Forefront Edge Security - General Forum
A forum for the discussion of general issues and ideas regarding Forefront Edge Security (ISA Server)
© 2009 Microsoft Corporation. All rights reserved.
Mon, 30 Nov 2009 03:05:11 Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/f629ee1c-6e15-4550-be14-a024877f73d1
Author: TechFan (http://social.technet.microsoft.com/Profile/en-US/?user=TechFan)
Title: MagicJack. . .ISA 2004 blocking VOIP access somehow??

I just got a MagicJack and was hoping to test it on our network, but I can't get it to work behind our ISA 2004 firewall. The tech support says that our network is blocking ports 5060-5070 somehow.

I checked with our ISPs and they are not blocking those ports.

We have a dual WAN router outside our ISA. When I connect a machine directly to that subnetwork, the MagicJack works fine, so it has to be something with our ISA firewall setup.

I created an outgoing rule to allow ALL from a specific host (where testing the MagicJack), but it still doesn't work. I even tried disabling ALL (incoming/outgoing) other rules. Still nothing.

What can be blocking this from working when I am specifically allowing access?

Tue, 20 May 2008 05:59:23 Z | 2009-11-30T01:40:55Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/4fbba78c-7571-4a46-9ed6-a2bfdf9b39e8
Author: m.r.wallis (http://social.technet.microsoft.com/Profile/en-US/?user=m.r.wallis)
Title: ISA NTLM Default Domain in Credential Dialog

When ISA 2006 SP1 is asking a user to authenticate to a published site using NTLM in Internet Explorer (and IE pops up a username password prompt) is it possible to make ISA assume a particular domain name if the user just types "username" instead of "domain\username"?

I understand the default - which may be the client's behaviour - is to assume the name of the site, e.g. "sharepoint.blah.com\username" and that if this then falls back to "Basic Auth" I can set this in the web listener's properties - however this setting does not affect NTLM auth.
I need NTLM for domain joined machines and users, so they get logged in automatically.

These problematic client machines are not in the domain, so I cannot just get Integrated Auth (Kerberos/NTLM) to sign them in without prompting at all.

Thu, 26 Nov 2009 14:00:50 Z | 2009-11-26T14:00:51Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/b461815c-2c88-4b31-95a6-e802dbbebe8b
Author: davemoreton (http://social.technet.microsoft.com/Profile/en-US/?user=davemoreton)
Title: 412 Precondition Error with ISA Server

Hi

We are running ISA 2006 through an external firewall and having a problem getting to one website (www.funkyhampers.com)

If anyone going through the proxy server browses to funky hampers they get a 412 Precondition error; however, if I plug my laptop directly into the external firewall I can browse to the site no problems.
Even the ISA server itself is getting this message. I have checked the HTTP config and firewalls but can't figure this one out.

Can anyone shine a light on this?

Thanks
Dave

Wed, 25 Nov 2009 16:30:22 Z | 2009-11-26T07:08:18Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/936a0f3d-a5e4-47ee-b54b-a1b33d771d67
Author: Rob K Jr (http://social.technet.microsoft.com/Profile/en-US/?user=Rob%20K%20Jr)
Title: Access internal website via external names

I have a 2006 ISA server with 3 NICs, one internal, one external and one not used. A week ago the external NIC died so I switched the external network over to the "spare" NIC and all was well or so I thought. Prior to this issue I was able to access websites hosted internally with their external names. http://www.mysite.com worked both internally and externally.
Since the NIC change this no longer works.

Yes the websites work with internal IPs/names and yes they work from outside the network with external names. And yes I know I can set up internal names in my local DNS but I'd rather not have to do this twice, once for inside and once for outside.

Anyone have any idea why this no longer works or how to get this working again?

TIA
Rob

Mon, 23 Nov 2009 14:49:48 Z | 2009-11-25T15:58:43Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/1aad3714-51a9-448e-a2bb-624f9fc62454
Author: Jack Hac (http://social.technet.microsoft.com/Profile/en-US/?user=Jack%20Hac)
Title: ISA 2004 - Different subnets on one WAN NIC?

Finally nailed down the issue with the Ping issue, here comes another problem:

When we were with the old ISP, the WAN IPs were in the subnet, so there was no problem adding them onto one WAN NIC. With the new ISP, the IPs they gave us are on different subnets - how can I put them onto one WAN NIC?

Here is the information provided to us:

IP: 64.201.56.97 - this should be our WAN IP.
Default Gateway: 64.201.56.96, Subnet Mask: 255.255.255.254

Routed Block: 64.201.56.104/29
Useable addresses 64.201.56.105-110 - these are the IPs we want to assign to the Servers, Subnet Mask 255.255.255.248

If we put 64.201.56.97 AND 64.201.56.105 onto the same WAN NIC, it won't work because they're on different subnets.

Please advise!
Thanks a lot

Tue, 24 Nov 2009 14:31:37 Z | 2009-11-24T21:24:53Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/1c3ced70-f980-4af3-966d-d3888cb757c4
Author: Jack Hac (http://social.technet.microsoft.com/Profile/en-US/?user=Jack%20Hac)
Title: ISA 2004 - can't ping second external IP on the ISA server from outside

There are two NICs on our ISA Server 2004 - one external, one internal.

We used to have one external IP, and everything was working fine; I could ping the external IP address from outside.

