Setup - General ISA Server setup questions

ISA Server 2000 Frequently Asked Questions (FAQ) topic 

[8] Cache specific - These Q & A's are specific to the ISA Server caching product

Updated: Jul 01, 2002

[15] Errors - Various ISA Server error messages. What they mean and how to get rid of them

Updated: Dec 11, 2002

[39] Firewall Specific - These Q & A's are specific to the ISA Server firewall

Updated: Aug 10, 2004

[49] General info - General questions about ISA Server

Updated: Aug 10, 2004

[13] Installation issues - Tackles various installation problems questions

Updated: Jul 06, 2001

[32] Setup - General ISA Server setup questions

Updated: Jul 27, 2004

I made a change in the Web Proxy configuration settings in the Firewall Client tab on the ISA firewall. I clicked the "Configure Now" button on the Firewall client machine, but the changes are not made to the browser. What''s up with that? 

You need to first update the Firewall client settings on the Firewall client computer by clicking the Test Server or Detect Now button. Then clck the Configure Now button. The Test Server and Detect Now buttons pull the wspad information from the ISA firewall, and then the Configure Now button applies the Web browser settings included in the wspad information.

I've published my OWA Server through ISA Server and its working. However, OWA log in is very slow. Is there a way to speed this up? 

Yes -- there seems to be some issues with using integrated authentication through the ISA Server for OWA log in. We recommend that you use Basic Authentication and SSL for your OWA site. The SSL link will protect the free text username and password from being detected by intruders that may be sniffing the line.

How do I perform a silent installation of the Firewall client for Win2k and Windows NT client computers? 

Try this: \\%isaserver%\MSPCLNT\SETUP.EXE /v"/qb+/r:n" Many thanks to Lemonwater925 for this tip!

How can you do web publishing (reverse web proxy) with ISA? 

PublicSite.mydom.com PrivateSite.mydom.com/EmployeeInfo

Have DNS records created on the responsible DNS server for your domain for PublicSite and PrivateSite and point them both to the ISA server's external interface.

In the destination sets Create one and give it a descriptive name like: For requests to PublicSite In the Destinations tab: / Computer name type in what the host header will contain. eg: PublicSite.mydom.com and no path for this one.

For the second one: Create a destination set with a friendly name like: For access to the Private info site. In the Destinations tab: / Computer name type in what the host header will contain. eg: PrivateSite.mydom.com and in the path type in /EmployeeInfo/*

Then create a web publishing rule for each which sends requests for these headers to the proper server. Name: Any friendly name like: For Public site Destination: Selected destination set Select the name : For requests to PublicSite in the drop down list. Action: Redirect the request to a hosted site: In the Destination site area type in the ComputerName or IP address of the internal Web server hosting the Public site. Applies to : Any request.

For the Private site: Name: Any friendly name like: For Private info site Destination: Selected destination set Select the name : For access to the Private info site. in the drop down list. Action: Redirect the request to a hosted site: In the Destination site area type in the ComputerName or IP address of the internal Web server hosting the Private site. Applies to : Select client sets or users or groups or any user based on if you want to restrict access or not.

Each time I would disconnect, ISA would force a reconnect every couple of minutes. I have turned off active caching, do not have any applications running that would request information from the Internet periodically and have also turned off all netbios requests to my router just in case that was causing the problem. What might be causing this auto redial? 

By default when ISA is installed it has a DNS query packet filter installed with it. This filter is allowing DNS queries to pass through to the router. After disabling this filter your router should adhere to the default timeout settings, and not redial.

I am unable to browse the network if I have the Enable Packet filtering box ticked. I get a dns error. I am running IE5 on the same computer as the ISA Server. Other machines connecting to the ISA server can browse OK with this box ticked. How can I solve this? 

In the readme file for ISA Server, you can find out that to use the browser on the ISA Server, you should configure the proxy settings to point to the IP address of the internal adaptor.

I want my ISA server to connect to the internet by using a dial up entry to my internet provider. The dropdown boxes in the ISA server configuration screens do not show the dial up entries I have configured. They're just empty drop down boxes. Anyone know what seems to be the problem? 

Policy elements, Dial-up entries, View/Create Dial-up connections.

You should be able to choose your pre-built dial-up Internet connection.

What is the recommended cache size for 100 users? 

Microsoft recommends 10 – 20MB per user.

I have two offices with dedicated connections at each and I have an ISA server at each setup in integrated mode. I would like to be able to set up a gateway-to-gateway VPN connection between the two ISA servers and have traffic bound for the "internet" at each site routed out and traffic that is destined to go over the VPN to the other site routed correctly as well. Can this be setup with ISA server and if so, any ideas as to how? 

Yes, you can do this. Just run the "Set Up Local ISA VPN Server" on one of the Servers to create a .vpc file. Be sure to configure it so that both ends can initiate a connection. After you create the .vpc file, go to the other ISA Server and run the "Set up Remote ISA VPN Server" using the .vpc file you've created.

This will create demand dial interfaces that will allow each of the ISA Servers to establish connections with one another. It will also add static routing table entries so that the demand-dial interfaces are activated when requests for the remote network are made.

I need some info regarding installing the ISA Server with 3 NICs and implementing the DMZ as a MailRelay zone. In the way I would like to prevent any access to the MS Exchange Server inside my Internal Network. Any idea how to implement this? 

Put the realay in the DMZ, and then put the mail server on the internal network. Then, publish the internal mail server and allow access only to the IP address of the server on the DMZ. In this way, you prevent any machine that is not the relay from accessing the internal server.