This article lists some of the common configuration mistakes and gives information on how to avoid them.
- There is no such thing as a single interface firewall
A firewall has a minimum of two network interfaces. This means you need at least *two* NICs in your ISA box if you want it to work as a firewall. Theoretically you can run ISA on a box with a single NIC, but that will do little to secure your network; at most you can use it as a proxy through which your users connect to the Internet.
Tom Shinder of isaserver.org says: “Deploying a single-NIC ISA Firewall is like giving a soldier a Desert Eagle .50 and no ammo.”
In short, you’re not using ISA as a real firewall if you don’t have two interfaces on it!
- Specify the default gateway on that published server!
You need to specify the internal IP address of the ISA server as the default gateway on the server that you want to publish on ISA. Or, make sure that there are appropriate static routes in place.
- Rules that contradict each other
As can be seen from the diagram below, ISA processes your access rules in the order that you specify them, i.e. rule #1 is processed first, then rule #2, #3, etc. If rule #1 matches the conditions of the access the user requested, ISA applies that rule's action (allow or deny) and skips all remaining rules. If the current rule does not match, ISA moves on to the next rule, and so on.
If you place a rule that 'allows internet access to all users' BEFORE a rule that 'denies internet access to Peter', Peter will still have internet access, because the first rule already matched his request and the deny rule is never reached. It might look simple, but this mistake happens all the time.
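The first-match behaviour described above, modelled as an added example (not code from the original article or from ISA itself): the rule fields and the users are constructed, and a small check reports rules that an earlier, broader rule makes unreachable.

```python
# Added example, not from the original article: a minimal model of ISA's
# first-match rule processing, plus a check for rules that an earlier, broader
# rule shadows so they can never fire. Rules and users are constructed.
from dataclasses import dataclass

ALL_USERS = "All Users"   # stands in for ISA's built-in "All Users" set

@dataclass(frozen=True)
class Rule:
    order: int            # position in the access policy, 1 = evaluated first
    name: str
    action: str           # "Allow" or "Deny"
    users: frozenset      # user set the rule applies to; ALL_USERS matches anyone
    protocols: frozenset  # e.g. {"HTTP", "HTTPS"}

def rule_matches(rule, user, protocol):
    user_ok = ALL_USERS in rule.users or user in rule.users
    return user_ok and protocol in rule.protocols

def evaluate(rules, user, protocol):
    """(action, rule name) of the first matching rule, as ISA does; ISA's
    implicit last rule denies anything that no explicit rule matched."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, user, protocol):
            return rule.action, rule.name
    return "Deny", "Default rule"

def shadowed_rules(rules):
    """(shadowed rule, earlier rule) pairs where the earlier rule's user and
    protocol scope fully covers the later one, so the later one never fires."""
    ordered = sorted(rules, key=lambda r: r.order)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            users_covered = ALL_USERS in earlier.users or later.users <= earlier.users
            if users_covered and later.protocols <= earlier.protocols:
                found.append((later.name, earlier.name))
                break
    return found

WEB = frozenset({"HTTP", "HTTPS"})
# The mistake described in the text: the broad Allow precedes the narrow Deny.
WRONG_ORDER = [
    Rule(1, "Allow Internet for all", "Allow", frozenset({ALL_USERS}), WEB),
    Rule(2, "Deny Internet for Peter", "Deny", frozenset({"Peter"}), WEB),
]
# Corrected ordering: the specific Deny is evaluated first.
RIGHT_ORDER = [
    Rule(1, "Deny Internet for Peter", "Deny", frozenset({"Peter"}), WEB),
    Rule(2, "Allow Internet for all", "Allow", frozenset({ALL_USERS}), WEB),
]
```

With WRONG_ORDER, evaluate(WRONG_ORDER, "Peter", "HTTP") returns the Allow rule and shadowed_rules(WRONG_ORDER) names the Deny rule as unreachable; with RIGHT_ORDER Peter is denied and every other user is still allowed.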
- IP Addresses
The external interface and internal interfaces on the ISA firewall must belong to separate IP ranges. You cannot have internal and external interface IP addresses from the same IP range.
IP Spoofing: If an internal router splits the internal network into two (see diagram above) and the ISA Server sits in one of these networks, make sure that the ranges on both sides of the internal router are entered in the Internal network address range on ISA; otherwise traffic from the far subnet arrives on the internal NIC with a source address that ISA does not consider Internal, and it is dropped as spoofed. For example, if you have two internal (protected) networks, 192.168.2.0/24 and 10.10.0.0/16, separated by a router, and the ISA is at (say) 10.10.0.4, the Internal range on ISA should include 192.168.2.1-192.168.2.254 as well as 10.10.0.1-10.10.255.254.
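The two-subnet case above, worked through as an added example (not code from the original article or from ISA): the addresses are the ones the text uses, the sample packets are constructed, and the check mirrors the rule that a packet's source must belong to the network bound to the adapter it arrived on.

```python
# Added example, not from the original article: how ISA's spoof check treats
# the two-subnet layout described above. A packet that arrives on the internal
# NIC with a source address outside the Internal network definition is dropped
# as spoofed. Addresses follow the text; the packet list is constructed.
import ipaddress

def build_internal_network(ranges):
    """ranges are 'first-last' strings as typed into ISA's Internal network
    address range dialog, e.g. '10.10.0.1-10.10.255.254'."""
    network = []
    for r in ranges:
        first, last = (ipaddress.ip_address(x.strip()) for x in r.split("-"))
        network.append((first, last))
    return network

def in_internal(ip, internal):
    addr = ipaddress.ip_address(ip)
    return any(first <= addr <= last for first, last in internal)

def spoof_check(internal, packets):
    """Map each source IP to 'ok' or 'spoofed'. A source must belong to the
    network bound to the adapter it arrived on: Internal addresses on the
    internal NIC, anything else on the external NIC."""
    verdicts = {}
    for src, iface in packets:
        is_internal = in_internal(src, internal)
        expected = iface == "internal"
        verdicts[src] = "ok" if is_internal == expected else "spoofed"
    return verdicts

# Misconfigured: only the subnet ISA itself sits in (10.10.0.4) is listed.
INCOMPLETE = build_internal_network(["10.10.0.1-10.10.255.254"])
# Corrected: both subnets behind the internal router belong to Internal.
COMPLETE = build_internal_network(["192.168.2.1-192.168.2.254",
                                   "10.10.0.1-10.10.255.254"])

# Constructed sample traffic: (source IP, NIC it arrived on).
PACKETS = [("10.10.5.20", "internal"),    # host on ISA's own subnet
           ("192.168.2.77", "internal"),  # host behind the internal router
           ("203.0.113.9", "external")]   # Internet client (documentation range)

if __name__ == "__main__":
    print(spoof_check(INCOMPLETE, PACKETS))  # 192.168.2.77 is reported 'spoofed'
    print(spoof_check(COMPLETE, PACKETS))    # every source 'ok'
```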
- Installing a service on Port 80 of the ISA Server
Avoid installing any service that listens on port 80 of the ISA Server, as this port is used by the Web Proxy service. A common mistake is installing a website that listens on port 80 on the ISA Server. Usually this is the result of installing a third-party component with a web-based console (such as Trend Micro OfficeScan) on the ISA Server.
When another service is listening on port 80, Web Proxy may run into problems, or clients may be unable to reach the other service on port 80. A symptom of this problem is log entries under Logging in the Monitoring console where the Source Network, Destination Network and Protocol fields are blank, the Port field contains 80 and the Action field shows Failed Connection. The ISA console also generates an alert when this happens.
- SMTP Fix-Up: ISA and Cisco PIX
When using ISA behind Cisco PIX (ISA being a second firewall), make sure you disable SMTP fixup on the Cisco PIX if you plan to publish Exchange behind ISA (see diagram). This can be done by typing the following command at the Cisco PIX console:
no fixup protocol smtp 25
Note: SMTP Fixup prevents you from telnetting to port 25 when that port is NATed on the PIX to the ISA Server and then NATed (published) on the ISA Server to the Exchange Server. When you telnet in, the SMTP banner comes back as a string of asterisks (220*******************************************************0*2******0***********************2002*******2***0*00) instead of the Exchange greeting. This can be avoided by disabling SMTP fixup as explained above.
- FTP is allowed, but users can’t put files on the remote FTP server
You create a rule to Allow FTP from Internal to External so that your users can access FTP sites on the internet, but your users still can't write or delete files on the FTP server. That's because you have to explicitly allow it!
Right click on the rule and click Configure FTP. Clear the check mark next to Read Only.
- Care while Installing Windows 2003 Service Pack 1 / Service Pack 2 and the Scalable Networking Pack
You are running ISA Server 2004 Standard Edition. One fine day, you decide to install Windows 2003 Service Pack 1 on your ISA Server. Afterwards, RPC traffic is blocked: you may not be able to browse Active Directory for users from the ISA Server, and occasionally you get an error popup with RPC-related errors.
When you see these symptoms, it's time to install ISA Server 2004 Standard Edition Service Pack 1!
If you install Windows Server 2003 Service Pack 2 or the Scalable Networking Pack, make sure that you read my KB article 555958.
- Scheduling limitations that you need to be aware of
This is not a configuration mistake, but is something of an expectation that requires clarification. When you create a rule in the access policy that has a schedule (In the rule properties, select the Schedule tab), there are two things that you cannot do:
i. Once you have created a schedule and applied changes, you can’t edit it. You will probably need to create a new schedule object.
ii. Your schedule limits cannot be in half hours, i.e. you can configure a rule to apply between 2 PM and 3 PM but not between 2:30 PM and 3:30 PM.
- Common name on Certificates
When you issue certificates from your CA (or obtain a commercial certificate), the common name should be the published name, i.e. the DNS name that you would use to access the website/OWA/etc. from outside. For example, if you are publishing a server webserver01.mydomain.local and users will access it using the internet name www.shijaz.com, then your SSL certificate common name should be “www.shijaz.com”. Otherwise, your users will get a warning stating that “the name of the server does not match the name on the certificate”.
- More than one Default Gateway
Never specify more than one default gateway on the ISA Server. Do not specify the default gateway on both the internal and external NICs.
- DNS Server on more than one NIC
Never specify DNS on more than one NIC. For DNS best practices on ISA Server, see this article.
TIP: Keep a backup!
Keep an XML backup of your ISA configuration before you try out something with the access rules or the configuration. This will help you easily restore your ISA configuration in case you mess it up!
Also note that when you change the Network Template, you lose ALL your Access Rules and Network Rules!