Now we added the second external IP on the same NIC, and I still can ping the first IP, but can NOT ping the new one - I have restarted the ISA server box. And I created a second web listener using the new IP for publishing another webserver, but it's not working either, it's probably related to the Ping issue.

Any advice?

Thu, 19 Nov 2009 15:03:15 Z | 2009-11-23T20:29:37Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/57e34a04-23c2-407e-9963-3c478b6f2702
Author: merlion-steve (http://social.technet.microsoft.com/Profile/en-US/?user=merlion-steve)
Title: application filter on non-standard port

e.g. I am using a non-standard port 1000 for http traffic

firewall rule - public ip:1000 map to private ip:1000

will this connection be subject to http application layer filter?
if not, how to make the application filter apply?

Sun, 22 Nov 2009 18:34:28 Z | 2009-11-30T03:05:11Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/8dffe4e6-5bba-4f62-b7a7-586135bcdb99
Author: Corey Riley (http://social.technet.microsoft.com/Profile/en-US/?user=Corey%20Riley)
Title: Load Balance Inbound POP/IMAP/SMTP connections to Exchange 2007 with ISA 2006?

We have an ISA 2006 Cluster handling inbound traffic to our Exchange 2007 CAS servers. It handles load balancing for web traffic nicely, but it seems to be absent for the POP/IMAP/SMTP connections. Is there a way to achieve this with 2006 or Forefront Edge Security?
It just seems silly when ISA can load balance front end web servers, but it can't do the same for client mail traffic.

Thu, 19 Nov 2009 14:44:50 Z | 2009-11-25T08:45:16Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/8230a5ea-03a5-4b1a-a0c7-366f115df4e5
Author: Larakia (http://social.technet.microsoft.com/Profile/en-US/?user=Larakia)
Title: Forefront TMG 2010 (ISA) Enterprise Vs Standard features

Hi all
Where can I find a list of the differences between Forefront TMG 2010 (ISA) Enterprise Vs Standard features.

I manage a network that is global and have 60+ gateways. We are currently using another product for HTTP filtering.

I do not require Load balancing or an Array setup, but I would like to manage the 60+ systems from one console, i.e. (Forefront Server Security Management Console)

Scenario 1
I have URL Filtering enabled to stop users accessing a gambling site but management require access to the Lotto Results and I am asked to unblock http://thelottoresults.com
I would like to add the url and the override rule is then replicated to all servers

Can I manage the multiple std TMG 2010 servers from one console

Thanks Jeff

Thu, 19 Nov 2009 05:59:15 Z | 2009-11-26T02:43:26Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/c2eb3829-d097-43d3-92eb-92953cdac318
Author: LoboFX (http://social.technet.microsoft.com/Profile/en-US/?user=LoboFX)
Title: Configuring ISA Server to allow SIP softphone traffic

Hello there people.

We have here a Windows Server 2003 R2 Service Pack 2, connected to the internet through ADSL, and ISA Server 2004 (version 4.0.2161.50) installed on it.

We are now using a third-party VoIP solution to communicate with our customers (it's a service
called PABX Virtual, from a Brazilian company named Locaweb), and we use a softphone called eyeBeam, from CounterPath.

We have been using the service for some months now, and it works great most of the time. But sometimes we have some problems, especially with a new PSTN number we've just contracted with our SIP provider Locaweb. The two most common problems are:

- We hear the caller's voice but the caller can't hear us.
- The caller dials our PSTN number, then he/she reaches the virtual PBX recording, dials the wanted option and then the call is lost.

After some tests, our provider said that we are probably blocking some port here on our network. They told us to allow access specially to the range 10.000-20.000 UDP. However, since the beginning we did configure ISA server to allow these and other ports:

- Ports 5060-5061 TCP
- Ports 5060-5061 UDP
- Ports 10000-20000 UDP

But we've never been 100% sure if the way we did it is correct. We've tried a lot of combinations, but the actual configuration is something like this:

- We've created two new user-defined protocols:

  1. CounterPath eyeBeam (in):
     - 5060-5061, TCP, Direction: Inbound
     - 10000-20000, UDP, Direction: Receive Send
     - 5060-5061, UDP, Direction: Receive Send

  2. CounterPath eyeBeam (out):
     - 5060-5061, TCP, Direction: Outbound
     - 10000-20000, UDP, Direction: Send Receive
     - 5060-5061, UDP, Direction: Send Receive

- Then we've created an Access Rule like that:

  - Action: Allow
  - Protocols: CounterPath eyeBeam (in) and (out)
  - From: All Networks (and Local Host)
  - To: All Networks (and Local Host)
  - Users: All Users
  - Schedule: Always
  - Content Types: All

We did try with more appropriate sources and destinations (From and To fields), but at that time we ended up trying a more "wide" and desperate approach.

Do you have any clue what should be the correct configuration for using our VoIP solution behind ISA Server? Thanks in advance for any help.

Best regards,
Pedro.

Thu, 06 Nov 2008 20:00:20 Z | 2009-11-19T13:51:21Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/6c6cb81c-10bd-4028-94ba-9ca770c2b9de
Author: imprise (http://social.technet.microsoft.com/Profile/en-US/?user=imprise)
Title: SecureNAT entries in Sessions section...

Hi all;

In my network all of the clients are Web Proxy without the Gateway address. Now, when I check the Sessions tab of the Monitoring section, I can see several clients are SecureNAT? Why does this happen?

