Sanity Check - ISA cutover this weekend

Sanity Check - ISA cutover this weekend - 28.Jun.2001 8:08:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
I am going to cutover my network to ISA server this weekend and would appreciate a 'sanity check' from everyone.
Thanks in advance!

ISA Server - "Server A":
* Windows 2000 Server SP#2
* Network info
- 192.168.1.7 (internal)
- DNS 208.244.176.xxx
- Gateway 192.168.1.7

- 208.244.x.x (external)
- DNS 208.244.176.xxx
- Gateway 208.244.176.x
* SMTP service disabled
* Exchange server (192.168.1.2) published in Publishing / Server Publishing Rules
* Access Policy / Protocol Rules - all ports open
* Policy Elements / Destination Sets - have created the Outlook Web Access rule per Shinder's
suggestion

===========

Exchange Server v5.5 SP#4 - "Server B":
* Windows NT 4.0 Server SP#6a
* Network info
- 192.168.1.2
- Gateway address 192.168.1.7 (using SecureNAT connection)
- DNS 208.244.176.xxx

Do I need to make any changes to the Exchange configuration?

Thanks again for this 'sanity check'!

Post #: 1
RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 1:35:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Just a few quick things. The internal adapter MUST NOT have a default gateway address defined. Only one interface can have a default gateway, and that must be the external interface. Use static routes for everything else. Also, I do not think the internal interface needs the DNS server setting.

As far as the Exchange publishing goes, it is pretty straightforward. If you originally had proxy server, make sure you rename the WSPCFG.ini files, and remove the proxy client.

Also, check your internet mail service. If your message delivery is set to "Use domain name system (DNS)", then you may need to set up an outbound DNS protocol rule on the ISA server.

Just some quick thoughts.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to nowikn)
Post #: 2
RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 2:22:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
Sounds good, I will double check my settings - thanks John!

Nicholas


(in reply to nowikn)
Post #: 3
RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 3:43:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Nicholas,

John's got you covered with some good suggestions.

A word of warning re: the OWA on 5.5. The testing we did was on OWA for Exchange 2000. The instructions in the article may or may not work, because we've never tried to deal with Exchange 5.5 and OWA. However, everything else works with Exchange 5.5 and ISA Server, because we've tested it.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/



(in reply to nowikn)
Post #: 4
RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 3:56:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
Thanks Tom - I'll let you all know how it goes on Monday.

(in reply to nowikn)
Post #: 5
RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 4:20:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Tom,

I use OWA and Exchange 5.5 every day through the ISA server. Works great - no problems.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to nowikn)
Post #: 6
RE: Sanity Check - ISA cutover this weekend - 2.Jul.2001 2:34:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
I got everything to work yesterday . . . but not without a few headaches. Couple of tips:

* Create "DNS" Protocol Rule under Access Policy / Protocol Rules to allow your Exchange server (and other PCs) to access your ISPs DNS servers (if you are not hosting these on your network). Funny how NSLOOKUP fires right up afterwards.

* If nothing seems to be working on your ISA server (like allowing mail to flow into/out of your network) - REBOOT IT! Once I rebooted my ISA server, NSLOOKUP and other features were online.

* Read the posts on the Message Boards on this website - if there is an issue specific to your network, it will be listed here!

Good luck and feel free to email me if you have any questions. Thanks to all who posted and emailed me with tips!

Nicholas Nowik


(in reply to nowikn)
Post #: 7
RE: Sanity Check - ISA cutover this weekend - 2.Jul.2001 3:07:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Great to hear that you got it working.

I still can't figure out when the ISA server needs to be rebooted, services restarted, or whether the change will work immediately.

My rule is that if I've triple checked everything, restart the services. If that doesn't work, reboot!


------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to nowikn)
Post #: 8
RE: Sanity Check - ISA cutover this weekend - 5.Jul.2001 8:31:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
Tom/John, OWA is not functioning. I added a "Web Publishing Rule" for OWA with the Destinations set to the internal IP address (192.168.1.2) with paths specified to /exchweb/*, /public/*, and /exchange/* . . . any ideas, etc?

Thanks,

Nicholas


(in reply to nowikn)
Post #: 9
RE: Sanity Check - ISA cutover this weekend - 7.Jul.2001 7:33:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Nicholas,

For Exchange 5.5, I think you only need the /exchange/* path statement and not the other ones.

