Tom Shinder's Questions of the Week, July 18 2002
This week we tackle the following problems:
ISA Server and Pure IPSec Tunneling
NLB Doesn’t Fail Over
SMTP Mail Relay and Mail Essentials Design
What About a Unihomed Firewall?
Locked Up ISA Server Box
SecureNAT Client Can't Access the Web!
Using ISA Server as an FTP Proxy Server
Let's have at it!
QUESTION: ISA Server and Pure IPSec Tunneling
I configured my ISA Server with the help of your great book and also by reading many of the www.isaserver.org articles. But now I've got a really difficult scenario to solve, so I'm writing to you hoping you can help me a little with this.
I want to build up an IPSec-encrypted connection based on ESP Triple DES with MD5 integrity, Diffie-Hellman Group: Triple DES with Group 2 (1024 bit), with Rekey Timeout: 2 hours.
The official IP of the VPN Concentrator at the SAP Side is xxx.xxx.xxx.165 (Tunnel Endpoint SAP - Site)
Saprouter official IP Address xxx.xxx.xxx.129
The IP of my ISA Server is xxx.xxx.xxx.242 (Tunnel Endpoint ISA - Site )
I want to publish an official IP xxx.xxx.xxx.250 and forward the Traffic to internal 172.20.16.33 ( Saprouter Software on this Server )
Based on the SAP paper, I should build it up with a 24-character pre-shared key they have sent to me.
My problem now is that I tried to do this with Microsoft document Q252735 about the IPSec policy, but RRAS is also in action and I don't know how to set up the correct packet filter rules etc. in ISA and the routing in RRAS. After about 25 tries I gave up.
Thanks for helping.
Good question! That one comes up a lot on the www.isaserver.org message boards. What it sounds like you want to do is create a pure IPSec tunnel between two ISA Servers. If that's what you want to do, then take my advice and don't make a 26th attempt. Pure IPSec tunnels and ISA Server don't get along and you won't be able to make it work. However, there's no problem creating L2TP/IPSec tunnels between your VPN gateways.
QUESTION: NLB Doesn’t Fail Over
I currently have two Microsoft ISA Servers running on Windows 2000 Advanced Server, in stand-alone mode, since our environment does not allow the deployment in Array mode.
Do you know what needs to be done to link the state of the ISA Server to the Windows network load balancer? Failover only seems to happen when "wlbs stop" is typed in the command window, irrespective of whether the ISA proxy service is up or not. Do I need to write a separate script for this? Many thanks for your urgent response.
You don't include too many details in this question, but I've never required a script for failover. We've implemented NLB for inbound and outbound access without any problems. Note that the same machines cannot be used to provide WNLB for inbound and outbound access, though. But each time we take a server down, it takes about 10-15 seconds for the failover to take place for the SecureNAT, Firewall and Web Proxy clients. You might be running into NLB-specific issues rather than ISA Server issues. Check out our article at http://www.isaserver.org/pages/articles.asp?art=316 where we talk about NLB and some of the issues you might run into when things are working.
QUESTION: SMTP Mail Relay and Mail Essentials Design
I enjoyed this article a great deal, as it solved some of my problems (http://www.isaserver.org/pages/articles.asp?art=347). Actually, this is one of the articles that has been most useful to me to a great extent. WELL DONE. I have read the article a few times and I will keep reading it. Now to my questions:
- Is the 2nd ISA (Internal) part of the internal domain where the Exchange is? And if yes, is it in the same segment?
- Is the 3rd relay also part of this same domain or in a workgroup? I understand from the article that they are in the same segment but I was not sure if they are in the same domain.
- Are the 1st and 2nd SMTP relays also in the internal domain or are they in a workgroup?
These questions are pertinent to me to enable me to address some issues concerning the configuration I am putting together at the moment. Security is my biggest worry here.
Thanks for the compliments on the article. I'll tell you, MailEssentials has saved our own Web services provider. It sucks up all the spam and user mailboxes are free of crud about enlargement practices and burning DVDs.
Now to answer your questions:
- The internal ISA Server is a member of the internal network domain. This allows us to control outbound access using user/group membership. I didn’t draw out the details, but the Exchange Server is not on the same network segment as the internal interface of the ISA Server. It’s a couple of hops away.
- The computer acting as Relay 3 is a stand-alone Windows 2000 Server that is not a member of any Windows 2000 domain. Although it appears that Relay 3 is on the same segment as the Exchange Server, that’s not the case. Relay 3 is on the same segment as the internal interface of the ISA Server but on a different segment from the Exchange Server.
- Relay 1 and Relay 2 are stand-alone Windows 2000 Servers and are not members of any domain.
Good luck on your deployment!
QUESTION: What About a Unihomed Firewall?
This is most likely not the way to ask this question, but hey, it's worth a try. My colleagues and I are trying to solve a design issue with ISA server. This is the case:
There are two companies located in the same building. They use the same network infrastructure, separated by VLANs. So they cannot access each other's network and they have their own Active Directory.
The two companies have decided to connect to the Internet and want to make it a joint investment. The companies both have 20 employees, give or take one or two. They want to use the same Internet connection in a separate VLAN. The sample bitmap file, in zip format, gives an overview of the desired configuration.
Can you help us out? Can this be done, or are we going the wrong way? For both companies, the investment of separate Internet connections is not desirable.
Also, a few considerations:
- Can user authentication be used for both domains on the ISA Server?
- Would it be possible to configure ICQ, Windows Messenger, etc. by user account on the ISA server in this design?
- The ISA Server is equipped with one Ethernet controller. Do we have to change this?
I hope that you can provide us with the proper answers. Thank you for your time and advice; I bought your book today to get some answers.
It's good that your companies are interested in sharing the connection. It'll bring the cost down for both of you! Now to answer your questions:
- User/group based authentication can be used by both domains. However, you’re going to have to join the ISA Server to one of the domains, and then create a trust relationship between that domain and the other domain. You might not be interested in doing this if there is in fact no trust between the domains.
- You won't be able to configure Winsock protocols that go through the Firewall service with the unihomed ISA Server you have set up in the diagram. You can set up a unihomed ISA Server for Web Proxy services, but it won't work with Winsock services (Firewall service requests). Some people will tell you that this works, but you'll have weird problems and neither I nor Microsoft will help you with them.
- Yes. You need to add a second network card to the ISA Server so that you can use it as a Firewall. You’ll end up with a back to back ISA Server configuration with the PIX being the external firewall and the ISA Server being the internal firewall.
The primary limitation you guys will run into is the trust relationship. It doesn’t sound like you want to create that kind of relationship between your two companies. Because of this, you might use internal IP addresses and client address sets for access control, or you can create users/groups on the ISA Server. If you mirror the domain usernames and passwords on the ISA Server, you should even be able to use the Firewall client. This is a scenario I haven’t tested out yet. I’ll put it on the list!
QUESTION: Locked Up ISA Server Box
Hi there. I was wondering if you could shed some light on an issue we ran into this morning. This morning our ISA Server crashed and locked up for the 1st time since we've had it running live in production. You couldn't even view Event Viewer information, so my boss simply brought the box down at 7:30am today, and then it seemed to work fine once it was back up. Any ideas on what caused our box to lock up to the point where we had to bring it down? Here are some of the events that have been logged:
Event source: MS firewall
Event ID: 5
The MS firewall failed to log information to file fwsextd20020715.log in path c:\program files\microsoft ISA server
Source: MS firewall
Event ID : 5
Source: MS ISA report generator
Event ID 21028
ISA report generation error: Not enough space on disk. [Could this one be the issue? That it ran out of disk space, got into a loop, and locked up the machine?]
Thank you very much for your help/input!!
Interesting question! Let’s look at what the help file says about these errors:
The %1 failed to log information to file %2 in path %3. The data is the error code. For more information about this event, see ISA Server Help.
The server failed to find the correct location for logging information. This information may be missing or incorrect.
Open ISA Management and check the log properties to verify that file information is correct in the corresponding logging service. To do this, in the ISA Management console tree, click Servers and Arrays, click Name, click Monitoring Configuration, and then click Logs. Check the property sheet where logging is enabled for this service.
Completely and totally Undocumented!!!
It does sound like a problem with the log files. Did you run out of disk space? That can always cause bad things to happen on any server, including ISA Server. Another possibility is that your log files are corrupt. If that’s the case, you can move the log files to another location and let the ISA Server start over again with clean logs. Remember that you really don’t need the log files to create reports after the log summaries are created. Reports are created using information in the log summaries. It’s a good practice to remove the log files from the ISA Server as soon as the log summary is created (this assumes you’re using file based logging and not database logging).
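Here is an added housekeeping example for the file-based logging case Tom describes (my own code; it is not part of the column and not an ISA Server tool). It recognises the daily log names from the question (fwsextd20020715.log style, where the eight digits are the log date), moves logs older than a configurable number of days out of the ISA log directory into an archive location, and reports whether free space on the log volume is still below a threshold so the Event ID 5 / 21028 "not enough space" situation is noticed before the next rollover. The log and archive paths, the keep_days value and the free-space threshold are assumptions.

```python
import re
import shutil
from datetime import date, timedelta
from pathlib import Path

# ISA Server 2000 daily log files carry the date in the name, e.g. fwsextd20020715.log
# (Firewall service log for 15 July 2002). The prefix varies per service; the
# 8-digit date just before ".log" is what we key on.
LOG_NAME_RE = re.compile(r"^(?P<service>[a-z0-9]+?)(?P<date>\d{8})\.log$", re.IGNORECASE)


def parse_yyyymmdd(text: str):
    """Turn 'yyyymmdd' into a date, or None if the digits are not a calendar date."""
    try:
        return date(int(text[:4]), int(text[4:6]), int(text[6:8]))
    except ValueError:
        return None


def log_date(filename: str):
    """Return the date embedded in an ISA daily log file name, or None if it is not one."""
    m = LOG_NAME_RE.match(filename)
    if m is None:
        return None
    return parse_yyyymmdd(m.group("date"))


def select_logs_to_archive(filenames, today: date, keep_days: int):
    """Pick daily logs dated before (today - keep_days); their daily log summary
    has been generated by then, so the raw log is no longer needed on the box."""
    cutoff = today - timedelta(days=keep_days)
    chosen = [name for name in filenames
              if (d := log_date(name)) is not None and d < cutoff]
    return sorted(chosen)


def free_space_mb(path) -> int:
    """Free space on the volume holding path, in megabytes."""
    return shutil.disk_usage(path).free // (1024 * 1024)


def archive_old_logs(log_dir, archive_dir, today=None, keep_days=2, min_free_mb=500):
    """Move old daily logs from log_dir to archive_dir.
    Returns (names_moved, low_space) so a scheduled task can alert on low_space."""
    log_dir, archive_dir = Path(log_dir), Path(archive_dir)
    today = today or date.today()
    archive_dir.mkdir(parents=True, exist_ok=True)
    names = [p.name for p in log_dir.iterdir() if p.is_file()]
    moved = []
    for name in select_logs_to_archive(names, today, keep_days):
        shutil.move(str(log_dir / name), str(archive_dir / name))
        moved.append(name)
    low_space = free_space_mb(log_dir) < min_free_mb
    return moved, low_space


if __name__ == "__main__":
    # Assumed paths: the log path quoted in the question and an archive volume
    # elsewhere; adjust both to your installation.
    moved, low = archive_old_logs(r"C:\Program Files\Microsoft ISA Server",
                                  r"D:\isa-log-archive")
    print("archived:", moved)
    if low:
        print("WARNING: log volume is still below the free-space threshold")
```

Run it from a scheduled task after the daily summary has been produced; keep_days=2 leaves yesterday's and today's logs in place for troubleshooting. Archiving to another volume (or a share) is what keeps the logging services from hitting the disk-full condition that the Event ID 21028 message reported.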
QUESTION: SecureNAT Client Can't Access the Web!
I need help! I did the following but the SecureNAT client can’t browse the Internet through the ISA Server:
- Created a domain controller
- Created an ISA Server 2000 and joined it to the domain
- Configured the DNS on the domain controller to forward requests to the external DNS (the ISP's DNS)
I configured the TCP/IP client as follows:
- Gateway IP = internal ISA IP
- DNS IP = Internal DNS IP ( The Domain controller IP )
I can browse the Internet if I configure the client's Internet Explorer with the LAN settings (Proxy IP = internal address of the ISA Server, Port Number = 8080).
Sounds like your basic setup is good. You don’t have the ISA Server on your domain controller, so I have to give you five social credits for that one!
The basic problem here is that the SecureNAT client can’t access Web sites via the browser, but the Web Proxy client can. There are two likely reasons for this problem:
- DNS configuration and DNS Protocol Rules
- Authentication issue
Your SecureNAT client is configured to use your internal DNS server for name resolution and the DNS server is configured to use your ISP’s DNS server as a Forwarder. That’s all good. You don’t mention if you have a Protocol Rule in place that allows the internal network DNS server to resolve Internet host names. You should have a Protocol Rule that allows both the DNS Query and the DNS Zone Transfer protocols outbound for the internal network DNS server.
I also wonder how your ISA Server is configured for DNS. Is the ISA Server configured with both the internal DNS server and the ISP’s DNS server’s addresses? If so, that might explain why the Web Proxy client configuration is working, while the SecureNAT client configuration is not working. The ISA Server will perform proxy DNS services for Web Proxy clients, so if the ISA Server is able to query the ISP’s DNS server, it doesn’t even need a DNS protocol rule to allow the query. There is a DNS packet filter created during installation that will allow the ISA Server itself to perform DNS queries.
On the other hand, your problem could have nothing to do with DNS problems. The Web Proxy client can send credentials to the Web Proxy service. The SecureNAT client can’t. If you require authentication for Site and Content Rules, your SecureNAT clients will fail. If you force authentication at the Outgoing Web Requests listener, your SecureNAT client requests will fail.
One way to get around this problem is to configure the HTTP Redirector filter to pass requests from Firewall and SecureNAT clients directly to the Internet server. This allows HTTP requests from SecureNAT and Firewall clients to bypass the Web Proxy service. However, if you require authentication for HTTP requests (via access controls placed on the protocol rule), then the request from the SecureNAT client will fail and there’s no workaround for that problem.
QUESTION: Using ISA Server as an FTP Proxy Server
Hi, Tom. I saw a reply from you on Google groups about using ISA as an FTP proxy, and I hoped that you could offer some assistance.
We want FTP clients to use the ISA server as a PROXY. The ISA server is NOT the clients default gateway. We are NOT using the firewall clients. We want to configure FTP clients to use the ISA server as a proxy when going out to the Internet. When I say client, I mean to say using the command line or other FTP software such as WS-FTP. Can this be done?
Thanks in advance for any help.
ISA Server provides good support for FTP clients on the internal network. In fact, all three types of ISA Server clients (SecureNAT, Firewall and Web Proxy) can take advantage of FTP.
You say you do not want to configure the clients to use the ISA Server as their default gateway. You don't need to configure the ISA Server as the default gateway for all SecureNAT clients; you just need to configure the SecureNAT clients with a gateway address that will forward Internet-bound requests to the internal interface of the ISA Server. However, it sounds like you don't want to use the SecureNAT client configuration.
Another option is the Firewall client configuration. The Firewall client configuration is far superior to the SecureNAT configuration because of the increased flexibility and wider protocol support of the Firewall client. Remember that only the Firewall client can take advantage of complex protocols (those requiring secondary connections) without the aid of an application filter. However, the FTP access application filter supports both SecureNAT and Firewall clients. Again, it sounds like you don't want to use the Firewall client configuration since you're not installing the Firewall client.
The last option is the Web Proxy configuration. With the Web Proxy client configuration, you send FTP requests inside HTTP that are sent to the Outgoing Web Requests listener port 8080. The Web Proxy service "unwraps" the request and forwards it as an FTP request. This allows the Web browser to be an FTP client. Note that FTP requests that are handled by the Web Proxy service can only use FTP download; you can't upload through the Web Proxy service. Some FTP client software allows you to leverage the Web Proxy service, most don't.
So, in your situation, you want to allow things like the command line FTP client to use the ISA Server for FTP. There's no option that I'm aware of that allows you to configure the client itself as an FTP proxy client, per se. However, if the client software allows a SOCKS proxy configuration, you should be able to configure the FTP clients to use the SOCKS application filter on TCP port 1080 to access FTP sites. In that way, you avoid configuring the client as a Firewall, Web Proxy or SecureNAT client, and you should still be able to access the Internet.
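The SOCKS exchange that a SOCKS-capable FTP client performs against the SOCKS application filter on TCP 1080, as an added example in Python (my own code; not from the column, from ISA Server or from any FTP client). It builds the SOCKS version 4 CONNECT request the client sends, and the proxy side is a stand-in function that mimics the grant/reject reply so both halves of the conversation can be seen and parsed; the set of ports the stand-in grants and the user id are assumptions.

```python
import socket
import struct

# SOCKS version 4 wire format (the version ISA Server 2000's SOCKS filter speaks):
#   request: VN=4 | CD=1 (CONNECT) or 2 (BIND) | DSTPORT (2 bytes) | DSTIP (4 bytes) | USERID | NUL
#   reply:   VN=0 | CD=90 granted, 91 rejected/failed, 92/93 identd problems | DSTPORT | DSTIP
SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 90
SOCKS4_REJECTED = 91
HEADER = struct.Struct("!BBH4s")


def build_socks4_connect(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Client side: CONNECT request for the FTP server's control port (SOCKS4 carries
    a dotted IP, so the client must have resolved the server name already)."""
    return (HEADER.pack(SOCKS4_VERSION, SOCKS4_CONNECT, dst_port, socket.inet_aton(dst_ip))
            + userid.encode("ascii") + b"\x00")


def parse_socks4_request(data: bytes):
    """Proxy side: decode (command, ip, port, userid) or raise on a malformed request."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    _, cd, port, ip = HEADER.unpack(data[:8])
    end = data.find(b"\x00", 8)
    if end < 0:
        raise ValueError("USERID is not NUL-terminated")
    return cd, socket.inet_ntoa(ip), port, data[8:end].decode("ascii")


def socks4_proxy_decide(request: bytes, allowed_ports=(21,)) -> bytes:
    """Stand-in for the proxy: grant CONNECT to an allowed destination port, else reject.
    (A real filter's decision comes from the protocol rules; the port list is assumed.)"""
    try:
        cd, ip, port, _userid = parse_socks4_request(request)
    except ValueError:
        return HEADER.pack(0, SOCKS4_REJECTED, 0, b"\x00\x00\x00\x00")
    code = SOCKS4_GRANTED if cd == SOCKS4_CONNECT and port in allowed_ports else SOCKS4_REJECTED
    return HEADER.pack(0, code, port, socket.inet_aton(ip))


def parse_socks4_reply(data: bytes):
    """Client side: decode the 8-byte reply into (granted, code, ip, port)."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    _, cd, port, ip = HEADER.unpack(data)
    return cd == SOCKS4_GRANTED, cd, socket.inet_ntoa(ip), port


def run_exchange(dst_ip: str, dst_port: int, userid: str = "ftpuser", allowed_ports=(21,)):
    """Walk one request/reply pair through both sides and return the parsed reply."""
    request = build_socks4_connect(dst_ip, dst_port, userid)
    reply = socks4_proxy_decide(request, allowed_ports)
    return parse_socks4_reply(reply)


if __name__ == "__main__":
    # Constructed sample: an FTP server at 192.168.1.10 (assumed address), control port 21.
    print("FTP control port:", run_exchange("192.168.1.10", 21))
    print("telnet port:     ", run_exchange("192.168.1.10", 23))
```

Once the control connection is granted, the FTP data connection is a second exchange: in passive mode the client sends another CONNECT to the port the server announced, while active mode would need the SOCKS BIND command (CD=2), so passive mode is the configuration to use with a SOCKS proxy.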