Thanks

Tue, 17 Nov 2009 12:12:01 Z | 2009-11-19T09:36:56Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/86e2642e-bd17-4076-828d-a1217ee573df
Author: ip-rob (http://social.technet.microsoft.com/Profile/en-US/?user=ip-rob)
Title: Trouble joining TMG EE to array

I have a machine I'm trying to join to an existing EE array. It always fails with the message:

Error: 0xc0040431
Forefront TMG services failed to start after a array join or an array disjoin. Check alerts, fix the configuration, and attempt to restart the services.

It seems like it isn't waiting long enough for a particular service to start. Just wondering if anyone else had this issue and a potential workaround?

Rob

Fri, 06 Nov 2009 14:35:57 Z | 2009-11-18T22:59:53Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/7372bb7e-a3b6-4b78-81ee-2ec3a22e9f53
Author: Jim Harrison IsaDewd (http://social.technet.microsoft.com/Profile/en-US/?user=Jim%20Harrison%20IsaDewd)
Title: TMG 2010 Ships!

http://blogs.technet.com/isablog/archive/2009/11/17/forefront-threat-management-gateway-2010-release.aspx

Jim Harrison Forefront Edge CS

Tue, 17 Nov 2009 23:12:31 Z | 2009-11-17T23:12:31Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/62f7f19c-3110-4ea7-a330-c4638fd08a05
Author: imprise (http://social.technet.microsoft.com/Profile/en-US/?user=imprise)
Title: Weird problem while I connect to my network by Remote Desktop

I use ISA Server 2006 with latest Service Pack and patch.
I configured VPN on my ISA Server and connect to my network by using Remote Desktop connection.

I have used this configuration for several months. But for several weeks I have had a weird problem. When I create the VPN session everything works well but when I execute the Remote Desktop Connection, the connection establishes but I can only see a black screen. In this situation, if I create a second RDP connection everything works well.

At first I thought this is the problem of the server that I want to connect, but I have this problem on all of my servers. Then I thought maybe the problem relates to the RDP application on my client, but I can connect to my other VPN server on another network. So, I think this is the problem of the ISA server...

Any idea?

Thanks

-Reza

Mon, 16 Nov 2009 19:28:01 Z | 2009-11-17T12:09:43Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/2e61f309-5fe8-4a72-8687-f9a68a803653
Author: cmlee (http://social.technet.microsoft.com/Profile/en-US/?user=cmlee)
Title: ISA 2006 AD Group Filtering Causes 403 Forbidden Error for OWA with RSA SecurID

I have an ISA 2006 server within the DMZ, so it is a single-homed server acting only as a reverse proxy for our internal OWA website. The ISA server is a member of the internal domain, and the ports for AD communication have been opened on the intranet firewall so that the ISA server can communicate with the internal domain controllers and internal DNS. RSA SecurID tokens are required for users to have two-factor authentication.

When the OWA publishing rule is set to allow the predefined ISA user group for "All Authenticated Users", there is no problem accessing the internal OWA site. When the OWA publishing rule is modified to contain only a specific AD user account or contain the AD group for remote users, the logon fails with the error "403 Forbidden.  The server denied the specified Uniform Resource Locator (URL),  Contact the server administrator. (12202)". After the credentials are entered, the page indicating that the session is being redirected appears right before the error is displayed.

In the ISA logs, the following error is received, generated by the "Default Rule" rather than the OWA publishing rule:

Denied Connection    ISASERVER 11/13/2009 9:30:12 AM
Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal (<Client_IP>)
Destination: (<ISA_IP>:443)
Request: GET http://webmail.domain.com/
Filter information: Req ID: 02a41bfb; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes
Protocol: https
User: (SecurID)<username>
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:

One thing I have noticed during testing is that if I remove the RSA authentication from the Web Listener that the OWA Publishing Rule uses, and instead just use the AD forms based authentication, users are able to log in when only a specific AD group is defined in the publishing rule. When RSA authentication is enabled, the RSA credentials are validated as the page displays the redirection page, which then fails with the 403 Forbidden error. Is there additional security or configuration that is required for the RSA authentication redirection page to work?

Fri, 13 Nov 2009 14:46:19 Z | 2009-11-23T02:06:45Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/149d39d7-c6e0-43de-a002-37f78fffacc0
Author: Anshu10 (http://social.technet.microsoft.com/Profile/en-US/?user=Anshu10)
Title: NLB error in ISA 2006

Hi,

We want to use ISA 2006 with NLB for publishing Exchange 2007 environment.

Server ISA001 is installed both as a CSS and ISA server. Single network adapter template is applied to the network.

The second node ISA002 gets added to the array. The problem starts when we configure NLB for the servers.

The intra-array communication fails. CSS server is not able to obtain membership status from ISA002.

We are using CISCO 4948 switch.

I had earlier posted this problem at Exchange server forum. They had advised me to come here.

Please help.

Anshu

Anshu

Fri, 19 Sep 2008 10:51:29 Z | 2009-11-12T15:50:48Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/3e617592-160b-4ab9-93bd-c66e11aa03d2
Author: AZIT (http://social.technet.microsoft.com/Profile/en-US/?user=AZIT)
Title: replacing hardware load balancer by ISA 2006 EE array

Hi,
Office Communication Server 2007 R2 enterprise edition servers within a pool do require a hardware load balancer. Internal clients connect to the pool. Now, would it be possible to use an ISA 2006 array instead of a hardware load balancer infrastructure? (I guess ISA Firewall client has to be installed on clients as well). The requirements for hardware load balancer are: http://technet.microsoft.com/en-us/library/bb870398.aspx (or at the bottom) - Is ISA 2006 able to fulfill these requirements? Support for that?

