Configuring ISA Server for Incoming Ping Responses
Dieter Rauscher [MVP ISA Server]
By default, after installing ISA Server you can’t ping the ISA Server’s external interface. This is due to ISA Server’s handling of incoming ICMP ping query packets: they are all dropped. In most cases there’s no need to change that behavior. I would say it’s one more little security feature. ISA Server is thereby hidden from intruders who use ping to detect server presence. Also, if you don’t use any publishing rules, your ISA won’t be found by port scan attacks. When using publishing scenarios, of course, it will be detected by specific port scans or port attacks. But that is not the topic of this article.
In exceptional cases it is necessary to configure the ISA Server to respond to external incoming ping requests. But my recommendation is not to change the default setting unless you have a good reason.
Without any configuration you get this when pinging the external interface of the ISA Server:
(Don’t be surprised by Windows Version 5.2.3718. It’s a second Windows Server 2003 in front of ISA Server.)
To understand my current environment, here is my ipconfig:
To enable ping response, we need to create a new packet filter based on a predefined IP Packet Filter definition:
Type a name to identify your Packet Filter
Yes, we want to allow transmission….
The guys from Microsoft made our life easier…there’s a predefined Filter available.
In the first step of this tutorial we use the default IP address. We’ll take a closer look at that screen in the next part.
It’s up to you to set further restrictions. “Only this computer” means that only the IP address you type in is able to get a ping response.
The last wizard screen provides a short summary.
Now let’s do another ping. If we did our work correctly, we’ll get a different ping screen than above.
Great! It works!
As shown in ipconfig, ISA Server has several external IP addresses. Let’s try to ping the second one (192.168.69.71):
Oh no! Something must be wrong…..?
No. It’s OK. It’s normal. Remember, at the screen “Apply this packet filter to” I mentioned that we’d take a closer look at the other options later. Now it’s time to do so.
As shown in the screen above, both relevant IP Packet Filters (marked) are configured to use “Default external IP address”. That’s the point. The default IP address of ISA is always the first IP address of the NIC. Don’t be confused by the predefined Packet Filter “ICMP ping response (in)”. That packet filter is only needed to receive the ICMP ping replies to outbound ICMP ping query requests sent from the ISA machine itself to the Internet.
If we want to use another IP, we have to configure two new IP Packet Filters.
First we define an IP Packet Filter “ICMP outbound” for all types and codes:
In the next screen we select “Allow packet transmission”.
Now it’s time to tell ISA that we want to get the second IP address published:
Finish the wizard by clicking Next.
Let me show you the important screens for the second IP Packet Filter we need:
Let’s have a look at the result:
Yeah! Nice! It’s done.
If you want to use another IP address, you know what to do, don’t you?
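To make the per-address behaviour concrete, here is a small Python model of the rule described above (an added example, not ISA Server code and not from the original article): a packet is dropped unless a filter applied to that exact external IP allows it, so an address answers ping only when it has both an inbound and an outbound filter. The filter names, the first external IP 192.168.69.70, the remote addresses, and the reading of the second new filter as the inbound ping query filter are assumptions, since the article's screenshots are not available.

```python
from dataclasses import dataclass
from typing import Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0          # ICMP type numbers
# Constructed addresses: .71 is the second external IP from the article;
# .70 as the first (default) external IP is an assumption.
EXTERNAL_IPS = ["192.168.69.70", "192.168.69.71"]
DEFAULT_EXTERNAL_IP = EXTERNAL_IPS[0]    # "default" = first IP address of the NIC

@dataclass(frozen=True)
class PacketFilter:
    name: str                            # hypothetical display name
    direction: str                       # "in" or "out"
    icmp_type: Optional[int]             # None = all types and codes
    local_ip: str                        # external IP the filter is applied to
    remote_ip: Optional[str] = None      # None = all remote computers

    def allows(self, direction, icmp_type, local_ip, remote_ip):
        return (self.direction == direction
                and self.icmp_type in (None, icmp_type)
                and self.local_ip == local_ip
                and self.remote_ip in (None, remote_ip))

def answers_ping(filters, target_ip, source_ip):
    """Default deny: the request must be allowed in AND the reply allowed out."""
    request_in = any(f.allows("in", ECHO_REQUEST, target_ip, source_ip) for f in filters)
    reply_out = any(f.allows("out", ECHO_REPLY, target_ip, source_ip) for f in filters)
    return request_in and reply_out

def exposure(filters, source_ip):
    """Map each external IP to whether it would answer a ping from source_ip."""
    return {ip: answers_ping(filters, ip, source_ip) for ip in EXTERNAL_IPS}

# After the first wizard run: both filters apply to the default external IP only.
first_step = [
    PacketFilter("ICMP outbound", "out", None, DEFAULT_EXTERNAL_IP),
    PacketFilter("Ping query (in)", "in", ECHO_REQUEST, DEFAULT_EXTERNAL_IP),
]
# The two additional filters created for the second IP address.
second_step = first_step + [
    PacketFilter("ICMP outbound .71", "out", None, "192.168.69.71"),
    PacketFilter("Ping query (in) .71", "in", ECHO_REQUEST, "192.168.69.71"),
]
# "Only this computer": the inbound filter names one remote address (constructed).
restricted = [first_step[0],
              PacketFilter("Ping query (in)", "in", ECHO_REQUEST, DEFAULT_EXTERNAL_IP, "192.0.2.10")]

if __name__ == "__main__":
    print(exposure(first_step, "203.0.113.5"), exposure(second_step, "203.0.113.5"))
```

Running `exposure()` against the intended filter set before changing the real configuration gives a list of addresses that should answer ping, which can then be compared with what an external host actually sees.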