNs bound to the external card on our new ISA server and have been using it as the proxy server on my desktop computer, but can't set it as the default gateway on my computer. Does the IP have to be from a range that has our FQDN in it? What am I missing here? Did I maybe use the wrong IP as the gateway on the ext card on the new ISA? Perhaps there can't be more than one gateway on a network? Or is this purely handled by what is configured in the router (static IPs) and I can configure IPs from each of my blocks as additional gateways?
TOM: The default gateway is configured on the ISA Firewall's external interface to point to your upstream router or ISP. The clients behind the ISA Firewall use the ISA Firewall's LAN interface address as their default gateway (in a very simple network setup).

3) EDIT Never mind that question about DNS. The problem with skimming articles initially is that you miss some of the key words. I just reread the Microsoft quickstart and they state the DNS running on ISA should only be caching-only. However, the article does specifically state that you should run it on the ISA server. I think I'll pass on that for the time being unless there is a good argument to run DNS caching-only on the ISA server.
TOM: NO, the article does NOT say you SHOULD, it's only provided as an option. How do I know? I WROTE IT.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to manning)
Post #: 19
RE: ISA 2k6 upgrade and reconfiguring our current confi... - 30.Nov.2006 11:04:17 AM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Hey Tom,

Thanks for the reply. I really appreciate the time you are taking.

re. binding the external addresses. I wasn't sure if maybe there was a different way to handle that. I don't know why, but it bugs me that there are so many addresses bound to our external card right now. I figured if we have a router ahead of the ISA already, why not let it handle the translation.

re. the default gateway, I figured that was the answer but for some reason I can't get the new ISA box to be recognized as a gateway. Here's the deal; we have 4 unique blocks of 8 addresses each configured on our Cisco router. The block we have been using to bind to the old ISA box for its external card is 65.x.x.2xx with a gateway defined as 65.x.x.217. Since all of the addresses are in use on the old ISA box I can't bind them to the new ISA box (yet), so I figured I would use addresses from another one of our blocks for testing. So I grabbed an address from our 208.x.x.2xx block which I thought had a gateway defined as 208.x.x.233. The ISA 2006 server seems to run just fine without bitching about address conflicts or missing gateway or anything, but when I try and bind that server's LAN addy as my Default Gateway and then run netdiag on my computer I get a result of failed for the Default Gateway config. I don't seem to suffer any network performance issues and I can surf just fine, but I get that failed Default Gateway result every time. I know there can only be one gateway bound to a multihomed computer, but can there only be one gateway in existence on my LAN (simple network) at all? Or can our router be configured to only allow that one address from the 65.x.x.x block to be used as a gateway?

re. the quickstart guide I downloaded from Microsoft's website - It says this:

quote:

You should install a DNS server on the ISA Server 2004 firewall computer. This enables machines on your network to perform Internet host name resolution. Computers must be able to resolve names of Internet servers in order to contact computers not located on the internal network. Even if you already have a DNS server located on the internal network, you should configure the ISA Server 2004 firewall computer as a caching-only DNS server and configure computers on the internal network to use the ISA Server 2004 machine as their DNS server.


You wrote that???

I read/skimmed your article(s) from this site already and knew you suggested it as an option, not an absolute. I would prefer to not configure it if I don't need it. I'd like to keep this server as sleek as possible (1) because I am upgrading for security's sake and (2) it's not really a kick-ass server. It is new, but only runs a 3.06 P4 with 1GB ram. Since we may have 8 or 10 VPN connections, a dozen OWA sessions, 20 or 30 people on the LAN browsing all at once and eventually the web servers behind it, I want to keep other services to a minimum.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 20