Quick Reference Guide to Configuring ISA Server Interfaces Part 1 – Configuring the Internal Interface.








“How do I configure the ISA Server interfaces?”



There are many opinions on how the ISA Server interfaces should be configured. Many of them are right; some of them are wrong. If you want the definitive guide on how to configure DNS for ISA Server, check out Jim Harrison’s seminal article on ISA Server and DNS at http://www.isaserver.org/pages/tutorials/dns-4-isa.htm.

In this article I’ll expand and highlight some issues I think are important and those that seem to come up a lot on the Web boards. Before reading this, please read over Jim Harrison’s article so that you have the proper context.

Internal Interface Configuration.


The following two screen shots show the main internal interface Properties dialog box.








Nothing significant you need to deal with here. Note that there are no gateways configured. This is as it should be.



Click on the DNS tab.





If you need to add more internal network DNS servers, you can do it here.

An interesting issue came up regarding how unqualified requests are handled by the ISA Server. Jaime Pirnie, our esteemed Game Board leader, wrote on the Web boards that he had a problem with a Nimda virus variant. The virus sent a request to www; the ISA Server treated this as an unqualified request, appended the primary DNS suffix to it, and forwarded it to his internal network server!

Jaime provided a fix for this, but I wonder if we could get around this problem by selecting the Append these DNS suffixes (in order) option and then putting in a bogus DNS suffix. I haven’t tested this yet, but if anyone has any information on this issue, please write to me or post the info to the Web boards.

As the matter stands now, how ISA Server handles name resolution on behalf of Web Proxy and Firewall clients is a bit of a mystery.
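The following is an added example, not code from this article or from ISA Server: a small Python model of how the standard Windows DNS client expands an unqualified name under the two suffix options on the DNS tab. It shows why a request for www can land on an internal server, and what the bogus-suffix idea would change if ISA Server's resolution follows the interface's suffix settings, which the article leaves open. The zone contents, corp.example.com and bogus.invalid are constructed values.

```python
# Constructed sample data: an internal DNS zone holding one web server record.
INTERNAL_ZONE = {"www.corp.example.com": "10.0.0.80"}

def devolved(suffix):
    """Primary suffix plus its parent suffixes, stopping at two labels."""
    labels = suffix.split(".")
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]

def candidates(name, primary, connection=None, search_list=None, devolve=True):
    """Names the resolver would query, in order, for the given settings."""
    if name.endswith("."):
        return [name.rstrip(".")]            # fully qualified: used as-is
    if search_list is not None:
        # "Append these DNS suffixes (in order)": only the listed suffixes
        # are tried; primary and connection-specific suffixes are not used.
        suffixes = list(search_list)
    else:
        # "Append primary and connection specific DNS suffixes"
        suffixes = devolved(primary) if devolve else [primary]
        if connection and connection not in suffixes:
            suffixes.insert(1, connection)
    out = [name] if "." in name else []      # multi-label names go as-is first
    out += [f"{name}.{s}" for s in suffixes]
    return out

def resolve(name, zone=INTERNAL_ZONE, **settings):
    """Return (fqdn, address) for the first candidate in the zone, else None."""
    for fqdn in candidates(name, **settings):
        if fqdn.lower() in zone:
            return fqdn, zone[fqdn.lower()]
    return None

if __name__ == "__main__":
    # Default option: the bare name "www" is completed with the primary suffix.
    print(candidates("www", primary="corp.example.com"))
    print(resolve("www", primary="corp.example.com"))
    # Explicit list with a suffix that has no zone: nothing internal matches.
    print(candidates("www", primary="corp.example.com",
                     search_list=["bogus.invalid"]))
    print(resolve("www", primary="corp.example.com",
                  search_list=["bogus.invalid"]))
```

With an explicit suffix list, legitimate short names such as an internal server's host name stop resolving as well, so clients and scripts that depend on them would need fully qualified names.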

Make sure that you have a checkmark in the Register this connection’s addresses in DNS checkbox if you are running Dynamic DNS on your internal network. Note that if the ISA Server is a Domain Controller and is acting as a VPN server, then you should not enable DDNS. The reason for this is that the VPN interface will register in the DDNS and create much havoc.

Click on the WINS tab.





You should always have a WINS server on the internal network. Even though Windows 2000 putatively does not require NetBIOS and WINS, there are just too many Windows features that are dependent on NetBIOS name resolution. Therefore, unless you’ve completely sanitized your network against NetBIOS, tested your design, and confirmed that everything works without NetBIOS, you should include a WINS server.

Because you probably need NetBIOS, make sure you have Enable NetBIOS over TCP/IP enabled. You can disable NetBIOS by selecting the Disable NetBIOS over TCP/IP option. However, if you do this, your Win9x clients will not be able to access shared resources on the ISA Server.

Windows 2000 clients can use TCP port 445 (direct hosting) to access shared resources on the ISA Server. Downlevel clients cannot. This is a significant issue if you need to install the Firewall client on downlevel clients from a share on the ISA Server. If NetBIOS is not enabled, the downlevel clients will not be able to connect to shares on the ISA Server.

Summary

Configuration of the internal interface of the ISA Server is easy when you have the proper network infrastructure in place. That means you need an internal DNS and WINS server. You will run into complications and various difficult-to-solve problems if you don’t have the appropriate supporting infrastructure.

Note that interface configuration is also not a “one-stop shop”. One size won’t fit all. The configuration of the internal interface of the ISA Server depends on what services you need to support. Think about what you need to accomplish and configure the interface based on the observations in this article. You’ll be glad you did!

In part two of this article we’ll explore the configuration of the external interface of the ISA Server. The external interface is configured very differently, so don’t miss it!

I hope you found this article interesting and/or helpful. If you have any questions on the issues brought up in this article, please post them on the www.isaserver.org message boards. You can also write to me at [email protected] and I’ll get to you as soon as I can. Please put the title of this article in the subject line. Thanks! –Tom.
