New Tool Enables ISA Firewall IPSec Tunnel Mode to DHCP Branch Offices

Oren reports on the ISAserver.org message boards:

I created a Windows service that will monitor a DNS name associated with a remote site’s IP address and, when the DNS changes, will update the ISA Server’s entry (DynDNS for the remote site is ideal for this).  This currently works with IPSec VPN tunnels as described in the DLink article.  It does not work with other types of network objects, including PPTP/L2TP Remote Sites, though if someone wants to contribute it, it shouldn’t be too hard to support those too.

I’ve put the files here:

http://novotny.org/files/IsaSite2SiteRemoteIpChecker.exe
http://novotny.org/files/IsaSite2SiteRemoteIpChecker-src.zip

I haven’t yet created a ReadMe, so here it is:

1) It requires .NET 2.0 on the machine running the service.  It can be run from the ISA Server directly or another domain machine.  If .NET 2.0 isn’t installed, the setup program will prompt you and allow you to install it (it’ll d/l the .net installer from Microsoft’s servers).

2) The machine needs to have the ISA Server Management tools installed.  There is currently no installer check for this, but I’m sure you’ll get a nasty error if you try to start the service without it being there 🙂

3) During setup, it will prompt you for a service account name/password.  You must use a domain account that has Administrator Access to the ISA Server.

4) The Service installs as manual startup to allow you a chance to configure the settings file first.  In the install directory there is a file called settings.xml.  It should be self-explanatory, but it lets you specify a series of mappings.  Each mapping has the IsaServer hostname, Remote Site Network Object name (not sure if this is case-sensitive, but it may be) and RemoteDns name that corresponds to the remote gateway.

There is also a .config file that lets you specify the update check interval.  The default is 30 seconds, but you can change it as you like.  Keep in mind that DNS TTLs play in here, and even DynDNS has a TTL of 60s, so there’s little point in having it much less than 30.

5) After setting your mapping(s), you can start the service and change the startup to Automatic.  If you change the settings.xml file, the service will automatically pick up the change.  Changing the .config file requires a service restart.

For enhanced diagnostics, you can set the EventHeartbeat to True and the service will write an event to the Application log every refresh interval.  The app currently logs a before/after event in the Application log when changing an IP address, so you should be able to confirm the change there.

There’s also a console app that you can run a one-time update with.

Disclaimer: I’ve tested this on my ISA Server, but it’s a standard edition and I’m not sure how Enterprise Edition might affect things.  I also disclaim all liability for using this code — use it at your own risk.  I’ve provided the source code if you’d like to review it prior to use.  It’s a VS 2005 solution.

Security issue: Make sure that the settings.xml and .config files have appropriate ACL’s on them to prevent unauthorized users from modifying the files and thereby updating ISA Server’s configuration.

If you find any bugs, please be sure to include as much information as you can, including looking for relevant events in the Application Log.

To any site moderators, if you find this tool useful, please feel free to host the source/binaries on your system.  I’m happy to contribute a tool that others might find useful.

Thanks!!!

Tom
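The refresh cycle Tom describes (resolve the RemoteDns name, compare it with the address currently configured on the remote-site network object, write the new address and log a before/after record only when it actually changed) is shown below as an added example. It is not the tool's code and it is not C#: the post does not show the real settings.xml schema, so the `<mapping isaServer= remoteSite= remoteDns=>` layout, the `FakeIsaServer` class standing in for the ISA management API, and the DNS names and addresses are all constructed for the example. Beyond what the post describes, it also refuses to apply a resolved address that can never be a tunnel endpoint (loopback, link-local, multicast, unspecified), since such an answer indicates a broken or tampered DNS record rather than a branch office that moved.

```python
import ipaddress
import logging
import socket
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("site2site-watcher")

# Constructed sample of the ASSUMED settings.xml layout; the post only says each
# mapping carries an ISA Server name, a remote-site object name and a DNS name.
SAMPLE_SETTINGS = """<?xml version="1.0"?>
<settings>
  <mapping isaServer="ISA01" remoteSite="BranchOffice-A" remoteDns="branch-a.dyndns.example"/>
  <mapping isaServer="ISA01" remoteSite="BranchOffice-B" remoteDns="branch-b.dyndns.example"/>
</settings>
"""


@dataclass(frozen=True)
class Mapping:
    isa_server: str
    remote_site: str   # name of the remote-site network object on the ISA Server
    remote_dns: str    # DNS name (e.g. a DynDNS host) that tracks the remote gateway


def parse_settings(xml_text: str) -> List[Mapping]:
    """Parse the assumed settings.xml layout into Mapping records."""
    root = ET.fromstring(xml_text)
    mappings = []
    for node in root.findall("mapping"):
        try:
            mappings.append(Mapping(node.attrib["isaServer"],
                                    node.attrib["remoteSite"],
                                    node.attrib["remoteDns"]))
        except KeyError as missing:
            raise ValueError(f"mapping is missing attribute {missing}") from missing
    return mappings


def resolve_ipv4(name: str) -> str:
    """Default resolver: first A record from the OS resolver (raises OSError on failure)."""
    return socket.gethostbyname(name)


def is_usable_gateway(ip: str) -> bool:
    """Refuse addresses that can never be a remote tunnel endpoint. An answer such as
    127.0.0.1 or 0.0.0.0 means a broken or tampered DNS record, not a branch office
    that moved, so it must not be written into the ISA configuration."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified or addr.is_reserved)


class FakeIsaServer:
    """In-memory stand-in (constructed) for the ISA remote-site network objects;
    the real service would read and write them through the ISA management API."""

    def __init__(self, sites: Dict[str, str]):
        self.sites = dict(sites)
        self.audit: List[Tuple[str, str, str]] = []   # (site, old_ip, new_ip)

    def get_remote_gateway(self, site: str) -> str:
        return self.sites[site]

    def set_remote_gateway(self, site: str, ip: str) -> None:
        old = self.sites[site]
        self.sites[site] = ip
        self.audit.append((site, old, ip))   # the before/after record

_Resolver = Callable[[str], str]


def check_once(mappings: List[Mapping], isa: FakeIsaServer,
               resolver: _Resolver = resolve_ipv4) -> List[Tuple[str, str, str]]:
    """One refresh cycle: resolve each RemoteDns name, compare with the address
    configured on the ISA Server, and update only on a real change.
    Returns the (site, old_ip, new_ip) tuples that were applied."""
    applied = []
    for m in mappings:
        try:
            current = isa.get_remote_gateway(m.remote_site)
        except KeyError:
            log.error("%s: no remote site named %r", m.isa_server, m.remote_site)
            continue
        try:
            resolved = resolver(m.remote_dns)
        except OSError as err:
            log.warning("%s: lookup of %s failed: %s", m.remote_site, m.remote_dns, err)
            continue
        if resolved == current:
            continue                      # nothing to do this interval
        if not is_usable_gateway(resolved):
            log.error("%s: refusing %s from %s as a gateway address",
                      m.remote_site, resolved, m.remote_dns)
            continue
        log.info("%s: %s -> %s", m.remote_site, current, resolved)
        isa.set_remote_gateway(m.remote_site, resolved)
        applied.append((m.remote_site, current, resolved))
    return applied


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed DNS answers so the example runs offline.
    answers = {"branch-a.dyndns.example": "203.0.113.10",
               "branch-b.dyndns.example": "198.51.100.7"}
    isa = FakeIsaServer({"BranchOffice-A": "203.0.113.9", "BranchOffice-B": "198.51.100.7"})
    print(check_once(parse_settings(SAMPLE_SETTINGS), isa, answers.__getitem__))
```

Run as a service, `check_once` would be called every refresh interval; the post's point about DNS TTLs applies unchanged, since polling faster than the record's TTL only returns the cached answer. Reading the current address from the ISA object rather than from the watcher's own memory is what makes a restart safe: the first cycle after a restart compares against what is really configured, not against an empty cache.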
