Tom Shinder’s Trek through Small Business Server 2003 Service Pack 1 – Part 2: The CEICW from the Welcome Page to the Router Connection Page

by Thomas W Shinder MD, MVP



Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=46;t=000045

If you would like to read the other articles in this series, then please check out:

In the first part of this series on my experiences with installing and configuring the ISA firewall on an SBS 2003 SP1 computer, I went over some of the security issues related to running the ISA firewall on the same machine as the core corporate assets. I also discussed the issues involved in putting NAT devices or simple stateful packet inspection firewalls in front of the co-located SBS 2003 SP1/ISA firewall. If you missed that article, check it out at http://isaserver.org/articles/200sbsinstallpart1.html

In this article I’ll begin my trek through the installation and configuration of SBS 2003 SP1. The installation is a clean installation; I will not discuss upgrade scenarios in this series. While I realize that this isn’t the most common deployment scenario, it allows me to discuss the salient points of the CEICW and the subsequent ISA firewall installation and configuration. Amy Babinchak has said to me that there are interesting and significant issues involved with the upgrade scenario, and that she’d be happy to work with me on an article series covering upgrade scenarios. You can look forward to that later this year.

I’m not going to start at the beginning. The SBS 2003 SP1 installation wizard for the basic operating system setup is very straightforward and there’s little I can add by writing about it here. Also, this article series needs to stay in line with the networking and ISA firewall components because those are our primary areas of focus at www.isaserver.org. Therefore, I will begin the discussion where you run the CEICW after the SBS 2003 SP1 core operating system installation is complete.

The reason why I start with the CEICW is that the decisions made during this process have profound effects on the subsequent ISA firewall configuration. This makes sense, since the SBS 2003 SP1 installation wizard uses the information you provide during the CEICW process to configure the Publishing and Access Rules for the ISA firewall components. So, even if you already understand the CEICW process well, it will still be worth your while to follow along with the reasoning I use as I go through the CEICW. This will provide you with the needed context as I move on to the analysis of the System and Firewall policies that exist after the ISA firewall installation.

Note that throughout my discussions on ISA firewall and SBS networking configuration I will provide my opinions on what I consider to be the configuration decisions representing the best level of security, reliability and performance. These are my opinions, and I recommend you do things my way. However, just because I say these are the best ways of doing things doesn’t mean it’s the only way. Andy Goodman (SBS MVP) provides an excellent review of the CEICW using alternate configuration options over at http://www.12c4pc.com/sbs2k3/sbs2k3-n2.htm. Andy’s coverage of the subject is definitely worth checking out, as he discusses and demonstrates options that I will bypass in my discussions.

An Obligatory Rant about Split DNS

While this article series focuses only on the CEICW and ISA firewall components of the installation, I do want to discuss one extremely important topic before moving forward. There is one installation wizard page that appears before you get to the CEICW that I found particularly irritating and misleading. Figure A shows the Internal Domain Information page. Here you configure the DNS and NetBIOS names for the Active Directory domain and also name the SBS SP1 computer.

What bothered me about this page was the explanatory text:

“We recommend using the extension .local for the full DNS name for your internal domain. Because .local is not registered for use on the Internet, your internal domain and your public Internet domain (such as .com or .net) remain separate. This is more secure and avoids name resolution issues [italics mine]”


Figure A

Just about everything in the statement is factual. It’s true that .local is not a legal Internet top-level domain name. It’s true that if you use the .local domain, the names you use to access resources will differ depending on your location. It’s true that using .local internally can simplify, in the correct circumstances, name resolution for hosts on the internal network. However, what is definitely NOT true is that using the .local top-level domain name is more secure than using the same domain name for both internal and external name resolution.

It’s not such a big deal that the wizard provides this information. The wizard tries to make things as easy as possible and tries to communicate most effectively to the greatest number of people. The problem is that they throw in the security angle: surely no one would want to use the same domain name for both internal and externally accessible resources if it compromises security.

The problem is that this statement is patently untrue. The belief that using the same domain name for internal and external domains is a security issue is based on a misconfigured split DNS, which is what using the same domain name for both the internal and external network domains requires. It is untrue because a core tenet of a well-designed split DNS infrastructure is that the internal and external zones authoritative for the internal and external domain names have no relationship other than the domain name.

This is why there is no security issue with using the same domain name for external and internal domains. The only way you would run into security problems is if you, for some reason, decided to do a zone transfer from your internal DNS zone to your external DNS zone. If you did configure such a zone transfer, you could put the privacy of your internal naming infrastructure at risk. However, there’s no reason in the world to ever configure such a zone transfer, so the imagined security issues related to mirrored DNS zone information are bogus at best, and misleading at worst.

There are many advantages to using the same domain name for internal and external zones. However, in the SBS single-server environment, where it’s likely that you’ll be hosting Web and other resources at an ISP or Web hosting service, the split DNS can make things more complicated. You can still deploy a fine-tuned split DNS infrastructure while leaving your Active Directory domain’s top-level domain name as .local. In a future article I’ll go through the step-by-step procedures to make this happen so that you can benefit from the elegant transparency provided by a split DNS infrastructure.

Until then, check out this article on split DNS if you want to learn more about it: Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS! http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html
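To make the "no relationship other than the domain name" point concrete, here is an added Python example (not code from the article, and nothing SBS or ISA ship) that models two independent zones for the same name and runs the two checks a practitioner would want on a split DNS: that the public zone publishes no RFC 1918 addresses (the only way the privacy problem above arises), and that every public name is also defined internally (otherwise LAN clients, whose server is authoritative for the whole domain, get NXDOMAIN for it). The zone data, the domain example.com and the 192.168.1.0/24 LAN range are constructed assumptions; the parser handles only the simple one-record-per-line form shown.

```python
"""Split-DNS checks for one domain served by two unrelated zones.
Added example; all zone data below is constructed, not from any real site."""
import ipaddress

# Assumed LAN range that should receive the internal view.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# RFC 1918 ranges: these must never appear in the public zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed internal zone, hosted on the SBS DNS server for LAN clients.
INTERNAL_ZONE = """
$ORIGIN example.com.
@       SOA   sbs.example.com. hostmaster.example.com. (2024010101 3600 600 86400 300)
@       NS    sbs
sbs     A     192.168.1.2
dc1     A     192.168.1.2
mail    A     192.168.1.2
www     A     192.168.1.2
remote  A     192.168.1.2
"""

# Constructed external zone, hosted at the ISP for Internet clients. The
# public addresses are RFC 5737 documentation addresses standing in for real
# ones. Note that 'shop' exists only here and 'dc1' only in the internal zone.
EXTERNAL_ZONE = """
$ORIGIN example.com.
@       SOA   ns1.isp.example.net. hostmaster.isp.example.net. (2024010101 3600 600 86400 300)
@       NS    ns1.isp.example.net.
@       MX    10 mail
mail    A     203.0.113.10
www     A     198.51.100.20
remote  A     203.0.113.10
shop    A     198.51.100.21
"""

# Constructed example of what a zone transfer from the internal zone would leave behind.
LEAKY_EXTERNAL_ZONE = EXTERNAL_ZONE + "intranet A 192.168.1.5\n"


def parse_zone(text):
    """Parse a minimal BIND-style zone (one record per line, $ORIGIN, ';'
    comments) into (owner, type, rdata) tuples with fully qualified owners."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner = owner.lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, rtype.upper(), rdata.strip()))
    return records


def lookup(records, name, rtype="A"):
    """All rdata values for name/type; [] means the zone has no such record."""
    name = name.lower().rstrip(".") + "."
    return [rdata for owner, t, rdata in records if owner == name and t == rtype]


def resolve(name, client_ip, internal, external):
    """Choose the view by the querying client's address: LAN clients get the
    internal zone's answer, everyone else the external zone's."""
    client = ipaddress.ip_address(client_ip)
    view = internal if any(client in net for net in INTERNAL_NETS) else external
    return lookup(view, name)


def external_private_leaks(external):
    """Address records in the external zone that hand out RFC 1918 addresses.
    A correctly built split DNS has none; any hit means internal naming
    information has reached the public zone."""
    leaks = []
    for owner, rtype, rdata in external:
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                leaks.append((owner, rdata))
    return leaks


def names_missing_internally(internal, external):
    """Public names the internal zone does not define. Because the internal
    server is authoritative for the whole domain, LAN clients get NXDOMAIN
    for these instead of the public address."""
    kinds = ("A", "AAAA", "CNAME")
    internal_names = {o for o, t, _ in internal if t in kinds}
    external_names = {o for o, t, _ in external if t in kinds}
    return sorted(external_names - internal_names)


INTERNAL = parse_zone(INTERNAL_ZONE)
EXTERNAL = parse_zone(EXTERNAL_ZONE)

if __name__ == "__main__":
    print("www from the LAN:     ", resolve("www.example.com", "192.168.1.50", INTERNAL, EXTERNAL))
    print("www from the Internet:", resolve("www.example.com", "203.0.113.77", INTERNAL, EXTERNAL))
    print("leaks, good zone:     ", external_private_leaks(EXTERNAL))
    print("leaks, leaky zone:    ", external_private_leaks(parse_zone(LEAKY_EXTERNAL_ZONE)))
    print("missing internally:   ", names_missing_internally(INTERNAL, EXTERNAL))
```

The `names_missing_internally` check is the one that bites in the hosted-at-the-ISP scenario mentioned above: every time the hosting provider adds a public host, the same name has to be added to the internal zone with the address LAN clients should use, or internal users will not be able to reach it by name.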

The Welcome to the Configure E-mail and Internet Connection Wizard Page

Now with that rant out of the way, let’s get started with the CEICW. The first page of the wizard is the Welcome to the Configure E-mail and Internet Connection Wizard. Read the information on the page and click Next.


Figure 1

The Connection Type Page

On the Connection Type page you select the type of connection you use to connect to the Internet. Broadband is a general term used to indicate that the SBS computer will not need to dial a connection itself to connect to the Internet. This does not mean that no device on the network will need to dial-up to establish a connection.

For example, you might have an ISDN router, or even a PPPoE DSL connection that’s established via a NAT router or simple stateful packet inspection firewall in front of the SBS computer. While those are considered dial-up connections, the SBS computer isn’t doing the dialing, so they’re considered direct-connect broadband by the wizard. This is a small technical issue but something to keep in mind when interpreting the options on the Connection Type page.

In the example used in this series we’ll use a FiOS connection (15Mbps fiber-optic link), which uses a PPPoE interface to connect to the Internet. A FiOS NAT device is used in front of the SBS computer to establish the PPPoE link over the FiOS network. Since our SBS computer is using this NAT device as its default gateway and isn’t dialing the connection itself, we’ll choose the Broadband option and click Next.


Figure 2


The Broadband Connection Page

On the Broadband Connection page you specify how the SBS computer connects to the broadband (more accurately, non-direct dial-up) network.

The A local router device with an IP address option is used when you have a NAT device or a simple stateful packet inspection firewall in front of the SBS computer. Not sure why they thought it was important to mention that the “router” (NAT devices aren’t really routers) has an IP address. I suppose they might not want to confuse people using layer 2 transparent firewalls.

The A connection that requires a user name and password (PPPoE) option is used if you are directly connecting the SBS computer to the Internet (via a DSL or FiOS modem) and the connection requires a PPPoE link to establish the Internet connection. It’s important to note that the Windows Server operating system considers the PPPoE link a dial-up link and creates a dial-up connectoid to support the PPPoE connection. I suppose they didn’t want to imply that this is a dial-up link because it might confuse people who tend to think of dial-up connections as those made by analog modems (which are true modulators/demodulators, in contrast to DSL and Cable “modems”, which are not modems at all but are actually network architecture bridges).

The A direct broadband connection option is used when you connect the broadband architecture “modem” directly to the SBS computer. This is most likely going to be a cable network connection, since cable networks don’t use PPPoE. You plug the cable “modem” into the SBS computer’s Ethernet jack and the external interface of the SBS computer receives IP addressing information from the cable network ISP.

I highly recommend that you do not use this option. The ISA firewall component can cause issues with cable modem networks when using DHCP for IP addressing information on the external interface. You’re much better off using a cable NAT device or simple stateful packet inspection firewall in front of the SBS computer and letting that front-end device handle the DHCP duties. Then you’ll be able to use a static address on the external interface of the SBS computer and have a more reliable ISA firewall experience.


Figure 3

The CEICW provides a lot of help on which connection type to use and the infrastructure required for that configuration. We see an excellent description of the A local router device with an IP address option after selecting the option. Note the comment regarding the SBS computer with a single interface. If you’re going to install the SBS computer with a single network interface, then there’s little to no reason for using the ISA firewall on the SBS computer. In fact, I can safely state that all SBS 2003 SP1 computers that have the ISA firewall software installed must have at least two network interfaces installed.


Figure 4

You can click the Display a network diagram if you’re not sure of the correct network layout for this option. There are two diagrams in the window with the Router connection with 2 network adapters being the one represented in this article series. The Router connection with 1 network adapter diagram shows a unihomed (single-NIC) SBS computer configuration. Again, if you decide to go with a single NIC configuration, then I recommend that you not bother with the ISA firewall software on the SBS computer.

Close the network diagram window and click Next on the Broadband Connection page.


Figure 5

The Router Connection Page

Now here’s where things get really strange. On the Router Connection page you’re supposed to put information required to connect the router to the ISP. Why would the SBS configuration have anything at all to do with the NAT device or simple stateful packet inspection firewall configuration?

The Preferred DNS server text box should contain the address of the DNS server you want to use first to resolve Internet host names. The obvious decision is to select the IP address used by the DNS server installed on the SBS computer as the primary DNS server. But if you do this, the wizard spazzes out.

What I do not want to do is enter an external DNS server address here. The same is true for the Alternate DNS server entry. In fact, I don’t want to use an alternate DNS server, since if the DNS server on the SBS computer fails, I’m going to have a lot more problems than just resolving Internet host names. Since the wizard won’t allow you to enter the IP address of the DNS server on the SBS computer, just put in bogus IP addresses for the Preferred and Alternate DNS servers. Note that the figure below has the same IP address for the Preferred and Alternate DNS servers. You actually cannot do this as the wizard will complain that the addresses are the same. I later entered 2.2.2.2 in the Alternate DNS server text box, but forgot to redo the screen shot.

Later I’ll reveal why the CEICW asked for these DNS server addresses. It was a real shock to me what they were trying to accomplish and they really should include this information in the wizard so that people more versed in Windows networking concepts can make intelligent decisions regarding this option. I’ll discuss this issue later when we fix the DNS server settings.

The reason for not using external DNS servers is that if you have both internal and external DNS servers configured on the SBS computer, there is a possibility that name resolution will fail because of how Windows Server 2003 handles DNS queries. Another reason why you don’t want to use an external DNS server is that you can’t always trust the security of these external DNS servers. The Windows Server 2003 DNS server is secure by default, so you don’t have to worry about common DNS exploits such as DNS cache poisoning. In contrast, most ISPs are using non-Windows legacy DNS servers that are very open to DNS attacks. It’s more secure to allow your DNS server to perform recursion than to trust an untrusted DNS server.

Of course, this advice varies with your knowledge of your ISP’s DNS server configuration. If you have a trusted, professional and technically competent ISP, then you can trust their DNS servers. However, this still doesn’t obviate the problem of domain name resolution failures when you configure the SBS computer to use internal and external DNS servers.
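The failure mode argued for above (internal and external DNS servers mixed in one client list) is easier to see in a small model. The following added Python example, not code from the article or from Windows, simulates a stub resolver with a preferred/alternate server list during a short outage of the SBS DNS service. The resolver behaviour it models (move to the next server on a timeout, accept any definitive reply including NXDOMAIN, and keep using whichever server last answered) is an assumption for illustration, as are the names and addresses.

```python
"""Model of what happens when an SBS server's DNS client lists an external
(ISP) DNS server as an alternate next to its own internal DNS server.
Added example with constructed data; a simplified model, not Windows code."""

# Constructed views. Only the SBS DNS server knows the internal names;
# the ISP resolver knows only what the public zone publishes.
INTERNAL_VIEW = {"dc1.example.com": "192.168.1.2", "www.example.com": "192.168.1.2"}
PUBLIC_VIEW = {"www.example.com": "198.51.100.20"}
PUBLIC_INTERNET = {"updates.example.net": "203.0.113.40"}   # what recursion finds


class DnsServer:
    def __init__(self, name, answers, up=True):
        self.name, self.answers, self.up = name, dict(answers), up

    def query(self, qname):
        """Return an address, 'NXDOMAIN', or None when the server is down
        (no reply at all, which the client experiences as a timeout)."""
        if not self.up:
            return None
        return self.answers.get(qname, "NXDOMAIN")


class DnsClient:
    """Assumed stub-resolver behaviour (illustrative, not the Windows resolver
    itself): ask the current server; on a timeout move to the next one in the
    list; accept any definitive reply, NXDOMAIN included, without asking the
    others; and keep using whichever server last replied."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.current = 0

    def resolve(self, qname):
        for attempt in range(len(self.servers)):
            idx = (self.current + attempt) % len(self.servers)
            reply = self.servers[idx].query(qname)
            if reply is not None:
                self.current = idx          # stick with the server that replied
                return reply
        return "TIMEOUT"


def scenario(use_external_alternate):
    """Look up an internal name before, during and after a short outage of
    the SBS DNS service; return the three answers the application saw."""
    sbs = DnsServer("sbs", {**PUBLIC_INTERNET, **INTERNAL_VIEW})
    isp = DnsServer("isp", {**PUBLIC_INTERNET, **PUBLIC_VIEW})
    client = DnsClient([sbs, isp] if use_external_alternate else [sbs])
    answers = [client.resolve("dc1.example.com")]   # normal operation
    sbs.up = False                                   # e.g. DNS service restarting
    answers.append(client.resolve("dc1.example.com"))
    sbs.up = True                                    # service back
    answers.append(client.resolve("dc1.example.com"))
    return answers


if __name__ == "__main__":
    print("internal + external alternate:", scenario(True))
    print("internal server only:         ", scenario(False))
```

With the ISP server as alternate, the first timeout moves the client to the ISP server, which answers NXDOMAIN for the internal name; the client accepts that as a final answer and stays on the ISP server even after the SBS DNS service is back, so the internal name keeps failing silently (and a public name such as www now resolves to the public address, sending LAN clients out through the firewall to reach their own server). With only the internal server listed, the same outage produces a loud, transient timeout and resolution recovers by itself.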

In the example used in this article we’ll enter bogus information in these text boxes and later fix these settings after fixing some of the settings on the DNS server installed on the SBS computer.

Enter the IP address on the internal interface of the NAT device or simple stateful packet inspection firewall in front of the SBS computer in the Local IP address of router text box. In this example, the internal interface of the FiOS NAT device is 192.168.1.60, so I’ll enter that address.

Since we’re focusing on the ISA firewall software in this series, we can ignore the My server uses a single network connection for both Internet access and the local network checkbox. Click Next on the Router Connection page.


Figure 6

A dialog box appears informing you that you will need to configure the NAT device or simple stateful packet inspection firewall in front of the SBS computer to allow inbound connections from the Internet to the ports that the ISA firewall software will be configured to listen on. Which ports you need to open inbound depends on what services you want to be able to access from the Internet. We’ll get into the specifics of NAT device configuration at the end of the ISA firewall installation and a discussion of the Publishing and Access Rules created by the CEICW.

Most of the information you’ll require for configuring the inbound connections through the front-end NAT or simple firewall device can be found in the Getting Started Guide, Appendix C Network Configuration Settings.

Click OK to dismiss the information dialog box.


Figure 7


Summary

In this, part 2 of our series on installation of the SBS 2003 SP1 server with the ISA firewall, we began the discussion with a short rant on the value of the split DNS infrastructure and shot the misconception regarding security risks of a split DNS infrastructure out of the water. We then began the CEICW and walked through the wizard up to the Router Connection page. In the next article in this series we’ll continue to walk through the CEICW and provide detailed analysis of each decision during the process. See you then! –Tom.
