ISA Server 2004 “gotchas”

After having to abort last week’s attempt to replace an aging Microsoft Proxy Server 2.0 installation with Microsoft Internet Security and Acceleration (ISA) Server 2004, last night I had another go and I’m pleased to say that the ISA Server is now up and running. There are still some minor issues that I need to resolve, but here’s a summary of the key points that affected me:

  • It’s important to configure the underlying network correctly – i.e. check the binding order of the various network interfaces, disable unwanted services on the external interface, only configure one interface with a default gateway (the external interface), only configure one interface for DNS and check that there is a valid route configured back to each internal network. Jim Harrison has written an excellent article on configuring ISA Server interface settings.
  • By default, ISA Server 2004 will not let any traffic pass (on any interface) – i.e. it is secure by default.
  • Do not configure the ISA Server to use both internal and external DNS servers. The ideal solution is to configure DNS forwarding from the internal DNS server(s) to the ISP’s DNS servers and create an access rule to allow outbound DNS traffic. If DNS is configured incorrectly, then the server may have difficulties contacting Active Directory which will have a consequential effect on authentication.
  • Configure individual access rules to allow all required outbound network services and consider the order of the rules (i.e. is one rule denying access before another is processed). Multiple rules can be configured for different user sets and schedules.
  • In general, access rules are used to allow outbound access whilst internal resources are “published”.
  • When publishing HTTP(S) servers, make sure that there is an appropriate web listener configured.
  • When publishing SMTP (or other) servers, there is no web listener, but there must be an appropriate network listener configured. Generally, internal SMTP servers will be configured only to allow mail to be received from certain hosts, so it may be necessary to make the traffic appear as if it originated from the ISA Server. Thomas Shinder has written an excellent article on troubleshooting SMTP server publishing rules.
  • If restricting access to certain users, ensure that integrated authentication is enabled and authentication is required.

Leave a Reply