
Configuring ISA 2004, 2006, Forefront Threat Management Gateway for basic networking and DNS settings

Keith Alabaster, Enterprise Architect
I have been asked on many, many occasions to explain the correct way to set up the network cards and DNS settings on ISA Server 2004, 2006 and Forefront Threat Management Gateway (FTMG), and have willingly done so. Each time I have also promised myself that I will blog it so that I don't keep retyping the same thing over and over again. Having been asked about it again, now is a good time to get on with it, as it is not hard to do.

In respect of DNS, the approach is simple and is based on ensuring that ISA Server uses a consistent source for its name resolution. This does not mean that ISA can only use DNS, far from it, but set up correctly it means that ISA only uses controlled, and secured, resolution services. In respect of networking, this information does not really apply to ISA as a product; it follows standard networking practice, which ISA expects to be present and configured correctly. I will take the standard implementation of an ISA Server that has two or more NICs installed and follows the best-practice guidance that ISA should be a member of an Active Directory based domain.

ISA Server, despite views to the contrary, is not a router. It uses the routing table formed by the host operating system from the local subnets, routing protocols if implemented, static routes and the default gateway. Therefore, before ISA or FTMG is even installed, network connectivity should be checked between the host itself (localhost) and the resources that the ISA/FTMG host will need to communicate with.

The purpose of a default gateway is to provide a gateway, by means of an IP address, to which all traffic is sent if the final destination is not located within the local subnets and the routing table has no other instructions. For example, if the local subnet is 10.5.0.0/16 then a data packet sent to 12.5.5.5 will not be deliverable and will eventually time out. If we add a default gateway at 10.5.6.6, then the host knows that if it cannot deliver the packet locally on the 10.5.0.0 subnet it should send the traffic to the gateway address. Basic networking, and no surprises there. However, what IS surprising is what many people do when they introduce a second or third NIC: they add a default gateway to the new NICs as well.

Let's take a second (incorrect) example:

ISA External NIC 1 - 10.5.0.1      mask 255.255.0.0      default gateway 10.5.6.6
ISA Internal NIC 2 - 192.168.5.1   mask 255.255.255.0    default gateway 192.168.5.5

Remember, a default gateway is where ALL traffic is sent if the host does not know what else to do with a packet. So, in this case, a packet destined for 12.5.5.5 would still not be deliverable locally, as neither the 10.5.0.0 nor the 192.168.5.0 network knows how to deal with it. The host would see that it has a default gateway, but would not know which one to use. WE know that if the host uses the gateway at 10.5.6.6 then the traffic will likely be delivered, but the host computer does NOT know and will take a 50/50 guess with each packet. Some will be delivered and some won't, but either way it will not work correctly, efficiently or consistently. So, bottom line: regardless of how many NICs there are, use only one default gateway and select the one that gives you access to the most addresses. In practically every scenario imaginable this will be the NIC that gets you to the Internet, and in ISA's case it will ALWAYS be the external NIC.

If there are multiple LAN subnets internally, the method to follow is to add specific, persistent static routes for those subnets on the ISA Server.

Let's look at an example where, internally, there is a router with another internal subnet behind it:

ISA External NIC 1 - 10.5.0.1      mask 255.255.0.0      default gateway 10.5.6.6
ISA Internal NIC 2 - 192.168.5.1   mask 255.255.255.0    NO default gateway
Internal router, external NIC - 192.168.5.254
Internal router, internal NIC - 192.168.3.254

The ISA Server needs to know that to deliver traffic to the 192.168.3.0 subnet it must forward the traffic to the internal router's external IP address, which is on the ISA's local subnet. To do this, a persistent static route is added on the ISA Server host at the command prompt as follows:

route add -p 192.168.3.0 mask 255.255.255.0 192.168.5.254

This tells the ISA Server that any traffic it receives for the 192.168.3.0 subnet can be delivered by sending it to the 192.168.5.254 address; the -p switch makes the route persistent so that it survives a reboot. Repeat this for each additional subnet that is reachable through the ISA's internal NIC.
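To make the routing behaviour in the two examples above concrete, here is an added example (my own code, not from the article) that builds the host's routing table for the incorrect two-gateway layout and for the corrected layout with one default gateway plus the persistent static route, then performs a longest-prefix-match lookup for a few destinations. The addresses and NIC names (External, Internal) are the article's; treating two equally long matches as a tie is an assumption that models the "50/50 guess" the article describes.

```python
"""Added example: longest-prefix-match lookup over the two ISA host routing
tables described in the article (not code from the article)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination network; 0.0.0.0/0 is a default route
    next_hop: str                   # gateway IP, or "on-link" for a directly connected subnet
    interface: str                  # NIC the packet leaves through


def build_routes(nics, default_gateways, static_routes=()):
    """Build a routing table the way the host does: one on-link route per NIC,
    a 0.0.0.0/0 route per configured default gateway, plus any static routes.
    nics: [(nic_name, "ip/prefixlen")]; default_gateways: [(nic_name, gateway_ip)];
    static_routes: [(nic_name, "network/prefixlen", gateway_ip)]."""
    routes = []
    for name, cidr in nics:
        routes.append(Route(ipaddress.ip_interface(cidr).network, "on-link", name))
    for name, gateway in default_gateways:
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), gateway, name))
    for name, network, gateway in static_routes:
        routes.append(Route(ipaddress.ip_network(network), gateway, name))
    return routes


def best_matches(routes, destination):
    """Return every route with the longest matching prefix for `destination`.
    More than one result means the host has no single answer (the "50/50 guess")."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == longest]


def next_hop(routes, destination):
    """Describe where the host would send a packet for `destination`."""
    best = best_matches(routes, destination)
    if not best:
        return "unreachable"
    if len(best) > 1:
        return "ambiguous: " + ", ".join(f"{r.next_hop} via {r.interface}" for r in best)
    return f"{best[0].next_hop} via {best[0].interface}"


# Addresses taken from the article's examples
NICS = [("External", "10.5.0.1/16"), ("Internal", "192.168.5.1/24")]

# The second (incorrect) example: a default gateway on BOTH NICs
INCORRECT = build_routes(NICS, [("External", "10.5.6.6"), ("Internal", "192.168.5.5")])

# The third example: one default gateway on the external NIC, plus the
# persistent static route for the subnet behind the internal router
CORRECT = build_routes(
    NICS,
    [("External", "10.5.6.6")],
    [("Internal", "192.168.3.0/24", "192.168.5.254")],
)

if __name__ == "__main__":
    for label, table in (("incorrect", INCORRECT), ("correct", CORRECT)):
        for dest in ("12.5.5.5", "192.168.3.10", "192.168.5.20"):
            print(f"{label:9} {dest:14} -> {next_hop(table, dest)}")
```

With the incorrect table, 12.5.5.5 and 192.168.3.10 both resolve to two equally good default routes, which is exactly the condition the article warns about; with the corrected table every destination gets one next hop, and 192.168.3.x is steered to the internal router by the /24 static route rather than to the Internet gateway.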

From the ISA Server command (CMD) prompt, test this connectivity before going any further.

For DNS settings, personally I use the same settings on both the internal and external NICs of the ISA Server. These DNS settings point to the IP addresses of the INTERNAL DNS servers. At NO time should the external ISA NIC be populated with the IP address of the ISP or any other external resolver. Within the external NIC's advanced TCP/IP settings, on the DNS tab, the adapter should be set NOT to register its address in DNS. In addition, on the WINS tab, the external NIC should have NetBIOS over TCP/IP disabled.

All of this is fine assuming that DNS itself is set up correctly. The comment made above about not using the ISP DNS server IP addresses also holds true for all of the internal servers and workstation clients. All machines should reference only the internal DNS server IP addresses as primary and secondary; this is why the recommendation is to have, where possible, more than one AD server.
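The NIC rules above (one default gateway, on the external NIC only; internal DNS servers only, on every NIC; NetBIOS over TCP/IP off on the external NIC) can be checked from the output of ipconfig /all on the ISA host. The following is an added example of my own, not code from the article or from Microsoft: it parses a constructed ipconfig /all listing, modelled on the English Windows Server 2003/2008 layout, and reports each rule the host breaks. The adapter names External and Internal, the internal DNS servers 192.168.5.10 and 192.168.5.11 and the ISP resolver 203.0.113.53 are assumed values; the parser handles IPv4 fields only.

```python
"""Added example (not from the article): audit `ipconfig /all` output against
the article's NIC rules. Sample output and addresses are constructed."""
import re
from collections import defaultdict

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")
# "   Default Gateway . . . . . . . . . : 10.5.6.6"  ->  ("Default Gateway", "10.5.6.6")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-/]*?)[ .]*:\s*(.*?)\s*$")
# Indented line without a field name: another value for the previous field
CONT_RE = re.compile(r"^\s+(\S.*?)\s*$")

# Constructed sample showing the mistakes the article warns about: a default
# gateway on both NICs, an ISP resolver on the external NIC, NetBIOS enabled
BAD_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa01
   Primary Dns Suffix  . . . . . . . : corp.example.local

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.5.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.5.6.6
   DNS Servers . . . . . . . . . . . : 192.168.5.10
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 192.168.5.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.5.5
   DNS Servers . . . . . . . . . . . : 192.168.5.10
                                       192.168.5.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# The same host after applying the article's rules (derived from the sample above)
GOOD_IPCONFIG = (
    BAD_IPCONFIG
    .replace("Default Gateway . . . . . . . . . : 192.168.5.5",
             "Default Gateway . . . . . . . . . :")
    .replace("203.0.113.53", "192.168.5.11")
    .replace("Enabled", "Disabled", 1)      # first occurrence is the External NIC
)

INTERNAL_DNS = {"192.168.5.10", "192.168.5.11"}   # assumed internal AD/DNS servers


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; fields with no value are omitted."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), defaultdict(list))
            last_field = None
            continue
        if current is None:
            continue                      # host-wide header block, not an adapter
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1)
            if m.group(2):
                current[last_field].append(m.group(2))
            continue
        m = CONT_RE.match(line)
        if m and last_field:
            current[last_field].append(m.group(1))   # e.g. a second DNS server
    return adapters


def audit(text, internal_dns, external_adapter):
    """Return one finding per rule the host breaks; an empty list means compliant."""
    adapters = parse_ipconfig(text)
    findings = []
    with_gateway = [name for name, f in adapters.items() if f.get("Default Gateway")]
    if with_gateway != [external_adapter]:
        findings.append(f"default gateway on {with_gateway}; only {external_adapter} should have one")
    for name, fields in adapters.items():
        for server in fields.get("DNS Servers", []):
            if server not in internal_dns:
                findings.append(f"{name}: DNS server {server} is not an internal DNS server")
    if adapters.get(external_adapter, {}).get("NetBIOS over Tcpip") != ["Disabled"]:
        findings.append(f"{external_adapter}: NetBIOS over Tcpip must be Disabled")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BAD_IPCONFIG), ("after", GOOD_IPCONFIG)):
        print(label, audit(sample, INTERNAL_DNS, "External") or ["OK"])
```

Run it against a saved ipconfig /all from the ISA host after changing the sample text. The "do not register this connection's addresses in DNS" setting is not shown by ipconfig, so it still has to be confirmed in the adapter's advanced TCP/IP properties.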

Name resolution for the entire domain, including the ISA Server(s), is performed by the internal DNS servers. However, they only know about the addresses they have been told about. To look up or resolve addresses that are outside their area of responsibility, they use either root hints or forwarders. A forwarder is the IP address of one or more external DNS servers, and this is normally where the ISP DNS IP addresses come in. By opening the DNS Manager snap-in, found in Administrative Tools on your AD servers, you can right-click the DNS server name and choose Properties. Open the Forwarders tab and enter the ISP DNS server IP addresses there.

At this point you can install ISA Server knowing that the basics are set up and communication is good between the various components. Just remember to create an access rule allowing DNS from the internal DNS servers to External.

In summary, on the ISA Server machine only the external NIC has a default gateway set, and only internal DNS server IP addresses are used on both ISA Server NICs. Use DNS forwarders to forward name resolution requests to external resolvers.