Thanks

Load Balancer Requirements for Office Communications Server 2007 Enterprise Pools
This topic lists requirements for a hardware load balancer deployed in an Office Communications Server 2007, Enterprise pool.

Prerequisites for a Load Balancer Connecting to a Pool
Before a hardware load balancer can connect to the Office Communications Server Enterprise pool, you must configure the following:

- A static IP address for servers within your pool.
- Using a load balancer in SNAT (source network address translation) mode is recommended for ease of deployment, however be aware each SNAT IP address on the load balancer limits the maximum number of simultaneous connections to 65,000. If you deploy load balancer in SNAT mode, ensure you configure a minimum of one SNAT IP address for each group of 65,000 users. (The open number of connections generally corresponds to the number of active users.) For example, in a deployment supporting 100,000 users, you would configure two SNAT IP addresses.
- If you use a DNAT (destination network address translation) load balancer for your Enterprise pools, the following is required:
  - Each pool must reside in a distinct IP subnet from other pools, because the Front End Servers in each pool must reside in this distinct IP subnet.
  - For a pool in the expanded configuration, only the Front End Servers must be placed in this distinct IP subnet. All other roles – the Web Conferencing, A/V Conferencing and Web Component Servers – must reside outside the distinct IP subnet for the Front End Servers. There is no additional restriction on how these other roles can be placed on the network.
- A VIP address and associated DNS record for the load balancer. See the DNS (Domain Name Service) section for more information.

Important:
The following requirements apply to all load balancers that are deployed in an Office Communications Server 2007, Enterprise pool. For information about configuring and deploying a particular brand and model of hardware load balancer, see the documentation that is included with the product of your choice.

A load balancer for an Office Communications Server 2007, Enterprise Pool must meet the following requirements:

- Expose a VIP Address through ARP (Address Resolution Protocol). The VIP must have a single DNS entry, called the pool FQDN and must be a static IP address.
- Allow multiple ports to be opened on the same VIP. The following ports are required.

Table 77 Hardware load balancer ports that are required for Office Communications Server 2007

Port Required | Virtual IP | Port Use
5060 | Load balancer VIP used by the Front End Servers | Client to server SIP communication over TCP
5061 | Load balancer VIP used by the Front End Servers | Client to Front End Server SIP communication over TLS; SIP Communication between Front End Servers over MTLS
135 | Load balancer VIP used by the Front End Servers | To move users and perform other "pool" level WMI operations over DCOM
444 | Load balancer VIP used by the Front End Servers | Communication between the internal components that manage conferencing and the conferencing servers
443 | Load balancer VIP used by the Web Components Server | HTTPS traffic to the pool URLs

- Provide TCP-level affinity. This means that the load balancer must ensure that TCP connections can be established with one Office Communications Server in the pool and all traffic on that connection will be destined for that same Office Communications Server.
- Each Front End Server must have an IP address that is directly routable within the internal network (specifically to allow communications between Front End Servers across different pools).
- The load balancer must provide a configurable TCP idle-timeout interval with its value set to 20 minutes or greater. This value must be 20 minutes or higher because it should be above the following values:
  - Maximum SIP connection idle timeout of 20 minutes (this is the major determining value).
  - SIP Keep-alive interval 5 minutes.
  - Maximum REGISTER refresh interval of 15 minutes in absence of keep-alive checks.
- Enable TCP resets on idle timeout; also disable TCP resets when servers are detected to be down.
- Front Ends within a pool behind a load balancer must be capable of routing to each other. There can be no NAT device in this path of communication. Any such device will prevent successful RPC between Front End Servers within a pool.
- Front Ends behind a load balancer must have access to the Active Directory environment.
- Front Ends must have static IP addresses that can be used to configure them in the load balancer. In addition, these IP addresses must have DNS registrations (referred to as Front End FQDN).
- Any computer running Office Communications Server 2007 administrative tools must be able to route through the load balancer to both the Pool FQDN as well as the Front End FQDN of every Front End in the pool(s) to be managed. In addition, there can be no NAT device in the path of communication to the Front Ends to be managed. Again, this is a restriction enforced by the usage of the RPC protocol by DCOM.
- The load balancer should support a least-connections-based Load balancing mechanism. This means that the load balancer will rank all Office Communications Server servers based on the number of outstanding connections to each of them. This rank will then be used to pick the Office Communications Server to be used for the next connection request.
- The load balancer must allow for adding and removing servers to the pool without shutting down.
- The load balancer should be capable of monitoring server availability by connecting to a configurable port for each server.

Important:
The monitor for ports 135 and 444 should open TCP connections to port 5060 or 5061 for determining server availability. Attempting to monitor ports 135 and 444 on the servers will cause the load balancer to incorrectly detect these servers to be available because these ports are open even though Office Communications Server is not running.

Wed, 11 Nov 2009 10:59:47 Z | 2009-11-12T10:58:33Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/ed352f4d-33b4-4df2-96e6-b3eb754d8f92
Author: imprise (http://social.technet.microsoft.com/Profile/en-US/?user=imprise)
Title: Why not assign Gateway address in ISA server's Internal Adapter?

