need help to setup ISA Server 2006, no internal internet


  • need help to setup ISA Server 2006, no internal internet

    Hello,

    I am trying to learn ISA server in my work environment, as I'm replacing a Cisco PIX 506 with this new ISA 2006 box.

    However, I'm having some problems getting it to work.

    It's installed on a fresh copy of Win2k3 standard.

    This server has 2 NICs.

    It's on a domain network; we have 2 DCs, and 1 of the DCs has DHCP.

    I've followed the guide on this page http://blog.msfirewall.org.uk/2008/0...work-card.html

    I set up the external NIC with the IP, netmask, gateway and DNS provided by our T1 provider.

    The internal NIC is set up with the same internal IP as my Cisco PIX 506 - 192.168.2.1, so that our internal workstations don't need to change anything. Gateway left blank, DNS points to the internal DNS/domain controllers.


    Routing and Remote Access enabled. (Am I supposed to enable this??)
    Basic firewall enabled on the external NIC. I just used the wizard and selected "NAT / VPN access"

    Added new access rule to ISA to allow all outbound connections.

    I am able to browse the internet on the ISA 2006 box, but our internal workstations have no access to internet.

    But internal workstations can ping to ISA box as well as T1 router (external IP)

    Am I missing something here?? Please help!

  • #2
    Re: need help to setup ISA Server 2006, no internal internet

    You shouldn't touch the RRAS.
    You shouldn't configure DNS on the external NIC (re-read the link again).
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: need help to setup ISA Server 2006, no internal internet

      Thanks!

      I just read the link again and removed the DNS setting on external NIC.

      I also disabled RRAS. I'll give it a try after work hours today.


      With ISA Server, can I easily replicate what the PIX 506 does?

      I'll need to assign a public IP to the terminal server, one to the web server, another one to a test server. How can this be done? It was easy on the PIX with a few access rules to open up the port and a static route from external to internal.

      What book do you suggest if I want to learn more about ISA 2006? Or should I start from 2004?

      Many thanks!



      • #4
        Re: need help to setup ISA Server 2006, no internal internet

        I'm not sure what you mean by "replicate"?

        However, if you want to make a site (or whatever) publicly available you can use the publishing wizards.
        Pretty easy to use.

        For the books, you don't need to start with ISA 2004. I suggest you read Dr. Tom Shinder's ISA Server 2006 Migration Guide.
        Nice book to read.
        Marcel


        • #5
          Re: need help to setup ISA Server 2006, no internal internet

          I agree with Dumber re: books, the Tom Shinder one is very good. ISA Server 2006 Unleashed is OK but much more high-level.

          Don't disable RRAS - ISA requires it. What you need to do is let ISA configure RRAS during install and it sets up RRAS the way it needs it.
          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
          Cruachan's Blog



          • #6
            Re: need help to setup ISA Server 2006, no internal internet

            I think I must have broken it during the install.

            I installed ISA Server right after Win2k3; I didn't set up the NICs or add Windows services like RRAS before the ISA install.

            Should I remove ISA and redo it?

            What's the correct procedure to install ISA?



            • #7
              Re: need help to setup ISA Server 2006, no internal internet

              Yeah, I would probably uninstall ISA and remove the RRAS role. Then configure the NICs correctly and re-install ISA. ISA will install and configure RRAS as it requires it to be set up. It is critical to get the NIC configuration right before installing ISA though.

              My usual setup procedure is:-
              1. Install Win 2K3
              2. Patch fully up to date
              3. Configure NICs for ISA
              4. Install ISA
              5. Patch ISA up to date
              6. Then you should be ready to start configuring for your network

              Note that if you are making ISA a Domain Member (That's a whole new topic!) it's probably best to do this after step 2. You shouldn't need to create a rule to allow access to Windows/Microsoft update as this site is allowed by default.
              Cruachan's Blog
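
Added example, not part of any post in this thread: a check of `ipconfig /all` output against the NIC layout the thread describes for step 3 (default gateway only on the external NIC, DNS servers only on the internal NIC). The adapter names `External` and `Internal` and every address except 192.168.2.1 are assumptions, and the sample output is constructed.

```python
import re

# Constructed `ipconfig /all` excerpt from a two-NIC ISA box. Only 192.168.2.1 comes
# from the thread; other addresses and the adapter names are assumed placeholders.
SAMPLE = """\
Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.9
   DNS Servers . . . . . . . . . . . : 203.0.113.53

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 192.168.2.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.2.10
                                       192.168.2.11
"""

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; wrapped value lines extend the previous field."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^\S.*adapter (.+):\s*$", line)
        field = re.match(r"^\s+(.+?)[ .]*:\s*(.*)$", line)
        if head:
            current, last = adapters.setdefault(head.group(1), {}), None
        elif field and current is not None:
            last = current.setdefault(field.group(1), [])
            if field.group(2):
                last.append(field.group(2).strip())
        elif line.strip() and last is not None:
            last.append(line.strip())  # e.g. a second DNS server on its own line
    return adapters

def check_nics(text, external="External", internal="Internal"):
    """List deviations from the NIC layout described in the thread."""
    nics = parse_ipconfig(text)
    ext, inside = nics.get(external, {}), nics.get(internal, {})
    rules = [  # (adapter fields, field name, must be set?, finding text)
        (ext, "Default Gateway", True, "external NIC has no default gateway"),
        (ext, "DNS Servers", False, "external NIC has DNS servers configured"),
        (inside, "Default Gateway", False, "internal NIC has a default gateway"),
        (inside, "DNS Servers", True, "internal NIC has no DNS servers"),
    ]
    return [msg for nic, key, wanted, msg in rules if bool(nic.get(key)) != wanted]
```

Run against the constructed sample, `check_nics(SAMPLE)` reports the DNS servers on the external NIC, the setting post #2 says to remove.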



              • #8
                Re: need help to setup ISA Server 2006, no internal internet

                Indeed. It's about the same procedure I follow.
                Make sure that ISA is joined to the domain.
                Although there is a lot of discussion about whether it's safe to join ISA to the domain, it will give you a lot of benefits, like authentication for example (there are other ways to resolve this, though).

                Check this out for domain membership:
                http://blogs.isaserver.org/shinder/2...-the-question/
                Marcel


                • #9
                  Re: need help to setup ISA Server 2006, no internal internet

                  Great, I'll reinstall ISA and see what happens. Something must have broken when I was turning things on and off.

                  And yes, this ISA box is joined as a domain member.



                  • #10
                    Re: need help to setup ISA Server 2006, no internal internet

                    Let us know how you get on.

                    I'm an advocate of ISA being a domain member as well, but it is and remains a topic of much discussion and is not really relevant to the original question in this thread.
                    Cruachan's Blog



                    • #11
                      Re: need help to setup ISA Server 2006, no internal internet

                      I finally got it working now!!! I removed ISA and reinstalled it, it worked.

                      Also got RDP to work for the terminal server, it's all good now.

                      ISA is quite easy to use actually, much easier than the Cisco PIX command line interface...

                      Thanks for the help, guys!


                      • #12
                        Re: need help to setup ISA Server 2006, no internal internet

                        Great to hear you solved it.
                        Marcel


                        • #13
                          Re: need help to setup ISA Server 2006, no internal internet

                          Well done.

                          ISA is a great product IMO, it's a bit scary at first but much more intuitive than Cisco and the like.
                          Cruachan's Blog



                          • #14
                            Re: need help to setup ISA Server 2006, no internal internet

                            Indeed. ISA is great to learn. Now I need to figure out how to make it more secure.

                            What kind of hardware do you guys run ISA on? How important is hard drive redundancy? I deployed it on a Dell 1U 1750, but it doesn't have a RAID controller; it runs on a single SCSI hard drive.



                            • #15
                              Re: need help to setup ISA Server 2006, no internal internet

                              Well, I don't manage one or multiple ISA servers.
                              However, I support many colleagues and customers with their ISA server issues.

                              To make it more secure you might check out SCW (Security Configuration Wizard).
                              Please review:
                              http://technet.microsoft.com/en-us/m...hardening.aspx
                              http://www.isaserver.org/tutorials/W...-Firewall.html

                              Although I do not advise a virus scanner on a firewall (ISA in this case), you might check this out:
                              http://technet.microsoft.com/en-us/l.../cc707727.aspx
                              The reason for this is that I also don't advise doing any web surfing on the firewall itself.

                              About the capacity planning you might check this URL out:
                              http://www.microsoft.com/isaserver/capacityplanner.swf

                              Backups:
                              An ISA server is usually quite simple to rebuild (basically install OS, network settings and install ISA); you might back up the ISA configuration and the certificates.
                              Usually a firewall is quite a static configuration.
                              However, if you want to check out some software which should be able to do this, then check this out:
                              http://www.winfrasoft.com/BackupForISA.htm
                              Marcel