Tom Shinder’s ISA Server Questions of the Week
By Thomas W Shinder, M.D.
This week we cover the following issues:
QUESTION: Trying to Route to a LAT Segment
Here is the question: I use RASPPPoE from Robert Schlabbach and I'm trying to use it under ISA. It works fine except for routing. ISA refuses to route packets to addresses in the local subnet.
I activated routing through demand-dial with no luck. ISA keeps blocking the IP traffic that is suppose to go through even if I opened all ports to all IP traffic. If I try to ping ISA server, it answers. Protected computers don't.
I'm using routable addresses (184.108.40.206 with a subnet mask of 255.255.255.248).
As I write this, I realize it may be because the addresses are in the LAT (too late for tonight to try). Should they not be in the LAT?
It sounds like you are trying to use public addresses on your LAT segment. ISA Server won’t allow you to route between the external network and LAT hosts. Any communications between LAT hosts and the external network will always go through the IPNAT service. That is to say, you will always have to use NAT between the external network and the Internet.
You can still use your routable addresses, but you’ll have to put them on a DMZ segment. You can create a trihomed DMZ, and put one of the adapters on the DMZ segment. Then you create packet filters that allow inbound and outbound access to and from the DMZ segment. Note that with a 29 bit subnet mask you only have three bits for your host IDs. However, if this is *before* you’ve subnetted your block, you’ll have to use a 30 bit mask. That means you only have 2 bits for your host IDs, and you can’t use the top and bottom address. That leaves two addresses, one for your DMZ NIC and one for a server on the DMZ segment.
QUESTION: Metering and Blocking Internet Based on Usage
I want to limit the amount users can download through the ISA Server. If a user goes over a certain amount, I want to be able to block their access to the Internet. Is there a way to do this?
I wasn’t aware of a way to do this, but M Benton from Australia was kind enough to send me this interesting information:
I currently have ISA server set to allow only authorized access to the Internet. We also run an accounting software package that collects data from the ISA server logs called "Gaia NetCharger" with which we use to set a limit to the amount of MB a user can download in a set time frame, if the user reaches this limit it will take that user out of the appropriate AD security group that gives the user access to the internet, therefore denying further access to the internet until the gaia account has been reset, until then the user will get the ISA server Enter Network Password prompt, which of cause will still deny access, is it possible change this default ISA prompt so that instead the user gets a web page that explains the reason for the denied access. ie; excess internet usage.
P.S Gaia Netcharger can be found at WWW.sbss.com.au, it has loads of functions and works well with ISA server, especially in a educational environment."
QUESTION: Publishing Multiple SMTP Servers
I am curious to about the specifics of publishing two SMTP relay servers in through the external ISA 2000 server. I read in your book, that when publishing a server using server publishing rules you are limited to only one service (one port 25) per external interface of the external ISA Server. Is the same true when publishing the SMTP relay servers using the Secure Mail Servers publishing wizard? In the configuration in this article does the external ISA server have more than one external interface? Are the SMTP servers using Network Load Balancing? I am planning on publishing dual SMTP relay servers as well as primary and secondary DNS servers. Will my situation require two external interfaces on the external ISA 2000 Server? I apologize for not waiting to see if Part 2 of this article answers my questions.
Good questions! I’ll get around to doing part 2 of the article in the future, but until then, let me answer your questions.
It’s true that with Server Publishing Rules, you must have an IP address on the external interface of the ISA Server for each instance of the service you want to publish. If you want to publish two SMTP servers, you’ll need two IP addresses on the external interface. Make sure you disable the IIS SMTP service on the ISA Server itself, or else you get port contention and the Server Publishing Rules won’t be able to bind TCP port 25.
You don’t need to use NLB when publishing two SMTP servers or when publishing two DNS servers. You tell your registrar the IP addresses to use for your two authoritative DNS servers when you host your own public DNS servers. These are the IP addresses on the external interface of the ISA Server that you’re using to publish the DNS servers. Look at the figure below:
When Internet hosts need to resolve a name within one of your domains, they’ll get the IP addresses of your public DNS servers. If one of the DNS servers is unavailable, they’ll try the second IP address. That’s why you don’t need to configure NLB for your DNS servers.