Also, make that rule on the top of your list of rules.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/



(in reply to nowikn)
Post #: 10
RE: Sanity Check - ISA cutover this weekend - 7.Jul.2001 3:45:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Tom,

I agree. I actually think mine is set for /exchange*, but I'll have to check on Monday.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to nowikn)
Post #: 11
RE: Sanity Check - ISA cutover this weekend - 8.Jul.2001 9:04:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
I checked my settings per Tom's suggestion this afternoon (with no luck) and look forward to John's findings on Monday. . . thanks in advance - getting a bit frustrated here. . .

------------------
Nicholas Nowik


(in reply to nowikn)
Post #: 12
RE: Sanity Check - ISA cutover this weekend - 8.Jul.2001 10:47:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Nicholas,

Can you access the OWA from the internal network? (i.e. go to http://SERVERNAME/exchange, or http://PRIVATEIPADDRESS/exchange). Let's make sure it's not an OWA configuration issue.

I'll try and check tomorrow afternoon on my configuration (hopefully I'll get a chance, one of my clients just got smashed with the Loveletter virus!).

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to nowikn)
Post #: 13
RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 3:24:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
John, I am able to use OWA inside the firewall using this address:
http://bnft1/exchange/logon.asp
(BNFT1 is our exchange/PDC server)

Good luck on the "Love Letter" virus. . . are your clients using the latest patch from Microsoft that blocks that thing? If not, I have the patches and will gladly send them to you so the client PCs will not be able to spread the virus.

------------------
Nicholas Nowik


(in reply to nowikn)
Post #: 14
RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 7:56:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
John, I am running IIS on both my ISA server and Exchange 5.5 server . . . should I disable IIS on one of these servers, and if so which one? In addition, what changes do I need to make on IIS to allow OWA to function?

------------------
Nicholas Nowik


(in reply to nowikn)
Post #: 15
RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 10:37:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Nicholas,

A few things:

1. My destination set is set to use the external FQDN (MAIL.MYSERVER.COM) with the path set to /exchange*. Then I simply publish the web (using web publishing to the internal IP address of the Exchange 5.5 server).
2. As far as IIS on ISA - Get rid of it! MS recommends not having it installed. If you do have it installed, then you are going to have port errors (This is probably your problem). Both ISA and IIS are going to listen for web requests on PORT 80.
3. Check to ensure that you have allowed incoming web requests for your external interface of the ISA server. Right click on your ISA server in the tree, and select properties. Go to "Incoming Web Requests". Configure the interfaces, and change the PORT from 80 to something if you are going to leave IIS on the server (leave it at 80 if you uninstall IIS). NOTE: If you change it, then you are going to have to add the port at the end of your FQDN when you browse.

So, I recommend uninstalling IIS from the ISA server. Check to ensure that you are allowing incoming WEB traffic on the external interface, verify the destination set and publishing rule. Hopefully this will help.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to nowikn)
Post #: 16
RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 11:51:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
I have uninstalled IIS from my ISA server, performed your changes suggested above, and have the following settings on ISA for OWA:

* Access Policy / Site and Content Rule - "OWA rule" with destination sets pointing to mail.bnft1.com & /exchange* etc. etc.

* Policy Elements / Destination Set - "OWA rule" with above destinations included.

There must be something that I am missing here. . .

------------------
Nicholas Nowik


(in reply to nowikn)
Post #: 17
RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 11:56:00 PM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
This is what my browser is coming up with when I try to connect to mail.bnft1.com/exchange

Technical Information (for support personnel)

Background:
This error indicates that the gateway could not find the IP address of the Web site you are trying to access.

ISA Server: bnft2
Via:
URL: http://mail.bnft1.com/exchange
Time: 7/9/2001 9:44:17 PM GMT

------------------
Nicholas Nowik


(in reply to nowikn)
Post #: 18
RE: Sanity Check - ISA cutover this weekend - 10.Jul.2001 12:01:00 AM   
nowikn

 

Posts: 87
Joined: 27.Jun.2001
From: Dallas, TX
Status: offline
IT WORKS! I guess ISA needed a few minutes to synch up with everything. . . here's the link I am using:
http://mail.benefit1.com/exchange/logon.asp

Thanks John (and Tom) for all of your help. . . the past few weeks have been a great learning experience and I appreciate your input - this website is a GREAT resource!

------------------
Nicholas Nowik


(in reply to nowikn)
Post #: 19
RE: Sanity Check - ISA cutover this weekend - 10.Jul.2001 2:52:00 AM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Nicholas,

GREAT! Glad to hear you got it working. One more suggestion, edit the LOGON.asp default page for OWA and remove the stuff with the revision, public folders, etc. No sense giving a hacker any info on the main page.

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to nowikn)
Post #: 20
