So I got a call from a good client of ours that their ISA server had died, so after some discussion we quickly installed a new server that they had sitting around and loaded ISA Server onto it.
One rule of thumb I didn't really abide by was to make sure the external network card was disabled while I was joining the server to the domain. One thing I've always had to deal with when installing ISA onto an SBS machine is that it disables the other network card. But that's not REALLY too much of an issue. I would disable the external network card until after you have added the server to the domain (if it's a DC then no need to worry). After the installation of ISA 2004 I kinda struck a flashback moment where GOD DAMN IT I forgot which rules to put in for proper access, so of course I put in the ALLOW ALL ANYWHERE rule to allow the client access to get their shit underway. From here I had to add rule after rule to get all their services running again.
One thing I did notice was when I restricted the ALLOW ALL ANYWHERE rule to only people from a specific group, some shit started failing in the log (monitoring the log is your FRIEND, USE IT!!). So I had to load a few other rules to allow the DNS server to access external DNS servers. Also adding rules for MAIL, which was being forwarded to a smart host from Exchange, then from the smart host to the internet. After a while I found that I had RULES FOR AFRICA in my ISA. What to do?
What I did was watch the monitoring logs again and deleted the rules that never showed up for a day, very tidy indeed. Listed below are the rules I have set up that I believe allow default access to systems to keep your hair intact when dealing with ISA.
1. DENY ALL TO EXTERNAL for ALL USERS
2. ALLOW ALL TO EXTERNAL for specific internet users
3. ALLOW ALL TO INTERNAL from LOCAL HOST
4. ALLOW ALL TO INTERNAL from INTERNAL
5. ALLOW DNS TO EXTERNAL from local DNS servers (there is a system rule for DNS from local to external)
6. ALLOW SMTP TO EXTERNAL from Mail Server or Smart Host
7. ALLOW SMTP FROM EXTERNAL to Mail Server for external SMTP delivery
8. ALLOW any other service you require.
If you require VPN Users to access a rule then you must add the VPN Users group to the FROM section of the rule.
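The "watch the log, delete what never shows up" step above is easy to do by hand for a day, but it is also easy to script. The following is an added example, not code from the original post: it reads an ISA firewall log saved in W3C format (a `#Fields:` header, then one tab-separated entry per line), counts how many connections each policy rule matched, lists configured rules with zero hits (the deletion candidates), and summarises denied connections so you can see what is failing. The field names `action` and `rule`, the sample log entries, and the policy list (the rule names from this post) are all constructed for the example; check the field names against the `#Fields:` line of your own log files.

```python
"""Prune-by-log helper for ISA Server firewall policy (added example)."""
from collections import Counter

# Rule names as listed in the post, used here as the configured policy.
# Constructed for this example; your rules are called whatever you named them.
POLICY_RULES = [
    "DENY ALL TO EXTERNAL",
    "ALLOW ALL TO EXTERNAL",
    "ALLOW ALL TO INTERNAL FROM LOCALHOST",
    "ALLOW ALL TO INTERNAL FROM INTERNAL",
    "ALLOW DNS TO EXTERNAL",
    "ALLOW SMTP TO EXTERNAL",
    "ALLOW SMTP FROM EXTERNAL",
]

# Constructed sample log entries (a trimmed day). The log records the rule ISA
# matched for each connection; "Default rule" is ISA's built-in deny that
# catches traffic no other rule allowed.
_ROWS = [
    ("2024-01-10", "08:00:01", "192.168.1.20", "DOMAIN\\alice", "www.example.com", "80", "HTTP", "Allowed", "ALLOW ALL TO EXTERNAL"),
    ("2024-01-10", "08:00:02", "192.168.1.10", "-", "198.51.100.53", "53", "DNS", "Allowed", "ALLOW DNS TO EXTERNAL"),
    ("2024-01-10", "08:00:05", "192.168.1.5", "-", "smarthost.example.net", "25", "SMTP", "Allowed", "ALLOW SMTP TO EXTERNAL"),
    ("2024-01-10", "08:01:10", "192.168.1.40", "DOMAIN\\bob", "www.example.com", "443", "HTTPS", "Denied", "DENY ALL TO EXTERNAL"),
    ("2024-01-10", "08:02:00", "192.168.1.20", "DOMAIN\\alice", "192.168.1.5", "143", "IMAP", "Allowed", "ALLOW ALL TO INTERNAL FROM INTERNAL"),
    ("2024-01-10", "08:03:30", "192.168.1.33", "-", "198.51.100.53", "53", "DNS", "Denied", "Default rule"),
]
SAMPLE_LOG = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2004\n"
    "#Fields: date time c-ip cs-username r-host r-port cs-protocol action rule\n"
    + "".join("\t".join(row) + "\n" for row in _ROWS)
)


def parse_w3c_log(text):
    """Yield one dict per log entry, keyed by the names from the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives: #Software, #Date, #Version ...
            continue
        if fields is None:
            raise ValueError("log entry appears before the #Fields: header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def analyze_log(text, policy_rules=POLICY_RULES):
    """Return hit counts per (rule, action), configured rules with no hits,
    rule names in the log that are not in the policy, and denied connections."""
    entries = list(parse_w3c_log(text))
    hits = Counter((e["rule"], e["action"]) for e in entries)
    seen = {rule for rule, _ in hits}
    return {
        "hits": hits,
        # Zero hits over the whole window: the post's deletion candidates.
        "unused": [r for r in policy_rules if r not in seen],
        # Renamed or removed rules, or the built-in "Default rule".
        "unknown": sorted(seen - set(policy_rules)),
        # What got blocked, by rule/protocol/destination: the traffic that
        # "started failing in the log" and may need a rule of its own.
        "denied": sorted(Counter(
            (e["rule"], e["cs-protocol"], e["r-host"], e["r-port"])
            for e in entries if e["action"] == "Denied"
        ).items()),
    }


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    print("Rule hits:")
    for (rule, action), n in sorted(report["hits"].items()):
        print(f"  {n:5d}  {action:8s} {rule}")
    print("Configured rules with no hits (deletion candidates):", report["unused"])
    print("Rules seen in the log but not in the policy:", report["unknown"])
    print("Denied connections ((rule, protocol, host, port), count):")
    for key, n in report["denied"]:
        print("  ", key, n)
```

Two things to keep in mind when acting on the output. ISA evaluates firewall policy rules top to bottom and logs the rule that matched first, so a rule with zero hits may be shadowed by a broader rule above it rather than genuinely unused; check the rule order before deleting. And denies logged against "Default rule" are the connections no rule allowed at all, which is exactly the DNS and SMTP traffic the post had to add rules for.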
If all else fails then ISAServer.org is your friend, thanks Tom.
-Fr33ze