Hi all;

Why not assign Gateway address in ISA server's Internal Adapter?

Thanks

-Reza

Wed, 11 Nov 2009 21:26:27 Z | 2009-11-11T22:36:33Z

Thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/47482802-7555-4b3d-ae13-21a18ddb28b3
Author: tnsudhi (http://social.technet.microsoft.com/Profile/en-US/?user=tnsudhi)
Title: Dns server issue

Dear All, We have 2 AD integrated DNS servers. And in DNS server we have put
forwarders to resolve the external queries. These DNS servers are used by ISA 2006 EE for name resolution. It was working fine. Recently we have some issue with ISP link. So when ISP link goes down and coming up like Variation is there. So once this happens suddenly our DNS server is not able to resolve external queries. It is able to resolve internal queries. Then if I restart the DNS service also it is not resolving. So the only thing is to restart then only it will work fine. Thanks Sudhir Mon, 02 Nov 2009 14:17:06 Z2009-11-10T07:55:56Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/483c6e44-abbd-46c6-a901-d50b62474af2http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/483c6e44-abbd-46c6-a901-d50b62474af2JasonTheBoyWonderhttp://social.technet.microsoft.com/Profile/en-US/?user=JasonTheBoyWonderInstalling ISA 2006 CSS on a Windows 2003 Domain Controller with DNSIs there a trick to installing the ISA 2006 CSS on a Windows 2003 Domain Controller with DNS? We keep getting a failure at the creation of the ADAM instance, and I see that it is a supported configuration. The best practices analyzer even says it is supported, so why would it have a problem?<br/><br/>Have done all the suggested things, (running the CD from hard drive, all updates applied, etc.) 
but no luck.<br/><br/>Error: Setup failed to install ADAM (0x80070002)<br/><br/>ISA 2006 EE<br/>Windows 2003 R2 EE (with all updates)<br/>VM with Windows 2003 DC &amp; DNS<br/>PDC for ISA domain<br/>single processor<br/>single NIC<br/>plenty of RAM and HD space<br/><br/>Any suggestions?Mon, 09 Nov 2009 16:17:01 Z2009-11-10T02:50:56Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/dbe5ed65-7779-4149-8528-64db24f5dd83http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/dbe5ed65-7779-4149-8528-64db24f5dd83ip-robhttp://social.technet.microsoft.com/Profile/en-US/?user=ip-robCan't get NAT Address setting to change trafficI have a TMG RC running on Server 2008 R2.  One NIC for public connection, one for private.  I have 3 IP's assigned to the public NIC, two of which are NLB clusters.  Everything works fine EXCEPT getting the NAT Address Selection to actually impact data.<br/><br/>I've set up a network rule that anything coming from the mail server uses NAT address .3 (3rd IP assigned to public NIC, it is an NLB cluster).  The traffic in the log still shows everything going out on the default IP of the TMG gateway.<br/><br/>Am I missing something simple?  Does this work in the RC?<br/><hr class="sig">RobThu, 05 Nov 2009 20:03:19 Z2009-11-06T14:33:54Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/e03f5b7c-7fcb-42f3-91e0-2aa55ec108f1http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/e03f5b7c-7fcb-42f3-91e0-2aa55ec108f1Rayhaanhttp://social.technet.microsoft.com/Profile/en-US/?user=RayhaanRDP to W2K8 R2 through ISA 2004 VPNHi Folks<br/> <br/> I have an ISA 2004 VPN connection and can successfully RDP to my Windows 2003 Servers. However I cannot RDP or ping any Windows 2008 R2 Servers from VPN connection. 
This has me puzzled as I can successfully RDP and ping all servers (Win03, Win08) when on LAN.<br/> <br/> Does this issue have to do with ISA 2004 or some settings of Windows 2008 R2? I was told to post this issue on the ISA forum to narrow/determine nature of issue.<br/> <br/> <br/> Rayhaan.Thu, 05 Nov 2009 05:36:19 Z2009-11-06T05:00:16Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/5eedd59c-69e1-48fc-9c0d-8e3d6e29d9c5http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/5eedd59c-69e1-48fc-9c0d-8e3d6e29d9c5Carpadumhttp://social.technet.microsoft.com/Profile/en-US/?user=CarpadumStrange HTTP Redirect / DMZ IISWe have a fairly large new IIS server (win 2008 x64) that hosts a number of websites (replacing 2003 box behind pix). We have a BUNCH of &quot;http redirects&quot; set up at the IIS level and also some in META code. We just moved this server behind an ISA 2006 firewall (in DMZ) and now none of the redirects work. For instance if I hit a site <a href="http://www.domaina.com/">www.domainA.com</a> which has an HTTP Redirect to <a href="http://www.domainb.com/">www.DomainB.com</a> and both of these sites are on the same server then a few thousand requests start looping for DomainA.com. We think this behavior is related to host headers not passing around properly. <br/>ISA shows a HTTP Status Code of 304 Not Modified and error info 0x580 <br/>I also see the following entries related to cache. <br/>0x40801012 (Request includes the IF-MODIFIED-SINCE header. Request includes the VIA header. Request includes the IF-NONE-MATCH header. Response includes the LAST-MODIFIED header. Response should not be cached.) <br/>There are no deny actions reported in the log just thousands of &quot;allow connection&quot; over and over again. <br/>The browser received this message from the ISA server. <br/>Error Code: 500 Internal Server Error. The number of HTTP requests per minute exceeded the configured limit. 
