The ISA 2004 Firewall ISP Co-location Configuration

[Published on 18 July 2004 / Last Updated on 20 May 2013]

One of the more unusual configuration options for the ISA firewall is what I call the "ISP co-location" configuration. I wrote about this configuration for the ISA Server 2000 firewall in an article Configuring an ISP Co-located Web/SMTP/ISA Server. I called this an ISP co-location configuration because in an ISP co-lo environment you typically don’t have the option to install a server with multiple interfaces. So, if you want to run your ISP co-located Web, FTP and SMTP server, you need to do it with a single NIC. Check out this article for how to create the single NIC colo config with your ISA 2004 firewall.


By Thomas W Shinder M.D., MVP

Got questions? Discuss this article over at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000025



This is an interesting configuration because the question is whether the ISA 2004 firewall software can be used effectively to protect the publicly accessible resources on the ISP co-located machine. If you’ve been following this space, you know that I strongly recommend against installing extraneous software on the ISA 2004 firewall. Each extraneous application or service installed on the ISA 2004 firewall increases the attack surface on the firewall and increases the chance of compromising resources on the ISA firewall.

However, the ISP co-located setup is a bit different. The ISP will usually provide some rudimentary stateful filtering support, such as that provided by a PIX or Netscreen. While these firewalls provide network layer filtering, they fall down when it comes to the task of strong stateful application layer inspection. For this reason, you may be able to gain some significant benefits from using the ISA 2004 firewall software on the co-located Web, FTP and SMTP server.

While I refer to this as the ISP co-location configuration, you can also use it in other scenarios. For example, suppose you want to bring a powerful ISA 2004 stateful application layer inspection firewall into your network. The problem is that you have to deal with people who have swallowed the Myth of the Hardware Firewall, hook, line and sinker (check out http://isaserver.org/articles/2004tales.html for more information on this subject). One way to get your ISA 2004 firewall into the mix is to put the ISA 2004 firewall in a DMZ segment between the two "hardware" firewalls. By using the ISA 2004 firewall in an ISP co-location configuration in the DMZ, you’ll be able to get real stateful application layer inspection protection while mollifying the "hardware" firewall guys’ flagging egos.

The ISP co-location configuration uses a single physical NIC and a second "virtual" NIC. The virtual NIC is the Microsoft loopback adapter. The loopback adapter isn’t connected to an actual physical NIC, but you can configure the loopback adapter with IP addressing information in the same way you configure a physical NIC. The ISA 2004 firewall software sees the loopback adapter as a physical interface and you can use this interface to support publishing scenarios.

The reason for installing the virtual NIC in the ISA 2004 firewall is so that you can "trick" the firewall into thinking it’s acting as a firewall. You could install a single NIC in the ISA 2004 firewall, but then you lose a significant amount of firewall functionality, because the ISA 2004 firewall software will assume that you want to run the firewall in Web Proxy mode only. In contrast, when you install the loopback adapter on the ISA 2004 firewall, the firewall software recognizes this as an actual interface and you can then fully leverage the strong stateful application layer inspection provided by the ISA 2004 firewall software.

In this article we’ll focus on the ISP co-location configuration. The figure below shows the lab setup you can use with your VMware or Virtual PC virtual networks to perform the proof of concept testing for this setup. You can test the configuration from a host on the same segment at the physical interface of the ISA 2004 firewall, or you can test from a host that’s on the WAN side of your Internet router.

The loopback adapter is assigned a bogus address. In the example discussed in this article, we’ll use the IP address 10.0.0.1/24. Note that the bogus internal interface does not have a DNS or default gateway address assigned.

The external interface of the ISA 2004 firewall has a real IP address and a default gateway. This configuration is important because the external IP address must be reachable, and the default gateway address is required so that the ISA 2004 firewall can respond to requests made by Internet hosts. The DNS server address should be that of a DNS server that can resolve Internet host names, because the co-located ISA 2004 firewall/Web/FTP/SMTP server needs to be able to resolve Internet MX domain names to send outbound mail. Note that you can also use the ISA 2004 firewall’s SMTP Message Screener in this configuration.

If you plan to use this design in a DMZ configuration where the ISA 2004 firewall is located between two so-called "hardware" firewalls, I recommend that the relationship between the DMZ segment and the back-end firewall be a route relationship and not a NAT relationship.

You will perform the following steps to make this configuration work:

  • Install the loopback adapter on the machine that will be the co-located ISA 2004 firewall and configure its IP addressing information
  • Install the IIS services on the machine that will be the co-located ISA 2004 firewall, disable socket pooling for those services and bind the services to the IP address on the loopback interface
  • Install the ISA 2004 firewall software
  • Disable the Web Proxy and Firewall client listeners on the Internal interface
  • Create the Web and Server Publishing Rules
  • Create an Access Rule that allows SMTP outbound from the Local Host Network to the External Network
  • Test the Configuration

Note:
About 98% of the articles on this site describe procedures that I use to implement real-world installation and configuration for ISA firewalls. However, about 2% of the articles represent what I consider "lab experiments". These lab experiment articles show the procedures required to get the job done, but have not been tested by me or anyone else I know in a production environment. It is extremely important to note that the reason why I provide a lab setup for most articles is so that you can perform the procedures in your own lab before implementing them in your own production environment. I hope that I have not given the ISAServer.org community the false impression that all the articles on this site are lab setups only, because that is not the case. The overwhelming majority of the content I provide on this site has withstood production network testing.

Install the loopback adapter on the machine that will be the co-located ISA 2004 firewall and configure its IP addressing information

The first step (after installing Windows Server 2003 on a machine with a single NIC) is to install the Microsoft loopback adapter. This is a painless procedure and is done using the Add/Remove Hardware applet.

Perform the following steps to add the loopback adapter:

  1. On the ISA 2004 firewall machine, click Start and point to Control Panel. Click Add Hardware.
  2. On the Welcome to the Add Hardware Wizard page, click Next.
  3. On the Is the hardware connected page, select the Yes, I have already connected the hardware option. Click Next.
  4. On the The following hardware is already installed on your computer page, select the Add a new hardware device option from the Installed hardware list. Click Next.
  5. On the The wizard can help you install other hardware page, select the Install the hardware that I manually select from a list (Advanced) option. Click Next.
  6. On the From the list below, select the type of hardware you are installing page, select the Network adapters option and click Next.
  7. On the Select Network Adapter page, select the Microsoft entry from the Manufacturer list. Click the Microsoft Loopback Adapter entry from the Network Adapter list. Click Next.

  8. On the The wizard is ready to install your hardware page, click Next.
  9. Click Finish on the Completing the Add Hardware Wizard page.
  10. Right click the My Network Places icon on the desktop and click Properties.
  11. Right click on the adapter representing the loopback adapter entry on the Network Connections page. Click Properties.
  12. On the adapter’s Properties dialog box, select the Internet Protocol (TCP/IP) from the This connection uses the following items list. Click Properties.
  13. On the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following IP address option and enter 10.0.0.1 in the IP address text box. Enter 255.255.255.0 in the Subnet mask text box. Click OK.
  14. Click OK in the adapter’s Properties dialog box.

Install the IIS services on the machine that will be the co-located ISA 2004 firewall, disable socket pooling for those services and bind the services to the IP address on the loopback interface

Now we’re ready to install the IIS services. In this example, we’ll install the IIS World Wide Web (W3SVC or WWW service), the FTP service and the SMTP service. Many of you might be interested in other services that are included with Microsoft Exchange, but I consider installing Microsoft Exchange on the same machine as the ISA 2004 firewall as "going over the top". If you want the Exchange Server fully protected by the ISA 2004 firewall, then put the Exchange Server behind the ISA 2004 firewall and make special arrangements with your co-lo facility.

Perform the following steps to install the IIS services on the ISA 2004 firewall machine:

  1. On the ISA 2004 firewall machine, click Start and point to Control Panel. Click the Add or Remove Programs link.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the page.
  3. On the Windows Components page, select the Application Server entry in the Components list, then click Details.
  4. In the Application Server dialog box, select the Internet Information Services (IIS) entry in the Subcomponents of Application Server list and click Details.
  5. In the Internet Information Services (IIS) dialog box, put a checkmark in the File Transfer Protocol (FTP) Service, SMTP Service and World Wide Web Service checkboxes. Click OK.
  6. Click OK in the Application Server dialog box.
  7. Click Next on the Windows Components page.
  8. Click OK in the Insert Disk dialog box.
  9. In the Files Needed dialog box, enter the path to the Windows Server 2003 i386 folder in the Copy files from text box. Click OK.
  10. Click Finish on the Completing the Windows Components Wizard page.

The next step is to disable socket pooling for each of these services. Socket pooling allows the IIS services to listen on the same port number on all interfaces. This has some performance advantages for dedicated IIS machines. However, socket pooling is the death knell for IIS services machines that also run the ISA 2004 firewall software. In order to get our Web and Server Publishing solutions working on the ISA 2004 firewall, we need to disable socket pooling before configuring the services to listen on the internal IP address (the IP address assigned to the loopback adapter) of the ISA 2004 firewall.

Perform the following steps to disable socket pooling for the IIS WWW service:

  1. On the Windows Server 2003 installation CD-ROM, locate the \SUPPORT\TOOLS folder and copy that to the local hard disk on the ISA 2004 firewall.
  2. In the SUPPORT folder copied to the hard disk of the ISA 2004 firewall, double click the SUPTOOLS.MSI file.
  3. Click Next on the Welcome to the Windows Support Tools Setup Wizard page.
  4. Select the I Agree option on the End User License Agreement page.
  5. Enter your user information on the User Information page.
  6. Use the default directory on the Destination Directory page and click Install Now.
  7. Click Finish on the Completing the Windows Support Tools Setup Wizard page.
  8. Click Start and then click Run. In the Run dialog box, enter cmd in the Open text box and click OK.
  9. At the command prompt, enter httpcfg set iplisten -i 10.0.0.1 and press ENTER. You will see the response HttpSetServiceConfiguration completed with 0.
  10. At the command prompt, enter httpcfg query iplisten and press ENTER. You will see what appears in the figure below (note in the figure that I made a typo on the first query; that’s why I think the command line "blows", I never make a typo when selecting a menu option ;-)).

Now let’s disable socket pooling for the IIS FTP service:

  1. At the command prompt, enter net stop msftpsvc and press ENTER.
  2. At the command prompt, navigate to the \InetPub\Adminscripts folder. Enter cscript adsutil.vbs set /msftpsvc/1/DisableSocketPooling 1 and press ENTER. You will see what appears in the figure below.

  3. At the command prompt, enter net start msftpsvc and press ENTER.

The other service that needs socket pooling whacked is the SMTP service. Perform the following steps to disable socket pooling for the IIS SMTP service:

  1. At the command prompt, enter net stop smtpsvc and press ENTER.
  2. At the command prompt, navigate to the \InetPub\Adminscripts folder. Enter cscript adsutil.vbs set /smtpsvc/1/DisableSocketPooling 1 and press ENTER. You will see what appears in the figure below.

  3. At the command prompt, enter net start smtpsvc and press ENTER.

Now let’s bind the WWW, FTP and SMTP services to the internal IP address of the ISA 2004 firewall:

  1. On the ISA 2004 firewall, click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node and right click on the Default Web Site and click Properties.
  3. In the Default Web Site Properties dialog box, click the Web Site tab. In the IP address drop down box, select 10.0.0.1. Click Apply and then click OK.

  4. Expand the FTP Sites folder and right click the Default FTP Site and click Properties.
  5. In the Default FTP Site Properties dialog box, click the FTP Site tab. On the FTP Site tab, select 10.0.0.1 from the IP address list. Click Apply and then click OK.
  6. Right click the Default SMTP Virtual Server and click Properties.
  7. In the Default SMTP Virtual Server Properties dialog box, click the General tab. Select 10.0.0.1 from the IP address drop down list.
  8. Click the Access tab. On the Access tab, click the Authentication button in the Access Control frame.
  9. In the Authentication dialog box, place a checkmark in the Integrated Windows Authentication checkbox. This will allow users who authenticate to relay through the published SMTP server. Note that this will not be an open SMTP relay. Unauthenticated users will not be able to relay through this published SMTP server. Mail sent to remote domains you configure on this SMTP server will not require authentication. This allows Internet SMTP servers to send mail to this machine without authenticating. For example, you might want to host relay services for MX domains for your customers. You can use the remote domains to forward mail to their servers; when their servers are down, your SMTP server can host mail until their servers come back online. Click OK.
  10. Click Apply and then click OK.
  11. In the left pane of the IIS console, right click on the server name, point to All Tasks and click Restart IIS.
  12. In the Stop/Start/Restart dialog box, select the Restart Internet Services on <servername> and click OK.

  13. Open a Command Prompt window. At the command prompt enter netstat -na and press ENTER. Notice that TCP ports 21, 25 and 80 are listening on IP address 10.0.0.1. We know that socket pooling is disabled for these ports (services) because they are not listening on address 0.0.0.0.
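A quick way to confirm that netstat check without eyeballing the output is to parse it and classify each published port. The Python script below is an added example, not part of the original article and not an ISA Server or IIS tool; the netstat -na output it parses is constructed for the example and mirrors the state expected after the rebinding above (ports 21, 25 and 80 on 10.0.0.1), plus a second variant in which the WWW service is still pooled on 0.0.0.0.

```python
"""Verify that the IIS WWW, FTP and SMTP listeners are bound to the loopback
adapter address only (socket pooling disabled) by parsing `netstat -na` output."""
import re

# Constructed sample of `netstat -na` output from the co-located machine after
# socket pooling was disabled and the three services were rebound to 10.0.0.1.
# 192.168.1.70 is the address on the physical (external) NIC.
NETSTAT_OK = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:21            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:25            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    192.168.1.70:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.70:3389      192.168.1.172:1055     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample where socket pooling is still on for the WWW service:
# HTTP.sys owns port 80 on the wildcard address, so the ISA Web listener on the
# external interface could never bind port 80 for itself.
NETSTAT_POOLED = NETSTAT_OK.replace("10.0.0.1:80", "0.0.0.0:80")

IIS_PORTS = {21: "FTP (msftpsvc)", 25: "SMTP (smtpsvc)", 80: "WWW (w3svc)"}

# Matches only TCP sockets in LISTENING state; established connections and UDP
# entries are ignored.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def parse_tcp_listeners(netstat_output):
    """Return a list of (address, port) pairs for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def check_socket_pooling(netstat_output, expected_ip="10.0.0.1", ports=IIS_PORTS):
    """Classify each published service port as 'bound', 'wildcard' or 'missing'.

    'wildcard' means the service still listens on 0.0.0.0 (socket pooling enabled),
    which conflicts with the ISA listeners on the external interface; 'missing'
    means nothing listens on that port at the expected loopback address."""
    listeners = parse_tcp_listeners(netstat_output)
    result = {}
    for port in ports:
        addrs = {addr for addr, p in listeners if p == port}
        if "0.0.0.0" in addrs:
            result[port] = "wildcard"
        elif expected_ip in addrs:
            result[port] = "bound"
        else:
            result[port] = "missing"
    return result


def all_services_bound(netstat_output, expected_ip="10.0.0.1"):
    """True only when every published service listens solely on the loopback address."""
    return all(v == "bound" for v in check_socket_pooling(netstat_output, expected_ip).values())


if __name__ == "__main__":
    for label, sample in (("after rebinding", NETSTAT_OK), ("pooling still on", NETSTAT_POOLED)):
        print(label)
        for port, status in sorted(check_socket_pooling(sample).items()):
            print(f"  port {port:>3} {IIS_PORTS[port]:<16} {status}")
```

On the real machine you would feed the script the saved output of netstat -na rather than the embedded sample; any port reported as wildcard means the corresponding httpcfg or adsutil.vbs step above did not take effect.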

Install the ISA 2004 firewall software

The loopback adapter is installed, the IIS services are installed and configured and socket pooling has been disabled. Now we’re finally ready to install the ISA 2004 firewall software.

Perform the following steps to install the ISA 2004 firewall software:

  1. Double click the isaautorun.exe file on the ISA Server 2004 CD-ROM. On the autorun page, click the Install ISA Server 2004 link.
  2. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
  3. On the License Agreement page, select the I accept the terms in the license agreement option. Click Next.
  4. On the Customer Information page, enter your User name, Organization and Product Serial Number. Click Next.
  5. On the Setup type page, select the Complete option and click Next.
  6. On the Internal Network page, click the Add button.
  7. In the address ranges dialog box, click the Select Network Adapter button.
  8. In the Select Network Adapter dialog box, remove the checkmark from the Add the following private ranges… checkbox. Put a checkmark in the checkbox to the left of loopback adapter in the adapter list. Click OK.

  9. Click OK in the Setup Message dialog box informing you that the Internal network was defined based on the ISA 2004 firewall’s routing table.
  10. Click OK in the address ranges dialog box.
  11. Click Next on the Internal Network page.

  12. Accept the default setting on the Firewall Client Connection Settings page. Click Next.
  13. Click Next on the Services page.
  14. Click Install on the Ready to Install the Program page.
  15. Click Finish on the Installation Wizard Completed page.
  16. Click Yes on the Microsoft ISA Server page informing you that you must restart the firewall.
  17. Log on as administrator after the ISA 2004 firewall restarts. Close the Protect the ISA Server Computer Web browser window that opens after you log on.

Disable the Web Proxy and Firewall client listeners on the Internal interface

Since there is no actual Internal network, and no Internal network clients, there is no reason to enable the Web Proxy and Firewall client listeners. These listeners have the potential for causing conflicts with Web publishing rules and could use resources that we’d rather have available to the services hosted on the ISA 2004 firewall. For these reasons we will disable the Firewall client and Web Proxy listeners on the Internal network.

Perform the following steps to disable the Web Proxy and Firewall client listeners on the Internal interface:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name in the left pane. Expand the Configuration node and click on the Networks node.
  2. On the Networks node, click on the Networks tab in the Details pane. Right click on the Internal network and click Properties.
  3. In the Internal Properties dialog box, click the Web Proxy tab.
  4. On the Web Proxy tab, remove the checkmark from the Enable Web Proxy clients checkbox.
  5. Click on the Firewall Client tab.
  6. On the Firewall Client tab, remove the checkmark from the Enable Firewall client support for this network checkbox.

  7. Click Apply and then click OK in the Internal Properties dialog box.

Create the Web and Server Publishing Rules

In order for remote users to access the services located on the ISA 2004 firewall, we must use Web and/or Server Publishing Rules. Web Publishing Rules are used to publish Web protocols. The Web protocols are HTTP and HTTPS (SSL). Although not strictly considered a Web protocol, you can also publish download-only FTP sites using Web Publishing Rules. All other services must use Server Publishing Rules. Both Web and Server Publishing Rules expose the incoming connections to the ISA 2004 firewall’s deep, stateful application layer inspection mechanisms.

We will create one Web Publishing Rule and two Server Publishing Rules. The Web Publishing Rule will be used to allow remote connections to the Web server located on the ISA 2004 firewall, and the Server Publishing Rules will be used to allow remote connections to the SMTP and FTP services.

In the following example, the Web Publishing Rule will allow us to connect to the Web site using the external IP address of the ISA 2004 firewall. However, I want to strongly emphasize to you that you should not publish Web sites using the IP address on the external interface of the ISA firewall as its "public" name. If you do this, users will be able to access the published Web site using the IP address, instead of the FQDN of your site. Allowing access to your Web site via an IP address potentially exposes you to worms and other anonymous scan-based attacks. In fact, I recommend that you never allow published sites to be accessible via an IP address. However, I’m lazy and don’t want to go into the details of how to set up the DNS or HOSTS file entries required for a secure solution. I’ve gone into those details in many of the other publishing articles I’ve done on this site.

Perform the following steps to create the Web Publishing Rule:

  1. In this Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
  2. On the Tasks tab in the Task Pane, click the Publish a Web Server link.
  3. On the Welcome to the New Web Publishing Rule Wizard page, enter Web Server in the Web publishing rule name text box. Click Next.
  4. On the Select Rule Action page, select the Allow option and click Next.
  5. On the Define Website to Publish page, enter the IP address that the Web server listens on in the Computer name or IP address text box. In this example, the Web server is listening on IP address 10.0.0.1, so we enter that value into the text box. In the Path text box, enter /*. Click Next.

  6. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for drop down list. In the Public name text box, enter the IP address on the external interface of the ISA 2004 firewall. Note that we are using the IP address for the public name for demonstration purposes only. I recommend that you never publish a publicly accessible Web site in a way that can be accessed via its IP address. In the Path (optional) text box, enter /*. Click Next.

  7. On the Web Listener page, select a Web listener from the Web listener list. If you do not have a Web listener configured, then you will need to create one. In this example we have not yet created any Web listeners. To create a new Web listener, click the New button.
  8. On the Welcome to the New Web Listener Wizard page, enter HTTP Listener in the Web listener name text box. Click Next.
  9. On the IP Addresses page, put a checkmark in the External checkbox. This setting will allow the ISA 2004 firewall to accept incoming requests to this Web listener on all addresses bound to the external interface. Click Next.
  10. On the Port Specification page, accept the default settings. The Enable HTTP checkbox should be selected and the HTTP port should be set at 80. Click Next.
  11. Click Finish on the Completing the New Web Listener Wizard page.
  12. Click Next on the Select Web Listener page. Notice that the Web listener we created now appears in the Web listener drop down list.

  13. On the User Sets page, select the default option, All Users, and click Next.
  14. Review your settings on the Completing the New Web Publishing Rule Wizard page and click Finish.
  15. Click Apply to save the changes and update the firewall policy.
  16. Click OK in the Apply New Configuration dialog box.

The next step is to create the SMTP Server Publishing Rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab on the Task Pane. Click the Create a New Server Publishing Rule link.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter SMTP Server in the Server publishing rule name text box and click Next.
  4. On the Select Server page, enter the IP address that the SMTP service on the ISA 2004 firewall listens on. In this example, the IP address is 10.0.0.1 and we’ll enter that value into the text box. Click Next.
  5. On the Select Protocol page, select the SMTP Server entry in the Selected protocol list. Click Next.

  6. On the IP Addresses page, put a checkmark in the External checkbox. This allows the ISA 2004 firewall to accept incoming connections to any IP address bound to the external interface of the firewall. Click Next.
  7. Click Finish on the Completing the New Server Publishing Rule Wizard page.

Now we’ll complete our publishing rules with an FTP Server Publishing Rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab on the Task Pane. Click the Create a New Server Publishing Rule link.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter FTP Server in the Server publishing rule name text box and click Next.
  4. On the Select Server page, enter the IP address that the FTP service on the ISA 2004 firewall listens on. In this example, the IP address is 10.0.0.1 and we’ll enter that value into the text box. Click Next.
  5. On the Select Protocol page, select the FTP Server entry in the Selected protocol list. Click Next.

  6. On the IP Addresses page, put a checkmark in the External checkbox. This allows the ISA 2004 firewall to accept incoming connections to any IP address bound to the external interface of the firewall. Click Next.
  7. Click Finish on the Completing the New Server Publishing Rule Wizard page.
  8. Click Apply to save the changes and update the firewall policy.
  9. Click OK in the Apply New Configuration dialog box.

Create an Access Rule that allows SMTP outbound from the Local Host Network to the External Network

In the current example the SMTP service is configured to allow authenticated users to relay through it to other e-mail domains. The ISA 2004 firewall must be configured with an Access Rule that allows outbound access from the Local Host Network to the External Network so that it can forward the SMTP messages to Internet SMTP servers. Note that we are not allowing anonymous SMTP relay. Anonymous SMTP relays can be used by spammers to send spam through your SMTP server. The result can be excessive bandwidth usage and cost, and even worse, being placed on a blacklist by a dreaded RBLer.

Perform the following steps to create the SMTP outbound access rule from the ISA 2004 firewall:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Firewall Policy node and then click the Tasks tab on the Task Pane. Click the Create New Access Rule link.
  2. In the Welcome to the New Access Rule Wizard page, enter Outbound SMTP in the Access Rule name text box. Click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  5. In the Add Protocols dialog box, click the Common Protocols folder and then double click on the SMTP protocol. Click Close.
  6. Click Next on the Protocols page.

  7. On the Access Rule Sources page, click the Add button.
  8. In the Add Network Entities dialog box, click the Networks folder and double click the Local Host network. Click Close.
  9. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click the Add button.
  11. In the Add Network Entities dialog box, click the Networks folder and double click the External network. Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the User Sets page, accept the default entry, All Users, and click Next.
  14. Click Finish on the Completing the New Access Rule Wizard page.
  15. Click Apply to save the changes and update the firewall policy.
  16. Click OK in the Apply New Configuration dialog box.

Test the Configuration

Now we’re ready to test the configuration. In the first test, we’ll use Outlook Express to send mail to the SMTP service on the ISA 2004 firewall. The Outlook Express client is configured to authenticate with the SMTP server using the default Administrator account on the ISA 2004 firewall machine. In a production environment you would create user accounts on the ISA 2004 firewall machine that external users can use to relay mail through the firewall.

I’ll send an e-mail message to my own user account on Hotmail. We see the following lines in the real time log viewer on the ISA 2004 firewall when sending the message. The lines in red indicate the incoming connection from the Outlook Express client to the ISA firewall. Notice that the connection is allowed by the SMTP Server rule. The lines in blue show an outgoing SMTP connection that is allowed by the Outbound SMTP rule. This connection is the one associated with sending the mail outbound to the Hotmail site. The last entry in the file is the DNS lookup the ISA 2004 firewall does to find the MX record information for the Hotmail site. It’s likely that this took place before the outgoing mail, but the log file listed it as taking place at the same time as the outgoing mail because the lookup response was so quick.

When we go to the Hotmail site to retrieve the message, we see what appears below. You see that the message was received by ISALOCAL from xpprosp1 and then the hotmail.com server received the message from ISALOCAL. Notice that the IP address listed for ISALOCAL actually represents the IP address on the external interface of the network router and not the IP address of the ISALOCAL machine itself.

Received: from ISALOCAL ([209.30.181.91]) by mc4-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 13 Jul 2004 21:15:13 -0700
Received: from xpprosp1 ([192.168.1.172]) by ISALOCAL with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 23:12:36 -0500
X-Message-Info: JGTYoYF78jHHLX5R9IFBtsCYF3X+PLrD
Message-ID: <000801c46958$ca281700$ac01a8c0@msfirewall.org>
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Return-Path: tshinder@tacteam.net
X-OriginalArrivalTime: 14 Jul 2004 04:12:36.0626 (UTC) FILETIME=[CB8CD720:01C46958]
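To read a delivery path like this one programmatically rather than by eye, the following Python script (an added example, not from the original article) parses each Received: header into the sending host, its IP address, the receiving MTA and the timestamp, reverses them into the order the message actually travelled, and flags whether each source address is private. The sample it works on is the two Received: lines and a few of the other headers quoted above; the hop timestamps are timezone-aware, so the transit time between the Outlook Express client and Hotmail is computed correctly across the -0500 and -0700 offsets.

```python
"""Reconstruct the hops a message took from its Received: headers, oldest hop first."""
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Headers from the test message shown above (Outlook Express -> ISALOCAL -> Hotmail).
SAMPLE_HEADERS = """\
Received: from ISALOCAL ([209.30.181.91]) by mc4-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 13 Jul 2004 21:15:13 -0700
Received: from xpprosp1 ([192.168.1.172]) by ISALOCAL with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 23:12:36 -0500
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Return-Path: tshinder@tacteam.net
"""

# Handles the "from HOST ([IP]) by HOST with SOFTWARE; DATE" form that Microsoft
# SMTPSVC writes; other MTAs use variations this pattern does not try to cover.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
    r"\s+with\s+(?P<with>.+?);\s*(?P<date>.+)$"
)


def parse_received(headers):
    """Return one dict per Received: header, in header order (newest hop first)."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hop = m.groupdict()
            hop["ts"] = parsedate_to_datetime(hop["date"])
            # A private source address means the hop came from inside a NATed
            # network (here the client behind the router); a public one is what the
            # next MTA saw on the wire, which for ISALOCAL is the router's address.
            hop["ip_private"] = ipaddress.ip_address(hop["ip"]).is_private
            hops.append(hop)
    return hops


def trace_path(headers):
    """Return the hops oldest first, i.e. the order the message actually travelled.

    Each receiving MTA prepends its own Received: header, so reversing the header
    order walks from the originating client to the final server."""
    return list(reversed(parse_received(headers)))


def path_summary(headers):
    """Compact (from, ip, by) tuples per hop, oldest first."""
    return [(h["from"], h["ip"], h["by"]) for h in trace_path(headers)]


def transit_seconds(headers):
    """Seconds between the first and last hop timestamps (UTC-normalised)."""
    hops = trace_path(headers)
    if len(hops) < 2:
        return 0
    return int((hops[-1]["ts"] - hops[0]["ts"]).total_seconds())


if __name__ == "__main__":
    for hop in trace_path(SAMPLE_HEADERS):
        scope = "private" if hop["ip_private"] else "public"
        print(f"{hop['from']:<10} [{hop['ip']:<15} {scope:<7}] -> {hop['by']}  at {hop['ts'].isoformat()}")
    print("transit:", transit_seconds(SAMPLE_HEADERS), "seconds")
```

Run against the headers above, the first hop comes from the private address 192.168.1.172 and the second from the public address 209.30.181.91, which is exactly the point made about ISALOCAL: Hotmail recorded the router's external address, not the firewall's own.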

Now let’s test the FTP site functionality. Put some files in the FTPROOT directory on the ISA firewall. Then from the external client open a command prompt and enter ftp 192.168.1.70 and press ENTER. Enter Administrator for the user and press ENTER. Enter the Administrator’s password and press ENTER. Enter dir and press ENTER. You’ll see a list of files. To download a file, you can use the GET command. To upload a file you can use the PUT command.

Let’s try a PUT command. We’ll put the boot.ini file located in the root directory on the client on the FTP site. The figure below shows the command sequence. Notice that there’s a 550 Access is denied message. What’s up with that?

The answer is that the ISA 2004 firewall is a firewall, not a packet filter or a NAT server. The default settings are the secure settings, and it’s much more secure to allow downloads only, as allowing uploads to an FTP site can put a server at extreme risk of compromise. We must make a change to the FTP Server Publishing Rule to allow FTP uploads.

Perform the following steps to make the required changes:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Firewall Policy node and then right click on the FTP Server Server Publishing Rule. Click on the Configure FTP command.

  2. Remove the checkmark from the Read-only checkbox. Click Apply and then click OK.

  3. Click Apply to save the changes and update the firewall policy.
  4. Click OK in the Apply New Configuration dialog box.

Now we’ll log off the FTP site and log on again. Try the PUT command again and you’ll see what happens in the figure below.

The final test is to use the Web browser on the external client to access the Web site. Enter http://192.168.1.70 into the Address bar and press ENTER. You’ll see the default Web site.


Summary

In this article we went over the theory and practice of creating a single NIC ISA 2004 firewall. This type of setup may be of use in an ISP co-lo configuration or when you need to put an ISA firewall between two packet filter-based firewalls. The single NIC configuration allows you to use many of the firewall features on the ISA firewall that would otherwise be unavailable in a true single NIC configuration.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000025 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
