Many thanks to Chris Mohan for an excellent talk and also for putting together this great ISA braindump.
Excellent resources and places to read about ISA:
http://www.isaserver.org
ISA Server Product Team Blog
http://blogs.technet.com/isablog/default.aspx
Internet Security and Acceleration (ISA) Server TechCenter
http://www.microsoft.com/technet/isa/default.mspx
Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2
http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_5.mspx
Virtual Labs
http://technet.microsoft.com/en-us/bb499665.aspx
Avoiding things going too wrong when playing with ISA:
- Review your ISA rules and understand what they do and who they affect
- Plan, plan, PLAN before you make changes - include the network, Exchange and security teams (if they aren't all you)
- Make sure all the Exchange stuff works internally (OWA, RPC over HTTPS, ActiveSync) before working on the ISA
- Make sure DNS name resolution works internally and externally
A couple of questions asked during the ISA talk (from memory)
Question: how to control Mac machines?
They can only be SecureNAT clients and use rules which allow unauthenticated traffic (the All Users group). However, basic authentication (clear-text usernames and passwords across the network!) can be used as an option under Networks > Web Proxy > Authentication, then adding Basic authentication.
First, you'll want to make sure that you're publishing the WPAD file via DNS and/or DHCP (I personally do both).
Once you've done that, having OS X autoconfigure is easy! Open up the Network preference and select the network connection that you want to work with. Go to the Proxies tab.
Under the "Select a proxy server to configure", scroll all the way to the bottom and then select "Automatic Proxy Configuration". To the right, for the URL specify the path to the WPAD configuration file (even though it specifies a .pac file):
http://server.domain.tld:8080/wpad.dat
Make sure "wpad.dat" is in lower case; ISA is case-sensitive!
That is all there is to it.
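To make the "Automatic Proxy Configuration" step concrete, here is what a wpad.dat-style proxy auto-config (PAC) script looks like. This is an added example, not ISA's own auto-generated wpad.dat: the proxy host name, port and internal domain are assumptions, and because PAC engines supply helpers such as dnsDomainIs() and isInNet() that plain Node.js lacks, the same checks are written with ordinary JavaScript so the script runs stand-alone.

```javascript
// Added example: a minimal wpad.dat-style PAC script (constructed, not ISA's own output).
// Assumed values: the ISA web proxy listener and the internal DNS suffix.
const ISA_PROXY = "PROXY server.domain.tld:8080"; // assumed ISA web proxy listener (port 8080)
const INTERNAL_DOMAIN = ".domain.tld";            // assumed internal DNS suffix

// True when host is a dotted-quad inside 10.0.0.0/8 (assumed internal range).
// A real PAC would use isInNet(host, "10.0.0.0", "255.0.0.0").
function isInternalAddress(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 10;
}

// Entry point every PAC engine calls for each request.
// Returns "DIRECT" for intranet targets (Exchange, the DC, OWA internally)
// and the ISA listener for everything else, so internet-bound HTTP/HTTPS
// hits ISA's "authenticated users" access rule instead of going around it.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Unqualified names (no dot), localhost and the internal suffix stay off the proxy.
  if (h.indexOf(".") === -1 || h === "localhost" || h.endsWith(INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Raw internal addresses also go direct.
  if (isInternalAddress(h)) {
    return "DIRECT";
  }
  // Everything else is sent through ISA.
  return ISA_PROXY;
}
```

The client executes whatever script the wpad lookup returns, so the DNS and DHCP entries that point at it are the thing to keep under control: review them as part of the rule review above, and keep the URL in lower case as noted.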
Do you need the Mutually authenticate the session when connecting with SSL check box?
Although not strictly necessary, you can select the Mutually authenticate the session when connecting with SSL check box. Doing so lets the RPC proxy server (or HTTP forward proxy server) authenticate the connecting client by using the client's certificate as well as the server certificate. When you select this option, the client must provide the expected server principal name to the server's Security Support Provider (SSP) module. If you use Microsoft standard syntax, use the "msstd:" prefix followed by the FQDN of the RPC proxy server.
In place upgrade from ISA 2004 to ISA 2006
Upgrade Guide for ISA Server 2006 Enterprise Edition
http://www.microsoft.com/technet/isa/2006/Upgrade_Guide_EE.mspx
Setting up NLB with virtual machines?
VMware Workstation has problems doing this in unicast mode, but MS Virtual Server works fine. So use Virtual Server to go Enterprise ISA 2004/2006 load-balancing mad if you want to play with arrays :-)
A rough guide to the Test network I was playing with at the demo – very handy to have around for testing new rule sets before dropping them on a production network!
Test Network
1 - 2003 Server domain controller running Certification Services in Enterprise Root mode
1 - 2003 Server running Exchange 2003 SP2, with a web certificate issued to the default web site and the RPC over HTTP option installed
Configure RPC over HTTPS on a Single Server: http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
1 - 2003 Server running ISA 2006 with support pack; 2 network cards, one for the internal network and the other for the external
Basic rules are below.
1 - XP SP2 machine running Outlook 2003 SP3. Join this machine to the domain, ensure it automatically receives a root certificate, and then set it up to use Outlook via HTTPS. Then test that OWA is working correctly. Once it's all working, swap it to the external network, connected directly to the ISA's external interface, and drop in some hosts file entries for the externally published OWA/RPC names.
Rules in order
- Allow: DNS from DC to external for all users
- PUBLISH: SMTP from External to Exchange server ip address
- Allow: SMTP Outbound from Exchange server to external for all users
- PUBLISH: Outlook Web Access (SSL) from External to Exchange server SSL certificate
- How to publish Outlook Web Access (OWA) on ISA 2006 http://www.shijaz.com/isaserver/isa2006_publish_owa.htm
- Allow: HTTP & HTTPS from Internal network to External network for authenticated users
- Default Deny All rule
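Rule order matters because ISA evaluates firewall policy top to bottom and applies the first match, which is why the Deny All sits last and why an unauthenticated Mac (SecureNAT, see the question above) never gets past the "authenticated users" HTTP/HTTPS rule. The evaluator below is an added example, not ISA code, and simplifies things (publishing rules and access rules are modelled alike, the system policy is ignored, and the host names and addresses are constructed for the demo network), but it lets you check a candidate flow against the rule set before changing anything on the box.

```javascript
// Added example: first-match evaluation of the rule set above (constructed model, not ISA's engine).
// Hosts are mapped to the ISA network they live in; all names below are assumptions.
const NETWORK_OF = {
  "dc.domain.tld": "Internal",
  "exchange.domain.tld": "Internal",
  "mac-laptop.domain.tld": "Internal",      // SecureNAT client, cannot authenticate
  "mail.example.net": "External",
  "resolver.example.net": "External",
  "www.isaserver.org": "External",
};

// Each rule: action, protocols, from, to and a users condition.
// "any" matches everything (ISA's All Users / All Networks); "authenticated" needs a user.
const RULES = [
  { name: "Allow DNS from DC",            action: "allow", protocols: ["DNS"],           from: ["dc.domain.tld"],       to: ["External"],            users: "any" },
  { name: "Publish SMTP to Exchange",     action: "allow", protocols: ["SMTP"],          from: ["External"],            to: ["exchange.domain.tld"], users: "any" },
  { name: "Allow SMTP out from Exchange", action: "allow", protocols: ["SMTP"],          from: ["exchange.domain.tld"], to: ["External"],            users: "any" },
  { name: "Publish OWA (SSL)",            action: "allow", protocols: ["HTTPS"],         from: ["External"],            to: ["exchange.domain.tld"], users: "any" },
  { name: "Allow HTTP/HTTPS out (auth)",  action: "allow", protocols: ["HTTP", "HTTPS"], from: ["Internal"],            to: ["External"],            users: "authenticated" },
  { name: "Default Deny All",             action: "deny",  protocols: ["any"],           from: ["any"],                 to: ["any"],                 users: "any" },
];

// An endpoint entry matches a host directly or by the network the host belongs to.
function matchesEndpoint(entries, host) {
  return entries.some(e => e === "any" || e === host || e === NETWORK_OF[host]);
}

// flow = { proto, src, dst, user }; user is null/undefined for unauthenticated (SecureNAT) traffic.
// Returns the first matching rule's action and name; with no match at all, ISA denies.
function evaluate(flow, rules = RULES) {
  for (const r of rules) {
    if (!(r.protocols.includes("any") || r.protocols.includes(flow.proto))) continue;
    if (!matchesEndpoint(r.from, flow.src) || !matchesEndpoint(r.to, flow.dst)) continue;
    if (r.users === "authenticated" && !flow.user) continue;
    return { action: r.action, rule: r.name };
  }
  return { action: "deny", rule: "implicit deny" };
}

// Quick self-check when run directly: the unauthenticated Mac is blocked, the same user authenticated is not.
if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluate({ proto: "HTTP", src: "mac-laptop.domain.tld", dst: "www.isaserver.org", user: null }));
  console.log(evaluate({ proto: "HTTP", src: "mac-laptop.domain.tld", dst: "www.isaserver.org", user: "alice" }));
}
```

Flows that are not explicitly published (plain HTTP to the Exchange server from outside, DNS from anything other than the DC) fall through to the Deny All rule, which is the behaviour you want to confirm before the rule set goes near production.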