Welcome to ISAserver.org

isa server 2004 RTM

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Cache] >> General >> isa server 2004 RTM

Page: [1]

Message

<< Older Topic Newer Topic >>

isa server 2004 RTM - 5.Jul.2004 3:35:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

I recently saw somewhere that isa server 2004 is in a rtm state. Does anyone here know if this is true? Also is this just isa standard edition or do they also have the enterprise edition ready for rtm?

Post #: 1

Featured Links*

RE: isa server 2004 RTM - 5.Jul.2004 6:00:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Watts,

Where did you read that?

Thanks!
Tom

(in reply to watts3000)

Post #: 2

RE: isa server 2004 RTM - 6.Jul.2004 5:24:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

Tom I read it here http://winxp.bink.nu/DesktopModules/ArticleDetail.aspx?ArticleID=2057 I don't know if its a good source though. BTW could you please answer my below post no one here cared to answer it.
//////////////////////////////////////////////////////////
I'm looking for a proxy server for our network. I need something that can block active x content, javascript. I also want to be able to create a list of trusted websites. For example, let say that I block active x and javascript but there are certain business related websites that use these feature. I simply want to be able to enter that url into isa. I would than like that url that I enterd not to be subjected to the blocking of active x and java script. Also I don't know to go ahead and delpoy isa server 2000 or wait for 2004. I really need something right now. When is isa server 2004 expected to come out.

(in reply to watts3000)

Post #: 3

RE: isa server 2004 RTM - 6.Jul.2004 3:02:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Watts,

Thanks! Interesting info.

To answer your question. Yes, you can block Java and Active X on a per-site basis because the HTTP Security Filter is enabled on a per-rule basis.

HTH,
Tom

(in reply to watts3000)

Post #: 4

RE: isa server 2004 RTM - 7.Jul.2004 1:04:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

You have to do it on a per site basis. I want to block active x for all sites. Than if its a site thas needed for business use I want to be able to put that site in a special list so it want be filtered. We do this with our checkpoints all the time. Surely isa server can do it.

(in reply to watts3000)

Post #: 5

RE: isa server 2004 RTM - 7.Jul.2004 2:07:00 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Watts,

You can create exceptions to the Deny rule, so that its not applied to the appropriate sites and/or users.

HTH,
Tom

(in reply to watts3000)

Post #: 6

RE: isa server 2004 RTM - 7.Jul.2004 7:18:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

Tom does your book isa server and deyond list all the possible ways isa server can be deployed. BTW this is also how I noticed that isa server 2004 is complete. Download this quickstart guide you'll notice they are using 120 day eval copy not the beta version. I'm interested in setting up isa server behind one of our clients sonicwall firewall, but I've noticed that also you can set up behind a firewall just using one nic. Whats the difference between the two setups I'm assuming if you use 1 nic you can only publish servers. What all firewall features are you giving up if you use the one nic. Than I know you can just simply deploy isa server on the border of a network also using one interface for external and the other for lan. Sorry if I did'nt phrase myself clearly here I'm just trying to see the different depployment setups.

http://members.microsoft.com/partner/products/servers/isaserver2004/quickstartguide.aspx

(in reply to watts3000)

Post #: 7

RE: isa server 2004 RTM - 7.Jul.2004 1:58:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Watts,

Thanks for the link to the QS guide.

I would highly recommend that you install the ISA firewall using two NICs, either in front of or behind the sonicwall. Or, replace the sonicwall with the ISA firewall. The sonicwall is just a packet filter, so in reality, it doesn't provide what I would call true firewall capability. However, the sonciwall can provide some basic screening to offload some processing from the ISA firewall.

Check out:
http://isaserver.org/articles/2004tales.html

HTH,
Tom

(in reply to watts3000)

Post #: 8

RE: isa server 2004 RTM - 7.Jul.2004 6:57:00 PM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

Tom thanks for that article. Uou don't know how many times I've heard people say. I would feel comfortable if I did'nt have a pix or checkpoint in front of the isa box. I always knew that firewall proxies provided more security because it simply operates at a higher level on the osi model, but you would be surprised at how many people set up company firewalls and don't know the osi mode. Tom I would like to ask you one something though. I noticed that is the quickstart it said that you should not join the isa server computer to a domain. Can you tell me why this box should not be joined to a domain? Also I know you are not supposed to run any other apps on the isa server box but would it be safe to run sms 2003 or a norton antivirus server on the box?

(in reply to watts3000)

Post #: 9

RE: isa server 2004 RTM - 8.Jul.2004 12:05:00 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Watts,

In general, you don't want any domain members facing the Internet, esp. in the case of the firewall, which is always the focus of pointed attack by external users. However, I have no problem when the ISA firewall is behind another authenticating firewall that allows only authenticated connections inbound, like a front-end ISA firewall.

HTH,
Tom

(in reply to watts3000)

Post #: 10

RE: isa server 2004 RTM - 8.Jul.2004 12:20:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

Tom let me ask 3 more things and I'm off to the test lab. You answered most of my last question but can you install any software on a isa server firewall such as norton antivirus servers or sms. For example, you have a sonicwall doing stateful and a isa behind it. Also are there any advantages to running a caching only dns server on the isa server. I normally just run internal dns servers and set up forwarders for traffic that needs internet access. Also is there an advatage to running a dhcp server on your isa firewall? BTW thanks for all of your help I will be picking up your isa 2004 book when it comes out.

(in reply to watts3000)

Post #: 11

RE: isa server 2004 RTM - 8.Jul.2004 6:27:00 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Watts,

I never run AV software on the ISA firewall because there's no mechanism for it to be attacked. I never use client applications on the firewall itself. That means, no Outlook Express, no IE, no RDP outbound, no nothing. Of course, the ISA box could be hit by something like the Sasser worm or something similar, but you would have to allow inbound access to the firewall from a network that had an infected client, and access would have to be allowed on the worm's port. In that case, you'll get hit before Norton or any other AV finds it. However, there are other's who believe that its a good idea to have an AV on the ISA box. I recommend that you do what you're most comfortable with. I'm comfortable without it, so I continue doing it that way [Smile]

I would definitely NOT put SMS or comparable software on the ISA firewall because of the service that need inbound and outbound access to and from the firewall. That's getting into a scary situation, almost as bad as putting an Exchange server on the firewall! [Wink]

I like putting the caching-only DNS server on the ISA firewall because it represents a forwarder that I trust and have configured to prevent issues such as cache poisoning, etc. I have control over the forwarder and I also configure the forwarder on the ISA firewall to use my ISP's DNS server as a forwarder, because I trust my ISPs and typically use only trusted ISPs (i.e., not AOL/Earthlink/Charter). However, if I have the option, I prefer to put the caching-only forwarder on a DMZ segment. The goal is to prevent any Internal network host from having a "direct" connection with Internet hosts. This is the same as the firewall philosophy that no Internal network host should be "Internet facing", although they typically mean not accepting new inbound connections when they use that term. I prefer to have my Internal network hosts never have any contact with Internet hosts. However, this is not required and you can safely use a trusted ISP's DNS server as your only forwarder.

There are NO advantages to running a DHCP server on the ISA firewall. However, I included that info in the Getting Started doc because a lot of shops expect the firewall to be a DHCP allocator/server. However, I far prefer having the DHCP server on another machine on the network, such as the same machine that is acting as the WINS/DNS/RADIUS/Certificate server. Prefer to not have it on a DC, but you can certainly do that, however there are security implications if you use dynamic DNS registrations on your network.

HTH,
Tom

(in reply to watts3000)

Post #: 12