MS ISA 2006 SP1 server - After installation procedure/directions...

I have installed a server 2003 STD R2 SP2 with MS ISA 2006 SP1...

What are the necessary steps in order to secure the ISA server as much as I can? Is there any guidelines for this?

I will use it in a back-to-back topology as the internal ISA... It has 2 network interfaces, one attached to the local network (internal) and the other attached to a private (not public) DMZ network...

Some questions:
-) In each of the network interfaces (TCP/IP settings), do I have to eliminate the DNS entries?
-) Enable LMHosts lookup or not?
-) Enable Netbios in local? I believe I must disable it for the DMZ interface...
-) Enable File&Printer sharing in local? I believe I must disable it for the DMZ interface...
-) Enable Client for MS Network in local? I believe I must disable it for the DMZ interface...
-) What are the basic settings in ISA (Firewall rules and other) which I must do for sure?
-) Is it preferred to install the Firewall client in the clients? What about the servers?

Thank you for your help...
agortsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Bruno PACIIT ConsultantCommented:
Hi,

Except you need to copy files on some share on the ISa server you should disable "print & file sharing" on ALL NICs of ISA server.

Added to that, if your ISA server is standalone (not domain member) and you don't need to reach some file server from your ISA server you can also disable "Microsoft Network client" on ALL NICs.

The external NIC (what you call DMZ NIC but from ISA point of vue it's the external NIC) should only have IP enable, nothing else.

Make things so that is your ISA server needs to resolve internals names it can do that using DNS and avoid using any NetBIOS process. That means you should disable NetBIOS over IP.

If your ISA server is not member of a domain you don't really needs internal name resolution. So in this case you'll only have to configure external DNS. About DNS server, it makes no difference if you configure them on a NIC or on another... In fact Windows collects all the DNS servers that are configured on any NIC and build a common ordered table. So even if you have declared external DNS server on the internal NIC configuration they will be interrogated...

If your ISA server is a member of a domain you NEED to resolve internal DC names and internal DNS SRV records. In this case you have to declare internal DNS server on IP configuration in ISA and not declare external DNS servers at all. You have to mek things so that your internal DNS servers are able to resolve external names also (by using DNS forwarders as an example).
If you declare external and internal DNS servers on ISA you're can not know which DNS server (external or internal) ISA will interrogate first. If ISA interrogate an external DNS at first to resolve an internal name, and if your DNS domain name uses a private suffix (like ".local" as an example), the external DNS server will always answer that the domain name doesn't exist at all. As this answer will always be authoritative ISA server will not try to interrogate other DNS and will trust the authoritative answer... and will not find your internal domain.

One of the settings you have to do at installation is to declare all the internal subnets of your LAN. That means all the IP ranges that can bea reached by any IP route on the internal side of ISA. ISA will then automatically suppose that any other address is external.

About the basic rules... all depend of what sort of traffic will go through your ISA server. After installation all traffic are blocked until you create the matching rules.

You might not need to install the firewall clients. Most of the time the network configuration do not need to have Firewall clients installed.

If your network configuration is made so that the ISA server is declared in the IP routes of your internal routeurs, or as the default gateway of computers on the same subnet, then you don't need firewall client.

If you want to use ISA for classical Web protocols (HTTP, HTTPS) you can declare the ISA server as the web proxy in Internet Browsers on your computers instead of using Firewall client.

You will need Firewall client if you want to allow non web protocol for some particular users. In this case, to allow some users and not the others you have to use authentication. Many protocols don't implement authentication natively so to create a rule for these protocols with authentication you NEED the firewall client on concerned computers.

Have a good day.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
agortsAuthor Commented:
Thank you for your reply...

1) Is there any reason why I would like to make my intISA server as a member of my internal domain?

2) I would like to know each request from what user (of domain) came... Is this a reason for installing the firewall client? Is this a reason for the intISA to be a member of the domain?
0
Bruno PACIIT ConsultantCommented:
Hi,

About your question 1):
Let's talk about Web protocol (HTTP/HTTPS/FTP): If you want to make rules so that some users are allowed to go on Internet while other users are denied you'll have to authenticate your users and the bes way to do that is havong your ISA server a member of your domain.
If ISA server is not a member of the domain and you have some rules that need authentication then your users will have a popup requesting credentials as soon as they'll got on Internet.
If your users are already authenticated in the domain and if ISA is member of the domain then Internet Explorer is able to give automatically the credentials to ISA so that your users are authenticated without having a popup when going on Internet.

About your question 2):
If you want to use the ISA log to identify the user name that requested a specific URL YOU NEED your users to be authenticated by ISA. About Web protocols (HTTP/HTTPS/FTP) there are 2 way to authenticate users :
The first way is to configure Internet Explorer on client computers to use ISA as a web proxy server. The second way is to install the Firewall Client on your client computers.
Whatever the way (proxy of firewal client) is you want authentication to be automatically given to ISA without any credential popup on the client computer you NEED ISA to be member of the domain.
The firewall client is in fact really usefull for protocols other than Web protocols. In this case, if you want that a specific user be able to send non Web protocols to Internet you'll need the firewall client. For example, if one of your users need to reach a POP3 server on Internet to read an external mailbox, and if this user must be able to do that from any computers of your network you would create a rule allowing POP3 protocol for the specific user and you'll have to install the firewall client on the computers this user can use because POP3 doesn't support any proxy functionnality and can not give authenticatyion to ISA.

Have a good day.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.