- How do I turn off spoof detection in the ISA firewall? (2204)
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FwEng\Parameters
- If the Parameters subkey is not displayed, follow these steps to create this subkey:
- Click the FwEng subkey.
- On the Edit menu, point to New, and then click Key.
- To name the key, type Parameters, and then press ENTER.
- Right-click Parameters, point to New, and then click DWORD Value.
- To name the value, type DisableSpoofDetection, and then press ENTER.
- Right-click DisableSpoofDetection, and then click Modify.
- In the Value data box, type 1, and then click OK.
Warning: This setting disables IP Spoof Detection on the ISA Server 2004-based computer. To enable IP Spoof Detection, set the DisableSpoofDetection value to 0. This is the default value.
- Exit Registry Editor, and then restart the ISA Server 2004 services.
http://support.microsoft.com/default.aspx?scid=kb;en-us;838114
- Sometimes I have to restart the ISA firewall computer after installing the ISA firewall software. What's up with that?
When you install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a Microsoft Windows 2000-based computer or on a Microsoft Windows Server 2003-based computer, you receive the following message:
You must restart your system for the configuration changes made to Microsoft ISA Server to take effect. Click Yes to restart now or No if you plan to restart later.
However, if you subsequently remove and then reinstall ISA Server 2004, you are not prompted to restart your computer.
CAUSE:
This behavior occurs because of the configuration changes that the ISA Server 2004 Setup program makes to Windows. The ISA Server Setup program modifies the following registry subkey to set the value of the SynAttackProtect registry entry to 2:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
To take effect, this registry change requires that you restart the computer. However, if you subsequently remove ISA Server 2004, the Setup program does not remove this registry entry. Therefore, when you later reinstall ISA Server 2004, you are not prompted to restart the computer.
MORE INFORMATION:
If you install ISA Server on a Windows 2000-based computer where the value of the SynAttackProtect registry entry is already set to 2, you may still be prompted to restart your computer when the Setup program completes the installation. This behavior occurs because the Microsoft SQL Server 2000 Desktop Engine installation updates Microsoft Data Access Components (MDAC) from version 2.5 to version 2.7. This MDAC update operation requires that you restart Windows. However, MDAC is only updated when you first install ISA Server 2004. If you remove and then reinstall ISA Server 2004, you do not have to restart Windows, because the correct version of MDAC is already installed.
http://support.microsoft.com/default.aspx?scid=kb;en-us;838133
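The two registry values discussed in the answers above (DisableSpoofDetection and SynAttackProtect) can be checked with a read-only audit. This is an added example, not code from the Microsoft KB articles; it assumes PowerShell is available on the ISA firewall computer and treats a missing DisableSpoofDetection value as the default of 0.

```powershell
# Added example: read-only audit of the two registry values named in this FAQ.
# Expected values come from the text: DisableSpoofDetection defaults to 0
# (spoof detection enabled); ISA Server 2004 Setup sets SynAttackProtect to 2.
$checks = @(
    @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\FwEng\Parameters'
       Name     = 'DisableSpoofDetection'
       Expected = 0
       AbsentOk = $true    # assumption: missing value or subkey means default 0
       Meaning  = 'IP spoof detection (1 = disabled)' },
    @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters'
       Name     = 'SynAttackProtect'
       Expected = 2
       AbsentOk = $false
       Meaning  = 'SYN attack protection set by ISA Setup' }
)

function Test-RegistryValue {
    param([hashtable]$Check)

    # The Parameters subkey may not exist at all, so test the path first.
    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Name) }
    }

    if ($null -eq $actual) {
        $ok = $Check.AbsentOk
        $shown = '(not set)'
    } else {
        $ok = ($actual -eq $Check.Expected)
        $shown = $actual
    }

    New-Object PSObject -Property @{
        Setting = $Check.Name; Value = $shown; Expected = $Check.Expected
        Status  = $(if ($ok) { 'OK' } else { 'REVIEW' }); Meaning = $Check.Meaning
    }
}

$results = $checks | ForEach-Object { Test-RegistryValue $_ }
$results | Format-Table Setting, Value, Expected, Status, Meaning -AutoSize

# Run as a script file: a non-zero exit code lets a scheduled task flag drift.
if ($results | Where-Object { $_.Status -eq 'REVIEW' }) { exit 1 }
```

A REVIEW status on DisableSpoofDetection means someone has followed the procedure above and spoof detection is currently off.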
- I am using a cable or DSL connection to my ISP. They assign me an address via DHCP. I can't get an address from my ISP for my ISA firewall's external interface. How do I fix this?
- Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
- In the console tree, click Firewall Policy.
- In the details pane, click Show System Policy Rules.
- Click Allow DHCP replies from DHCP servers to ISA Server.
- In the details pane, click Edit System Policy.
- Click the From tab.
- Click Add.
If you know the IP address of the external DHCP server, follow these steps:
- In the New list, click Computer.
- In the New Computer Rule Element dialog box, type a name for the DHCP computer rule element in the Name box, type the IP address of the DHCP server in the Computer IP Address box, and then click OK.
- Expand Computers, click the DHCP computer rule element that you just created, click Add, and then click Close.
To add the external network instead of the specific DHCP server, expand Networks, click External, click Add, and then click Close.
Note:
Microsoft recommends that you add the specific DHCP server instead of the external network to make the ISA Server computer less susceptible to external attacks.
- Click OK, and then click Apply to save the changes and update the configuration.
Note:
This procedure is for renewals only. If you do not have an IP address, you may want to allow DHCP traffic from any network until an address is leased. If you do not already have a lease, the "specific DHCP server" setting in step 8 will not work because Windows will be forced into DHCP Discover mode. This mode is strictly for broadcast traffic.
- I'm seeing a lot of requests being made by FetchAPI (Fetch API). Who is that?
- FetchAPI is the active caching feature grabbing pages for you automatically via the Scheduled Content Download service.
- How do I access SNMP servers like MRTG from the ISA Server firewall itself?
No problem! Stefaan Pouseele has the answer for you here:
So, to access an external SNMP resource (no trap) you need the following packet filters:
Packet Filter 1:
Packet Filter Name : SNMP over TCP
Enabled : True
Filter Mode : Allow
Filter Type : Custom
Protocol : TCP
Direction : outbound
Local Port : Dynamic Port
Remote Port : 161
Packet Filter 2:
Packet Filter Name : SNMP over UDP
Enabled : True
Filter Mode : Allow
Filter Type : Custom
Protocol : UDP
Direction : send receive
Local Port : Dynamic Port
Remote Port : 161
- I'm getting a lot of 503 errors. Anything I can do to fix this?
- 1. Open ISA Management.
2. Go to the Properties of the server.
3. Go to Outgoing Web Request.
4. Click the Configure button.
5. Set the Maximum or change to unlimited.
6. If the customer changes the setting from unlimited to maximum, the default is zero.
- How do I publish TCP printers?
- You have to Server Publish your internal printer. The basic steps are:
1) Make sure the internal printer is configured as a SecureNAT client (default gateway points to the ISA internal interface).
2) Create two protocol definitions: one for TCP port 721 Inbound and one for TCP port 515 Inbound.
3) Create two server publishing rules and use the protocol definitions created above as the Mapped Server Protocol.
- How do I publish an Oracle 8 Server using Server Publishing Rules?
- Good question! Slav Pidgorny (a Microsoft ISA Server MVP) has put together an excellent article on how to publish Oracle 8 servers. You can find it at http://www.winnetmag.com/Articles/Index.cfm?ArticleID=24863
- How can I use the browser on the ISA Server to access the Internet?
- Configure the browser to be a "pseudo" Web Proxy client. In the browser proxy configuration dialog box, use the server name "localhost" (without the quotes). Why do I call it a pseudo Web Proxy client? Because this works even if you have no Protocol Rules in place to allow outbound access to HTTP! Test this out right after you install ISA Server. Do not configure any Protocol Rules and configure the browser to use "localhost" as the Proxy.