Contact the server administrator. (12219) <br/>We need to know how to fix this. I know I could create a rule to deny <a href="http://www.domaina.com/">www.domainA.com</a> and then send the request to <a href="http://www.domainb.com/">www.domainB.com</a> however we need to do this at the server for many reasons. It was never an issues when we used a pix firewall and windows 2003. Detailed help would be great. Thanks Tue, 20 Oct 2009 14:57:50 Z2009-11-03T00:15:45Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/a68f8885-1da2-4637-9d0c-7a1e62e0be65http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/a68f8885-1da2-4637-9d0c-7a1e62e0be65Vahid Rashmanihttp://social.technet.microsoft.com/Profile/en-US/?user=Vahid%20Rashmaninew version ISAhi<br/> what is the new version of ISA?<br/>Mon, 02 Nov 2009 15:27:38 Z2009-11-07T14:34:31Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/4bb2aa4a-aa2b-42e2-8d4c-009708ef32dbhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/4bb2aa4a-aa2b-42e2-8d4c-009708ef32dbwsg2http://social.technet.microsoft.com/Profile/en-US/?user=wsg2ISA Server cannot load the property page<span class=value>In System Policies, under Remote Management | Ping and Diagnostic Services | ICMP, all of the networks have disappeared in the To and From tabs respectively. I get the error message &quot;ISA Server cannot load the property page. Error: 0x80070002. The system cannot find the file specified.&quot;<br/> <br/> When I try to add a network such as Internal and save, I get &quot;The changes cannot be saved. 
Error: 0xc0040357&quot; and &quot;The Network referenced by Policy Rule Allow ICMP (PING) requests from selected computers to ISA Server does not exist.&quot;<br/> <br/> I am running Microsoft ISA Server 2006 Version: 5.0.5723.493 on Win2003 Server EE SP2.<br/> <br/> I have tried recreating the mmc to no avail...<br/> <br/> Any thoughts?</span>Tue, 27 Oct 2009 21:25:56 Z2009-10-31T13:16:22Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/4cdac057-43aa-4b34-b563-8517343e7ffehttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/4cdac057-43aa-4b34-b563-8517343e7ffeV. Prakash Choudharyhttp://social.technet.microsoft.com/Profile/en-US/?user=V.%20Prakash%20ChoudharyISA LOAD BALANCINGGuys,<br/><br/>We have some performance issue going on ISA servers, its two nodes configuration running as load balancing, the version is ISA 2004 enterprises sp3, <br/><br/>What would be the best way to stop this load balancing manually so that we could make one node down and do the windows fragmentation as suggested by microsoft for our performance issue.<br/><br/>Do we need to stop service manually in ISA console? what would be the best practise?<br/><br/>any suggestion on this?Fri, 23 Oct 2009 07:12:35 Z2009-10-30T15:32:43Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/84eebac2-9af1-4a81-9652-c6f47a17b7fbhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/84eebac2-9af1-4a81-9652-c6f47a17b7fbjames2k8http://social.technet.microsoft.com/Profile/en-US/?user=james2k8http redirector????Hi,<br/> <br/> I need to enable http redirector filter for ISA 2006 as our clients are not being filtered by websense when using firewall client.  I can't find this filter anywhere.  
Please help.<br/> <br/> Many thanksWed, 28 Oct 2009 07:56:45 Z2009-11-04T08:13:41Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/a48f62eb-19a9-411b-bd86-20c2ebf27deehttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/a48f62eb-19a9-411b-bd86-20c2ebf27deejames2k8http://social.technet.microsoft.com/Profile/en-US/?user=james2k8FTP denied access and ISA 2006<span class=value>Hi,<br/> <br/> I've created a rule that allows FTP traffic from internal to external for everyone under firewall policy.  Now FTP access works in IE but I'm trying to access this through one of the FTP client software called Core FTP (free).  I've specified proxy details but still am not getting through ISA.<br/> <br/> Looking at monitoring in ISA, I get 59 An unexpected network error occurred. Source is from client and destination is ISA.  So I'm not even getting through ISA.  Also user is anonymous.  Looks like user is not being authenticated either?<br/> <br/> Please advise.</span>Thu, 22 Oct 2009 05:16:54 Z2009-10-29T06:56:13Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/43a60987-134b-4334-8ea7-3b45ea6ffe5bhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/43a60987-134b-4334-8ea7-3b45ea6ffe5bMohammad Nasirihttp://social.technet.microsoft.com/Profile/en-US/?user=Mohammad%20NasiriCan ISA server filter traffic that are not coming to its NIC?Hi:<br/><br/>I want to know if ISA can filter traffic on the network that are not directly connected to the ISA Server!!!<br/>I don't know how to exactly explain it!!!<br/><br/>I have a network that I want to filter traffic to some servers, I have connected ISA server to one of the switch ports, and I want to know that, can ISA Server filter traffic that are not coming to its NIC? 
