I have WinXP beta2 running ISA on the same box that is connected to the internet through Starband. The Starband side is currently using a Model 180 modem with the ethernet jack enabled.
For over a month, I ran this setup clean using the 180 on my external nic without installing the AS_agent IP Accellerator software. All was well for the most part.
Recently I installed the IPA, which sets up a localhost proxy on port xxxx and have configured ISA to proxy chain to it. As far as I can tell, this works.

Also on the XP box, I installed DNS and let it run as 'cache only' to try and cut down on the # of lookups sent through the uplink.

My next step is to enable the packet filtering and intrusion detection and harden the security on this system.
What I hope to do is come up with a simple configuration template or checklist for other Starband or satellite-connected users to use. Anyone out there connected in the same way?

There have been plenty of problems with Satellite connection configurations. If you can get this to work, you'll be the ISA Server Hero of the month

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/
Get It Here

Starband's latest upgrade is on the user side: a new modem called the model360. Sofar the driver software for it is proving to be too buggy to keep the server itself up much less the ISA!
Top of that, there's a new .net server out for betatesters. I am praying for better luck with that one once I install it, hopefully tomorrow.
- Bill

It seems to me, then, that I have to enable whatever protocol the Win2K software is using to talk to the 360 modem. If this is correct, then I don't know exactly what the specifics of the protocol being used is, other than it has something to do with the Nettgain 2000 software, which is based on the "Boosted Session Transport" protocol.

Does anybody know more about this and could shed some light? I'd be glad to share whatever clues I come up with as well.

Thanks,
-Dave Baskin

Following the "Getting Started" document, I basically opened up the ISA server, allowing all protocols and turning off all packet filtering. Of course, this is not very secure, so I still need to get information about what packet filtering needs to go on between the Win2K machine and the StarBand 360 modem. I wonder if the folks at Flash Networks (http://www.flashnetworks.com) would help.

The other thing I had to do, was set up my DHCP server to pass the StarBand DNS servers to the computers on my network.

Anybody know any more about the NettGain software and the protocol it uses?

Thanks,

------------------
Dave F. Baskin

I still haven't rx'ed the 360 yet, but if it's like the 180, you will need to open up 9878 port for the connection to the HPA. I haven't verified this yet, but it sure is a question that needs an answer. As for the BST protocol, other than not being supported through routers, no clue here; but I'm hunting for one.
- Bill

To start it back up, I have to stop the ISA services (Firewall, WebProxy, ISA Service), then renew the IP address of the network card attached to the StarBand modem (via DHCP on the modem). Then restart the ISA services. Is it possible that the StarBand system needs to change this IP address every so often? Or, I may be just chasing a red herring.

I left a message with Flash Networks. Their reply, of course, was that it's Starband's problem, not theirs, but they "might" get back with me. Starband doesn't give out this kind of information, though. They only indirectly support WinProxy for client connections.

An ISA question: If there is a protocol that is used between the Win2K box and the Starband 360 modem using port 9878, how would you enable this within ISA? I didn't find where you could set something like: "Allow sending and receiving all IP traffic on port 9878". Evidently, ISA needs to more about what kind of traffic will sent/received (ICMP, UDP, etc.)

I'll play around with it some more and keep this item updated (for anybody who's interested at least <g> ). Hope its helpful.

------------------
Dave F. Baskin

As for the 360/Starband problem you're having, it looks like you're saying you don't have a static IP through the modem? I hope that isn't the case. Most of what I've read says it's not fixed, and while *band can reassign them anytime, they don't. Either way, I may want to reconsider giving up my 180 so easily.. Especially in light of the other ISA issues I have with WinXP server (aka .net server) - I'll post that mess seperately.
BTW, did you already use the netstat command to see what ports are showing activity under Netgain2000?
Under the 180 with AS_Agent there was traffic on TCP9877, TCP9876 and UDP9875.
I have yet to get packet filtering to work under starband, but I'm still trying.
We'll keep the updates coming.

- Bill James

Looks like you're getting closer to actually making ISA Server work with Starband! This is fantastic. When you finally get it to work, I'll put your names in the newsletter for ISA Server hero's of the month

But, in order to get the secret prize, you must get packet filtering to work, AND you must be able to get server and web publishing to work

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!

quote:

---

Originally posted by bjames:
first thing I would wonder is why not run DNS on the ISA box itself as a chache?

---

I'll eventually get it set up this way. I'm not concerned about optimizing the system just yet. I want to make sure it works reliably first.

quote:

---

As for the 360/Starband problem you're having, it looks like you're saying you don't have a static IP through the modem?

---

What appears to be happening is that when the NIC connected to the modem receives its IP address from the DHCP server on the modem, the lease on the IP address is two hours. Exactly two hours later, the Starband connection is dropped (the misssion control monitor icon goes to black).

To restore the connection, I have to stop the ISA services (fwsrv, w3proxy, and isactrl), renew the IP address for the NIC ("ipconfig /renew"), then restart the ISA services. Currently, I've just got a batch file to automate and repeat this process every two hours.

Does this mean that my IP address is changing every two hours? I'm not sure. Is there any way to get a more permanent lease on the IP address? Is there a configuration option within Win2K to do this? These and other questions I'm researching now.

