Tom Shinderís ISA Server Questions of the Week
August 5, 2002
In this weekís edition we cover the following questions:
QUESTION: Backing Up Enterprise Policies and Fixing Remote MMC Problems
I've configured ISA server (on Windows 2K advanced Server, in ADS environment in an ARRAY) in fault tolerance mode (for web proxy Clients) in my organization.
Please tell me:
- How to take backup of ISA server in this environment.
- I'm unable to run ISA Mgmt tool on other PC, It says that domain could not be found, when I try to connect to enterprise and arrays.
Backing up Enterprise Policies presents a little different issue than backing up array policies. The reason for this is that the Enterprise Policy is stored in the Active Directory. For this reason, there may be no reason at all for you to ever need to back up the Enterprise Policy. You certainly back up your Active Directory on a regular basis and you most likely have fault tolerance built into your directory services infrastructure.
However, if you like, you can back up your Enterprise Policy independently of the Active Directory. Just do the following:
- Right click on your Enterprise node and click the Back Up command.
- Type a file name in the Select location of configuration backup text box and type in a comment.
- Click the Backup button.
Note that when you back up the Enterprise policy you are not backing up the array policy at the same time! You will need to back up the array policy separately. Also be aware that the integrated backup feature included with ISA Server only allows you to restore to the same machine. You cannot use this file on another machine, or on the same machine as part of a disaster recovery scheme. The integrated tool is for incremental backups only that you can use if you need to regain a working configuration after making changes to a current installation. If you need to back up your current settings, check out some of the tools available at ftp.tacteam.net/isaserver and at http://jalojash.org/isatools/default.htm
Your problem with the ISA Management MMC snap-in is a common one. The ISA Server management console works fine on the ISA Server computer itself, but sometimes has problems on other computers. I highly recommend that you use Terminal Services to manage the ISA Server, but if you find you just have to use the MMC, check out the FAQ at the www.isaserver.org site. You can use the Search box and type in "mmc" (without the quotes) and you should find some help with this problem.
QUESTION: Using Alternate Ports for Publishing Servers
I have a Microsoft Small Business Server in my small company and all we can afford is an ADSL 256 connection to the Internet. The provider (phone company) says they limit "entrant" ports for security reasons. That is to say that everything one would need to connect to the server from outside e.g. WEB SERVER, FTP SERVER; VPN etc. Also, we are using an Alcatel Speedpro ADSL router as our connection to the internet.
How could I make it work so Web, FTP, VPN would work on another port other than 80, 21 for example?
Also, could you recommend a book that clearly shows the steps needed to restrict users to www.playboy.com from 10am - 3pm? I tried myself doing this but...
Also, I have five WinXP clients that cannot ping nor tracert to www.microsoft.com for example. I already enabled IP Routing on the ISA Server but my clients still cannot ping nor tracert even though the server can.
Thatís a lot of questions for one short email!
You first problem is that you ISP doesnít allow server publishing. I suppose you need to pay for a "corporate account" or something like that in order to get a static IP address and allow inbound access to services. Since your ISP is blocking inbound access to common Internet service ports, such as TCP 21, 25, 80, 110, 119 and 143 publishing services on the commonly known ports is not possible.
The solution is to publish services on alternate ports. The procedure is different for each service. For example, for Web publishing, you need to change the Incoming Web Requests listener port to something other than TCP 80. Then your external network users need to use the alternate port number to access your servers.
Server Publishing for SMTP and POP3 would be a bit different, since you donít need to configure a particular "listener" for these services. You need to create a Protocol Definition that uses the alternate port, and then you need to configure the service on the internal network to listen on that same port. You have to configure the service on the internal network to use the same port because ISA Server will not perform port redirection when you use Server Publishing Rules. The external network user will also need to use the alternate port number as well.
This can get a little complicated or unwieldy when youíre working with services that you donít have complete control over. For example, letís look at the SMTP service. You can change the port the internal SMTP server listens on to something like TCP 2525. Then you can create a Protocol Definition that allows inbound access to TCP 2525 as its Primary connection (no Secondary connection is required). After you create the Protocol Definition, you create a Server Publishing Rule that uses this new SMTP Protocol Definition.