or no?<br/>Thank you.<br/> <hr class=sig> Network is my LOVEMon, 26 Oct 2009 11:01:02 Z2009-11-03T01:34:41Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/332760a4-90ce-41ca-8010-e523c3aa8fdahttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/332760a4-90ce-41ca-8010-e523c3aa8fdaGiuseppe Mercatantehttp://social.technet.microsoft.com/Profile/en-US/?user=Giuseppe%20MercatanteWake on LAN through ISA 2006 SP1Hi to all,<div>I need to enable WOL through ISA. </div><div>I have created a rule to allow the UDP 9 from source to destination, but the packet is discarded with the following code:</div><div><br></div><div>FWX_E_BROADCAST_PACKET_DROPPED<br></div><div><br></div><div>Thanks a lot for the help.</div>Mon, 05 Jan 2009 16:38:43 Z2009-10-24T09:34:51Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/829b6386-76a2-42c8-9c33-5f09551816f2http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/829b6386-76a2-42c8-9c33-5f09551816f2james2k8http://social.technet.microsoft.com/Profile/en-US/?user=james2k8ISA 2006 + AD groups SyncHi,<br/> <br/> For some reason when I make changes to AD groups, ISA 2006 does not replicate the changes down.  Is it possible?Sat, 24 Oct 2009 07:11:47 Z2009-10-30T02:58:29Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/c5bb8ec3-537d-42f9-87db-a2d32ccf1f8ahttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/c5bb8ec3-537d-42f9-87db-a2d32ccf1f8aksnbhttp://social.technet.microsoft.com/Profile/en-US/?user=ksnbpublish exchange2007 owa, activesync, pop AND imap with single nic configuration?We have isa 2006 sp1 deployed on server 2003 fully patched. ISA is currently a single nic configuration. We use it for proxy for a few servers. We will be transitioning to exchange 2007 next month. 
I have a test deployment of ex2007 up, with separate CAS/hub box, separate mailbox server and a separate w2003 domain controller which also has ex2003 mailboxes.  I have successfully published  OWA and activesync using our production isa box with its single nic configuration.<br/>I need to be able to also publish pop and imap (both over ssl). I don't have much isa server experience, as you can tell by now. <br/>I know I read somewhere that if I installed an exchange 2007 publishing wizard, I could use it for pop, imap, owa and activesync but find that not to be the case.<br/>It seems I have to have a dual nic config in isa to be able to publish the pop and imap?Fri, 23 Oct 2009 20:47:29 Z2009-10-23T22:51:26Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/da435f84-4790-4281-9a3c-3392440477bchttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/da435f84-4790-4281-9a3c-3392440477bcFabio Firsthttp://social.technet.microsoft.com/Profile/en-US/?user=Fabio%20FirstNLB ISA EE 2006Hi people!<br/> <br/> I have a big problem in my environment.<br/> <br/> 2 ISA with NLB.<br/> <br/> 1 NIC Internal<br/> 2 External (DMZ)<br/> 3 Intra-array<br/> <br/> <br/> My problem occurs in replication communication between nodes of NLB.<br/> <br/> The NLB uses NIC internal for communications and my lan network starts to drop packets, because the <br/> <div dir=ltr>communication occurs by internal lan.<br/> <br/> I need to configure communications between by NIC dedicated intra-array..<br/> <br/> Help me... 
I need shutdown a Isa server, because user's don't worked!</div>Tue, 29 Sep 2009 12:32:41 Z2009-10-23T07:01:37Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/38609a86-9e7f-4f0e-9ca4-3b40f2560865http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/38609a86-9e7f-4f0e-9ca4-3b40f2560865Jose Osorio R.http://social.technet.microsoft.com/Profile/en-US/?user=Jose%20Osorio%20R.publish internal crm 4 (port:5555) by isa 2006<p>Hi All,<br/><br/>I´m Trying to publish my crm 4.0 by isa 2006, so i read this post <a href="http://blogs.technet.com/isablog/archive/2008/07/23/publishing-microsoft-crm-4-0-through-isa-server-2006.aspx">http://blogs.technet.com/isablog/archive/2008/07/23/publishing-microsoft-crm-4-0-through-isa-server-2006.aspx</a>.<br/><br/>Internally i access to crm by port 5555 (<a href="http://srvcrm:5555">http://srvcrm:5555</a>) and i want to publish crm by port 443. It means isa receive request to port 443 and redirect to port 5555.<br/><br/>what would be the <span><strong>IFD Configuration </strong>for me?<br/></span><br/>Authentication Strategy : IFD + on Premise<br/><br/>IFD Internal Network Address and Subnet Mask : x.x.x.x - 255.255.255.0<br/><br/>IFD Domain Scheme :  HTTPS<br/>IFD App Root Domain : externaldomain.com:433<br/>IFD SDk Root Domain : externaldomain.com:433<br/><br/>AD Domain Scheme : HTTP<br/>AD App Root Domain : srvcrm:5555<br/>AD SDK Root Domain : srvcrm:5555<br/><br/>Is this ok?<br/><br/>Thanks.<br/><br/><br/></p>Wed, 21 Oct 2009 15:04:52 Z2009-10-29T06:54:56Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/55c5e3a1-4cd4-41f9-8158-addb524ea4a3http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/55c5e3a1-4cd4-41f9-8158-addb524ea4a3bsnyder-bscaleshttp://social.technet.microsoft.com/Profile/en-US/?user=bsnyder-bscalesISA 06, Exchange 07 OWA & Win2k8I have a problem when I try to access OWA it doesn't let me in. 