------------------
Dave F. Baskin

If you look over the dhcp info it sets you up with and use it as static info, does that work?

I hope so.. Or they're not getting this 180 modem anytime soon.

Now, perhaps I'll have time to work on the firewall services.

quote:

---

But, in order to get the secret prize, you must get packet filtering to work, AND you must be able to get server and web publishing to work.

---

Exactly what packet filtering are you interested in?

I recently setup my 360 and appear to have things working for SecureNAT clients. I've been running about 1 week now without major issues, but I still have some concerns. My main concern is that scanning my external interface from another site results in *tons* of ports registering.....not the most comforting feeling.

After enabling everything based on Tom's Getting Started paper, I have been able to lock things down a bit. To ensure that the Starband comms kept running, I had to create a few new IP Packet Filters as follows:

AS_Agent: TCP 9877 & UDP 9875 (both outbound)
Mission Control: UDP 9874

Mission control allocates a couple additional ports after a reboot and they change each time (broad range), so you lose the green icon, but all appears to continue to work.

fyi....A great tool for determining ports being used on your system is fport from www.foundstone.com (look under R&D/Tools).

I haven't tried web publishing yet as I want to get my external interface into a more stealth like mode. For the life of me I can't figure it out (I only have the "default" packet filters enabled as well as those I noted above). I just received Tom's book today, so I'll do a little reading to gain a better understanding of things :-).

I did have an issue with assiging a static ip address to my external NIC and others on the Starbandusers.com site indicate a Win2K reinstall had fixed their similar issue....may have to give it a shot for my packet filtering issue (it's worth a shot).

Let's keep this thread going....I am really enjoying ISA. After I get this all functional, I plan on implementing a dual ISA DMZ configuration if I can dig up the hardware (I don't want to publish my website on my internal network) :-).

If anyone has any other suggestions on my stealth port issue, let me know.

Cheers,
Kevin

Do you have packet filtering and intrusion detection enabled? The reason is ask is that, from what I understand, Starband requires *two* external interfaces connected to *two* different networks: a modem interface and the satellite interface. Is that correct?

From my experience with two NICs, you run into a lot of problems because of the multiple external interfaces, because data needs to come back on the same interface that it left on; the dynamic packet filter is created on the interface the packet was sent on. If it comes back on a different interface, ISA will treat the SYN-ACK as unelicited and think its getting a Half-scan attack,

Thanks for any insight into this. I think Satellite Internet is the future of the Internet, and I would be really happy to hear that ISA had full functionality with this type of connection.

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!

Starband is a bi-directional satellite offering so there is no need for the second interface for the modem. So my satellite serves as both the downstream and upstream connection...I'm actually a "satellite broadcaster" now (pretty cool huh).

I agree that satellite will play a BIG part of future Internet access. The only downsides currently are the latency and upstream data rate (normally less than 56k). I can deal with the latency, but the upstream feed has to improve.

To answer your questions regarding packet filtering and ID, yes both are enabled.

- Kevin

Kevin, that is fastastic! I did not know that Starband was bidirection satellite. That is quite cool. If they get up upstream throughput to 128Kbps that would be good enough. Are you able to publish servers? Do you have a public or private IP address on the external interface? Do they assign the external address via DHCP or do you have a static address?

Bill, what happens when you enable packet filtering? I'm not sure ISA will run normally on XP/Whistler/.Net yet.

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!

I do have filtering and ID working. My frequent scans of my site (over a separate dial-up line) are showing in my event logs so ID appears to be working. As for the packet filtering....I'm not sure. I continue to be puzzled on why scans of my external interface are showing 1000's of ports responding to connection attempts.

Tom: any additional ideas on how to get the external side of this config in a more stealth mode. Here are some more of the details.

The external interface is a public address, assigned by Starband's DHCP server. The internal interface is a private address. I'm running SecureNAT client configs internally with DHCP assiging default gateway. The only changes I have made to the default ISA install are as follows:

1) Secure Server set to Dedicated
2) Enabled Packet Filtering, ID & IP Routing
3) Enabled Protocol rules for standard outbound services (HTTP, FTP, MSN Messenger, SMTP (sending), POP3, Usenet), only enabled for "internal clients" accessing external servers
4) Default Packet filters are left as-is

Bill: I don't have any green lights on Mission Control software, but all appears to be working. I loaded the 360 Tool that Ken Knight wrote that shows the RPA status. My RPA shows as suspended. I'm not sure what (if any) acceleration I'm getting, but since installing my 360, the DSLReports speed test has been pretty consistent as ~600 down/20 up. I have been able to open up some port that allow AS_Agent and MC to talk better, but each reboot results in a different set of ports :-(. I'll keep trying :-).
If I can get the RPA communicating better, should I chain the ISA Web Proxy to the RPA accelerator port (TCP 9877)? I'm not 100% clear how the acceleration works but it would be great to be able to bump up my 600k speed :-).

Let me know your thoughts.
- Kevin

After a bit of trial and error, it appears that I was successful in getting web publishing working for my personal website (www.kevinwestby.com). Not the fastest site (remember the slow uplink speeds :-)) but it's working.

Bill: Didn't make much progress re:RPA ports....will do some more work tomorrow night :-).

- Kevin