Configuring ISA Server Interface Settings.

by Jim Harrison [Published on 30 April 2001 / Last Updated on 20 May 2013]

Before you install ISA, you have to properly set up the networking properties for that machine. Mistakes made either during or after installing ISA server can render your once proud server unresponsive.

Before you install ISA, you have to properly set up the networking properties for that machine.  These are critical to ISA functionality because the ISA server firewall service works at the same level (kernel mode) as the TCP/IP drivers in the system.  Mistakes or changes here, either during or after installing ISA server, can render your once proud server unresponsive.

I'll take you through a simplified setup of your server with some explanations for each step and how it relates to the other settings we make.

We start with some basic assumptions and terminology definitions:

  • You have at your disposal an ISA server with two Network Interface Cards (NICs), one connected to your internal network and another (not yet) connected to the Internet.  We'll do that later on.
  • You have access to a DNS server (internal or external) that can resolve Internet names.  Your internal network needs some method of resolving Internet names.
  • You already have the required IP settings for your NICs.
  • You have some basic knowledge of Windows 2000 networking.  I make the distinction because W2K networking is somewhat different from NT4 / W9x.
  • Firewall interfaces are often referred to as "north" and "south", to indicate the public and private networks, respectively.  I've adopted this style for these instructions.

Setting the Interface Order

The first thing we want to do is to make sure the network interfaces are bound in the right order.  Since name resolution efficiency is dependent on this setting, we want to make certain that it's absolutely correct.

  1. Right-click My Network Places and select Properties.  You'll get a display similar to the picture below.  Right-click each network interface represented inside and rename them according to their usage.  North represents the Internet side and South represents the internal side of the ISA server.

  2. Click on Advanced from the menu bar and select Advanced Settings.  This gives you a display similar to the next picture.  The first thing to do here is to make sure the South interface is listed first in the top pane.  If not, select it and click the "up" arrow on the top right to move it into the lead.  File and Printer Sharing and Client for Microsoft Networks should both be bound to the South interface (selected).

Securing the North Interface

The next thing to do is make sure we don't make this machine available to all those nasty guys that make ISA server necessary in the first place.

  1. Select the North interface and unbind (unselect) those same services (File and Printer Sharing and Client for Microsoft Networks).  We don't need or use these services on the Internet and we want to make the machine as "Internet-safe" as possible before you install ISA.

It'll look like the following picture:

  2. Click OK to close it.

Configuring IP Settings on the North Interface

Now let's set up each interface.

  1. Right-click the North interface and select Properties.  Verify that the Client for Microsoft Networks and File and Printer Sharing services are unbound as shown.  Note that you shouldn't see the "QoS Packet Scheduler" until ISA is installed and running.

  2. Scroll down in the top pane and double-click Internet Protocol (TCP/IP).  Select Use the following IP address: and enter the appropriate IP settings for your Internet connection.  Leave the DNS server addresses blank.  Trust me; it will work when we're done.

  3. Click the Advanced button and you can enter additional IP addresses here, if you have them.  Make sure they are correct for your Internet connection before continuing.

  4. Click on the DNS tab.  The only thing we're doing here is to uncheck the Register this connection's address in DNS checkbox.  This will disable the DHCP client service's attempts to auto-update the DNS servers with its own record for this interface.

  5. Click on the WINS tab and deselect Enable LMHOSTS Lookup and select Disable NetBIOS over TCP/IP to close the last security holes in our external interface.

  6. Now click OK three times to close all the properties windows for the North NIC.
  7. Click OK to close it.

Configuring IP Settings on the South Interface

Next on the hit parade is the South, or internal-facing NIC.  We'll make many of the same settings there, but security will be much more lax.

  1. Right-click the South interface and select Properties.  You'll see the following picture.  Leave the bindings as they are; we want this interface to be totally functional in all respects.  Note that you shouldn't see the "QoS Packet Scheduler" until ISA is installed and running.

  2. Scroll down in the top pane and double-click on Internet Protocol (TCP/IP) to bring up these settings:

  3. Enter an IP address that's appropriate for your internal network.  The best thing here is to choose from the pre-defined "private" ranges defined in RFC-1918.  These addresses are non-routable on the Internet.  Using Internet-routable addresses for the internal network will cause much hate and discontent with ISA later on.  Also notice that there is no Default Gateway.

The RFC-1918 addresses fall into three groups:

  Block        IP range                         Subnet mask     Size
  10/8         10.0.0.1 - 10.255.255.254        255.0.0.0       One subnet, 16,777,214 hosts
  172.16/12    172.16.0.1 - 172.31.255.254      255.240.0.0     14 subnets, 983,038 hosts
  192.168/16   192.168.0.1 - 192.168.255.254    255.255.0.0     One subnet, 65,534 hosts

The reasoning behind the assignments is amply explained in RFC 1918 and in various TCP/IP instruction books.

Note also that the 192.168/16 range is often further subnetted (as in the example above):

  Block          IP range                         Subnet mask       Size
  192.168.0/24   192.168.0.1 - 192.168.255.254    255.255.255.0     254 subnets, 254 hosts

  4. Enter the DNS server that you will be using for internal name resolution.  If you have built a W2K AD domain, the DNS server for that domain should be listed first.  If you use a separate DNS server for Internet name resolution, AND your AD DNS server is a root server, then enter the second DNS server's IP address as the Alternate.
  5. Leave the Default Gateway empty.  "There can be only one":
  6. If you will have more than one back-end subnet (192.168.0, 192.168.1, etc.), you must define a static route in the ISA for the back-end network.  The simplest way to do this is to create a classless route.  For instance, if you used the 192.168/24 definition, you would type the following in a command window:

Route -p add 192.168.0.0 mask 255.255.0.0 192.168.0.1

What this does is tell the ISA server's TCP/IP stack to route traffic destined for any subnet within the 192.168/16 range to the ISA's back-end interface.  Of course, if you're using a router to join the back-end subnets, replace "192.168.0.1" with the appropriate IP address for the router interface used by this ISA server.

  7. Select the DNS tab.  If your internal DNS server supports dynamic updates (AD-supporting DNS servers MUST do that), check the "Register this connection's address in DNS" checkbox; otherwise, uncheck it.  Leaving this selected (it is by default; I don't use DDNS) will cause the ISA server's DHCP client to try to register this IP address with the listed DNS server.

  8. Select the WINS tab and notice that Enable NetBIOS over TCP/IP is checked.  Leave it that way.  Notice that Enable LMHOSTS lookup is a global setting; changing it for one interface affects all of them.

  9. Close all property windows by clicking "OK" on each.
  10. Open a command window and type "ipconfig /all".  You should see a report very similar to this one:

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : myisaserver
        Primary DNS Suffix  . . . . . . . : mydomain.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mydomain.org

Ethernet adapter South:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI)
        Physical Address. . . . . . . . . : 00-A0-CC-41-6E-41
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.0.2

Ethernet adapter North:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) #2
        Physical Address. . . . . . . . . : 00-A0-CC-40-F4-5C
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 123.123.123.170
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 123.123.123.168
        DNS Servers . . . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

  11. Connect your North interface to your Internet router, switch, or DSL modem as the case may be.
  12. If you get all the pretty lights indicating that the North NIC is properly connected to the world, try to ping the ISA server's default gateway (the IP entered in the "default gateway" for the North NIC).  If all has gone well and you followed the instructions to this point, you should get 4 returns for your time investment.
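As an added check (not part of the original article), the following Python script parses an "ipconfig /all" report like the one above and flags deviations from the layout described: a default gateway on South, a South address outside the three RFC-1918 blocks from the table, and DNS servers or NetBIOS left active on North.  The sample report is constructed, and the adapter names "North" and "South" are assumed to match the renaming done earlier.

```python
import ipaddress
import re
# Constructed sample modelled on the article's ipconfig /all report; the public
# addresses are hypothetical and the adapter names are assumed to be North/South.
SAMPLE = """\
Windows 2000 IP Configuration
Ethernet adapter South:
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.0.2
Ethernet adapter North:
        IP Address. . . . . . . . . . . . : 123.123.123.170
        Default Gateway . . . . . . . . . : 123.123.123.168
        DNS Servers . . . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""
# The three RFC 1918 blocks from the table above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_ipconfig(text):
    """Return {adapter: {field: value}} from 'ipconfig /all' output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Ethernet adapter (.+):$", line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        # Field lines look like "        IP Address. . . . : 192.168.0.1"
        m = re.match(r"^\s+([A-Za-z][A-Za-z /-]*?)[ .]*:\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return adapters

def check_isa_interfaces(text, north="North", south="South"):
    """List deviations from the article's layout; an empty list means it matches."""
    a = parse_ipconfig(text)
    n, s = a.get(north, {}), a.get(south, {})
    findings = []
    if s.get("Default Gateway"):
        findings.append("South has a default gateway; only North should have one")
    if not s.get("IP Address") or not is_rfc1918(s["IP Address"]):
        findings.append("South address is not in an RFC 1918 range")
    if n.get("DNS Servers"):
        findings.append("North lists DNS servers; leave them blank")
    if n.get("NetBIOS over Tcpip") != "Disabled":
        findings.append("NetBIOS over TCP/IP is still enabled on North")
    return findings
```

Run it against the real report by feeding the saved output of "ipconfig /all" to check_isa_interfaces; any non-empty result points at the step to revisit.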