Top 12 mistakes while configuring ISA Server

by Shijaz Abdulla on 03.05.2009 at 18:17

This article used to exist on www.shijaz.com before it was taken down in May 2009. Originally published in August 2007.


This article lists some of the common configuration mistakes and gives information on how to avoid them.

  1. There is no such thing as a single interface firewall

A firewall has a minimum of two network interfaces. This means you need at least *two* NICs in your ISA box if you want it to work as a firewall. Theoretically you can run ISA on a box with a single NIC, but that will do little to secure your network; at best you can use it as a proxy through which your users connect to the Internet.

Tom Shinder of isaserver.org says: “Deploying a single-NIC ISA Firewall is like giving a soldier a Desert Eagle .50 and no ammo.”

In short, you’re not using ISA as a real firewall if you don’t have two interfaces on it!

  2. Specify the default gateway on that published server!

You need to specify the internal IP address of the ISA server as the default gateway on the server that you want to publish through ISA, or make sure that appropriate static routes are in place so that replies return via ISA.

  3. Rules that contradict each other

As can be seen from the diagram below, ISA processes your access rules in the order that you specify them, i.e. rule #1 is processed first, then 2, 3, etc. If the current rule's conditions match the access requested by the user, ISA applies that rule's action (allow or deny) and skips all remaining rules. If the conditions do not match, it moves on to the next rule, and so on.

If you happen to place a rule that ‘allows internet access to all users’ BEFORE a rule that ‘denies internet access to Peter’, then Peter will still have internet access. It might look simple but these mistakes happen all the time.

[diagram: access rules are evaluated top to bottom, first match wins]
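The first-match behaviour described above can be reproduced in a few lines. The following is an added example, not code from the article or from ISA Server itself: it models a rule with only the fields needed here (users, protocol, source and destination networks), evaluates a request the way ISA does, and also flags rules that an earlier, broader rule makes unreachable. The policy at the bottom is the constructed "Peter" case from the text, in both the mistaken and the corrected order.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


# Hypothetical, simplified model of an ISA access rule: only the fields
# needed to show ordering matter here (real rules have many more).
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    users: Optional[FrozenSet[str]] = None       # None = "All Users"
    protocols: Optional[FrozenSet[str]] = None   # None = "All Outbound Traffic"
    src: str = "Internal"
    dst: str = "External"


@dataclass(frozen=True)
class Request:
    user: str
    protocol: str
    src: str = "Internal"
    dst: str = "External"


def rule_matches(rule: Rule, req: Request) -> bool:
    return (rule.src == req.src and rule.dst == req.dst
            and (rule.users is None or req.user in rule.users)
            and (rule.protocols is None or req.protocol in rule.protocols))


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First-match evaluation, as ISA does it: the first rule whose
    conditions fit decides; later rules are never consulted."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    # Nothing matched: ISA's built-in last rule ("Default rule") denies everything.
    return "deny", "Default rule"


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every request `narrow` could match would already match `broad`."""
    users_ok = broad.users is None or (narrow.users is not None and narrow.users <= broad.users)
    protos_ok = broad.protocols is None or (
        narrow.protocols is not None and narrow.protocols <= broad.protocols)
    return broad.src == narrow.src and broad.dst == narrow.dst and users_ok and protos_ok


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [rule.name for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]


# Constructed policy: the mistaken order from the text, and the corrected one.
ALLOW_ALL = Rule("Allow Internet to all users", "allow")
DENY_PETER = Rule("Deny Internet to Peter", "deny", users=frozenset({"Peter"}))
WRONG_ORDER = [ALLOW_ALL, DENY_PETER]
RIGHT_ORDER = [DENY_PETER, ALLOW_ALL]

if __name__ == "__main__":
    peter = Request("Peter", "HTTP")
    print(evaluate(WRONG_ORDER, peter))   # ('allow', 'Allow Internet to all users')
    print(evaluate(RIGHT_ORDER, peter))   # ('deny', 'Deny Internet to Peter')
    print(shadowed_rules(WRONG_ORDER))    # ['Deny Internet to Peter']
```

`shadowed_rules` is the check worth running after every policy change: a deny rule that appears in the list is one that will never be consulted, exactly the situation the text warns about.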

  4. IP Addresses

[diagram: ISA with an internal router splitting the internal network into two subnets]

The external interface and internal interfaces on the ISA firewall must belong to separate IP ranges. You cannot have internal and external interface IP addresses from the same IP range.

IP Spoofing: If an internal router splits the internal network into two (see diagram above) and ISA Server sits in one of these networks, make sure that the ranges on both sides of the internal router are entered in the Internal network address range on ISA; otherwise packets from the far side arrive on the internal NIC with a source address outside the Internal network definition and ISA treats them as spoofed. For example, if you have two internal (protected) networks 192.168.2.0/24 and 10.10.0.0/16 separated by a router, and the ISA is at (say) 10.10.0.4, the Internal range on ISA should include 192.168.2.1-192.168.2.254 as well as 10.10.0.1-10.10.255.254.
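Both checks in this section (no overlap between the external and internal interface subnets, and an Internal network definition that covers every subnet behind the internal router) can be verified with the standard library before touching the ISA console. This is an added example, not code from the article or from ISA; the subnets and the 10.10.0.4 address are the constructed ones from the text, and the spoofing rule it models is the ISA behaviour the paragraph describes: a packet is treated as spoofed when its source address is not inside the definition of the network its receiving NIC belongs to.

```python
import ipaddress
from typing import Iterable, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def interfaces_overlap(internal_if: str, external_if: str) -> bool:
    """True if the two NICs' subnets overlap, which ISA does not allow."""
    a = ipaddress.ip_interface(internal_if).network
    b = ipaddress.ip_interface(external_if).network
    return a.overlaps(b)


def isa_ranges(subnets: Iterable[str]) -> List[Range]:
    """Express each subnet as the first-host..last-host range that an ISA
    network definition uses (assumes masks of /30 or shorter)."""
    out = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        out.append((net[1], net[-2]))   # skip network and broadcast addresses
    return out


def in_network(ip: str, ranges: List[Range]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in ranges)


def is_spoofed(src_ip: str, arriving_network: List[Range]) -> bool:
    """ISA drops, and logs as IP spoofing, a packet whose source address is
    not within the definition of the network the receiving NIC belongs to."""
    return not in_network(src_ip, arriving_network)


def format_ranges(ranges: List[Range]) -> List[str]:
    return ["%s-%s" % (lo, hi) for lo, hi in ranges]


# Constructed: the two protected subnets from the text, ISA at 10.10.0.4.
COMPLETE_INTERNAL = isa_ranges(["192.168.2.0/24", "10.10.0.0/16"])
INCOMPLETE_INTERNAL = isa_ranges(["10.10.0.0/16"])   # far side of the router forgotten

if __name__ == "__main__":
    print(format_ranges(COMPLETE_INTERNAL))
    # A host behind the internal router: fine with the complete definition,
    # dropped as spoofed with the incomplete one.
    print(is_spoofed("192.168.2.50", COMPLETE_INTERNAL),
          is_spoofed("192.168.2.50", INCOMPLETE_INTERNAL))
    print(interfaces_overlap("10.10.0.4/16", "203.0.113.2/29"))
```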

  5. Installing a service on Port 80 of the ISA Server

Avoid installing any service that listens on port 80 of the ISA Server, as this port is used by the Web Proxy service. A common mistake is installing a website that listens on port 80 on the ISA Server, usually as a side effect of installing certain third-party components on the ISA Server (like Trend Micro OfficeScan, which has a web-based console).

When another service is listening on port 80, the Web Proxy may run into problems, or clients may be unable to access that other service. A symptom of this problem is seeing entries under Logging in the Monitoring console where the Source Network, Destination Network and Protocol fields are blank but the Port field contains 80 and the Action field shows Failed Connection. The ISA console also generates an alert when this happens.

  6. SMTP Fix-Up: ISA and Cisco PIX

When using ISA behind a Cisco PIX (ISA being the second firewall), make sure you disable SMTP fixup on the Cisco PIX if you plan to publish Exchange behind ISA (see diagram). This can be done by typing the following commands at the Cisco PIX console:

no fixup protocol smtp 25

write mem

Note: SMTP fixup prevents you from telnetting to port 25 where that port is NATed on the PIX to the ISA Server and then NATed (published) on the ISA Server to the Exchange Server. When a telnet attempt is made, you get asterisks in the output instead of the normal banner (220*******************************************************0*2******0***********************2002*******2***0*00). This can be avoided by disabling SMTP fixup as explained above.

  7. FTP is allowed, but users can’t put files on the remote FTP server

You create a rule to allow FTP from Internal to External so that your users can access FTP sites on the internet. But your users still can’t write or delete files on the FTP server? That is because you have to explicitly permit it!

Right click on the rule and click Configure FTP. Clear the check mark next to Read Only.

  8. Care while Installing Windows 2003 Service Pack 1 / Service Pack 2 and the Scalable Networking Pack

You are running ISA Server 2004 Standard Edition. One fine day, you decide to install Windows 2003 Service Pack 1 on your ISA Server. Afterwards, RPC traffic is blocked: you may not be able to browse Active Directory for users from the ISA Server, and occasionally you get error popups for RPC-related errors.

When you see these symptoms, it’s time to install ISA Server 2004 Standard Edition Service Pack 1!

If you install Windows Server 2003 Service Pack 2 or the Scalable Networking Pack, make sure that you read my KB article 555958.

  9. Scheduling limitations that you need to be aware of

This is not a configuration mistake, but an expectation that needs clarifying. When you create a rule in the access policy that has a schedule (in the rule properties, select the Schedule tab), there are two things that you cannot do:

i. Once you have created a schedule and applied changes, you can’t edit it. You will probably need to create a new schedule object.

ii. Your schedule limits cannot be in half hours, i.e. you can configure a rule to apply between 2 PM to 3 PM but not between 2.30 PM to 3.30 PM.

  10. Common name on Certificates

When you issue certificates from your CA (or obtain a commercial certificate), the common name should be the published name, i.e. the DNS name that users would use to access the website/OWA/etc. from outside. For example, if you are publishing a server webserver01.mydomain.local, and users will access this using the internet name www.shijaz.com, then your SSL certificate common name should be “www.shijaz.com”. Otherwise, your users will get a warning stating that “the name of the server does not match the name on the certificate”.
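The comparison that the browser performs, and that you can run against a certificate before installing it on the listener, is a DNS name match between the name users type and the names on the certificate. The following is an added example, not code from the article: it pulls the CN out of a subject string, accepts DNS names from the Subject Alternative Name extension as well, and handles the one-label wildcard case (`*.shijaz.com` matches `www.shijaz.com` but not `shijaz.com`). The names used are the constructed ones from the text.

```python
from typing import Iterable, List, Tuple


def subject_common_name(subject: str) -> str:
    """Extract CN from a comma-separated subject such as
    'CN=www.example.com, OU=IT, O=Example'. Returns '' if absent."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def hostname_matches(published: str, cert_name: str) -> bool:
    """Case-insensitive DNS name comparison. A leading '*.' matches exactly
    one label: '*.example.com' covers www.example.com, not example.com
    and not a.b.example.com."""
    p = published.lower().rstrip(".")
    c = cert_name.lower().rstrip(".")
    if c.startswith("*."):
        head, _, tail = p.partition(".")
        return bool(head) and tail == c[2:]
    return p == c


def certificate_fits(published: str, subject: str,
                     sans: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Does any name on the certificate (CN or a DNS SAN entry) match the
    name users type from outside? Returns the verdict and the names checked."""
    names = [n for n in [subject_common_name(subject), *sans] if n]
    return any(hostname_matches(published, n) for n in names), names


if __name__ == "__main__":
    # Constructed: the certificate was issued for the internal server name,
    # so users connecting to the published name get the mismatch warning.
    print(certificate_fits("www.shijaz.com", "CN=webserver01.mydomain.local, O=My Domain"))
    print(certificate_fits("www.shijaz.com", "CN=www.shijaz.com, O=My Domain"))
```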

  11. More than one Default Gateway

Never specify more than one default gateway on the ISA Server. Do not specify the default gateway on both the internal and external NICs.

  12. DNS Server on more than one NIC

Never specify DNS on more than one NIC. For DNS best practices on ISA Server, see this article.
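Mistakes 11 and 12 are both visible in `ipconfig /all` output, so they can be caught by a small lint of that output rather than by clicking through each NIC's properties. The following is an added example, not code from the article: it parses the adapter sections of `ipconfig /all` as printed by Windows Server 2003 (IPv4 only; DNS server lists that continue on following lines are handled) and reports when more than one adapter has a default gateway or DNS servers configured. Both samples are constructed; the "good" one places the default gateway only on the external NIC and DNS only on the internal NIC, which is the usual ISA placement and an assumption beyond what the two paragraphs state.

```python
from typing import Dict, List

# Constructed output in the layout Windows Server 2003 prints for `ipconfig /all`.
BAD_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa01
   Primary Dns Suffix  . . . . . . . : mydomain.local

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 203.0.113.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DNS Servers . . . . . . . . . . . : 10.10.0.10
                                       10.10.0.11
"""

# Constructed: gateway only on the external NIC, DNS only on the internal NIC.
GOOD_IPCONFIG = """\
Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.1

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 10.10.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.10.0.10
"""


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map adapter name -> {setting name: [values]}. Lines outside an
    'adapter' section (the global header) are ignored."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Section header such as "Ethernet adapter Internal:".
            if line.endswith(":") and " adapter " in line:
                current = line[:-1].split(" adapter ", 1)[1]
                adapters[current] = {}
            else:
                current = None
            last_key = None
            continue
        if current is None:
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            key = key.replace(".", "").strip()     # drop the dot leaders
            value = value.strip()
            adapters[current].setdefault(key, [])
            if value:
                adapters[current][key].append(value)
            last_key = key
        elif last_key:
            # Continuation line: extra DNS server listed under the previous key.
            adapters[current][last_key].append(line.strip())
    return adapters


def lint_adapters(adapters: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Findings for mistakes 11 and 12: a setting present on more than one NIC."""
    findings = []
    with_gateway = [n for n, a in adapters.items() if a.get("Default Gateway")]
    if len(with_gateway) > 1:
        findings.append("default gateway set on more than one NIC: " + ", ".join(with_gateway))
    with_dns = [n for n, a in adapters.items() if a.get("DNS Servers")]
    if len(with_dns) > 1:
        findings.append("DNS servers set on more than one NIC: " + ", ".join(with_dns))
    return findings


if __name__ == "__main__":
    for finding in lint_adapters(parse_ipconfig(BAD_IPCONFIG)):
        print("WARNING:", finding)
    print(lint_adapters(parse_ipconfig(GOOD_IPCONFIG)))   # []
```

On a live box, feed the real output in with `parse_ipconfig(open("ipconfig.txt").read())` after saving `ipconfig /all > ipconfig.txt`; the parser only looks at the adapter sections, so the global header is harmless.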

TIP: Keep a backup!

Keep an XML backup of your ISA configuration before you try out something with the access rules or the configuration. This will help you easily restore your ISA configuration in case you mess it up!

Also note that when you change the Network Template, you lose ALL your Access Rules and Network Rules!


2 Responses to Top 12 mistakes while configuring ISA Server

  1. Ahmed says:

    I have a problem with the network share on ISA Server: the copy starts and some files are transferred, then it stops with a faded icon with a grey X (like that of offline files).

  2. Abid says:

    I am trying to allow access to our private network, which is already in sort of a metro VPN with its own firewall/router.

    I wanna have 2 NICs on the ISA, 1 for internet access so ppl can VPN, and route all VPN traffic to the private network’s gateway and onward to global resources..

    Any ideas how to put this into action?
    **Note: my experience is limited to administration of AD and other kinds of servers… not networking, so layman’s terms are very appreciated lol
