New to ISA, need Firewall, VPN and more help.
New to ISA, need Firewall, VPN and more help. - 2.May2004 9:07:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
Hi everyone.
I'm new here, I could sure use some help, let me introduce myself.

Name's Robin. I'm a mechanical engineer and have an engineering company as well as manufacturing capabilities along with retail sales, website & forums.

Over the last few years my computer systems have grown all out of proportion with my abilities. I've received help from others, though am pretty well crippled when they aren't available, so I have to learn this stuff. I'm no dummy, but my time is much better spent doing engineering than it is surfing the net trying to pick out the tiny kernel of information I need to understand the basis of a concept, then continuing on from there.

Currently I have an internal AD network which I'm moderately capable of configuring and maintaining {if I don't screw it up}.

The Linux webservers at the colo are totally over my head, I've pretty much given up on learning Linux, just don't have the time, and what with RH being discontinued, the whole Fedora thing, just have little interest.

So here I am today, my immediate needs are to get the shop connected to corporate.
Here's a pic of what I'm trying to accomplish in the end.
[image: network diagram, not preserved]

I break this down into 3 bites.

1. Get Zuul acting as corporate firewall and get off the dumb blue box. I seem to be missing some core understanding of how this works, because this part should be a simple step and I'm just not getting it.
2. Get Helios working, use him to house corp's mailboxes while Medusa gets upgraded, then send Helios to the remote location.
a. Right now, it's having fits w/ Exchange. This was a fresh install of '03, then ISA04, then Exchange03. Soon as I get it happy, I'll use it to house my mailboxes and upgrade Medusa to Win03. After a recent total muck-up {wasn't pretty} I'm going to err on the side of caution when upgrading Medusa's OS. I tried disabling all of Helios's ISA services and rebooting, but it didn't work and Exchange is still pissed. It will start manually, but it's tossing all kinds of errors into the logs.
{I question if trying to get one box to be a Firewall/VPN/Exchange/DC/File Server is even possible, much less wise.}
b. Set up a VPN to Zuul
c. Set up domain user accounts w/ limited access and roaming profiles.
3. Allow certificate-based client VPN access. There will be at most 2-3 users w/ the rights to do this, primarily me needing a file off the corporate server or being able to VPN into Helios and fix something.
4. Teach Exchange to pull the mail off the webserver and stop popping at the client (Outlook) level.
5. Connect the webservers to corporate (corp VPN to webserver?) I need to be able to sync a database.
6. Perhaps migrate the webservers to Windows, though I doubt this is possible w/ the fact that two of the web apps were never written to cohabitate with Windows; being that one is of the GPL type, it's likely to meet lots of resistance too.

It's been suggested that we use WebOutlook for the remote location's mail. My reluctance here is that we are on cable modems, my max uplink is 128 until I move, then I can get up to 512.
Another potential issue is that I cannot get a fixed IP. It only gets changed when the power is out for more than 8 hours... but this does happen sometimes, as does the remote location. I'll need to be able to reset these when this happens. It's been suggested that the webservers could take this responsibility, though I think this adds a layer of complexity that need not be there.

Anyway, thank you for taking the time to read this. Any help would be appreciated.
If any of you are consultant type (or just looking for extra money) and are in the Charlotte, NC // Greenville, SC area I'd be willing to pay {magic word, right} for instruction.
I really don't want someone to just 'do it' for me, I need to learn this stuff.
I'd think there's a number of you types out there, though I'm having a tough time finding one at all, much less one I can afford.
I'll just tell you up front, these $125/hr portal-to-portal companies are out of my price range. I can pay, but I'm not fat w/ money.

I can be reached at MM@UEusa.net

Thanks again,
Robin

[ May 02, 2004, 09:11 PM: Message edited by: MonsterMaxx ]
Post #: 1
RE: New to ISA, need Firewall, VPN and more help. - 3.May2004 5:59:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robin,

You made a very nice picture! I appreciate it, because it makes it a lot easier to figure out what's going on.

This looks like a typical branch office setup, with the exception that you've put Exchange on the firewall; that's a definite NO NO. While it's possible, it's not ISAServer.org policy and I never cover those configs on this site. However, if you can get the Exchange Server (and DC) off the firewall at the Manufacturing site, you'll be in good shape.

I will cover this config almost to a "T" in the upcoming ISA 2004 Branch Office Deployment Kit. There are a lot of steps, but they aren't complicated, and the deployment kits walk you through the steps. I'm using a new design with the ISA 2004 kits v. the ISA 2000 kits, which I think will make them easier to use. They are similar to the approach I took with the ISA 2000 Branch Office Kit, which you can find on this site.

Give me about two weeks and I think you'll be very happy with the results and you'll be able to get your config up and running with minimal pain.

HTH,
Tom

(in reply to MonsterMaxx)
Post #: 2
RE: New to ISA, need Firewall, VPN and more help. - 3.May2004 9:34:00 AM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
Well thank you.

I feared (based in install probs) that trying to do all the remote office stuff on one machine would not be wise.
Ratz, was really hoping I had enough hard&soft ware to do this.
Now I have to go hunt up another machine and give the dratted MS more $ for another lic of the OS.
{I built Zuul & Helios out of leftovers and I'm about out of leftovers}

C'est la vie

off to eBay...maybe I'll get lucky

Can you at least point me in the direction of how to config Zuul to be my firewall (bite one on my list.)

I was able to move my mailbox onto Helios today, upgrade Medusa to '03 and move the mailbox back.
Getting a little noise in the error logs, nothing too serious I don't think.

Thanks, I eagerly await the instructions (unless that is one of you bright boys is in my area and would like some extra coin)

[ May 03, 2004, 09:35 AM: Message edited by: MonsterMaxx ]

(in reply to MonsterMaxx)
Post #: 3
RE: New to ISA, need Firewall, VPN and more help. - 4.May2004 1:22:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robin,

Just a thought here; are you trying to allow access between the sites using Web and Server Publishing rules, or have you thought about a site to site VPN? The site to site VPN would be a better solution if each office trusts the other.

Thanks!
Tom

(in reply to MonsterMaxx)
Post #: 4
RE: New to ISA, need Firewall, VPN and more help. - 14.May2004 4:20:00 AM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
Ok, I got some hardware, re-installed Helios from scratch and have the new machine which will be the offsite firewall/vpn server running.

What next?

(in reply to MonsterMaxx)
Post #: 5
RE: New to ISA, need Firewall, VPN and more help. - 14.May2004 7:23:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robin,

The next step is to create a site to site VPN link to join the two sites.

HTH,
Tom

(in reply to MonsterMaxx)
Post #: 6
RE: New to ISA, need Firewall, VPN and more help. - 20.May2004 4:02:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
wouldn't the first step be to get Zuul acting as the firewall?

I seem to be not understanding something in this process.

Do you have a white paper on that?

(in reply to MonsterMaxx)
Post #: 7
RE: New to ISA, need Firewall, VPN and more help. - 23.May2004 5:29:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robin,

Yes, Zuul and Kerberos need to be ISA 2004 firewalls, then make the site to site link. PPTP is fine; in fact, that's what Microsoft uses.

HTH,
Tom

(in reply to MonsterMaxx)
Post #: 8
RE: New to ISA, need Firewall, VPN and more help. - 30.May2004 12:31:00 AM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
I got a network engineer in here today.

Zuul was a no go. Absolutely would not get an IP from Charter's DHCP server.

Cerberus on the other hand, had not yet had ISA04 installed, picked up an IP no problem.

We removed ISA from Zuul, still a no-go. Uninstalled and reinstalled the nic (software, not hardware) still no-go.

Gave up, re-installing the OS and will try again.

He moved on and got Cerberus working and ready for VPN. Says all the tools he needs to do firewall & VPN are built into 03Server.
He says I don't need ISA.

His comments were:
Very expensive, going to cost $3k
Likely that MS will not 'upgrade' when full release is avail and we'll have to do all this configuring again.
Haven't seen anything in ISA that makes it worthwhile.
Bells, whistles & wizards may not be avail in 03Server, but it'll do everything ISA can do (on the list of things I actually need.)

So my question to you ISA gurus is:
How much of this is true?
Is there anything that ISA can do for me that I really need that cannot be done with the OS by itself?
Is it really going to cost $3k (two licenses?)
Will MS offer an 'upgrade' from Beta or is it likely I'll have to start from scratch?

Thanks again.

(in reply to MonsterMaxx)
Post #: 9
RE: New to ISA, need Firewall, VPN and more help. - 30.May2004 5:33:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robin,

My own observations:

1. Your consultant is clueless. You might want to tell him that next time you run into him. The comment that the built-in firewall and VPN provide the same thing indicates that he's blowing stuff right out of his blow-hole.

2. What are your security requirements? What are your access control requirements?

3. If you don't need strong user/group based access control for outbound access, then a simple pix would fit better.

4. If you don't need strong user/group based access control for inbound access, then a simple pix would fit better

5. If you don't need strong user/group based access control for VPN remote access client and site to site VPN connections, then a simple pix would fit better.

So, the decision really revolves around your requirements. I use ISA because my business depends on my network working 24/7. A simple packet filtering "firewall" wouldn't really meet my business requirements.

HTH,
Tom

(in reply to MonsterMaxx)
Post #: 10
RE: New to ISA, need Firewall, VPN and more help. - 30.May2004 10:00:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
1. Thanks, but I don't think I'm going to say that. Right now, he's the only one who can help me.

[ May 30, 2004, 10:01 PM: Message edited by: MonsterMaxx ]

(in reply to MonsterMaxx)
Post #: 11
RE: New to ISA, need Firewall, VPN and more help. - 31.May2004 7:00:00 PM   
Bunshaw

 

Posts: 28
Joined: 8.Feb.2004
From: USA
Status: offline
quote:
Originally posted by MonsterMaxx:
So my question to you ISA gurus is:
How much of this is true?
Is there anything that ISA can do for me that I really need that cannot be done with the OS by itself?
Is it really going to cost $3k (two licenses?)
Will MS offer an 'upgrade' from Beta or is it likely I'll have to start from scratch?

I'm not an ISA Guru but I don't understand what he means. The basic firewall that's part of RRAS or the basic ICF? Neither can be your sole firewall for Win2k3 or replace ISA.

Yes, access control and firewall protection. The OS does NOT provide adequate firewall protection by itself.

Unfortunately, I believe that price is right for 2 copies running at the same time. Looks to me like Zuul should run ISA since the configuration is more complex but a basic hardware firewall could handle Helios' firewall tasks.

One thing that I think won't change from the beta is the configuration information. Export your entire configuration, upgrade to retail, and then import it. I already tried it in beta and it restored everything on a fresh install. It's what I plan to do once retail comes out.

[ May 31, 2004, 07:03 PM: Message edited by: Bunshaw ]

(in reply to MonsterMaxx)
Post #: 12
RE: New to ISA, need Firewall, VPN and more help. - 31.May2004 7:51:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
Thanks.
Back on the ISA bandwagon.

One thing about simplification (eliminating Cerberus and using an appliance which we already have.)

I need to be able to take control of machines at the shop. Many users are inexperienced and I've found (just having my accountant across the office) that being able to grab their mouse (w/ VNC) is soooo much easier when I'm trying to teach or fix something.

In reality, what we need is to have it be one network - like the internet isn't between us and we are in one location.
Whatever it takes to get that done is what is needed.

If someone can spec that, or better yet do it, I would be forever in your debt.

tshinder: did you ever finish the instructions for connecting one office to another?

(in reply to MonsterMaxx)
Post #: 13
RE: New to ISA, need Firewall, VPN and more help. - 31.May2004 7:59:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Robin,

Exactly. When you create the site to site VPN between two ISA firewalls, the offices are treated like one bigger network, and the Internet connection between them is transparent to all the machines on both networks.

Head on over to www.msfirewall.org/isa2004kits.htm to check out the branch office kit. There are many docs there that will help you set this up.

HTH,
Tom

(in reply to MonsterMaxx)
Post #: 14
RE: New to ISA, need Firewall, VPN and more help. - 19.Jun.2004 8:56:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
oof, trouble.

Trying to learn this so I'm not dependent on others.

Finished the basic install, found some typos in the instructions...got thru.

Can ping out, can't IE though, struggling. Nobody internal can ping out.

(in reply to MonsterMaxx)
Post #: 15
RE: New to ISA, need Firewall, VPN and more help. - 20.Jun.2004 8:08:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Maxx,

Let me know where the typos are and I'll get them fixed up ASAP! Send me a note at tshinder@isaserver.org

Thanks!
Tom

(in reply to MonsterMaxx)
Post #: 16
RE: New to ISA, need Firewall, VPN and more help. - 20.Jun.2004 10:16:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
1. When specifying internal adaptor, your pic after #12 shows the internal range 10.0.0.1 - 10.0.0.255 and 10.255.255.255 - 10.255.255.255
no clue what the second set is, mine didn't get that.

2. I didn't get anything about allowing computers running earlier versions...nor was I asked to restart (though I did anyway.)

3. In your config's tables, #4 All outbound traffic does not exist, there is an all protocols which is what I used. Same prob further down when creating this rule. There's no protocol w/ the word 'traffic' in it. Not in the Beta I got from MS anyway.

4. When creating the rule for DHCP (reply) in the line #6, you say DHCP (request), though the pic shows (reply) and so does the table in the beginning, this is what I used.

That's about it. Very well written instructions by the way. Sadly there appears to be something I'm doing wrong.

I've read these and re-read them multiple times.
I can ping out (by IP or to www.Yahoo.com) but when I try to get out from IE I get a forbidden by ISA. No other machines on the subnet can even ping out. ISA's monitoring shows everything in connectivity as unknown, not configured and the alert is configuration error.

I've checked and double checked, I'm not getting it.
Might have a little moola for you if you can help me out, YGM.

Here's the latest update on my config pic, only difference being that I put a switch between the cable modem and the firewalls so I can get this figured out before toting the ones for mfging 2 hrs away. Charter graciously allowed me 2x DHCP IP's in order to assist in this.


[ June 20, 2004, 11:05 PM: Message edited by: MonsterMaxx ]

(in reply to MonsterMaxx)
Post #: 17
RE: New to ISA, need Firewall, VPN and more help. - 20.Jun.2004 10:56:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
Note: for those trying to get this to work, add "local host" to the allow all rule and you'll at least be able to get out from the firewall machine.

What's next i don't know, I'm shutting everyone down and bringing them up one at a time starting with the DC, then firewall, then a workstation to see if that perhaps resolves the inability to get out when I should be able to...

(in reply to MonsterMaxx)
Post #: 18
RE: New to ISA, need Firewall, VPN and more help. - 23.Jun.2004 8:17:00 AM   
Guest
Monster -

If you can ping out, but can not browse...

Have you verified that your IE connection settings are set to use the ISA proxy port (probably port 8080)?

That is open IE
Tools->Internet Options
Click on the "Connections" tab
Then click on the "LAN Settings"

Uncheck the autodetect.

Fill in the proxy info with:
IP of local ISA server
Port of 8080.

Now see if Browse works.

-Neil

(in reply to MonsterMaxx)
  Post #: 19
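The same check and fix Neil walks through in the IE dialog, scripted as an added example (this is not code from the thread, from ISAServer.org or from the ISA 2004 kits). It assumes constructed values: the ISA firewall's internal adapter is at 10.0.0.1 and its Web Proxy listener is on TCP 8080. The two functions are hypothetical helpers written for this example. The split between "ping works" and "browser gets Forbidden" is exactly the case where ICMP is passed by an access rule while HTTP is expected to arrive at the Web Proxy listener, so the script tests each leg separately before touching the client's settings.

```powershell
# Added example, not from the original post. Constructed values: the ISA box's
# internal address and the default ISA 2004 Web Proxy listener port.
$IsaInternalIp = '10.0.0.1'   # assumption; use the firewall's real internal adapter IP
$ProxyPort     = 8080         # ISA 2004 Web Proxy listener default

function Test-IsaProxyPath {
    # Hypothetical helper: check the two legs separately, because an access rule
    # can allow ICMP while HTTP still has to reach the Web Proxy listener.
    param([string]$Server, [int]$Port)
    $icmp  = Test-Connection -ComputerName $Server -Count 1 -Quiet
    # Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later on the client.
    $proxy = (Test-NetConnection -ComputerName $Server -Port $Port).TcpTestSucceeded
    [pscustomobject]@{
        IcmpToFirewall     = $icmp    # $false here means the client cannot even see the ISA box
        TcpToProxyListener = $proxy   # $false here means no listener on that port, or a rule blocks it
    }
}

function Set-IeProxy {
    # Hypothetical helper: same settings as IE > Tools > Internet Options >
    # Connections > LAN Settings, written for the current user (HKCU).
    param([string]$Server, [int]$Port)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    # Untick "Automatically detect settings", tick "Use a proxy server", fill in server:port.
    Set-ItemProperty -Path $key -Name AutoDetect  -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ProxyServer -Value "$Server`:$Port" -Type String
    # <local> is IE's bypass token for plain (dotless) intranet host names, so
    # internal servers are still reached directly rather than through the proxy.
    Set-ItemProperty -Path $key -Name ProxyOverride -Value '<local>' -Type String
    # Read the values back so the change is confirmed, not assumed.
    Get-ItemProperty -Path $key |
        Select-Object AutoDetect, ProxyEnable, ProxyServer, ProxyOverride
}

# Usage: first confirm the proxy leg, then apply the IE settings only if the
# listener is actually reachable from this client.
$path = Test-IsaProxyPath -Server $IsaInternalIp -Port $ProxyPort
$path
if ($path.TcpToProxyListener) {
    Set-IeProxy -Server $IsaInternalIp -Port $ProxyPort
} else {
    Write-Warning "TCP $ProxyPort to $IsaInternalIp failed; check the Web Proxy listener and the access rule before changing IE."
}
```

On a 2004-era client (IE 6 on XP or 2003) the dialog checkboxes are also mirrored into the binary DefaultConnectionSettings value under the Connections subkey, so after running this re-open the LAN Settings dialog once to confirm what IE is actually using. If the proxy leg succeeds but browsing still returns "Forbidden by ISA", the problem is in the firewall's access rule (destination, protocol or user set), not in the client, which is the situation the later posts in this thread deal with.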
RE: New to ISA, need Firewall, VPN and more help. - 24.Jun.2004 7:34:00 PM   
MonsterMaxx

 

Posts: 79
Joined: 2.May2004
Status: offline
Whoot!

On the theory that the 'network engineer' had some settings that were conflicting with ISA I reinstalled the OS on Cerberus.

Followed the instructions again and pop, I was right on.

Reinstalled the OS on Zuul, followed the instructions and pop I was right on.

Whooo Hoo!

Now that's progress.

Tom, did you get a msg from me the other day or has it gone astray?

I'm ready for the next step: Connect Zuul & Cerberus in a VPN

I'm not sure if I should choose Chapter 6 or 7 from the BO kit. 7 seems to be the right choice since Helios is a DC...

[ June 24, 2004, 07:41 PM: Message edited by: MonsterMaxx ]

(in reply to MonsterMaxx)
Post #: 20
