Welcome to ISAserver.org

RE: Discussion of the Getting Started with ISA2004 article

RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 9:58:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jmunyan:
Hi, I was wondering if anyone could comment on the interface limitation of ISA 2004? Will 2k4 raise the limitation of one private, public, and DMZ interface? Can the new product instantiate more than one instance of the NAT process? In other words, can the DMZ use private IP addresses rather than the rather kludgy subdivision of the public space?

Thanks,

John

Hi John,

You bet! You can have as many internal and DMZ interfaces as you like! Firewall policy is applied to all interfaces. The entire LAT concept is gone. You can also control the network relationships between any two networks: NAT, Route or none.

HTH,
Tom

(in reply to tshinder)
Post #: 21
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 10:00:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jmunyan:
One more question:

Will ISA 2k4 support affinity on multiple private to public SNATS?

I had a nasty situation with ISA 2K where, when publishing multiple mail servers (each with their own SNAT), outbound mail, regardless of mapping, was stamped with the default source address of the firewall (first address in the binding order).

This caused me much grief and ultimately resulted in an unsuccessful implementation, as reverse lookups to the host had only an n-1 chance of resolving correctly.

So will the new product correct this deficiency?

Thanks,

John

Hi John,

No [Frown]

HTH,
Tom

(in reply to tshinder)
Post #: 22
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 10:06:00 AM   
Guest
Hi Tom,

This guy's question seems to have been omitted.

"How do I find out what to create to enable outbound Outlook to Exchange access ? Even with a rule allowing everything outbound, I still can't get Outlook to connect to Exchange.

Anthony"

Please answer so that we know where we are with exchange and outlook with ISA2004 beta2.

Thanks.

Jimmy

(in reply to tshinder)
  Post #: 23
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 11:46:00 AM   
thejedi70

 

Posts: 73
Joined: 11.Apr.2001
Status: offline
hello Tom & people,

I have just started using ISA2004 with dial-up. So far, it has all worked smoothly. I'd like to do more tests on the subject. Tom, please let me know if I may be of any assistance with specific tests.

I haven't thoroughly checked out the filters section yet. If I am not wrong, I still see a SOCKS4 filter (but not SOCKS5). Any plans for this to be included, or should we expect to see it again in the SDK samples? Besides, I'd like to know whether the SOCKS filters are still in a use-all-or-use-none fashion, or if access rules can (finally) be specified.

Cheers all.

(in reply to tshinder)
Post #: 24
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 12:22:00 PM   
orentrutner

 

Posts: 17
Joined: 28.Jan.2004
From: Redmond
Status: offline
quote:

Originally posted by jmunyan:
One more question:

Will ISA 2k4 support affinity on multiple private to public SNATS?

I had a nasty situation with ISA 2K where, when publishing multiple mail servers (each with their own SNAT), outbound mail, regardless of mapping, was stamped with the default source address of the firewall (first address in the binding order).

This caused me much grief and ultimately resulted in an unsuccessful implementation, as reverse lookups to the host had only an n-1 chance of resolving correctly.

So will the new product correct this deficiency?

Thanks,

John

As Tom indicates, the quick answer is no.

However, one thing you can do with ISA Server 2004 is assign the mail servers public IP addresses, and have them routed directly to the Internet. ISA Server 2004 allows these servers to reside in a NAT-ed network and still be routed, as an exception to the rule.

This will resolve the source address issue at the cost of dedicating a public IP address to a mail server.

(in reply to tshinder)
Post #: 25
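John's problem and Oren's workaround both come down to one invariant: the source address a remote MTA sees on an outbound SMTP connection must reverse-resolve to the mail server that actually sent the message, otherwise the n-1 reverse-lookup failures John describes follow. The script below is an added illustration, not code from this thread or from ISA Server: it audits constructed firewall log lines (internal source, translated source, destination, port) against an intended per-server SNAT mapping and a stand-in PTR table, and reports every connection whose translated address or PTR target does not match. All hostnames, addresses and log lines are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# All data below is constructed for illustration; none of it comes from the thread.

# Intended per-server SNAT mapping: internal address -> dedicated public address.
INTENDED_SNAT = {
    "10.0.0.11": "203.0.113.11",
    "10.0.0.12": "203.0.113.12",
    "10.0.0.13": "203.0.113.13",
}

# Hostname each mail server announces in EHLO; its PTR record should match it.
EHLO_NAME = {
    "10.0.0.11": "mail1.example.test",
    "10.0.0.12": "mail2.example.test",
    "10.0.0.13": "mail3.example.test",
}

# Stand-in for reverse DNS: public address -> PTR target.
PTR = {
    "203.0.113.11": "mail1.example.test",
    "203.0.113.12": "mail2.example.test",
    "203.0.113.13": "mail3.example.test",
    "203.0.113.1": "fw.example.test",  # firewall's first-bound (default) address
}

# Constructed firewall log: internal src, translated src, dst, dst port.
# Two of the three SMTP connections were sourced from the default address.
SAMPLE_LOG = """\
10.0.0.11 203.0.113.11 198.51.100.25 25
10.0.0.12 203.0.113.1 198.51.100.25 25
10.0.0.13 203.0.113.1 198.51.100.25 25
10.0.0.11 203.0.113.11 198.51.100.80 443
"""


@dataclass
class Finding:
    internal: str
    translated: str
    expected: str
    ptr_target: str
    problems: List[str]

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_log(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (internal, translated, dst, port) for each well-formed SMTP (port 25) line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        internal, translated, dst, port = parts
        if port == "25":
            yield internal, translated, dst, port


def check_connection(internal: str, translated: str) -> Finding:
    """Compare one outbound SMTP connection against the intended SNAT and PTR data."""
    expected = INTENDED_SNAT.get(internal, "")
    ptr_target = PTR.get(translated, "")
    problems = []
    if translated != expected:
        problems.append(f"snat: expected {expected or '(none)'}, saw {translated}")
    if ptr_target != EHLO_NAME.get(internal):
        problems.append(
            f"ptr: {translated} -> {ptr_target or '(none)'}, EHLO {EHLO_NAME.get(internal)}"
        )
    return Finding(internal, translated, expected, ptr_target, problems)


def audit(log_text: str) -> List[Finding]:
    """Run the check over every outbound SMTP connection in the log."""
    return [check_connection(i, t) for i, t, _, _ in parse_log(log_text)]


def failure_fraction(findings: List[Finding]) -> float:
    """Share of outbound SMTP connections whose reverse lookup will not match."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if not f.ok) / len(findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print("OK " if f.ok else "BAD", f.internal, "->", f.translated, "; ".join(f.problems))
    print(f"mismatched: {failure_fraction(results):.0%}")
```

On the sample log, two of the three SMTP connections are flagged twice (wrong translated address and a PTR that names the firewall rather than the sending server), which is exactly the symptom a receiving MTA doing reverse-lookup checks would reject; the same check run over a real export of firewall connection logs, with the PTR table replaced by live lookups, tells you whether a per-server SNAT (or Oren's routed-public-address workaround) is in effect before mail starts bouncing.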
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 12:34:00 PM   
pegloff

 

Posts: 2
Joined: 29.Jan.2004
Status: offline
Great article!

I have a few question on ISA 2004 ...

1.) What about Active Directory Integration? Is this something that will be available in the Enterprise Edition only, scheduled for late 2004?

2.) Without the Enterprise Version: Is there an easy way to administer 2 ISA servers configured identically?

3.) Any ideas about load balancing? Will NLB still work?

Thanks and best regards,
Patrick

(in reply to tshinder)
Post #: 26
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 12:41:00 PM   
orentrutner

 

Posts: 17
Joined: 28.Jan.2004
From: Redmond
Status: offline
thejedi70 wrote:
quote:

I haven't thoroughly checked out the filters section yet. If I am not wrong, I still see a SOCKS4 filter (but not SOCKS5). Any plans for this to be included, or should we expect to see it again in the SDK samples? Besides, I'd like to know whether the SOCKS filters are still in a use-all-or-use-none fashion, or if access rules can (finally) be specified.

We've adapted the SOCKS4 filter to support multiple networks and we brushed it up a bit.

The SOCKS filter now lets you control on what networks it will accept SOCKS traffic. For example, you can specify that it will accept SOCKS traffic from the internal network, but not from the DMZ -- or vice versa.

There is no production-quality SOCKS5 support in the box. When we asked, most of you suggested we focus the investment elsewhere. I realize some of you care for SOCKS5; this may be addressed by a partner offering.

(in reply to tshinder)
Post #: 27
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 12:57:00 PM   
orentrutner

 

Posts: 17
Joined: 28.Jan.2004
From: Redmond
Status: offline
pegloff,

quote:
1.) What about Active Directory Integration? Is this something that will be available in the Enterprise Edition only, scheduled for late 2004?

ISA Server 2004 Standard Edition (SE) integrates with Active Directory for authentication, and integrating AD users+groups into the firewall policy. Its user interface also lets you browse AD for domain names, computers, etc.

I cannot comment on the feature set of Enterprise Edition (EE) yet, but you can expect it to do more and better than ISA Server 2000 EE did. One special note is that ISA Server 2004 EE aims to support environments with or without AD, such that not having AD in the DMZ will not be a blocker for deployment.

quote:

2.) Without the Enterprise Version: Is there an easy way to administer 2 ISA servers configured identically?

Yes! ISA Server 2004 introduces an import/export feature that lets you drop the entire server configuration to an XML file, which you can import seamlessly on another server. This is a manual (scriptable) process, however. If you have a small number of servers and don't change configurations frequently, this may work for you.

Of course, EE adds more value in automatic replication, centralized management and monitoring, fault tolerance, load balancing, etc.

quote:

3.) Any ideas about load balancing? Will NLB still work?

With EE: yes, and better than ever before.
With SE: I assume it does, but I don't know that we had it tested. The introduction of multiple networks adds some interesting challenges to configuring NLB. SE does not attempt to address any of those.

(in reply to tshinder)
Post #: 28
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 1:27:00 PM   
thejedi70

 

Posts: 73
Joined: 11.Apr.2001
Status: offline
quote:
Originally posted by Oren Trutner [MSFT]:
thejedi70 wrote:

We've adapted the SOCKS4 filter to support multiple networks and we brushed it up a bit.
The SOCKS filter now lets you control on what networks it will accept SOCKS traffic. For example, you can specify that it will accept SOCKS traffic from the internal network, but not from the DMZ -- or vice versa.

quote:

There is no production-quality SOCKS5 support in the box. When we asked, most of you suggested we focus the investment elsewhere. I realize some of you care for SOCKS5; this may be addressed by a partner offering.

In ISA2k the SOCKS filter was a major problem; it was practically unconfigurable. You enable it or you don't. You have no way to define any access rules (other than the weak change to a non-standard port). The network thing in ISA2004 is certainly a step forward, but (correct me if I am wrong) I will need to move all legitimate SOCKS clients to a different network and define specific rules. All clients in that subnet will be able to use the SOCKS filter with no other chance to restrict access. This doesn't sound exactly flexible. [Frown]

As for SOCKS5 support: adding such a filter shouldn't be a big investment (certainly not for Microsoft [Razz]). Besides, it wouldn't need to be developed from scratch, right?

Thanks for your information.

[ January 29, 2004, 01:30 PM: Message edited by: thejedi70 ]

(in reply to tshinder)
Post #: 29
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 1:51:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
The GUI and features mentioned above look (and sound) great. Will this run on Win2k or will it be Server 2003 only?

Also, any news on RC1? If so, how can I get hold of it? [Big Grin]

Paul.

(in reply to tshinder)
Post #: 30
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 1:52:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Tom, I guess from an earlier comment that you're working on a new book? How's the book coming along? Does this mean there won't be an ISA 2000 2nd Ed.?

Paul.

(in reply to tshinder)
Post #: 31
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 2:13:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by <jimmy>:
Hi Tom,

This guy's question seems to have been omitted.

"How do I find out what to create to enable outbound Outlook to Exchange access ? Even with a rule allowing everything outbound, I still can't get Outlook to connect to Exchange.

Anthony"

Please answer so that we know where we are with exchange and outlook with ISA2004 beta2.

Thanks.

Jimmy

Hi Jimmy,

The All RPC Protocol should allow outbound access to Exchange Servers. In fact, support for this was included with Feature Pack 1 for ISA2000.

If you can't connect, it may be a name resolution issue, might be worth checking out.

HTH,
Tom

(in reply to tshinder)
Post #: 32
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 2:15:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by thejedi70:
hello Tom & people,

I have just started using ISA2004 with dial-up. So far, it has all worked smoothly. I'd like to do more tests on the subject. Tom, please let me know if I may be of any assistance with specific tests.

I haven't thoroughly checked out the filters section yet. If I am not wrong, I still see a SOCKS4 filter (but not SOCKS5). Any plans for this to be included, or should we expect to see it again in the SDK samples? Besides, I'd like to know whether the SOCKS filters are still in a use-all-or-use-none fashion, or if access rules can (finally) be specified.

Cheers all.

Hi Jedi,

Thanks! What I'm most interested in are things that don't seem to work with dial-up. In ISA2000, there were problems with Web and Server Publishing Rules with dial-up connections, some of them were related to IP address changing on the external interface, and some related to other things. Anything that you notice that doesn't seem to work right, let us know!

Thanks!
Tom

(in reply to tshinder)
Post #: 33
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 2:19:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by thejedi70:
quote:
Originally posted by Oren Trutner [MSFT]:
thejedi70 wrote:

We've adapted the SOCKS4 filter to support multiple networks and we brushed it up a bit.
The SOCKS filter now lets you control on what networks it will accept SOCKS traffic. For example, you can specify that it will accept SOCKS traffic from the internal network, but not from the DMZ -- or vice versa.

quote:

There is no production-quality SOCKS5 support in the box. When we asked, most of you suggested we focus the investment elsewhere. I realize some of you care for SOCKS5; this may be addressed by a partner offering.

In ISA2k the SOCKS filter was a major problem; it was practically unconfigurable. You enable it or you don't. You have no way to define any access rules (other than the weak change to a non-standard port). The network thing in ISA2004 is certainly a step forward, but (correct me if I am wrong) I will need to move all legitimate SOCKS clients to a different network and define specific rules. All clients in that subnet will be able to use the SOCKS filter with no other chance to restrict access. This doesn't sound exactly flexible. [Frown]

As for SOCKS5 support: adding such a filter shouldn't be a big investment (certainly not for Microsoft [Razz]). Besides, it wouldn't need to be developed from scratch, right?

Thanks for your information.

Hi Alex,

You'll still need SOCKS5 for authentication, but you can use Computer Sets, Network Sets, Address Ranges and Subnets to control access by IP address. If you use DHCP, then you can assign permissions to specific DHCP scopes.

HTH,
Tom

(in reply to tshinder)
Post #: 34
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 2:20:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Paul Williams:
The GUI and features mentioned above look (and sound) great. Will this run on Win2k or will it be Server 2003 only?

Also, any news on RC1? If so, how can I get hold of it? [Big Grin]

Paul.

Hi Paul,

Yes, it will run on both Win2k and Win2003.

RC1? Beta2 just came out yesterday! [Big Grin]

Thanks!
Tom

(in reply to tshinder)
Post #: 35
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 2:21:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Paul Williams:
Tom, I guess from an earlier comment that you're working on a new book? How's the book coming along? Does this mean there won't be an ISA 2000 2nd Ed.?

Paul.

Hi Paul,

Of course! A book is a must [Big Grin]

I thought a second Ed. of the ISA2000 book would have been good, but my publisher didn't [Frown]

Thanks!
Tom

(in reply to tshinder)
Post #: 36
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 3:21:00 PM   
unclehughie

 

Posts: 70
Joined: 31.Dec.2001
From: Montreal, Canada
Status: offline
Tom
Ah, those publishers never know what's good for them!
The new SBS2003 Standard Version - that is, Win2K3, Exchange Server 2003, Sharepoint Services and five Outlook 2003 client licences, but without ISA Server 2000 and SQL Server - is a great bargain. Also, the 2003 version allows you to run additional member servers in the SBS domain. I notice also that in ISA Server 2004, you no longer have to go with static packet filters to co-locate servers: you just use a publishing rule. This raises two interesting possibilities:
1. Install SBS2003 as the domain controller and put ISA 2004 on a separate member server connected to the Internet.
2. Install ISA 2004 on the SBS domain controller itself if you don't have a separate Win2K3 Server available.
What do you think?

(in reply to tshinder)
Post #: 37
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 4:26:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
It's a shame you can't rename the default networks. BTW: we're going to implement this on our production network (6 locations connected with gigabit fibre) with 4500 users.
So IT BETTER RUN! lol

Anyway, we're also very enthusiastic about ISA Server 2004. It looks good, it feels good and it performs even better!

Kind regards,
Lex Penrose

(in reply to tshinder)
Post #: 38
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 8:11:00 PM   
jmunyan

 

Posts: 803
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
Oren, I don't think I quite follow you. How would this be different in practice from using the ISA 2k public DMZ? Is it simply that the traffic goes through the FW engine and is 'statefully' inspected?

Thanks,

John

quote:
Originally posted by Oren Trutner [MSFT]:
quote:

Originally posted by jmunyan:
One more question:

Will ISA 2k4 support affinity on multiple private to public SNATS?

I had a nasty situation with ISA 2K where, when publishing multiple mail servers (each with their own SNAT), outbound mail, regardless of mapping, was stamped with the default source address of the firewall (first address in the binding order).

This caused me much grief and ultimately resulted in an unsuccessful implementation, as reverse lookups to the host had only an n-1 chance of resolving correctly.

So will the new product correct this deficiency?

Thanks,

John

As Tom indicates, the quick answer is no.

However, one thing you can do with ISA Server 2004 is assign the mail servers public IP addresses, and have them routed directly to the Internet. ISA Server 2004 allows these servers to reside in a NAT-ed network and still be routed, as an exception to the rule.

This will resolve the source address issue at the cost of dedicating a public IP address to a mail server.


(in reply to tshinder)
Post #: 39
RE: Discussion of the Getting Started with ISA2004 article - 29.Jan.2004 8:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jmunyan:
Oren, I don't think I quite follow you. How would this be different in practice from using the ISA 2k public DMZ? Is it simply that the traffic goes through the FW engine and is 'statefully' inspected?

Thanks,

John

quote:
Originally posted by Oren Trutner [MSFT]:
quote:

Originally posted by jmunyan:
One more question:

Will ISA 2k4 support affinity on multiple private to public SNATS?

I had a nasty situation with ISA 2K where, when publishing multiple mail servers (each with their own SNAT), outbound mail, regardless of mapping, was stamped with the default source address of the firewall (first address in the binding order).

This caused me much grief and ultimately resulted in an unsuccessful implementation, as reverse lookups to the host had only an n-1 chance of resolving correctly.

So will the new product correct this deficiency?

Thanks,

John

As Tom indicates, the quick answer is no.

However, one thing you can do with ISA Server 2004 is assign the mail servers public IP addresses, and have them routed directly to the Internet. ISA Server 2004 allows these servers to reside in a NAT-ed network and still be routed, as an exception to the rule.

This will resolve the source address issue at the cost of dedicating a public IP address to a mail server.


Hi John,

ALL traffic moving through the firewall now is statefully filtered and inspected. Nice!

Tom

(in reply to tshinder)
Post #: 40