
Chris Mohan's ISA Braindump

Many thanks to Chris Mohan for an excellent talk and also for putting together this great ISA Braindump.

Excellent resources and places to read about ISA

http://www.isaserver.org

ISA Server Product Team Blog

http://blogs.technet.com/isablog/default.aspx

Internet Security and Acceleration (ISA) Server TechCenter

http://www.microsoft.com/technet/isa/default.mspx

Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_5.mspx

Virtual Labs

http://technet.microsoft.com/en-us/bb499665.aspx

Avoiding things going too wrong when playing with ISA:

  1. Review your ISA rules and understand what they do and who they affect
  2. Plan, Plan PLAN before you make changes - include the network, Exchange and security team (if they aren't all you)
  3. Make sure all the Exchange stuff works internally (OWA, RPC over HTTPS, activesync) before working on the ISA
  4. Make sure DNS name resolution works internally and externally

Couple of questions asked during the ISA talk (from memory)

Question how to control Mac machines?

They can only be SecureNAT clients and use rules which allow unauthenticated traffic (the All Users group). However, basic authentication (clear-text usernames and passwords across the network!) can be used as an option: under Networks > Web Proxy > Authentication, add Basic Authentication.

First, you'll want to make sure that you're publishing the WPAD file via DNS and/or DHCP (I personally do both).

Once you've done that, having OS X autoconfigure is easy! Open up the Network preference and select the network connection that you want to work with. Go to the Proxies tab.

Under the "Select a proxy server to configure", scroll all the way to the bottom and then select "Automatic Proxy Configuration". To the right, for the URL specify the path to the WPAD configuration file (even though it specifies a .pac file):

http://server.domain.tld:8080/wpad.dat

Make sure "wpad.dat" is in lower-case, ISA is case-sensitive!

That is all there is to it.
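As an added example (not part of the original braindump, and not the wpad.dat that ISA generates itself), here is a hand-written PAC script equivalent to what the URL above serves. It assumes the ISA web proxy listener is server.domain.tld:8080, the internal AD domain is domain.tld and the internal subnet is 192.168.0.0/24; the shims for the PAC built-ins only exist so the script can be tested outside a browser.

```javascript
// Hand-written PAC script standing in for the wpad.dat that the ISA web proxy
// serves at http://server.domain.tld:8080/wpad.dat. Added example, not ISA's
// generated file. Assumed: proxy listener server.domain.tld:8080, internal AD
// domain domain.tld, internal subnet 192.168.0.0/24.
var ISA_PROXY = "PROXY server.domain.tld:8080";
var INTERNAL_DOMAIN = ".domain.tld";
var INTERNAL_NET = "192.168.0.0";
var INTERNAL_MASK = "255.255.255.0";

// Dotted quad -> number; null if the string is not an IPv4 literal.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// A browser's PAC engine supplies isPlainHostName/dnsDomainIs/isInNet. When
// run outside one (e.g. Node, for testing) install offline shims; the isInNet
// shim only understands IP literals because no DNS lookup is done here.
if (typeof isInNet !== "function") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) {
    var h = host.toLowerCase(), d = domain.toLowerCase();
    return h.length >= d.length && h.substr(h.length - d.length) === d;
  };
  globalThis.isInNet = function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return (h & m) === (p & m);
  };
}

// Only hosts on the ISA Internal network go DIRECT; everything else goes to
// the web proxy listener. No "; DIRECT" fallback is appended, so a client
// never silently bypasses the authenticated HTTP/HTTPS rule on the ISA.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";            // single-label names
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(host, INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";
  return ISA_PROXY;
}
```

Serve it as wpad.dat (lower-case, as noted above); the ISA rule allowing HTTP and HTTPS for authenticated users still applies to everything the script sends to PROXY.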

Do you need the Mutually authenticate the session when connecting with SSL check box?

Although not strictly necessary, you can select the Mutually authenticate the session when connecting with SSL check box. Doing so lets the RPC proxy server (or HTTP forward proxy server) authenticate the connecting client by using the client's certificate as well as the server certificate. When you select this option, the client must provide the expected server principal name to the server's Security Support Provider (SSP) module. If you use Microsoft standard syntax, use the "msstd:" prefix followed by the FQDN of the RPC proxy server.

In place upgrade from ISA 2004 to ISA 2006

Upgrade Guide for ISA Server 2006 Enterprise Edition

http://www.microsoft.com/technet/isa/2006/Upgrade_Guide_EE.mspx

Setting up NLB with virtual machines?

VMware Workstation has problems doing this in unicast mode, but Microsoft Virtual Server works fine. So use Virtual Server if you want to go ISA 2004/2006 Enterprise Edition load-balancing mad and play with arrays :-)

A rough guide to the Test network I was playing with at the demo – very handy to have around for testing new rule sets before dropping them on a production network!

Test Network

1 - 2003 server Domain Controller running Certificate Services in Enterprise Root mode

1 - 2003 server running Exchange 2003 SP2, with a web certificate issued to the default web site and the RPC over HTTP option installed

Configure RPC over HTTP-S on a Single Server http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

1 - 2003 server running ISA 2006 with support pack; 2 network cards, one for the internal network and the other for the external

Basic rules are below.

1 - XP SP2 machine running Outlook 2003 SP3. Join this machine to the domain, ensure it automatically receives the Root certificate, and then set it up to use Outlook via HTTPS. Then test that OWA is working correctly. Once it is all working, swap it to the external network connected directly to the ISA's external interface, and drop in some hosts file entries for the externally published OWA/RPC names.

Rules in order

  1. Allow: DNS from DC to external for all users
  2. PUBLISH: SMTP from External to Exchange server IP address
  3. Allow: SMTP Outbound from Exchange server to external for all users
  4. PUBLISH: Outlook Web Access (SSL) from External to Exchange server SSL certificate
     (How to publish Outlook Web Access (OWA) on ISA 2006: http://www.shijaz.com/isaserver/isa2006_publish_owa.htm)
  5. Allow: HTTP & HTTPS from Internal network to External network for authenticated users
  6. Default Deny All rule

Published Wednesday, 24 October 2007 8:56 AM by Derrick