But if i ping my exchange server then try OWA it works fine. It's the strangest thing. If I try to log the traffic on the ISA server I don't see traffic until I ping the server first. <br /> <br /> After about 3-5 minutes of an idle connect to reverts back to not working then I have to ping it again.<br /> <br /> Ideas?<br /> <br /> Thanks<br /> -BFri, 09 Oct 2009 15:40:18 Z2009-10-19T07:33:27Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/2abe7f9e-1867-45cc-b80d-b11ecedb9b7ehttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/2abe7f9e-1867-45cc-b80d-b11ecedb9b7ejames2k8http://social.technet.microsoft.com/Profile/en-US/?user=james2k8Help with latest version of ISAHi,<br /> <br /> I've been doing a bit of a research on the latest version of ISA and i'm a little confused on the product line.&nbsp; From what I can understand MS forefront TMG is the next version of ISA and it only runs on windows 64-bit version.&nbsp; My problem is that I can only see MS forefront TMG for medium size business on the volume licensing service center website.&nbsp; Our business has more than 400 users so this version wouldn't be suitable for us.&nbsp; I need to a product that will accommodate our needs.&nbsp; I basically need to run latest version of ISA with windows 2008, preferably 32-bit platform.&nbsp; Please help?<br /> <br /> Thanks,<br /> JamesWed, 14 Oct 2009 00:00:50 Z2009-10-19T07:30:14Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/994ca637-d318-49d8-8f6f-1bd1a79aec3fhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/994ca637-d318-49d8-8f6f-1bd1a79aec3fRupandhttp://social.technet.microsoft.com/Profile/en-US/?user=RupandISA server 2006 - FTP server problemsHi<br /><br />I have a problem with ISA server 2006, Windows Server 2003 R2 and&nbsp;FTP session.<br /><br />A FTP server is published through&nbsp;the ISA server. 
When the FTP client uploads lots of small files the session halts after around 30 secs. When uploading large files (200 mb) everything is going fine.<br /> <br />I have run some different tests and the result seems to be that the ISA server is the problem.<br /><br />Anyone who has experienced this problem?<br />Tue, 06 Oct 2009 13:27:52 Z2009-10-19T01:43:05Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/da8a0087-22ee-4cb3-a1db-23e14dab671dhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/da8a0087-22ee-4cb3-a1db-23e14dab671dJim Harrison IsaDewdhttp://social.technet.microsoft.com/Profile/en-US/?user=Jim%20Harrison%20IsaDewdForefront TMG 2010 Release Candidate Has Hit The Web!<p>Hi All,</p> <p>I'm happy to share with you that the Forefront TMG 2010 RC is available for download. Please see the following <a title="ISABlog post" href="http://blogs.technet.com/isablog/archive/2009/10/11/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx">blog post</a> for more information about the RC content. 
The actual download location is <a title="TMG RC Download link" href="http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=e05aecbc-d0eb-4e0f-a5db-8f236995bccd">here</a>.</p> <p>We are also in the process of updating our Connect web site with German and Japanese versions of TMG RC. If you speak either of these languages, we would be very happy to hear your feedback about them.</p> <p>As always, thank you for your continued support.</p> <hr class="sig" /> Jim Harrison Forefront Edge CSSun, 11 Oct 2009 15:14:11 Z2009-10-13T17:58:01Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/34f35fac-b92c-4a1e-958b-6a75cc551e0chttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/34f35fac-b92c-4a1e-958b-6a75cc551e0csalman gilanihttp://social.technet.microsoft.com/Profile/en-US/?user=salman%20gilaniISA 2006 BEHIND ASA FIREWALL AND DNS MESS<p>I have configured ISA 2006 as edge firewall behind ASA, right now I have configured ISA to use internal and external dns through network cards, which has created a big mess, internal users are not able to access websites, often they have to click refresh button and then they can access, since ISA does not know which is internal dns query and which is external, I around 10 sites and routing is done through CISCO router, I have configured persistent routes in ISA to handle traffic, I unchecked IP ROUTING feature from 
ISA, my DOMAIN controllers are in same network as ISA server, but domain controller points to cisco routers as gateway, so in return, when I remove external dns to forward external dns traffic from internal users to outside it does not work, in past if we were to forward dns traffic from DC to external dns, you would need to define ISA as default gateway.<br/>From ASA all traffic is allowed, but I still feel UDP 53 PORT should be opened exceptionally for dns forwarding traffic, for some reason I cannot get name resolution done through AD.<br/><br/>I have configured NAT Rule on ISA From internal to external and both adapters are using private IP addresses, if we use route then some traffic like pop 3 does not work.<br/><br/>Microsoft Input is required on this.<br/><br/>Regards,<br/><br/>Salman Gilani</p>Thu, 17 Sep 2009 17:51:18 Z2009-10-13T17:28:38Zhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/eef95617-f684-442a-a7c2-893507bcd9bfhttp://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/eef95617-f684-442a-a7c2-893507bcd9bfMerrick59http://social.technet.microsoft.com/Profile/en-US/?user=Merrick59Redirecting client to a specific homepage with ISA or similar tools.<p>There is a network on a public library which client can access to the internet via wireless connection. The problem is we want them to see a specific homepage when they try to access the internet to show them the rules they have to consider while using internet via our servers. 
Is there anywhere in ISA or any other similar program that provides this service?</p> <p>Thank you in advance.</p>Tue, 13 Oct 2009 16:21:22 Z2009-10-14T06:55:34Z