ISA 2006 Setup
Solved

Posted on 2010-09-15, last modified 2012-05-10
Greetings,

Can anyone give a quick walkthrough on setting up an ISA Server 2006?

I need to put in a firewall, and have a brand new clean Server 2003 install and ISA Server 2006, but can't seem to get any internet connection from or through the ISA server except via the built-in RDP port configured during setup.

I'd like to end up with the ISA server acting as a firewall/VPN server/router for a small SBServer 2003 network. I do not want to use the included ISA 2004 server nor install ISA on the SBServer.
SBServer will be behind the ISA server and optimally _not_ doing any routing or additional security relating to firewall services.



Please explain the initial steps to configure:
1. the 2003 Server services needed before installing ISA
2. any setup options ISA 2006 needs
3. basic rules to allow web traffic from the ISA server to the internet, then internal traffic out to the internet
4. an example of passing external traffic into the SBServer for Exchange or RWW.

Just an example or two for rules, and general guidelines, should be adequate. I'm just hitting a stumbling block after the ISA install: no matter what rules I set it can't see the net or the internal network, but the system policy for RDP is working; it appears to be the only working thing on the server.

I haven't set up an ISA server in 3-4 years and I'm pretty sure I'm just making a dumb mistake somewhere.

thanks in Advance.
Harel

Question by R. Andrew Koffron

Expert Comment by Keith Alabaster (LVL 51):
As an aside, ISA doesn't do any routing, that's not its job - the host operating system would deal with that if you needed it. This is a key concept - ISA is NOT a router.

Expert Comment by Keith Alabaster (LVL 51):
Also, I assume you have the ISA as the default gateway for everything;
that you have an allow rule for DNS from internal to external;
that you have added the ISA server IP address and port 8080 into everyone's web browser proxy settings;
that you have deployed ISA 2006 SP1;
that there is absolutely NO mention of any ISP DNS settings anywhere at all on any computer's NICs except the SBS server's forwarders tab in the DNS service.

Expert Comment by Encrypted1024 (LVL 10):
Just a few quick tips to get you going.
- Install server OS with 2 NICs.
- Set static IP for internal NIC with no default gateway.
- Get Server connected to the internet.
- Install ISA
- Run the network setup wizard from within ISA.
That should get you connected to the internet and routing traffic. You can configure the proxy settings and what not afterwards.
 
Author Comment by R. Andrew Koffron (LVL 16):
So I install; everything seems fine on the Server 2003 server, with and without Routing and Remote Access. But either way, once I install ISA nothing works except the RDP policy the setup makes when I install from a remote machine.

I set the binding order to ensure internal is at the top, and only TCP/IP is on.

I create an access rule: allow, all outbound protocols, from all networks (including local host) to External. Still nothing.

From the RDP session the server still can't see anything on the net to run updates or anything else.

I can RDP into the server from any address I add to the Remote Management Computers group

Expert Comment by Keith Alabaster (LVL 51):
As per my previous comments - have you set the ISA ip address and the port number 8080 into each of the client computers web browser proxy settings?

Also - I assume you have bought full licenses for your ISA Server 2004? You cannot use the ISA server license that comes with SBS 2003 on a separate server as this breaks the licensing agreement. To use the ISA 2004 license with SBS2003 the ISA must be installed on the SBS server.

Author Comment by R. Andrew Koffron (LVL 16):
yes it's a legal ISA 2006 Lic. not the Premium tech disk from SBS.

I've got the inside address set in the 192.x.x.x range. and the external with a static ISP IP address.

I don't have anything actually using the ISA server because it can't see the internet to even get updates.

Can't view any web pages or RDP out from the server. It only allows incoming RDP from my IP. Can't seem to make anything else work.

I don't pretend to be an ISA expert, but it seems like the ISA server "might" be more effective if it can run updates and see the web. It is however VERY secure considering it currently only communicates on one port to one IP; I guess in this case I'd like to lower the security a little bit.

Expert Comment by Keith Alabaster (LVL 51):
OK - so you have checked the basics from my blog about how to set up the DNS and the NICs correctly?
Confirm the web browser in ISA has its proxy settings amended to use a proxy server - enter the INTERNAL ip address of the ISA server and use port 8080 (the default ISA proxy port) and tick the bottom box to exempt local addresses. Save the settings.

You should NEVER set a rule that allows ALL networks. Be specific else the whole exercise is pointless.
Three rules I have as a minimum when I first deploy - then I amend these to be specific rules for specific purposes.

1. Access rule - allow all protocols FROM localhost and internal TO localhost and internal - all users. We can cut this down later.

2. Access rule - allow dns from internal to external - all users

3. Access rule - allow http & https from internal & localhost to external - all users

Save the Changes and apply the policy.

Now try it from the ISA itself.

If it still fails, post the output from an ipconfig /all and a route print from the ISA server.

Expert Comment by Keith Alabaster (LVL 51):
Place those three rules at the TOP of the policy

Expert Comment by Encrypted1024 (LVL 10):
Before you set any rules, you need to set up the networks. Run the wizard and it will work. (assuming your server could surf the internet before ISA was installed).

(Attachment: ISA.png)

Expert Comment by Encrypted1024 (LVL 10):
That should get you routing. You can adjust the firewall rules and proxy settings after. Of course, if you couldn't connect to the internet from your ISA machine before installing ISA, you won't now either. That should be tested first.

Author Comment by R. Andrew Koffron (LVL 16):
Still can't see the web from the ISA server, tried both your recommendations.

with and without routing and remote access setup.

currently without R&RA getting
Error Code 12206: Proxy chain loop  

Using the ISP-supplied DNS and DGW on the external, and nothing for DNS or DGW on the internal.

Ran the edge firewall wizard for unrestricted access to the net.

Expert Comment by Encrypted1024 (LVL 10):
Could you connect to the internet on that server before you installed ISA?

Expert Comment by Encrypted1024 (LVL 10):
P.S. don't worry about RRAS, it is not needed for ISA.

Author Comment by R. Andrew Koffron (LVL 16):
yeah the server seemed totally normal, before ISA installation, it only takes a few minutes to uninstall, and reinstall, I've tested it several times, without ISA it's totally normal.

Once I install ISA, no web traffic. Rules to allow other services seem to work: I was able to allow outbound DNS (nslookup works to external servers), and RDP to other external servers works. But no web traffic.

Expert Comment by Encrypted1024 (LVL 10):
Did you ever get it routing with RRAS and no ISA? (Not that I would recommend this, but it is a troubleshooting question.)

Expert Comment by Keith Alabaster (LVL 51):
If your NICs are set up like this you have not a cat's chance in hell of making ISA work correctly.

*** using the ISP-supplied DNS and DGW on the external, and nothing for DNS or DGW on the internal ***

That does not conform to Windows best practice, let alone what ISA requires as a prerequisite to work properly.

Author Comment by R. Andrew Koffron (LVL 16):
@Encrypted1024 yeah RRAS works fine without ISA

@keith_alabaster I've tried the DNS on the internal and the external NIC both. Seems to have the same result. If I move the DGW the machine can't get internet without ISA installed.
 
I guess I'm failing to understand something in the documentation. So I posted a question; telling me to read the documentation again isn't helping. Pointing out that it doesn't work isn't helping either. At this point I'm assuming there's a glitch someplace, or I'm having a fundamental misunderstanding of a concept. I'm not stupid and I can read. Thanks for your time, but general "refer to the documentation" type advice can be kept to yourself. Specific "refer to page 6 paragraph 3" advice would be very welcome.

Accepted Solution by Encrypted1024 (LVL 10, earned 500 total points):
keith_alabaster is right, the dns should be configured on the inside NIC, but that shouldn't stop traffic from flowing. Technically ISA doesn't need to have DNS configured at all to pass traffic without authentication.
Let's say you start from scratch. You need to go through a few basic steps to get going:
- Install Server with 2 NICs
- Assign IP and GW to external NIC, temporarily put DNS as well
- Test connection to internet.
- Assign IP to internal NIC that is accessible from your internal network.
- Change DNS to internal NIC if you have an internal DNS server, if not, leave on outside NIC
- Ping internal IP of server from test workstation.
- Install ISA with defaults
- Run network setup wizard, (choose unrestricted outbound traffic for testing)
- Assign the internal IP of ISA as the GW on your test PC.
- Surf internet
 
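The NIC layout these steps (and Keith's earlier checklist) call for can be verified mechanically against `ipconfig /all` output. The Python below is an added example, not code from the thread: the `ipconfig` text is constructed with placeholder addresses, and the checks encode the thread's rules, a default gateway on the external NIC only and every NIC's DNS pointing at the internal DNS server rather than the ISP's.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed `ipconfig /all` text (not captured from the thread's server, which masks its
# addresses as PIP/IIP). The placeholders follow the layout the accepted answer ends on.
TEMPLATE = """Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 203.0.113.92
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.94
   DNS Servers . . . . . . . . . . . : {ext_dns}

Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 192.168.1.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : {int_dns}
"""
GOOD_IPCONFIG = TEMPLATE.format(ext_dns="192.168.1.253", int_dns="192.168.1.253")
# The asker's first layout: an ISP resolver (198.51.100.1 stands in for it) on the external NIC, nothing internal.
BAD_IPCONFIG = TEMPLATE.format(ext_dns="198.51.100.1", int_dns="")

def parse_ipconfig(text):
    """Parse Windows Server 2003 `ipconfig /all` output into {adapter: {field: value}}."""
    adapters, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^\S.* adapter (.+):$", line.rstrip())
        field = re.match(r"^\s+([A-Za-z][\w -]*?)[ .]*:\s*(.*)$", line)
        if head:
            cur = adapters.setdefault(head.group(1), {"DNS Servers": []})
        elif field and cur is not None:
            key, val = field.group(1), field.group(2).strip()
            if key != "DNS Servers":
                cur[key] = val
            elif val:
                cur[key].append(val)
        elif cur is not None and re.fullmatch(r"\d[\d.]*", line.strip()):  # extra DNS server on a continuation line
            cur["DNS Servers"].append(line.strip())
    return adapters

def check_isa_nics(adapters):
    """Apply the NIC rules the thread converges on; an empty list means the layout conforms."""
    findings = []
    with_gw = [n for n, a in adapters.items() if a.get("Default Gateway")]
    if len(with_gw) != 1:
        findings.append(f"a default gateway belongs on exactly one (external) NIC, found on {with_gw}")
    internal = {n: a for n, a in adapters.items() if n not in with_gw}
    inside = [ip_network(f"{a['IP Address']}/{a['Subnet Mask']}", strict=False) for a in internal.values()]
    for name, a in adapters.items():
        if name in internal and not a["DNS Servers"]:
            findings.append(f"{name}: internal NIC lists no DNS server (should be the internal DNS)")
        for dns in a["DNS Servers"]:
            if not any(ip_address(dns) in net for net in inside):
                findings.append(f"{name}: DNS {dns} is not on the internal network (ISP DNS goes in the SBS forwarders only)")
    return findings
```

Run `check_isa_nics(parse_ipconfig(text))` on the real server's output; the "bad" sample reproduces the two findings Keith objected to, while the "good" sample returns no findings.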
Author Comment by R. Andrew Koffron (LVL 16):
This is exactly what I did initially and ISA blocks web addresses even when I set allow all from all networks to all networks.

I suspect there is a problem but not sure how to troubleshoot it, since after reading several soca and walkthroughs I still can't see the net from the ISA server. It seems to work when I publish ports through to the SBS server.

Expert Comment by Encrypted1024 (LVL 10):
Are your client computers on the same subnet as your ISA internal NIC? If you have an additional router between them you will have to add a static route on your ISA server pointing at your internal router.
Use the route add command.
Make sure you have NAT turned on in ISA if you are using private internal IPs.

Author Comment by R. Andrew Koffron (LVL 16):
The ISA server itself can't see any web stuff, like to run updates. It's sort of irrelevant if the clients can use it; I can't run an ISA server that isn't even able to get its own updates.

for example (PIP=Public IP, IIP = Internal IP)

Server setup is Server 2003 (not R2) Fully updated. No additional services installed. RRAS turned off
   External nic
     IP       PIP.PIP.PIP.92
     SNM  255.255.255.248
     DGW PIP.PIP.PIP.94

     DNS1 IIP.IIP.IIP.253 (internal SBS Server NIC with ISP DNS configured in forwarders tab)
     DNS2 -empty
  Internal NIC
    IP        IIP.IIP.IIP.254
    SNM   255.255.255.0
    DGW -Empty

    DNS1 IIP.IIP.IIP.253 (SBS internal)

Net works fine, and RRAS works fine if I configure it.

Installed ISA 2006,  Ran Edge firewall wizard to allow unrestricted access  to the net, and various other rules suggested in previous posts. no dice can't hit the net, NSLOOKUP is resolving IPs from names off SBS server ( Currently SBS server is routing the network through PIP.PIP.PIP.91 ISP ).

I can't think of any reason the ISA server would have a problem with getting DNS from a routing SBS server.

At this point I just need to get the ISA server to browse the web and I think I can get the rest.

Expert Comment by Encrypted1024 (LVL 10):
Change the DNS on ISA External NIC to ISP DNS. If your SBS can't Route, then it can't look up DNS, so it can't work. Fix one problem at a time. Get the internet working, then get routing working.
After changing your DNS, if it still won't browse, then play with the proxy settings in your browser. Try toggling auto detect on and off as well as setting static settings.

Author Closing Comment by R. Andrew Koffron (LVL 16):
OK. I really am becoming convinced that the problem isn't the basic setup. I've read and re-read the docs, and keith_alabaster's outline. I've uninstalled it and re-installed it at least 10 times. I've tried pretty much every combination of bindings and services I can think of.

Even using rules I'd never put into production. like allow all, from all, to all. The server stops working as soon as I install ISA, and no matter how many rules I make it doesn't seem to work.

I'm going to split the point on this one. since the setup was explained and I asked for that initially thinking I just made a dumb mistake.  I'll open another for trouble shooting the web rules/network  problem.

@keith_alabaster thank you for your blog post it did help, and cut through a lot of crud in other documents.
Sorry if I seemed ungrateful for that. My initial question was for a walk through, and I guess I wasn't clear enough that I was asking because a basic normal setup wasn't working.

@Encrypted1024 thanks for the clear simplified steps and understanding I was trying to troubleshoot an issue that doesn't make much sense.

Author Comment by R. Andrew Koffron (LVL 16):
Administrators, I meant to split the points on this and don't see how to change it.

Author Comment by R. Andrew Koffron (LVL 16):
I did take your advice, and I read and re-read what you posted, and I set it up like 10 times with all sorts of variations of the advice you and Encrypted1024 gave. But at the end of the day, no matter what I tried, the ISA server could not see the internet to even get updates.

I got a little short-tempered with the "generic read the documents" advice as I had read them, more than once, and was attempting to troubleshoot a problem that I'm pretty sure is a bad NIC or something fundamentally corrupt in the OS, possibly a corrupt TCP/IP stack.

It'll cost me less and be faster to scratch and rebuild than to try troubleshooting the existing problem, and even if the problem remains at least I'll be able to 99.9% rule out hardware and core OS issues at this point.

Tonight I'm going to buy a couple more NICs and replace the existing ones, and do another 100% clean install of the OS; no amount of reading documentation is going to fix a hardware or corrupt OS issue, and I'm now pretty sure that's the problem.

But you did answer my posted question, and you deserve the points (I know you're a genius and don't need these points, but right is right). I should have more clearly stated I was trying to troubleshoot a specific problem, had managed to set up previous ISA servers, and HAD read and attempted all the basic recommended procedures and was STILL unable to connect from the ISA to the web.

Expert Comment by Keith Alabaster (LVL 51):
Have a look at my profile here to get my contact details - hit me up at some point and I will walk you through it step by step. This is not the right place to do it, i.e. practically by email. I have getting on for 300 ISA and FTMG installations behind me of all flavours and scenarios. I doubt yours will be one I haven't come across before. We just need to get the Windows basics right first; the rest comes easily.

Author Comment by R. Andrew Koffron (LVL 16):
I've reinstalled and have the same issue on 2 new network cards. I'm SURE I'm just having a brain fart and missing some crucial step I'm failing to understand. I'm going to open a new question.