A member of the ISAserver.org mailing list shared a “duh” moment with us last week. To help make him feel better, Jim Harrison shared his own recent “duh” moment. It went something like this:
“I guess e need to have another round of <duh> moments to make Joe feel better about himself – I’ll start.
I filed a bug some months ago because every time I applied an ISA patch through an external RDP session, I’d lose the session and would have to jump on the console to complete the installation. Needless to say, this would drop ISATools.org until I could go home.
Just this week, it suddenly occurred to me why this failed and yes; it’s “by design”, and not entirely that of ISA Server.
I don’t use system policies to allow RDP from the Internet. Instead, I:
- server-publish to the internal IP
- use custom ports for the listener
- bind TS to the internal NIC only
When the ISA services stop, so do any server publishing or web listeners.
Although system policies provide for inbound RDP in lockdown mode, because I didn’t allow TS to bind to the external NIC, I was breaking myself whenever I’d try to update ISA from “outside”.
Needless to say, the bug has been closed as “no repro”…”
Now I can top Jim’s bonehead moment. My daughter came to visit and I needed to create a guest wireless DMZ for her. No problem, right? All I need to do was plug the WAP into one of the ISA Firewall’s ports, create an ISA Firewall Network for the Network ID that would represent the wireless DMZ, and then create an Access Rule that allowed users on the wirless DMZ access to the Internet.
Or so I thought. She couldn’t get out to the Internet. I ran pings, tracert’s, arp‘s and the rest to determine connectivity. I could tell that I had network connectivity because I was getting arp replies. I then tested on another machine on another ISA Firewall Network and discovered that the DNS server assigned by the WAP’s DHCP server was down. OK, so I changed that DNS server address and did an ipconfig /renew & ipconfig /release. It still didn’t work.
So, what was the problem? Can you guess. It was right under my nose, and it’s a mistake I often make, and it usually takes me 15-20 minutes to figure it out. The answer? I forgot to create a Network Rule to connect the DMZ network to the Internet!
So, next time you think you’ve made a bonehead mistake, don’t worry about it. We all do it 🙂
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP — Microsoft Firewalls (ISA)