Now all external clients will be able to send mail via SMTP to the internal server if they send it to the IP address on the external interface of the ISA Server that listening for incoming messages on TCP 2525. You can configure external network clients that are under your administrative control to use TCP 2525. However, your SMTP server wonít be very helpful if you need it to receive mail from Internet SMTP servers. The reason for this is that Internet SMTP servers are going to use the default SMTP port, and will not be able to forward mail to your domain.
There is a solution for this, and your dynamic IP address problem too. You can use a DNS forwarder, such as www.tzo.com or www.dyndns.com. These services allow you to publish services using a FQDN. You install the DDNS client software on your computer (even one behind the ADSL router) and when your external IP address changes, the change will be noted at the DDNS server for resource records for your domain.
You can even purchase port forwarding services, so that external network clients wonít have to manually enter the alternate port numbers youíre using. They can use the default service port numbers to send messages and the port forwarding feature will forward the requests to the alternate port number youíre using on your server. This is extremely useful if you wish to publish your on SMTP server.
The ICMP issue is a common one. Iíve seen this question asked since ISA Server was in beta. In the almost two years since I first saw this question, Iíve not ever read an answer to the problem. Iíve never encounter an ICMP problem that didnít responds to creating the appropriate packet filters, enabling IP Routing, and making the client a SecureNAT client. If someone ever solves this problem, Iíll be sure to post the answer as a FAQ at the site.
QUESTION: Outbound Mail Uses Wrong Source IP Address
I've encountered a problem running an email server (Alt-N Technology's Mdaemon v.6.0.2) behind a Microsoft ISA firewall. Inbound mail works fine but all outbound mail includes the default external address of the ISA server, not the translated address of the internal mail server. Many companies use reverse DNS to verify the source of email and since the default external address of the ISA server does not match MX records email is bounced. What can I do to correct this problem? I'm rather new to ISA but have used other firewall products in the past i.e. Checkpoint, Cisco Pix.
This is a common SMTP server publishing issue. When you publish a particular server on the internal network, you might expect that that when messages are send outbound from that SMTP server on the internal network that the source address on the external interface of the ISA Server would be the same as the one you use in the Server Publishing Rule. Unfortunately, thatís not the case. The source address should be the default IP address on the external interface of the ISA Server (that is to say, the IP address on the top of the list of IP addresses bound on the ISA Serverís external interface).
I say *should* be since Iíve seen my own ISA Server use the first or second IP address on the external interface. Rumor is that this might be related to the VPN server configuration, but I have no independent verification of this issue.
Iíve never used reverse lookups on my SMTP servers for this reason. Itís a poor manís security method and not only is it ineffective, it creates just this kind of problem. Personally, my feeling is that if the SMTP admin is so weak as to implement this feature as a security option, I donít care if my mail gets there! However, my opinion isnít what matters. Itís what the customer wants that counts.
The solution to this problem is to use the old Proxy Server 2.0 method of publishing your SMTP server. You install the Firewall client on the SMTP Server, and then you use the ProxyBindIp entry in the wspcfg.ini file. Jim Harrison does an excellent job explaining the Firewall client and the configuration file settings in his article on the Firewall client over at http://www.isaserver.org/pages/articles.asp?art=60
I donít have a specific article up yet on this configuration (although Iíll get one put together soon), but you might be able to gain some helpful nuggets of information on how to deal with this from my article on FTP server publishing on alternate ports. Check it out over at http://www.isaserver.org/pages/articles.asp?art=2 Once you get the SMTP server published using the Firewall client setup, youíll be able to bind an IP address on which youíll send and receive SMTP messages.
QUESTION: SSL Doesnít Work on Incoming Web Requests Listener
We found your book informative as well as widely cited on related web sites. Keep up the good work. We are having an ordeal in setting up the following scenario:
We need to publish a web site to the Internet. We have IIS and ISA. We need to use SSL 128 bit encryption on the Internet. We have a web server (IIS 5.0) on PC#1.
Microsoft Certificate Services is installed on PC#1. We wish to create our own certificate. We have ISA Server on PC#2 which also serves as the firewall for our in-house network.
The steps (and the problem) we have accomplished are as follows:
- We create a certificate with a key on PC#1 (the IIS and Certificate Services PC).
- We export this certificate from PC#1 and import the certificate on PC#2 using the MMC snap-in.
The systems tell us that the export/import processes are successful.
