Configuring the ISA Firewall to Support TZO Dynamic DNS Services

Configuring the ISA Firewall to Support TZO Dynamic DNS Services

by Thomas W Shinder MD, MVP

Dynamic DNS (DDNS) services enable users with dynamic IP addresses to register domain names users on the Internet can use to reach published resources. These DDNS services are a tremendous boon to small and home business users who would like to take the reins and run their own Internet accessible services. Examples of services you can make available over the Internet include:

Examples of services you can make available over the Internet include:

• Exchange Outlook Web Access (OWA)
• Exchange Outlook Mobile Access (OMA)
• Exchange ActiveSync (EAS)
• SMTP servers
• POP3 servers
• IMAP4 servers
• Web servers
• FTP servers
• NNTP (news) servers
• VPN servers
• And lots more!

DDNS services solve the problem of being able to reach servers on your network from the Internet when your public IP address changes. For example, you might want to use the ISA firewall’s fantastic secure Exchange RPC publishing feature so that you can use the native Outlook MAPI client without incurring the overhead of upgrading to Exchange 2003 and Outlook 2003 just to get RPC over HTTP. The ISA firewall’s advanced RPC filter insures that you can connect securely over the Internet using the native Outlook client, regardless of what version of Outlook you might be using.

The secure Exchange RPC filter allows you to connect to any version of Exchange from any version of Outlook. I use it every time I’m on the road from airports and hotel broadband networks and I can assure you, once you deploy it, you’ll wonder how you ever lived without it. The secure Exchange RPC publishing feature is one of the ISA firewall’s features that confirms the ISA firewall stands head and shoulder’s above any other firewall when it comes to providing secure remote access to Exchange Server services. In fact, you do yourself and your organization a disservice if you allow remote access to Exchange without an ISA firewall in front of it.

The challenge for small and home business users is that when their IP address changes, they have no simple mechanism for determining what the new IP address is and subsequently they’re not able to connect to resources on their network.

For example, suppose you’re about to go on a trip and want to connect to the Exchange Server on your home office network. You create OWA and secure Exchange RPC publishing rules so you can reach the Exchange Server from your hotel and airport. You note down the IP address you currently have and configure Outlook to use that address and also to use it for OWA.

Now you leave your home office and go to the airport. You try to connect to the Exchange Server and find that you can’t. The IP address on the external interface of the ISA firewall has changed! No one is at home, so they can’t run a utility like www.whatismyip.com to tell you what your new address is, so you’re out of luck and without mail.

Note:
There are even more problems with this scenario. In order to configure Outlook correctly, you’ll need a real fully qualified domain name for the Outlook client to connect to. Also, if you want to use OWA securely, you need to use SSL to SSL bridging. SSL requires that the certificate bound to the ISA firewall’s Web listener have a name matching the name you use when you issue a request from a Web browser. You can’t put IP addresses in for the subject name on the certificate.

The solution is a DDNS service. DDNS services can be a key component of your split DNS infrastructure, which is something very important to the small and home business user who can’t host his own DNS server. This is especially important for users of small  business server who accept the installation defaults which encouraged inexperienced users to use the .local illegal top level domain.

For more information on a split DNS on how it can provide exceptional value for small businesses and home users, check out Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS! at http://isaserver.org/tutorials/2004illegaltldsplitdns.html

TZO is a DDNS service I’ve been using since the late 1990s and I consider one of the best, if not the best, DDNS provider available. We’ve had zero downtime with TZO and registering new domains with them is quite easy. For more information about their service, check out www.tzo.com

Note:
This article does not apply to Microsoft Small Business Server. SBS has its own way to doing things and you should follow the product documentation on how to configure the ISA firewall to provide remote access to services through the on-box ISA firewall.

Have Questions about the article? Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000806

Configuring the ISA Firewall to Support TZO DDNS Services

You can install the TZO client software in one of two places:

• On the ISA firewall itself
• On a SecureNAT client located behind the ISA firewall

I prefer to put the TZO client software on a SecureNAT client behind the ISA firewall because the ISA firewall should run only the ISA firewall software. The only exception to this is software designed specifically for the ISA firewall. Software designed for the ISA firewall should not increase the attack surface on the firewall, so I’m willing to make an exception in that case.

The procedure for allowing the TZO client to communicate with the TZO DDNS servers is the same regardless of the location, with the exception that the source location in the Access Rule is different. In the following example I’ll demonstrate how to create the Access Rule allowing outbound access from the TZO client to the TZO DDNS servers on the Internet:

1. In the ISA firewall console, expand the server name and click Firewall Policy.
2. Click the Tasks tab in the Task Pane and click the Create New Access Rule.
3. In the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this example we’ll enter Outbound to TZO DDNS. Click Next.
4. On the Rule Action page, select the Allow option and click Next.
5. On the Protocols page, select the Selected Protocols option from the This rule applies to list and then click Add.
6. In the Add Protocols dialog box, click the New menu and click Protocol.

