Welcome to ISAserver.org
Sanity Check - ISA cutover this weekend
Sanity Check - ISA cutover this weekend - 28.Jun.2001 8:08:00 PM
nowikn
I am going to cutover my network to ISA server this weekend and would appreciate a 'sanity check' from everyone. Thanks in advance!

ISA Server - "Server A":
* Windows 2000 Server SP#2
* Network info
  - 192.168.1.7 (internal) - DNS 208.244.176.xxx - Gateway 192.168.1.7
  - 208.244.x.x (external) - DNS 208.244.176.xxx - Gateway 208.244.176.x
* SMTP service disabled
* Exchange server (192.168.1.2) published in Publishing / Server Publishing Rules
* Access Policy / Protocol Rules - all ports open
* Policy Elements / Destination Sets - have created the Outlook Web Access rule per Shinder's suggestion

===========

Exchange Server v5.5 SP#4 - "Server B":
* Windows NT 4.0 Server SP#6a
* Network info
  - 192.168.1.2 - Gateway address 192.168.1.7 (using SecureNAT connection) - DNS 208.244.176.xxx

Do I need to make any changes to the Exchange configuration? Thanks again for this 'sanity check'!

RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 1:35:00 PM
jgrabiec
Just a few quick things. The internal adapter MUST NOT have a default gateway address defined. Only one interface can have a default gateway, and that must be the external interface. Use static routes for everything else. Also, I do not think the internal interface needs the DNS server setting.

As far as the Exchange publishing goes, it is pretty straightforward. If you originally had proxy server, make sure you rename the WSPCFG.ini files, and remove the proxy client. Also, check your internet mail service. If your message delivery is set to "Use domain name system (DNS)", then you may need to set up an outbound DNS protocol rule on the ISA server. Just some quick thoughts.
------------------ -=john=- MCSE,MCP+I,CCNA,CCA
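
As an added illustration (not part of jgrabiec's post and not ISA Server tooling), this Python script applies the gateway rule from the reply above to `ipconfig /all`-style text. The sample output, the adapter names `Internal` and `External`, and the 203.0.113.x addresses are constructed assumptions; 192.168.1.7 is the internal address given in the original post.

```python
import re

# Constructed sample in the style of `ipconfig /all` output. Adapter names and
# the 203.0.113.x addresses are placeholders, not values from the thread.
SAMPLE_BEFORE = """\
Ethernet adapter Internal:

        IP Address. . . . . . . . . . . . : 192.168.1.7
        Default Gateway . . . . . . . . . : 192.168.1.7

Ethernet adapter External:

        IP Address. . . . . . . . . . . . : 203.0.113.10
        Default Gateway . . . . . . . . . : 203.0.113.1
"""
# Same host after clearing the gateway on the internal adapter (only the
# internal gateway line is followed by a blank line, so only it is changed).
SAMPLE_AFTER = SAMPLE_BEFORE.replace(": 192.168.1.7\n\n", ":\n\n")

ADAPTER = re.compile(r"^\S.* adapter (.+):\s*$")

def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig-style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = ADAPTER.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition(":")
        # Field lines are indented; the dot leaders are padding, not data.
        if sep and current is not None and line[:1].isspace():
            current[key.strip(" .")] = value.strip()
    return adapters

def check_gateways(adapters, external):
    """Apply the rule from the reply: one default gateway, on the external NIC."""
    with_gw = [n for n, f in adapters.items() if f.get("Default Gateway")]
    findings = []
    if len(with_gw) > 1:
        findings.append("more than one adapter has a default gateway: "
                        + ", ".join(with_gw))
    for name in with_gw:
        if name != external:
            findings.append(f"{name}: remove default gateway "
                            f"{adapters[name]['Default Gateway']}; use static routes")
    if external not in with_gw:
        findings.append(f"{external}: external adapter has no default gateway")
    return findings

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_gateways(parse_adapters(text), external="External"))
```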

RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 2:22:00 PM
nowikn
Sounds good, I will double check my settings - thanks John! Nicholas

RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 3:43:00 PM
tshinder
Hi Nicholas, John's got you covered with some good suggestions. A word of warning re: the OWA on 5.5. The testing we did was on OWA for Exchange 2000. The instructions in the article may or may not work, because we've never tried to deal with Exchange 5.5 and OWA. However, everything else works with Exchange 5.5 and ISA Server, because we've tested it. HTH, Tom
------------------ Tom Shinder http://www.isaserver.org/shinder/

RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 3:56:00 PM
nowikn
Thanks Tom - I'll let you all know how it goes on Monday.

RE: Sanity Check - ISA cutover this weekend - 29.Jun.2001 4:20:00 PM
jgrabiec
Tom, I use OWA and Exchange 5.5 every day through the ISA server. Works great - no problems.
------------------ -=john=- MCSE,MCP+I,CCNA,CCA

RE: Sanity Check - ISA cutover this weekend - 2.Jul.2001 2:34:00 PM
nowikn
I got everything to work yesterday . . . but not without a few headaches. Couple of tips:
* Create "DNS" Protocol Rule under Access Policy / Protocol Rules to allow your Exchange server (and other PCs) to access your ISP's DNS servers (if you are not hosting these on your network). Funny how NSLOOKUP fires right up afterwards.
* If nothing seems to be working on your ISA server (like allowing mail to flow into/out of your network) - REBOOT IT! Once I rebooted my ISA server, NSLOOKUP and other features were online.
* Read the posts on the Message Boards on this website - if there is an issue specific to your network, it will be listed here!

Good luck and feel free to email me if you have any questions. Thanks to all who posted and emailed me with tips! Nicholas Nowik

RE: Sanity Check - ISA cutover this weekend - 2.Jul.2001 3:07:00 PM
jgrabiec
Great to hear that you got it working. I still can't figure out when the ISA server needs to be rebooted, services restarted, or whether the change will work immediately. My rule is that if I've triple checked everything, restart the services. If that doesn't work, reboot!
------------------ -=john=- MCSE,MCP+I,CCNA,CCA

RE: Sanity Check - ISA cutover this weekend - 5.Jul.2001 8:31:00 PM
nowikn
Tom/John, OWA is not functioning. I added a "Web Publishing Rule" for OWA with the Destinations set to the internal IP address (192.168.1.2) with paths specified to /exchweb/*, /public/*, and /exchange/* . . . any ideas, etc? Thanks, Nicholas

RE: Sanity Check - ISA cutover this weekend - 7.Jul.2001 7:33:00 AM
tshinder
Hi Nicholas, For Exchange 5.5, I think you only need the /exchange/* path statement and not the other ones. Also, make that rule on the top of your list of rules. HTH, Tom
------------------ Tom Shinder http://www.isaserver.org/shinder/

RE: Sanity Check - ISA cutover this weekend - 7.Jul.2001 3:45:00 PM
jgrabiec
Tom, I agree. I actually think mine is set for /exchange*, but I'll have to check on Monday.
------------------ -=john=- MCSE,MCP+I,CCNA,CCA

RE: Sanity Check - ISA cutover this weekend - 8.Jul.2001 9:04:00 PM
nowikn
I checked my settings per Tom's suggestion this afternoon (with no luck) and look forward to John's findings on Monday. . . thanks in advance - getting a bit frustrated here. . . ------------------ Nicholas Nowik

RE: Sanity Check - ISA cutover this weekend - 8.Jul.2001 10:47:00 PM
jgrabiec
Nicholas, Can you access the OWA from the internal network? (i.e. go to http://SERVERNAME/exchange, or http://PRIVATEIPADDRESS/exchange). Let's make sure it's not an OWA configuration issue. I'll try and check tomorrow afternoon on my configuration (hopefully I'll get a chance, one of my clients just got smashed with the Loveletter virus!).
------------------ -=john=- MCSE,MCP+I,CCNA,CCA

RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 3:24:00 PM
nowikn
John, I am able to use OWA inside the firewall using this address: http://bnft1/exchange/logon.asp (BNFT1 is our exchange/PDC server)

Good luck on the "Love Letter" virus. . . are your clients using the latest patch from Microsoft that blocks that thing? If not, I have the patches and will gladly send them to you so the client PCs will not be able to spread the virus.
------------------ Nicholas Nowik

RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 7:56:00 PM
nowikn
John, I am running IIS on both my ISA server and Exchange 5.5 server . . . should I disable IIS on one of these servers, and if so which one? In addition, what changes do I need to make on IIS to allow OWA to function?
------------------ Nicholas Nowik

RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 10:37:00 PM
jgrabiec
Nicholas, a few things:

1. My destination set is set to use the external FQDN (MAIL.MYSERVER.COM) with the path set to /exchange*. Then I simply publish the web (using web publishing to the internal IP address of the Exchange 5.5 server).
2. As far as IIS on ISA - Get rid of it! MS recommends not having it installed. If you do have it installed, then you are going to have port errors (This is probably your problem). Both ISA and IIS are going to listen for web requests on PORT 80.
3. Check to ensure that you have allowed incoming web requests for your external interface of the ISA server. Right click on your ISA server in the tree, and select properties. Go to "Incoming Web Requests". Configure the interfaces, and change the PORT from 80 to something if you are going to leave IIS on the server (leave it at 80 if you uninstall IIS). NOTE: If you change it, then you are going to have to add the port at the end of your FQDN when you browse.

So, I recommend uninstalling IIS from the ISA server. Check to ensure that you are allowing incoming WEB traffic on the external interface, verify the destination set and publishing rule. Hopefully this will help.
------------------ -=john=- MCSE,MCP+I,CCNA,CCA

RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 11:51:00 PM
nowikn
I have uninstalled IIS from my ISA server, performed your changes suggested above, and have the following settings on ISA for OWA:
* Access Policy / Site and Content Rule - "OWA rule" with destination sets pointing to mail.bnft1.com & /exchange* etc. etc.
* Policy Elements / Destination Set - "OWA rule" with above destinations included.

There must be something that I am missing here. . .
------------------ Nicholas Nowik

RE: Sanity Check - ISA cutover this weekend - 9.Jul.2001 11:56:00 PM
nowikn
This is what my browser is coming up with when I try to connect to mail.bnft1.com/exchange

Technical Information (for support personnel)
Background: This error indicates that the gateway could not find the IP address of the Web site you are trying to access.
ISA Server: bnft2
Via:
URL: http://mail.bnft1.com/exchange
Time: 7/9/2001 9:44:17 PM GMT
------------------ Nicholas Nowik

RE: Sanity Check - ISA cutover this weekend - 10.Jul.2001 12:01:00 AM
nowikn
IT WORKS! I guess ISA needed a few minutes to synch up with everything. . . here's the link I am using: http://mail.benefit1.com/exchange/logon.asp Thanks John (and Tom) for all of your help. . . the past few weeks have been a great learning experience and appreciate your input - this website is a GREAT resource! ------------------ Nicholas Nowik

RE: Sanity Check - ISA cutover this weekend - 10.Jul.2001 2:52:00 AM
jgrabiec
Nicholas, GREAT! Glad to hear you got it working. One more suggestion, edit the LOGON.asp default page for OWA and remove the stuff with the revision, public folders, etc. No sense giving a hacker any info on the main page. ------------------ -=john=- MCSE,MCP+I,CCNA,CCA