New SBS 2003 Premium install, ISA Server queries


  • New SBS 2003 Premium install, ISA Server queries

    Evening all,

    I'm in the process of installing a new SBS 2003 R2 Premium system. I've dealt with SBS Standard before so I'm happy with 90% of what needs to be done. What I've not dealt with before is ISA Server. I know that in order to get online, the Microsoft Firewall Client needs to be installed on workstations.

    Normally I'd want to spend a decent amount of time planning the installation, trying it out and testing it thoroughly before deploying it at the business, but in this instance we just don't have the time to do it. Due to a hardware failure on Monday with the old server, we now have until Thursday (a week today) to get it in place. If necessary, I will install Server 2003 Standard on the new server and restore the old system from a backup, but I'd rather move to SBS now if we can.

    Background - this is my mother's business and I'm usually available whenever she's in the office (she works evenings as it's a tuition centre) should any problems occur. She uses an XP Pro laptop and has six XP Pro desktops used by the pupils using a generic user account.

    What I'm wondering is, if I install the Firewall Client, what happens when she takes her laptop home and connects to the wireless? Will she still be able to use the Internet - ideally without having to reconfigure the browser each time.

    Also, with ISA and the Firewall Client, do I still point the clients to the server as the default gateway (with a DHCP option), or does the client take care of that?

    I would greatly appreciate any insights people may have relating to either of those queries (or indeed to what I'm trying to do in general). Unfortunately my research hasn't really turned up anything useful other than a thread on Expert Sexchange from 2005 with no answer, just a (now dead) link to another website - if this has already been answered on this forum then I would appreciate if someone would provide a link to it, as my searches aren't turning up any answers.

    Thanks in advance, beer coupons will be printed shortly

    Edit: I should add that the server has 2 NICs and that the Internet connection is connected to one of them, rather than being connected to the LAN backbone.

    Edit: Also, if it makes a difference, the subnet in use on the LAN in the office will be different to the subnet in use at home.
    Last edited by gforceindustries; 25th August 2011, 21:22.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: New SBS 2003 Premium install, ISA Server queries

    You don't need the Firewall Client on the machines unless you are using any kind of custom or complex protocols on the client PCs. Default on SBS 2003 Premium is that authentication is enabled, so all clients need to be Web Proxy clients (i.e. have the proxy configured in the browser), so there would be some browser tweaking between sites. You can however turn off the need for authentication so that SecureNAT clients can access the internet.

    My preferred option however would be to create a DHCP reservation for your Mum's laptop, and add a custom rule in ISA allowing internet access from that IP which would bypass the need for authentication from that PC. I used to run SBS 2003 Premium at home and did this for my work laptop so I could easily use it at home.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog


    • #3
      Re: New SBS 2003 Premium install, ISA Server queries

      Originally posted by cruachan
      Default on SBS 2003 Premium is that authentication is enabled, so all clients need to be Web Proxy clients (i.e. have the proxy configured in the browser), so there would be some browser tweaking between sites.
      Rather than configuring the proxy address in the browser, can I use WPAD instead? That way all I would have to enable in the browser would be automatic detection, which at the office would result in going via ISA and at home would be direct.

      As for default gateways, do I still need to set the default gateway of the desktops? If I do not install the Firewall Client, then presumably yes? If I do install the client, then do I need to set it?

      What about the laptop?

      Can I have some clients with the Firewall Client installed and others without it?

      We mainly want SBS to get Exchange, however as I'm sure you can appreciate, we would like to implement ISA in order to block access to unapproved websites for the pupil workstations. Other applications besides the browser will need to access the Internet and I currently have no way of knowing whether or not they will read IE's proxy settings, or will just buy a one way ticket aboard the Fail Bus...

      Thanks for your insightful response, you've given me a clear direction to head in. Your beer coupon is sat on the printer awaiting collection
      Last edited by gforceindustries; 26th August 2011, 00:37.


      • #4
        Re: New SBS 2003 Premium install, ISA Server queries

        Yep, WPAD will work as well.

        The Firewall Client is optional; clients (of the ISA Server) are either Firewall Clients (they have the software installed), Web Proxy (using the ISA Server as a browser proxy) or SecureNAT (Internet access is NATed through the ISA Server). SBS 2003 creates a default configuration for ISA 2004, but this can be changed to suit your needs.

        I don't really use the firewall client, never had the need, so I'm not as familiar with it as the other client options. This article written by Tom Shinder at isaserver.org explains it much better than I could. I read it as the Default Gateway is optional for Firewall Clients, but seeing as they will also be DHCP clients (I assume) then I'd leave the option there.
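The WPAD behaviour asked about in #3 and confirmed in #4 comes down to what the proxy auto-config script returns for a given client. An added example, not from any poster and not the script ISA generates: a hand-written PAC function with Node stand-ins for the browser helpers. The host name sbs.office.local, port 8080 and subnet 192.168.16.0/24 are assumptions.

```javascript
// Added illustration, not ISA's generated wpad.dat. The names, subnet and
// port below are assumed values for an office like the one in the thread.
const OFFICE_NET = "192.168.16.0", OFFICE_MASK = "255.255.255.0";
const ISA_PROXY = "PROXY sbs.office.local:8080"; // assumed web proxy listener

// Stand-ins for helpers the browser supplies to PAC scripts, so this runs
// under Node. A deployed PAC file contains only FindProxyForURL.
let clientIp = "192.168.16.50"; // constructed sample client address
const myIpAddress = () => clientIp;
const isPlainHostName = (host) => !host.includes(".");
const dnsDomainIs = (host, domain) => host.toLowerCase().endsWith(domain);
const toInt = (ip) =>
  ip.split(".").reduce((n, octet) => ((n << 8) | Number(octet)) >>> 0, 0);
// Simplified: matches IPv4 literals only (the browser version also resolves names).
const isInNet = (host, net, mask) =>
  /^\d+(\.\d+){3}$/.test(host) &&
  ((toInt(host) & toInt(mask)) >>> 0) === toInt(net);

function FindProxyForURL(url, host) {
  // Local names and LAN addresses (the SBS box itself, printers) stay direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".office.local") ||
      isInNet(host, OFFICE_NET, OFFICE_MASK)) {
    return "DIRECT";
  }
  // On the office subnet, web traffic goes to ISA. There is no "; DIRECT"
  // fallback, so a proxy outage fails closed instead of skipping filtering.
  if (isInNet(myIpAddress(), OFFICE_NET, OFFICE_MASK)) return ISA_PROXY;
  // Any other subnet, such as the home wireless, goes direct.
  return "DIRECT";
}

// Try the script as a client with the given address would see it.
function proxyFor(ip, url) {
  clientIp = ip;
  return FindProxyForURL(url, new URL(url).hostname);
}

console.log(proxyFor("192.168.16.50", "http://www.example.com/"));
console.log(proxyFor("10.0.0.7", "http://www.example.com/"));
```

At home auto-detection normally finds no wpad host, so this script is never fetched and the browser connects directly; the subnet test covers a script that is still applied off-site. A PAC script only steers cooperative clients, so the blocking wanted for the pupil workstations has to be enforced by ISA access rules.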


        • #5
          Re: New SBS 2003 Premium install, ISA Server queries

          UTFW! You don't need to do anything. The CEICW configures ISA for you (if you select it to configure your Firewall - something I recommend, as opposed to UPnP). The firewall client configures WPAD for you and knows to switch itself "off" and disconnect the proxy when you are off domain.
          One brickbat, download the latest ISA2004 service pack before you start or you might not be able to get to the Internet to do so when you install ISA.
          But ISA 2004 is getting a bit long in the tooth.....
          TIA

          Steven Teiger [SBS-MVP(2003-2009)]
          http://www.wintra.co.il/
          I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

          We don't stop playing because we grow old, we grow old because we stop playing.


          • #6
            Re: New SBS 2003 Premium install, ISA Server queries

            Originally posted by teiger
            You don't need to do anything. The CEICW configures ISA for you (if you select it to configure your Firewall - something I recommend, as opposed to UPnP). The firewall client configures WPAD for you and knows to switch itself "off" and disconnect the proxy when you are off domain.
            That makes life easier

            Originally posted by teiger
            But ISA 2004 is getting a bit long in the tooth.....
            I have no budget - I use what I can get


            • #7
              Re: New SBS 2003 Premium install, ISA Server queries

              Originally posted by gforceindustries

              I have no budget - I use what I can get
              There are plenty of open source firewalls (like IPCOP etc) that you can stick in front of an SBS.
              Much as I love ISA, and I regret MS dropping it from SBS and then dropping it altogether, you should stick something else as a gateway.
              What budget would you have for an intrusion, if it happened?


              • #8
                Re: New SBS 2003 Premium install, ISA Server queries

                Originally posted by teiger
                There are plenty of open source firewalls (like IPCOP etc) that you can stick in front of an SBS.
                You're quite right that there are a lot of very good FOSS firewalls out there, but I really don't have the budget to dedicate a piece of hardware to running one of them. I'd rather not have my DC as the edge server (SBS or otherwise), but beggars can't be choosers

                Originally posted by teiger
                What budget would you have for an intrusion, if it happened?
                None. I would reinstall compromised systems (in an environment this small, that might as well be all of them just to be safe) and recover data from backups and the company would just have to survive without computers for a day or two.


                • #9
                  Re: New SBS 2003 Premium install, ISA Server queries

                  Then I am sorry to inform you that you are surplus to requirements and that you can pick up your P45 on the way out
                  Also the company doesn't need computers either as, if continuing for two days has no cost/budget, they are also surplus to requirements.

                  PLEEEASE don't take this seriously!


                  • #10
                    Re: New SBS 2003 Premium install, ISA Server queries

                    Lessons have gone ahead in the past when the office had no electricity - the way the lessons work is that pupils complete each activity on paper first and then on the computers; this way they develop handwriting and computer skills, as well as reinforcing the topics they are learning. They also then repeat the exercises a third time for their homework. It would be very inconvenient to not have computers available but it is doable and I can have a PC reinstalled with Windows and the educational software within a couple of hours.

                    But yes it is quite a challenge delivering the best possible system with no budget