
DSL Router and ISA Server on SBS 2003 R2

 
 
Bikini Browser
      07-27-2007, 05:52 PM
Hey everyone! I hope all of you are well...

I have never used ISA server before so I really need help.

I have a "2Wire" (that's the name brand) DSL Router that has a built-in
Firewall. I also have a SBS 2003 R2 Premium server
with ISA on it. I don't want to use the firewall on the DSL Router. I want
the 10 user network to use the ISA Firewall.

I was thinking that I would wire the network as follows...

I would run one cable from the DSL router directly to one of the two NICs
in the ISA server and it would have a public DHCP IP address. (DMZ Mode)

Then I would run another separate cable from the Other NIC on the ISA Server
to the HUB (Switch) on the network thereby creating two segments on the LAN.
I think DHCP would come from the SBS ISA server and it would tell the
workstations to use the ISA server as the default gateway and that would give
everyone Internet Access.

Am I correct? Is this the way to do this?

Please advise....

Bikini Browser


 

Cris Hanna [SBS-MVP]
      07-27-2007, 06:13 PM
The correct way to do this is:
Internal NIC connected to switch with all workstations
External NIC connected to the DSL router....with a Static IP. Basically turn off the DHCP function on the router and assign the NIC connecting to it a static IP in the same subnet as the router's LAN address

Go into the Web Interface of DSL router, you should be able to disable its firewall function.

Then just run the connect to the internet wizard on the SBS and it takes care of ISA configuration (assuming that ISA came with the SBS Software as a part of the premium package)


--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

Colin
      07-27-2007, 06:22 PM
Hi,

Don't put the external NIC of your server in a DMZ; this will bypass all
firewall functions of your 2Wire Intelligent Gateway leaving ISA as your only
firewall. Use the built-in firewall and forward only the required ports for
OWA, RWW, etc from the router to your external NIC as necessary (if you don't
intend to use these services, don't forward them). Run the CEICW and SBS as
the DHCP server will instruct all workstations to use the SBS box as the
default gateway and ISA will use the 2Wire as its default gateway in turn.

Regards Colin.

 
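A check of the addressing plan discussed in the replies above (static external NIC in the router's LAN subnet, SBS as the workstations' default gateway, only required ports forwarded), as an added example that is not part of any post in this thread. The plan dictionary, its key names and every address and port in it are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_interface


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    router = ip_interface(plan["router_lan"])         # router's LAN address
    external = ip_interface(plan["server_external"])  # NIC cabled to the router
    internal = ip_interface(plan["server_internal"])  # NIC cabled to the switch

    # External NIC: static address inside the router's LAN subnet.
    if external.network != router.network:
        findings.append("external NIC is outside the router's LAN subnet")
    if external.ip == router.ip:
        findings.append("external NIC duplicates the router's own address")
    if plan["router_dhcp_enabled"]:
        findings.append("router DHCP is still enabled")
    # The server itself routes out through the router.
    if ip_address(plan["server_gateway"]) != router.ip:
        findings.append("server's default gateway is not the router")
    # Two routed segments need two distinct subnets.
    if internal.network.overlaps(router.network):
        findings.append("internal LAN overlaps the router-side subnet")
    # Workstations are told (by DHCP on the server) to use the server.
    if ip_address(plan["client_gateway"]) != internal.ip:
        findings.append("workstations' gateway is not the server's internal NIC")
    # Exposure on the router side.
    if plan["router_dmz_mode"]:
        findings.append("router DMZ mode is on: ISA is the only firewall")
    else:
        extra = sorted(set(plan["forwarded_ports"]) - set(plan["required_ports"]))
        if extra:
            findings.append(f"forwarded but not required: {extra}")
    return findings


# Constructed sample plans (hypothetical addresses and ports).
GOOD = {
    "router_lan": "192.168.1.254/24",
    "router_dhcp_enabled": False,
    "router_dmz_mode": False,
    "server_external": "192.168.1.2/24",
    "server_gateway": "192.168.1.254",
    "server_internal": "192.168.16.2/24",
    "client_gateway": "192.168.16.2",
    "forwarded_ports": [443],
    "required_ports": [443],
}
BAD = dict(
    GOOD,
    router_dhcp_enabled=True,
    server_internal="192.168.1.10/24",   # same subnet as the router side
    client_gateway="192.168.1.254",      # clients pointed past the server
    forwarded_ports=[443, 3389],
)

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_plan(plan) or "no findings")
```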
Colin
      07-28-2007, 11:52 AM
Hi Cris,

I've got to ask - why disable the router's firewall? This puts all firewall
duty onto ISA. Surely keeping the router's (limited) firewall on and
forwarding the required ports is a better way to go? I can't see the point
of disabling an extra level of security just for the sake of it.

Regards Colin.

Phillip Windell
      07-30-2007, 09:38 PM
"Colin" <(E-Mail Removed)> wrote in message
news:8162310F-533A-48B4-851B-(E-Mail Removed)...
> Hi Cris,
>
> I've got to ask - why disable the router's firewall? This puts all
> firewall duty onto ISA. Surely keeping the router's (limited) firewall on
> and forwarding the required ports is a better way to go? I can't see the
> point of disabling an extra level of security just for the sake of it.


If I left the "router" there, I would probably leave it fully
functional, but the problem is that it is creating a Back-to-Back DMZ
between it and the SBS/ISA. That is fine if you know how to deal with
that, but most of the time such things get in the way of the admins more
often than they usefully stop anything "bad" from happening.

In most cases I would throw out the "router" and the ISA would *be* the
"router" for me. Unless the Connection uses PPPoE, then the SOHO "router"
would probably deal with that better and so I would keep it, although my
first choice there would be to ditch the ISP and get a Connection that
didn't use PPPoE and had a true Static Public IP#(s), and I don't mean the
"sticky IP" crap which is just a DHCP Reservation.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.

Cris Hanna [SBS-MVP]
      07-31-2007, 06:01 PM
While I'm not terribly opposed to multiple layer firewalls, it can make troubleshooting particularly painful for the inexperienced and I think the OP said that was his plan, to use ISA vs the router's firewall.

--
Cris Hanna [SBS-MVP]

Bill Grant
      08-01-2007, 01:00 AM
I agree with that, Cris. Back to back firewalls are not for the
inexperienced. And I would use ISA rather than the firewall provided with a
DSL "router".

BMillikan
      10-06-2007, 08:56 PM
I have pretty much the same configuration as described here. I have ISA
2004, but I'm not currently using it as after I installed it and the "wizard"
came up I could no longer connect to the internet from the client
computers/devices (XP, Linux, Vista x64, Mac OS X, PS3, network printer that
can grab updates from its web site, HP iPAQ, Linksys WAP, etc). My DSL
router is a Westell 6200 and has an optional USB connection (which it
recommends for higher speeds), but I'm currently just using a regular 10/100
NIC for the DSL modem and an integrated (it's a Dell Optiplex computer)
10/100 NIC for the internal network.

The Internet seems to be working fine for both the Win 2k3 SBS R2 server and
all the client computers/devices. However, when I run the connection wizard
it gives me an error during "Network setup". I have it continue on and
everything else seems to setup just fine. I had a Westell 2200 DSL modem
that is also a firewall/router that I used to set to "Bridged Ethernet" mode
and turned its DHCP off and connected it to a Linksys VPN firewall/router.
That was nice because I could see my static IP address, the DNS IPs, the
gateway IP and all that jazz as it was assigned to me by my ISP (I didn't
have to type it in manually). The thing is that my ISP requires a PPPoE
authentication (which the Linksys router supported). I posted on another MS
forum and was told that the Win2k3 PPPoE doesn't work properly? Is this
true? I guess the real question is how do I get my Win2k3 SBS R2 server
setup with (hopefully) just the DSL modem so that I can sell the Linksys VPN
router as I should no longer need it?

There are lots of options as you mentioned in this thread. Just opening up
the ports that are needed on the DSL modem is an option and I did turn off
the DHCP on the modem and plugged in a static IP address for the external
ethernet adapter on the modem's subnet (so that I can get to the setup page,
which I couldn't do with the Linksys router in the way). There is an "IP
Passthrough" mode which, I guess, allows all IP traffic through to the SBS
computer (but, that's what ISA is for, right?). There's the "bridged
ethernet" mode which does create a PPP device with the static IP info (just
as on the Linksys router) when I type "ipconfig /all" in a command window.
Also, should the modem be set to static or dynamic NATing? I set it to
static. I have no idea if this is right.

I'd like to find out what is causing the error on the setup wizard for the
Network setup. Is there a log for that somewhere that I could take a look
at? It doesn't give out right away, the progress bar moves along steadily
for a while until the error message pops up.

I'm also having problems with my SBS created certificates when I "https:"
into the SBS machine from an outside (or internal) computer. DNS seems like
it might be hosed up too because my browsers can't find "http://companyweb".
In addition to all that, Exchange won't send messages out even when I set it
up to use my ISP's mail server as a "smarthost" instead of DNS. I also
cannot connect to the Exchange server from either my Vista x64 machine or my
Mac OS X machine (using Entourage 2004). It WAS working, but it somehow got
hosed up. I can connect from a WinXP laptop, though, even though the laptop
is not part of the SBS domain (I have to type in the username and password
for Exchange separately, but it connects!).

So, do I throw the system out the window and just stick with my Linksys?
:-) Just kidding. Really, I'd like any help I can get. As you can imagine,
these forums are pretty much the only resource I have since Microsoft support
costs a small fortune and my ISP doesn't support an SBS 2k3 network (which,
to me, is such a "cop out"... because they will setup home networks for a
small additional charge... they won't touch my Linux computer though...
probably not the Mac either).
--
Brian Millikan
Computer/Software Engineer
Microsoft Control Applications (Dialog-Based) Specialist / Hardware Driver
Development / User-Level Hardware Device Interfaces


