ISA 2006 - HTTP Diffserv - query

Hi, I'm trying to understand the "Specify Diffserv Preferences" option in ISA 2006.

I can see the tabs:
- General - enables traffic prioritization via web traffic and routers that support QoS, for example

- Priorities - what is the list of values, so I know what to add?

- URLs - what kinds of URLs am I adding?

- Domains - I assumed I would add the local domain and any other domain I'm attached/linked to?

- Networks - the networks listed below; I assume they are there because of my initial configuration already in place, i.e. allowing my internal users internet access, and because I have also configured a VPN remote client at home?

- External
- Internal
- Quarantined VPN Clients
- VPN Clients
mikey250 asked:
infoplateform commented:
Hi:

General: name of the rule

URLs: specify the URLs which you want to allow or deny

Domains: of course, your local domain, like abc.com

Networks: for internet for local users - Internal to External; for VPN for external users - External to Local Host + Internal
Keith Alabaster (Enterprise Architect) commented:
Mikey,

Diffserv is only relevant if you have Diffserv set up on all of your internal routers. If you do not, the Diffserv option within ISA is meaningless. It is similar to the dual-ISP options in TMG - if you do not have dual ISPs, you don't use the options.

mikey250 (Author) commented:
Hi infoplateform, in ISA 2006 the General tab has a tickbox available supporting the following:

- enables traffic prioritization via web traffic and routers that support QoS, for example

URLs: OK, so if I wish to block Facebook, Yahoo, Amazon, Google... I'm aware that the WWW is a big place, so what about the other websites that I don't know?

- I'm also aware that some companies do say don't use the work PC for internet use at all.

- I'm also aware that some companies also provide a few PCs, or a single PC, specifically in another office just for personal internet use, i.e. a standalone PC not part of the network, so if a problem occurs it's just a host PC that can be resolved at a later date.

- I'm also aware that that may not be ideal, so is there some standardized URL that would be added as a result of what you say, to allow/deny?

Domains: of course, your local domain, like abc.com - OK.

Networks: as the networks in place here on ISA 2006 were there already when I looked, I assume whatever I configure on ISA 2006 is put here by default, so it is something I would not touch unless it was not added for whatever reason?
mikey250 (Author) commented:
Hi Keith,

"Diffserv is only relevant if you have Diffserv set up on all of your internal routers. If you do not, the Diffserv option within ISA is meaningless. It is similar to the dual-ISP options in TMG - if you do not have dual ISPs, you don't use the options."

- OK!

Yes, I saw on the General tab where it also stated: enables traffic prioritization via web traffic and routers that support QoS, for example.

I have 2 routers, so I could connect the routers to act as pretend ISPs via my single Netgear router box, as this is all I have for testing, although it is not ideal because I only have a single public address and not 2, so I cannot really simulate anything properly, which I realise. Also I would activate QoS as you state, assuming my routers have this feature within their IOS.

I've only ever known of 2 ISPs being used for fault tolerance, i.e. one goes down, one comes up, just like HSRP for example. As I'm completely new to ISA 2006, I'm trying to gain some insight as I go along! Unless the company business requires use of both ISPs!

Question 1. Would my above comments be a good assumption?
Keith Alabaster (Enterprise Architect) commented:
ISA does not support two external interfaces - ergo it does not support two ISPs. The replacement product, TMG, DOES support two ISPs through its load-balancing functions. With this you can either fail over from one ISP to the other or use both ISPs simultaneously.

For ISA, you would need a dual-WAN router on the outside of ISA, and it would have to carry out the failover functions on ISA's behalf.
mikey250 (Author) commented:
Apologies, I mixed both your sentences together without realising you were distinguishing between ISA not using 2 ISPs, because it cannot, and the upgraded version TMG, which can. I have not touched TMG yet but wanted to evolve onto this another time, ages away yet!

I understand what you mean!

Thanks!
Keith Alabaster (Enterprise Architect) commented:
No problem. I have been the MS TechNet moderator for ISA, and now TMG, for many years, and pretty much the resident expert on ISA and TMG for many years, but I still learn things now and then about them.

ISA is no longer a supported product, but there are still lots of them out in the field.
mikey250 (Author) commented:
Thanks! That's why I chose ISA 2006!

I suppose my real question is: as I've only wanted to provide internet access just for my internal domain users, which I have, and have configured a VPN via a laptop, I just wanted to know if that is all I want to use ISA 2006 for at this moment in time. Is what I have done OK, i.e. on the firewall?

All the other questions I have are for progressing onto the other stuff around ISA 2006.
Keith Alabaster (Enterprise Architect) commented:
Check the basics first - read my article.

http://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html

All ISA settings can be left at basic - and the DEFAULT network relationship between Internal and External in the GUI (Networks) is NAT, not ROUTE.

You need an absolute minimum of three access rules for internet access for internal users:

1. Allow DNS from Internal to External.
2. Allow other protocols from Internal to External - up to you whether you authenticate these, and also up to you whether you put this as a single rule or a rule for each protocol. In here you would create additional rules allowing traffic FROM VPN users TO Internal and External.
3. Deny all (in by default as the last rule).

Personally I have about 70+ rules, as I like to check traffic and manage it more easily.
DON'T forget to put in the settings for the web browser proxy - either by .pac file, group policy or manually (.pac file is best).
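A worked example of the .pac file Keith recommends for the browser proxy settings. This is an added example and is not part of his post or his article; the addresses are assumptions, not values from the thread: an ISA internal NIC at 10.0.0.1 with the web proxy listener on TCP 8080, an internal range of 10.0.0.0/24, and an AD DNS suffix of corp.example. Internal names and addresses go DIRECT; everything else is handed to ISA, so the HTTP filtering and logging on the access rules actually see the traffic.

```javascript
// Added example (not from the thread or from the linked article): a proxy
// auto-config (PAC) file for clients behind ISA 2006.
// Assumed values: ISA internal NIC 10.0.0.1, web proxy listener on TCP 8080,
// internal AD DNS suffix corp.example, internal range 10.0.0.0/24.
var ISA_PROXY = "PROXY 10.0.0.1:8080";
var INTERNAL_SUFFIX = ".corp.example";
var INTERNAL_NETS = [["10.0.0.0", 24], ["127.0.0.0", 8]];

// Dotted-quad to 32-bit integer; returns -1 for anything that is not an
// IPv4 literal, so hostnames never get treated as addresses.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return -1;
    n = n * 256 + o;
  }
  return n;
}

// CIDR membership in plain arithmetic. Browsers provide isInNet() for this,
// but it resolves non-IP hosts via DNS before comparing, which is avoided
// here by only ever testing IP literals.
function inCidr(ip, network, bits) {
  var a = ipToInt(ip), b = ipToInt(network);
  if (a < 0 || b < 0) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Entry point every PAC-capable browser calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (http://intranet/) and our own AD suffix stay on the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host === "localhost") return "DIRECT";
  if (host.length > INTERNAL_SUFFIX.length &&
      host.substring(host.length - INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) {
    return "DIRECT";
  }
  // IP literals inside the internal ranges also stay local.
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inCidr(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
  }
  // Everything else goes through ISA. Deliberately no "; DIRECT" fallback:
  // with a fallback the browser would silently bypass the proxy rules and
  // logging whenever the listener is unreachable.
  return ISA_PROXY;
}
```

The file uses only `var` and ES3-era constructs so the JScript engine in the Internet Explorer versions of the Windows Server 2003 era can evaluate it. Publish it from an internal web server (or ISA's own listener) and point clients at it via group policy or the browser's automatic configuration script setting; the return string format (`PROXY host:port` or `DIRECT`) is the standard PAC contract, not anything ISA-specific.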
mikey250 (Author) commented:
Hi Keith, I've just read through your URL and it appears I've done exactly that, although I have just a couple of queries:

Your comments:
"All ISA settings can be left at basic - and the DEFAULT network relationship between Internal and External in the GUI (Networks) is NAT, not ROUTE."

- I've just checked my network rules and, prior to my configuration, there was only one default rule that I saw, or at least assumed was there by default. Now I have 2 more rules added, totalling 3. I've also checked: out of those 3, 2 of them are configured as Route and the 3rd one is configured as NAT, which states "Internet Access". So I assume that is correct, as I only have the one "configuration NIC" issue mentioned below that MSBPA detected!

Your comments:
"In summary, on the ISA Server machine only the external NIC has a default gateway set" - OK, understood.

"and only internal DNS Server IP addresses are used on both ISA Server NICs." - I'm reading this part but not sure what you mean?

"Use DNS Forwarders to forward name resolution requests to external resolvers" - yes, I understand. I'm currently using my residential Netgear router box as my internet connection for test purposes, so other than just receiving internet access, I have not got a package that allows my internal DNS to communicate with their DNS, other than using my ISA external NIC to provide the actual internet connection. So I have ignored the forwarders.

You mention in your example: route -p add 192.168.3.0 mask 255.255.255.0 192.168.5.254, which I did not get at first, but I do now.

Originally I had a router attached to my ISA internal NIC1, and although my ISA was joined to the domain successfully and internal domain users had internet access,

I had added on my ISA: route -p add 10.0.0.0 mask 255.255.255.0 192.168.100.1 - my 10.x.x.x/24 network is my internal range and 192.168.100.1 was the connection of my router's external interface fa1/0, as my router's internal interface was 10.0.0.1/24.

- I then ran MSBPA and it showed a "configuration issue" with 192.168.100.0 - x.x.x.x as above.

- I never did find out why, so I removed my router instead! Would you know why?

- Even though I have removed the router and 192.168.100.x/24 altogether, my ISA MSBPA still detects this address...!?
Keith Alabaster (Enterprise Architect) commented:
You REALLY need to get a manual or go on a course... :)

None of the ISA NICs can have the ISP or any external DNS IP addresses assigned to them. You place the INTERNAL DNS server IP address on the ISA internal NIC. You leave the external ISA NIC DNS entry BLANK, or you can place the internal DNS IP address in the ISA external NIC as well. Your choice - but best practice is to leave the ISA external NIC DNS entry blank.

Your forwarders will point to the IP address of the residential router, I guess.

Correct - by default build, ISA has only one rule: the default deny all.

My example was exactly that - an example - you replace the 192.168.x.y address in the example with your own internal IP address range, i.e. 10.0.0.0 etc.

Paste the output of an ipconfig /all and the output from a route print taken from the ISA server. Let's have a look at it.
mikey250 (Author) commented:
You misinterpret me regarding the ISA NICs; it was just a suggestion I put out there, although I have not done this because I'm aware my DNS does not know, and will not know, my ISP DNS! :)

Yes, my ISA 2006 internal NIC has always had the primary DNS set pointing towards my only master DC/AD/DNS/DHCP/GPO server!

Yes, my ISA 2006 external NIC DNS entry has always been blank!

The reason for my suggestion was that, as I have never done VPNs via ISA 2006 ever, I was also wondering, as my actual internet connection is residential hardware rather than a (proper) business type, whether my DNS did need to be able to communicate with my ISP DNS, because otherwise, at the time, I was thinking my work would be a waste.

But due to other experienced experts telling me it should still work and I do not need to be communicating with my ISP DNS, I accepted this. But like I said, it was just an idea I threw out there, as you clearly know your stuff!

As I'm short of funds I cannot buy a book, but definitely this is something I will buy. Any suggestions on the best step-by-step book I can get so I can absorb the knowledge, instead of an encyclopedia? :)