Firewall Specific - These Q & A's are specific to the ISA Server firewall

ISA Server 2000 Frequently Asked Questions (FAQ) topic 

Updated: Aug 10, 2004
How do I enable PING through my ISA firewall? (2004) 

The client machine must be a SecureNAT client and IP Routing must be enabled on the ISA firewall.

To turn on IP routing, follow these steps:

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the ISA Server Management console tree, expand ISAServer, where ISAServer is the name of the ISA Server that you want.
  3. Expand Configuration, and then click General.
  4. In the details pane, click Define IP Preferences under Additional Security Policy.
  5. In IP Preferences, click the IP Routing tab.
  6. Click to select the Enable IP routing check box, and then click OK.

http://support.microsoft.com/default.aspx?scid=kb;en-us;838251

How do I make the Cisco VPN client work from behind the ISA Server? 
  1. Protocol Definitions:
     - 10000 UDP Send-Receive
     - 500 UDP Send-Receive
  2. Disable Firewall Client
  3. Properties of Cisco connection entry:
     - Enable Transparent Tunneling
     - Allow IPSec over UDP (NAT/PAT)
How in the world do I get the Cisco VPN client to work through the ISA Server? 
Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=002752

Some other links about the same subject:

  - http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=001902
  - http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000503
  - http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000495
  - http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000570

The basic setup is:

  1. Create two protocol definitions:
     - UDP Port 500 Send Receive: this is for the IKE protocol (key negotiation).
     - UDP Port XXXX Send Receive: this is for the UDP-encapsulated ESP packets. The administrator of the VPN gateway should be able to tell you the exact port number to use.
  2. Next, create a protocol rule that allows the two protocols you just created.
  3. Keep in mind that the client must be a SecureNAT client and that the Firewall client must be disabled when setting up the VPN connection. Also, when certificates are involved, disable filtering of IP fragments on ISA.

BTW, in general, any IPSec implementation that supports NAT Traversal or UDP-encapsulated ESP should work from behind ISA.

Many thanks to Stefaan Pouselle for this valuable information!
Can I deploy only the firewall functionality? 
Yes, you can deploy the firewall as a locked-down security solution. As part of the setup process, you can select the ISA Server mode: firewall, cache, or integrated. In firewall mode, you can secure network communication by configuring rules that control communication between your corporate network and the Internet. You can also publish internal servers, securely sharing data on your internal servers with Internet users. In cache mode, you can improve network performance and save bandwidth by storing commonly accessed objects closer to the user. You can also publish internal Web servers. Integrated mode combines the features of both firewall and the cache, ensuring security and enhancing performance. In all modes, you can benefit from ISA Server enterprise policy management, real-time monitoring and reporting features.
Does ISA Server support stateful inspection? 
Yes. ISA Server supports three layers of filtering for comprehensive security: packet-level filtering, circuit-level filtering, and application-level filtering. Circuit-level filtering, commonly referred to as "stateful inspection," is the process of inspecting packets as they reach the firewall, keeping state information, and allowing or disallowing them to pass the firewall based on the access policy. ISA Server adds application filters that provide filtering at a higher communication layer, based on "smart" inspection of specific application commands. This allows, for example, blocking specific SMTP commands or filtering RPC access based on the requested interfaces.
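
The following added example (not ISA Server code and not from the original FAQ) models the circuit-level filtering described above: an outbound packet is checked against the access policy and creates state, and an inbound packet passes only if it mirrors a live session. It uses the UDP 500 and UDP 10000 "Send Receive" definitions from the Cisco VPN answer as the policy; the addresses, the idle timeout and the omission of NAT are assumptions made for the example.

```python
# Simplified model of stateful (circuit-level) filtering; not ISA Server code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" in this example
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True if sent from the internal network


# Access policy: the outbound "Send Receive" definitions from the Cisco VPN answer.
# Port 10000 is the value quoted on the page; the VPN gateway admin may assign another.
ALLOWED_OUTBOUND = {("udp", 500), ("udp", 10000)}
IDLE_TIMEOUT = 60.0  # seconds; constructed value for the example


class StatefulFilter:
    def __init__(self):
        self.sessions = {}  # (proto, inside, iport, outside, oport) -> last-seen time

    def check(self, pkt, now):
        # Expire idle sessions first so a stale entry can never admit a packet.
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= IDLE_TIMEOUT}
        if pkt.outbound:
            if (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND:
                return "deny: no rule"
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "allow: rule"
        # Inbound: only a reply whose 5-tuple mirrors a live session may pass.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = now
            return "allow: state"
        return "deny: no state"


def demo():
    fw = StatefulFilter()
    client, gw, other = "192.168.1.10", "203.0.113.5", "198.51.100.9"  # constructed addresses
    return [
        fw.check(Packet("udp", client, 500, gw, 500, True), 0.0),      # IKE request out
        fw.check(Packet("udp", gw, 500, client, 500, False), 1.0),     # reply from the gateway
        fw.check(Packet("udp", other, 500, client, 500, False), 2.0),  # unsolicited inbound
        fw.check(Packet("udp", client, 4000, gw, 53, True), 3.0),      # outbound, no rule
        fw.check(Packet("udp", gw, 500, client, 500, False), 120.0),   # reply after idle timeout
    ]
```

The last case shows why the state table needs a timeout: once the session has aged out, the same gateway packet that was accepted earlier is dropped like any other unsolicited inbound traffic.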
How do you exclude clients from having SecureNAT access? 
Create a Client Set containing that machine's IP address. Then use a rule and deny access based on the Client Set.
Is an incoming ping to an internal client possible? 
Incoming ping to internal clients is not possible. Only internal SecureNAT clients can ping hosts outside the ISA Server.
If I wanted incoming HTTP requests to go only to certain machines, how would I do that - packet filters?
Create a Web Publishing rule.
When I go to the control panel and try to update the Firewall client, I get this error: 'The server is not responding when client requests an update'
Try hard-coding the name, in this form:

  IP (of the internal ISA interface)   servername (NetBIOS name, not FQDN: server1, not server1.domain.com)

Example:

  172.16.1.45 NTSERVER1

If this works then it should be okay. Some purists might suggest using the LMHOSTS file instead.

Reinstall the client or check the port settings. Make sure other services are not interfering.
Is there a way to connect a Novell Server to the internet using the ISA Server? 
If it has an IP address, then you can use SecureNAT to enable it to communicate with the Internet.