Configuring ISA 2004 on Windows 2003

Discussion in 'Software' started by mojorisin, Nov 9, 2006.

  1. mojorisin

    mojorisin Kilobyte Poster

    Hi Guys

    About to setup a new ISA server looking for any input you might have on best practice

    The server has a P4 3GHz processor with 1GB of RAM, two 80GB SATA drives and two gigabit NICs.

    I have called one internal and one external.

    To start with we will only be using the web caching facility but would like to have the server setup correctly at the start so as future uses would be possible

    I would like the users to connect to the ISA server on the internal NIC, and then the traffic routes over the external NIC to the router.

    Any thoughts on the best setup, or anything that I shouldn't miss out?

    your thoughts please :biggrin

    cheers
    Mojo
     
    WIP: Microsoft 365 Identity and Services MD-100
  2. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    hmmm, like to see the responses on this, will be looking at doing the exact same setup on the weekend (but using 1 NIC)
     
  3. mojorisin

    mojorisin Kilobyte Poster

    We are currently using ISA 2000 in a single-NIC box and only using the web proxy caching facility, so would like the new box to go a bit further.
     
    WIP: Microsoft 365 Identity and Services MD-100
  4. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Here are a few tips:

    - Consider installing the ISA server in a workgroup to limit exposure to the domain if the server is compromised. If it must be a domain member (eg for group policy) consider putting it in a separate forest and make a one way trust from your internal forest to the ISA forest.

    - Remove all sites from the Allowed Sites configuration group except what is needed for updates, eg *.windowsupdate.com

    - On the public interface, disable all services except TCP/IP. Also, make sure to disable NetBIOS over TCP/IP and disable LMHOSTS lookup.

    - Disable all services and features that are not needed.

    - Disable error reporting. No need to allow someone to grab the unencrypted error reports sent outbound.

    - No web browser on the ISA server. Disable IE. If you really really need a browser, use something like Firefox to reduce the risk.

    - Make sure to disallow unencrypted firewall clients.

    Also, Microsoft has an ISA Server best practices analyzer, dl from here:

    http://www.microsoft.com/downloads/...B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

    And here is the ISA Server 2004 hardening guide from MS:

    http://www.microsoft.com/downloads/...B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

    And of course all the usual server security practices should be done, eg no guest account, physically secure the server, etc.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
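The checklist in the post above can be verified rather than just applied from memory. The following read-only audit script is an added example, not something from the thread or from Microsoft; it assumes the public NIC is named "external" as in the original post and uses only WMI and the registry keys that Windows 2003 exposes for these settings.

```powershell
# Added example: read-only audit of the hardening items listed above.
# Assumption: the public interface's connection name is "external".
$ExternalNic = "external"
$results = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Status = $(if ($Pass) { "PASS" } else { "FAIL" }); Detail = $Detail }
}

# 1. NetBIOS over TCP/IP and LMHOSTS lookup on the public interface.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ExternalNic'"
if ($adapter) {
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
    Add-Check "NetBIOS over TCP/IP disabled on $ExternalNic" ($cfg.TcpipNetbiosOptions -eq 2) `
        "TcpipNetbiosOptions=$($cfg.TcpipNetbiosOptions)"
    Add-Check "LMHOSTS lookup disabled" (-not $cfg.WINSEnableLMHostsLookup) `
        "WINSEnableLMHostsLookup=$($cfg.WINSEnableLMHostsLookup)"
} else {
    Add-Check "External NIC present" $false "no adapter named '$ExternalNic'"
}

# 2. Error reporting: DoReport=0 turns it off; the Policies key wins over the local one.
$erKeys = "HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting",
          "HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting"
$doReport = $null
foreach ($k in $erKeys) {
    $v = Get-ItemProperty -Path $k -Name DoReport -ErrorAction SilentlyContinue
    if ($v -ne $null) { $doReport = $v.DoReport; break }
}
Add-Check "Error reporting disabled" ($doReport -eq 0) "DoReport=$doReport"

# 3. Local Guest account disabled (one of the "usual server security practices").
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='Guest'"
Add-Check "Guest account disabled" ($guest -eq $null -or $guest.Disabled) "Disabled=$($guest.Disabled)"

$results | Format-Table Check, Status, Detail -AutoSize
```

Run it from an elevated PowerShell prompt on the ISA box; it changes nothing, so any FAIL line is a setting to go back and fix by hand.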
  5. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    - Consider installing the ISA server in a workgroup to limit exposure to the domain if the server is compromised. If it must be a domain member (eg for group policy) consider putting it in a separate forest and make a one way trust from your internal forest to the ISA forest.

    This is in fact a bit of scaremongering on MS's part, and even the venerable Tom Shinder does not feel any security compromise could be attained by the ISA being a part of the domain (it's a domain member with relatively limited access to the database, not a DC!). For ease of manageability and group management within ISA, being part of a domain is often the best possible method for deployment.


    If you want to use both NICs and routing, you're already out of the proxy mode and into full blown firewall mode; however you could just allow all traffic out and in to treat it as a proxy of sorts with no firewall capabilities.

    If you want it in a sole proxy mode, drop one NIC into it and divert your browsers accordingly.

    Spice, some good tips there, nice one mate!
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  6. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  7. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Thanks Phoenix, AJ for the info regarding workgroup vs domain. The article is excellent and really illustrates how domain is the way to go for ISA Server.

    Thanks!

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  8. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    No problem for that. I gotta admit I was with you regarding workgroup V Domain, but if Dr Tom says it's OK then that deffo is good enough for me.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  9. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    For best functionality, detailed reporting and ability to define rules for users and groups make sure you install the firewall client on the clients - do not install the firewall client on the ISA server itself.

    By default ISA will block all traffic, you will need to create protocol rules, site and content rules etc before it will let you out. With ISA you do not open/close ports, you create rules which either allow or deny Internet access to specific protocols.

    Check out http://www.isaserver.org for articles and step by step instructions. It is by far the best ISA resource on the net.

    If you need to access the internet from the ISA server itself, you need to put the internal address of the ISA server as the proxy server in your browser - Port 8080.

    Best tip - have fun!
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  10. mojorisin

    mojorisin Kilobyte Poster

    Anyone know how to give access to VNC remote control software on the ISA server ?

    I can get the web interface to show the login prompt but then it says "Network Error:no route to server "

    Must admit I found ISA 2000 easier to configure than this one :oops:
     
    WIP: Microsoft 365 Identity and Services MD-100
  11. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    ISAServer.com to the rescue again. We did this the other day :D
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  12. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Just being pedantic AJ but that link is www.isaserver.org not .com :wink:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  13. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Padantic. You. Never mate.:biggrin:biggrin

    At least the link goes to the right place.8)
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  14. mojorisin

    mojorisin Kilobyte Poster

    Cheers guys, forgot to look there, won't do it again :biggrin

    Had been a long day of head scratching by that point.

    Knuckles have been rapped :biggrin
     
    WIP: Microsoft 365 Identity and Services MD-100