It’s for similar reasons that you don’t need to configure NLB for your SMTP relay servers. You’ll configure two SMTP Server Publishing Rules that will forward requests to your two SMTP servers. You will create Host (A) and Mail Exchange (MX) records for each of the SMTP mail relay servers. If the first SMTP relay is unavailable, the SMTP client on the Internet (most likely another SMTP server) will use the second SMTP server as noted in the MX records. Note that the MX records allow for fault tolerance, but not necessarily load balancing. You can get a rudimentary level of load balancing if you set your preference levels in the MX records to be the same value.
The bottom line is that you only need a single external interface, but you need multiple IP addresses bound to the external interface of the ISA Server.
QUESTION: Publishing Outlook Web Access
I am a newbie to ISA so please forgive me if I use incorrect terminology. Here is what I want to accomplish. I want to publish OWA so that our outside sale people can access their mail. Here is what I think I should do: Create an ISA server on a Windows 2000 Server with 2 NICs, 1 internal, 1 external. Make the external IP address public and get a domain name associated with it. Follow the steps outlined in your article on publishing OWA and viola. Does this sound correct?
Sounds like your on the right track! Please make sure your users access the OWA site using a FQDN, and not an IP address. While you certainly can use Web Publishing Rules to publish sites using IP addresses in the Destination Set, it does introduce complications and unexpected happenings. Microsoft recommends against using IP addresses in Web Publishing Rules and I’m 100% with Microsoft in this recommendation.
Security is usually an issue when accessing OWA sites. There is a small problem with Internet Explorer 6.0 that seems to cause problems when using integrated authentication to access the OWA site. You can roll the dice and try Internet Explorer SP1 and hope it doesn’t break anything, or you can use SSL and basic authentication. The best way to handle this is to use a Server Publishing Rule to publish your Web site. The Server Publishing Rule would publish TCP 443 and forward the requests to your OWA server. You’ll have to install a certificate on the server and make sure the Web browsers trust your root. Also, make sure that you disable IIS on the ISA Server.
You don’t have to use SSL, but it helps you get around the problems with Internet Explorer 6.0 and integrated authentication. You can use Basic Authentication on OWA sites, and the credentials and data will be protected by the SSL session.
QUESTION: Deploying a Unihomed Web Caching ISA Server
Would it be possible to have aan ISA 2000 server installed only in cache mode, with one NIC installed. We already have a Cisco Pix Firewall, so we only want to use and need the cache funtions of ISA 2000. If possible, how? Looking forward for an answer.
ISA Server does support the unihomed Web caching server configuration. With this configuration, the ISA Server has a single NIC and you configure that NIC with an IP address of a gateway that can route Internet bound requests to the Internet. Since you already have the PIX installed, I assume that box is your Internet gateway. Just make sure your routing infrastructure is configured to route Internet bound requests to the PIX device and that the ISA Server is able to leverage that infrastructure.
One thing you’ll encounter with this configuration is a very large number of 14120 errors. These errors don’t represent a problem, but they can obscure other entries in your Application Log. You can leave the problem as it is, or you can disable the Resource Allocation error alert in the Alerts node of the ISA Management console.
QUESTION: Configuring the ISA Server as an FTP Client
I´m contacting you as my last chance to solve my ISA related problem. I´ve installed and configured ISA server with 2 NICs in a mixed environment. On my ISA box I need to have a virus signature update service which downloads virus update via ftp. The problem is that I can not setup my ISA correctly to be able to connect from ISA server to an external ftp site (ftpav.ca.com). I¡ve already tried all available configs from isaserver.org and other places on the Internet but I did not succeed. I really appreciate any kind of help or config example.
Configuring the ISA Server as an FTP client brings up an important ISA Server concept. Its important to understand that you must create packet filters to support applications and sometime services on the ISA Server itself. An exception to this is that you can make the Web browser a Web proxy client by configuring the browser to use the IP address of the outgoing Web requests listener or 127.0.0.1. But if you want to use an SMTP client, a POP3 client, or an FTP client on the ISA Server, you need to create packet filters to make things work.
For FTP, you need packet filters that will support either the PORT mode or the PASV mode client. Best to stick with PORT mode. To make this work, you need to create a couple of packet filters. Like these:
If you want to increase your security a bit, you can go to the Remote Computer tab and add the IP address of the remote FTP server you’re connecting to. The first packet filter allows the FTP server to send you data over the data channel and the second packet filter allows you to make an outbound connection to the FTP server’s control channel. This pair of filters will support PORT mode connections. You don’t want to allow PASV mode connections from the ISA Server itself.