- When we go to configure the ISA (PC#2) to use the certificate, we get the message "There are no certificates configured on this server."
Is there something we are leaving out? Is there some Registry setting we need to inspect to tell ISA server where to find the certificate? Currently the certificates are in the Personal\Certificates as well as in the web proxy store.
Any assistance would be greatly appreciated
SSL problems seem to be very common with the ISA Server listeners. Iím not sure why this is the case, but certificate issues on the ISA Server come up quite a bit. When you need to configure a server certificate for the Incoming Web Requests listener to use when itís impersonating the internal network Web server, you need to import the certificate into the machine store on the ISA Server. Neither the Web Proxy store, nor any of the user stores, will be used to impersonate the Web server. You must use the machine store.
If you did import the certificate into the ISA Serverís machine store and it still doesnít show up in the console, try closing out the ISA Management console and opening it up again. This often fixes the problem. Sometimes you have to do more. Try restarting the ISA Server computer. Then open the ISA Management console after you log on and see if the certificate appears.
Some people report that you have to open the certificate and select a particular set of uses for the certificate. By default, the certificate should be good for all properties that server certificates are good for (I donít have the list in front of me). This comes from Microsoft Q article Q292569. The relevant quote is:
If the "Intended Purposes" field of the certificate is set to "All" rather than a list of specific purposes, the following steps must be followed before the certificate can be recognized by ISA Server: In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all of the items, and then click Apply
Iíve not noticed this step to be required, but if things arenít working for you, give it a shot!
QUESTION: Outbound PPTP VPN Connection Problems
Iím facing problem in configuring ISA server to allow clients to connect to VPN server located in Internet (located outside our network). The ISA Server is connected to the Internet through a leased line with 2 NIC cards on it. One is connected to internal network other is connected to the leased line through a router. Iím able to browse & send mails (i.e. http, POP3, & SMTP are working fine.)
Initially we were using ISDN dialup for Internet connectivity through a modem & single NIC for internal network connectivity & it was possible to connect to VPN servers from Internal clients with 2 packet filters enabled (PPTP call & PPTP receive)
One more point is that we have to enable the Firewall client till the clients make connection with VPN server. Once itís connected to the VPN server we have to disable the firewall client. If I disable the firewall client before making the connection, then I wonít be able to connect to VPN server. But with new leased line connection, we are not able to make connection to VPN server.
If I revert back to ISDN line, VPN works fine.
What configuration I have to make on ISA server to access VPN server from clients through Leased line.
Some things to consider when working with VPN clients behind the ISA Server:
The client must be a SecureNAT client in order to connect to a PPTP VPN server on an external network. The reason for this is that the Firewall client does not support non-TCP/UDP protocols. A machine can be both a Firewall and SecureNAT client, but you do need the SecureNAT client configuration for it to work.
The PPTP passthough checkbox must be enabled (as seen in the figure below). This checkbox enables the "hidden" PPTP application filter. If this checkbox isnít enabled, you wonít be able to connect to a PPTP VPN server on an external network.
Network address issues can be a problem, especially if the client is a Firewall client. The reason for this is that if the destination network ID is different than the local network ID, the Firewall client will intercept the request since the communication is to a host not on the LAT. When the destination is not on the LAT, the Firewall client assumes that the packet should be handled by the Firewall client so that the ISA Server can proxy the request to a remote, non-local network host.
I suspect the LAT issue is the reason why you have to disable the Firewall client before connecting to the remote network. One solution for this problem would be to include the remote networkís network ID in your LAT. However, including this network ID in the LAT is a global change, which would apply to all clients on your network. You might not find this desirable. If so, you can configure a local LAT by creating a locallat.txt file. Check out the ISA Server Help File for instructions on configuring a locallat.txt or check out Q268326 for detailed instructions.
Now why doesnít your VPN work with the leased line, but it works with the ISDN link? It could be that you still have the ISDN link set as the Primary connection in the Firewall routing properties dialog box. In the figure below youíll see a grayed out option that says Use dial-up entry. If that is still checked, the leased line wonít be used.
However, if you have disabled that option, you may need to reinstall ISA Server Iíve found that sometimes it problematic to switch from dial-up to dedicated connection on the same box. This isnít always the case, but if Iíve tried everything else, a reinstall seems to fix the problem.