Figure 1

7. On the Welcome to the New Protocol Definition Wizard page, enter TZO into the Protocol Definition name text box and click Next.
8. On the Primary Connection Information page, click the New button.
9. In the New/Edit Protocol Connection dialog box, set the Protocol Type to TCP. Set the Direction to Outbound and set the Port range settings as From 21330 and To 21333. Click OK.

Figure 2

10. Click Next on the Primary Connection Information page.

Figure 3

11. Click Next on the Secondary Connections page.
12. Click Finish on the Completing the New Protocol Definition Wizard page.
13. In the Add Protocols dialog box, click the User-Defined folder and double click TZO and then click Close.

Figure 4

14. Click Next on the Protocols page.
15. On the Access Rule Sources page, click Add.
16. You have two choices at this point. If you have installed the TZO client software on the ISA firewall device itself, then you would click the Networks folder and double click Local Host. In this example we have installed the TZO client software on a SecureNAT client on the default Internal Network, so we will create a Computers entry for this host so that we allow only this host outbound access to the TZO protocol. Start the process by clicking the New menu and then clicking Computer.

Figure 5

17. In the New Computer Rule Element dialog box, enter TZO Client in the Name text box. In the Computer IP Address text box, enter the IP address of the SecureNAT client on which the TZO client software is installed. In this example we’ll enter 10.10.10.100 and click OK.

Figure 6

18. In the Add Network Entities dialog box, click the Computers folder and double click the TZO Client entry and click Close.
19. Click Next on the Access Rule Sources page.
20. On the Access Rule Destinations page, click Add.
21. In the Add Network Entities dialog box, click the New menu and then click Computer Set.

Figure 7

22. In the New Computer Set Rule Element dialog box, enter TZO DDNS Servers in the Name text box. Click the Add button and then click Computer.
23. Now this is where things get tricky. I queried my ISA firewall logs for TZO connections for the last month and copied those results to Excel and turned on the auto filter feature to find the addresses the TZO client connected to. The summary appears in the figure below. I will assume that these are the IP addresses of the TZO DDNS servers. I’m checking with the folks at TZO to determine if there are others and if there are, I’ll update this article with the additional addresses.

Figure 8

24. In the Name text box enter TZO DDNS Servers. Enter 216.235.248.67 in the Computer IP Address text box to enter the IP address of the first TZO DDNS server and click OK. Repeat the procedure to add the following addresses:

    216.243.64.169
    216.75.195.44
    64.27.166.100
    64.27.166.101

25. Your list should now look like the figure below. Click OK.

Figure 9

26. In the Add Network Entities dialog box, click the Computer Sets folder and double click the TZO DDNS Servers entry and click Close.

Figure 10

27. Click Next on the Access Rule Destinations page.
28. Click Next on the User Sets page.
29. Click Finish on the Completing the New Access Rule Wizard page.
30. Your Access Rule should look like that in the figure below

Figure 11

31. Click Apply to save the changes and update the firewall policy and Click OK in the Apply New Configuration dialog box.

Now that was a lot of work and you don’t want to do that all over again. You can back up that list of servers or you can back up the entire ISA firewall configuration. I highly recommend that you back up the entire ISA firewall configuration after each time you click the Apply button to save the changes to firewall policy. This is one of the most common mistakes made by ISA firewall admins – they forget to backup the ISA firewall policies after each change to the firewall policy.

Perform the following steps to backup the ISA firewall configuration:

1. In the ISA firewall console, right click the server name and click Back Up.
2. In the Backup Configuration dialog box, enter the name for the back up in the File name text box. I typically use the date and time in the file name, so in this example I’ll enter 060420051129AM and then click Backup.
3. In the Set Password dialog box, enter a password and confirm the password and click OK.
4. Click OK when you see that The configuration was successfully backed up.

That’s it! Your TZO client will now be able to communicate with the TZO DDNS servers.

Bonus Files:
I’ve included two files you can download with this article. The TZODDNSServers.xml file can be used to import the TZO computer set we created in this article. The TZOProtocolDefinition.xml file can be used to import the TZO Protocol Definition we created in this article.

Have Questions about the article? Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000806

Summary

In this article we reviewed the concept of dynamic DNS services and how they can be used to improve the remote access experience for small business and home office workers. We then discussed the TZO DDNS service and how to configure the ISA firewall to enable the TZO client to communicate with the TZO DDNS servers. Included in the discussion was how to configure the ISA firewall to support the TZO client when the client is installed on either the ISA firewall itself, or on a SecureNAT client located behind the ISA firewall on an ISA firewall Protected Network.