ISA Server 2000 Learning Notes

xiaoxiao2021-03-06  39

2004-01-11. I hope the following helps friends who are interested in ISA.


One: Introduction to Microsoft Internet Security and Acceleration Server 2000

ISA comes in two editions: Standard Edition and Enterprise Edition. It has three modes: firewall mode, cache mode, and integrated mode. It integrates with Win2K, lets you define policies by computer, user, and group, is managed through the MMC interface, and can be managed both locally and remotely.

The ISA firewall is divided into three levels. The bottom level is IP packet filters, which are static: for a specified port they either allow or block traffic. Next come policy rules, which can be understood as dynamic packet filtering: when a secondary connection is needed, the corresponding port is opened dynamically (that is, the port is opened only while it is in use), unlike IP packet filters. The last level is application-layer filters, which can filter content such as email.

ISA's cache function is very powerful: you can define a scheduled automatic download plan, content can be downloaded according to how frequently it is accessed, and the cache can be distributed across multiple ISA servers. The ISA Enterprise Edition gives company management greater flexibility: you can unify the company's policy, or define the policy separately for each array.

Two: Installing Microsoft Internet Security and Acceleration Server 2000

Before installation, first decide on the installation mode (firewall mode, cache mode, or integrated mode), and also think about the clients, because clients are divided into firewall clients, web clients, and SNAT clients. For a small company, a typical installation is one ISA server with two network cards separating the internal LAN from the Internet; a large company may need several ISA servers combined into an array. You should also consider how the web and mail servers behind the firewall will be published: whether they are installed directly on the ISA server, in the perimeter network, or inside the company network.

If you want to install ISA Enterprise Edition, you must first run the Enterprise Initialization Utility, which extends the schema in AD. If you are installing ISA Standard Edition, the configuration is saved in the registry of the server itself. If the company used Proxy Server 2.0 before, you can consider upgrading directly to ISA.

Three: Setting up Internet access

ISA clients are divided into firewall clients, web clients, and SNAT clients. They are used in different situations, and the main differences are as follows:

1. SNAT clients can only be controlled by IP address. Their access is anonymous, so user-based rules cannot be applied to them, while firewall clients and web clients can be controlled by user. (By default ISA allows anonymous web access, but you can require user authentication before access.)
2. The firewall client can only be installed (it requires the client installer) on WinX machines, while SNAT clients and web clients work across operating system platforms; a web client only requires a browser.
3. If Web / FTP / Mail servers are to provide services externally, they must be configured as SNAT clients.
4. SNAT clients do not support network applications that require secondary connections unless these are specified in the IP filter.
5. SNAT clients need DNS resolution to be solved, which means either your intranet has DNS servers or you allow the DNS query operation in the IP filter.
6. SNAT clients and firewall clients can also be web clients, but web clients only support HTTP / HTTPS / FTP services.
7. For SNAT clients, even if a protocol rule allows "Any IP Traffic", only ISA's predefined protocols are opened; anything else, such as QQ, you must define yourself. Note: if the application uses only a single port, it is enough to define the protocol directly; if it uses multiple ports, they must be defined in the IP filter.

If your external connection is a dial-up link, only web proxy and firewall clients can use on-demand dialing. For NAT clients, the connection must be established first.

Web clients and firewall clients can also be configured to discover ISA automatically. This requires corresponding settings in DHCP (a special Web Proxy Autodiscovery Protocol entry) and in DNS (both a host (A) record of the ISA Server computer and an alias (CNAME) record named WPAD pointing to the ISA Server computer).

Four: Setting access policies

To decide whether a user's access is allowed, ISA examines the rules in the order Protocol -> Site and Content -> IP filter -> routing rule. It first checks whether any protocol rule denies the access; if not, it checks whether there is an explicit allow. If there is, the request passes; in all other cases it is refused. Site and content rules and IP filters are judged in the same way. The routing rule is mainly used to decide whether to forward the request to the upstream ISA or send it directly to the Internet. Special cases:

1. For SNAT access on a given protocol, if there is no explicit deny (here the deny refers to the IP address), ISA looks for an explicit allow. If the allow applies to users, the SNAT client is rejected (because SNAT is anonymous). If the allow applies to IP addresses and the client is within the address range, the protocol check passes.
2. The web proxy client (the browser has ISA filled in as its proxy server) is allowed to be anonymous, and the protocols it can use are HTTP / HTTPS / FTP. For this case we can require outbound web requests to be authenticated in the ISA settings, or add an allow rule in the protocol rules: because web access allows anonymity, a deny alone does not prevent the client's access, but once an allow is added ISA tries to match the client, and it is rejected because of the mismatch.
3. Firewall and web clients are managed by user; only NAT clients are managed by IP. Observed on ISA, both firewall and SNAT clients appear as firewall sessions, but a firewall client has a user name and a machine name, while for a SNAT client both are empty and only the client's IP address is shown.

In general, two conditions must be met to access an external website: one is a protocol rule allow, and the other is a site and content allow. By default, ISA automatically creates a site and content allow rule for you. Protocol rules have no concept of order, but Deny takes precedence over Permit.

The ISA policy elements include: Schedules, Bandwidth Priorities, Destination Sets, Client Address Sets, Protocol Definitions, Content Groups, and Dial-Up Entries. You can combine them into a variety of rules (Routing Rules, Publishing Rules, and Bandwidth Rules). For destination addresses with paths, the different ISA clients are handled differently.

If you want to publish a server that runs on the ISA server itself, you must use the IP filter; it can also be used to block some IP attacks from the outside.
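
The decision logic described in this section (deny beats allow regardless of rule order, no matching allow means refusal, and anonymous requests never match user-based rules), as an added Python sketch that is not part of the original notes or of ISA Server itself. It models only the protocol rule and site and content stages; all rule names, users, addresses and hosts are constructed for illustration.

```python
"""Toy model of the ISA Server 2000 outbound decision described in these notes.
Added illustration: rule names, users, addresses and hosts are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


@dataclass(frozen=True)
class Request:
    client_ip: str
    protocol: str
    destination: str
    user: Optional[str] = None  # None = anonymous (SNAT, or unauthenticated web proxy)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    protocols: frozenset = frozenset()     # empty = any protocol
    destinations: frozenset = frozenset()  # empty = any destination
    users: frozenset = frozenset()         # rule applies to these users
    client_nets: tuple = ()                # rule applies to these client address sets

    def applies_to(self, req: Request) -> bool:
        if self.protocols and req.protocol not in self.protocols:
            return False
        if self.destinations and req.destination not in self.destinations:
            return False
        if self.users:
            # An anonymous request carries no user name, so it never matches.
            return req.user in self.users
        if self.client_nets:
            addr = ip_address(req.client_ip)
            return any(addr in ip_network(net) for net in self.client_nets)
        return True  # rule applies to any request


class Decision(NamedTuple):
    allowed: bool
    stage: str
    rule: str


def evaluate_stage(stage, rules, req):
    """Rules are unordered: any matching deny wins, then any matching allow."""
    matching = [r for r in rules if r.applies_to(req)]
    for r in matching:
        if r.action == "deny":
            return Decision(False, stage, r.name)
    for r in matching:
        if r.action == "allow":
            return Decision(True, stage, r.name)
    return Decision(False, stage, "no matching allow rule")


def decide(req, protocol_rules, site_content_rules):
    """Both stages must allow the request: protocol rules, then site and content."""
    result = evaluate_stage("protocol", protocol_rules, req)
    if not result.allowed:
        return result
    return evaluate_stage("site-and-content", site_content_rules, req)


# Constructed sample policy.
PROTOCOL_RULES = [
    Rule("allow-web-staff", "allow",
         protocols=frozenset({"HTTP", "HTTPS", "FTP"}), users=frozenset({"alice"})),
    Rule("allow-dns-lan", "allow",
         protocols=frozenset({"DNS"}), client_nets=("192.168.0.0/24",)),
    Rule("deny-ftp-kiosk", "deny",
         protocols=frozenset({"FTP"}), client_nets=("192.168.0.50/32",)),
]
SITE_RULES = [
    Rule("allow-all-sites", "allow"),  # stands in for the default rule ISA creates
    Rule("deny-blocked-site", "deny", destinations=frozenset({"blocked.example.test"})),
]
# Web proxy case: a user-based deny does not stop an anonymous request.
WEB_PROXY_RULES = [
    Rule("deny-bob", "deny", users=frozenset({"bob"})),
    Rule("allow-any", "allow"),
]

if __name__ == "__main__":
    samples = [
        Request("192.168.0.20", "HTTP", "www.example.test", "alice"),  # firewall client
        Request("192.168.0.10", "HTTP", "www.example.test"),           # SNAT client
        Request("192.168.0.10", "DNS", "dns.example.test"),            # SNAT, IP-based allow
        Request("192.168.0.20", "HTTP", "blocked.example.test", "alice"),
    ]
    for req in samples:
        print(req, "->", decide(req, PROTOCOL_RULES, SITE_RULES))
```
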

Five: Setting up the ISA Server cache

The cache speeds up users' Internet access. You can use routing rules to specify which requests are cached, which are sent directly to the Internet, and which are forwarded to the upstream ISA. For the cache on the ISA server itself, you can control its size (the cache must be located on an NTFS volume), whether dynamic content is cached, whether HTTP and FTP content is cached, the automatic update frequency, and a defined plan for automatically downloading frequently accessed Internet content. If the ISA server itself is relatively small, you can also adjust the amount of memory assigned to the cache to improve performance.

Six: Publishing internal servers

If you want to publish an internal server, use publishing rules (these are really protocol rules, used only when you need them). If the server runs on the ISA server itself, you should use IP packet filters. When publishing servers, the most important ones are the web server and the mail server.

Seven: ISA security

To control ISA, you must have the corresponding permissions. If the company has multiple ISA servers, then for firewall clients you only need a simple DNS setting using round robin distribution; for SNAT clients you need to set up Network Load Balancing (this requires the Advanced Server or Datacenter Server edition). Enterprise settings and array settings can be backed up to a file and restored at any time.

With ISA you can build a VPN between two sites of the company and allow mobile users to access company information through the VPN. This actually uses Win2K's Routing and Remote Access service (ISA only adds several packet filters for PPTP and L2TP in IP Packet Filters). You can configure the service further, for example by adding a DHCP relay agent so that remote users get the correct LAN DNS / WINS configuration. The remote user does not actually log in to the company's domain, so access security for the VPN must be strengthened. If you suspect a problem, you can delete the 4 IP filters created by the wizard, then disable Routing and Remote Access, and finally re-create everything with the wizard.

Eight: Using the H.323 Gatekeeper

I do not understand this part yet; advice is welcome.

Nine: Monitoring and optimizing ISA

ISA has 45 alerts. When an alert triggers, it writes to the Win2K event log, and you can choose to have it send e-mail and stop or start ISA services. ISA's logs are divided into three files (IP packet filters, firewall, and web proxy), which are generated every day (you can of course limit their total number) and placed by default in the log directory under the ISA directory.

To judge ISA's operating efficiency, the easiest way is to review ISA's reports (provided you have set ISA to generate reports). You can also define bandwidth allocation for ISA. ISA uses so-called dynamic allocation: higher-priority access is served first, and priorities are satisfied on that basis, rather than a fixed bandwidth being assigned directly to each user.

Ten: Basic troubleshooting

You can use ISA Server Reports / Event Viewer / Performance Monitor / NetStat / Telnet / Network Monitor (network status) / the routing table (routing information) to troubleshoot errors. For complicated errors, you can set ISA to its simplest configuration, check whether the internal and external networks can be reached, and then add settings back one by one to find the root of the problem. The simplest configuration is as follows:

1. Enable packet filtering and create a simple filter that allows IP packets in both directions.
2. Create a protocol rule that allows all IP traffic.
3. Create a site and content rule that allows access to all sites and content.
4. Restore application filters and routing rules to their default settings.
5. Check that the LAT contains all clients.
6. Enable IP routing in IP Packet Filters to ensure that protocols with secondary connections are routed successfully.
7. Check ISA's external network card to make sure it has the correct gateway; the internal network card should not have a gateway set.
8. Connect the client to ISA as a SNAT client and confirm that its gateway address is ISA's intranet address.

Appendix: FAQ (information from www.isaserver.org)

Q: What is Microsoft ISA Server?
It is an enterprise-class security, acceleration, and multi-level management server with a full feature set. ISA Server provides secure, fast, manageable Internet connectivity. ISA Server includes an extensible, multi-layer enterprise firewall with dynamic packet filtering, transparent SecureNAT, "smart" data-aware application filters, system hardening, and built-in intrusion detection. Its high-performance cache accelerates web access while saving bandwidth, and can be scaled out for effective, dynamic load balancing. Unified, flexible management tools provide multi-layer policies by user, application, destination, schedule, and content type. It also integrates with Windows 2000 virtual private networking (VPN) and bandwidth control. ISA Server is an extensible and customizable platform that includes a comprehensive software development kit (SDK) and multiple application programming interfaces (APIs) for management, application filters, web filters, and cache control.

Q: Is Microsoft Internet Security and Acceleration Server 2000 a firewall or a cache server?
ISA Server can be configured as an integrated firewall and cache solution, or deployed as a dedicated firewall or a dedicated cache. Organizations seeking a powerful firewall solution can secure their networks with the dynamic packet filtering, intrusion detection, system hardening, and "smart" application filters this product provides. Organizations that urgently need a cache solution can improve network performance by using the advanced cache features of ISA Server.

Q: What advantages does a firewall combined with a cache solution bring?
Even where an organization chooses to separate the firewall and cache functions, ISA Server provides a single point of access policy and management for both outbound and inbound traffic. On this basis, the organization can shorten the training time for system and network administrators and reduce the product management and maintenance workload accordingly.

Q: Does implementing the cache function sacrifice ISA Server's security as a firewall?
Not at all. The cache is a smart storage engine that helps administrators improve network access performance by serving frequently retrieved objects. The web cache is built on the web proxy engine, and the web proxy engine provides HTTP connectivity, filtering, and security-related tasks such as content screening and URL blocking.

Q: Does ISA Server require Active Directory?
Active Directory is not a prerequisite for ISA Server's security and acceleration features. However, customers who want to create and deploy access policies hierarchically, or to use arrays for load balancing and fault tolerance, need Active Directory. Customers can deploy arrays with Active Directory and establish trust relationships with existing domains to keep changes to a minimum. In this case, you need to carry out a comprehensive migration to Active Directory.

Q: Can I migrate from Microsoft Proxy Server 2.0 to ISA Server?
Yes, there is an effective upgrade path for customers running Proxy Server 2.0. ISA Server's powerful firewall and cache features support the scenarios in which Proxy Server 2.0 was used. ISA Server is, of course, a new product built on the security and reliability of the Microsoft Windows 2000 operating system, with a new architecture designed specifically for enterprise security and caching requirements.

Q: What third-party support currently exists for ISA Server?
Security and performance requirements often differ greatly between organizations. To give customers the widest choice, Microsoft has worked closely with vendors in network security and management. Third-party vendors will provide compatible, complementary software products, including site categorization, virus detection, monitoring, remote management, and content analysis.

Q: Does ISA Server support VPNs (virtual private networks)?
Yes. ISA Server helps you create virtual private networks (VPNs) and secure them. When you use the wizard, ISA Server configures the built-in VPN services of Windows 2000 Server, helping organizations connect remote sites and mobile users cost-effectively.

Q: The ISA Server Enterprise Initialization Tool (ISA Server Enterprise Initializer) modifies the Active Directory schema. Is there a complete list of these modifications so far?
Please refer to the scheme.ldif file in the cdroot/ISA directory ... This file is an import file generated for schema updates ...

Q: Can a single daily capacity exceed 4 GB?
On non-NTFS volumes, the file size is limited mainly by the maximum file size the volume allows. The maximum file size on a FAT16 volume is approximately 2 GB.

Q: How do I completely remove an installed ISA?
Run the executable RMisa.exe in the /i386 directory.

Q: How do I back up the destination sets in ISA?
Right-click your server name in the ISA MMC, then click Backup.

Q: Does ISA Server support Autodial as MSProxy 2.0 did?
ISA 2000 has this feature. In the Beta 3 version of the product, the feature is applied automatically. If you need to use Autodial, first run a VBS script located in the /SDK/Samples/Admin/Scripts folder on the ISA CD. You must also edit the script beforehand to suit your own needs.

Q: What major improvements does ISA Server bring?
The improvements include: a fully integrated SOCKS V.4.3A filter; an improved Mail Server Wizard; new virtual private network wizards; PPTP support; performance tuning; a new user interface (UI) for the SMTP filter; updated COM and application filter interfaces; additional predefined protocols; and improved documentation, including fully documented event messages and performance counters.

Q: Where can I download ISA Server, and what restrictions apply?
Please download a copy of ISA Server from http://www.microsoft.com/isaserver/. The ISA Server trial version is valid for 120 days after installation.

Q: How much RAM does ISA Server need, and how do I change this value?
By default, ISA Server RC1 uses 50% of available memory for RAM caching. To change this, open the Cache Configuration properties, click the Advanced tab, and at the prompt for the percentage of memory that can be used for caching, reduce the value from 50% (the default) to 5%. After making the change, restart the Microsoft Web Proxy service; you will see that memory usage has dropped significantly.

Q: How do I assign a bandwidth quota to each user? For example, can the download volume of the user "john" be limited to 500 meg per month, after which the user's Internet access requests are rejected?
ISA Server currently does not support this feature, but you can install third-party add-ons for ISA Server that provide it. For a list of third-party products, visit http://www.isaserver.org/.

Q: Can I manage ISA servers remotely (by running the ISA management console from a PC with the administrator role)?
Yes, but the PC must run the Win2000 operating system.

Q: Does ISA support the Content Vectoring Protocol (CVP)?
ISA does not support it. When using ISA, you must have stand-alone e-mail virus protection. Third-party products are available on the market; for products that provide this feature, see the http://www.isaserver.org/ site.

Q: Please explain exactly what WPAD.DAT is.
The WPAD.DAT file is used mainly by Internet Explorer to obtain the information that lets the client browser access the Internet through the ISA Server proxy service. Internet Explorer can be configured for this by using DNS or DHCP, but team members must use DHCP to provide the WPAD.DAT configuration to clients.

Q: Can I create arrays with ISA Server Standard Edition?
Standard Edition does not support arrays.

Q: I have four sites (a headquarters site and three branch sites), and each is equipped with one CPU and runs Proxy Server 2 at its own location. Each site has its own Internet access, but the sites are interconnected via Frame Relay. If I want to manage all four sites centrally from headquarters and establish a corporate policy, which software products do I need to buy for these sites? Is one Enterprise Edition enough, or must I buy one Enterprise Edition and three Standard Editions?
You need to purchase four enterprise licenses for this purpose.

Q: How do I view my ISA Server version?
Click the Computer(s) node; the version and product ID are shown in the right pane.

Q: Does ISA Server Standard Edition integrate with NT 4.0, and how do I set outbound access by user or group?
You cannot install ISA Server on a computer running a Windows NT operating system. The product must be installed on a computer running Win2K. Standard Edition can be installed on the Win2K Server product family, while Enterprise Edition requires Advanced Server or Datacenter Server. All versions of ISA Server can be installed on a computer that is a member of a Windows NT 4.0 domain, and ISA Server can also apply security policy based on the SAM database. Since ISA Server needs to create an array for itself, if you installed ISA Server Enterprise Edition, you cannot create an array.

Q: Is the firewall client a component of the ISA package?
Yes. The firewall client was part of Proxy Server 2.0 as the Winsock Proxy client.

Q: What RAM and hard disk capacity does your company recommend? Is 512 MB of RAM sufficient, or do I need to buy more?
512 MB of RAM is more than enough for installing the software. Be sure to run System Monitor and log cache performance and the other built-in ISA counters to understand the performance of your configuration.

Q: When ISA is installed on an RRAS machine, what does the product do to RRAS? Although ISA replaces RRAS packet filtering, how does the product make use of RRAS for routing, virtual private networks (VPN), and demand dialing? In particular, once ISA is installed, how should RRAS remote access policies and related configuration work with VPN or dial-up connections?
ISA and RRAS work very closely together. In fact, after trying the VPN wizard, you will notice the changes it makes on the RRAS server. RRAS and ISA operate mainly in parallel; if there is an occasional conflict between the two, ISA takes priority.

Q: It is said that SecureNAT and the firewall client on ISA Server are like "the fish and the bear's paw". The white papers and other documents provided by your company enabled me to set up many clients to use ISA Server with the firewall client. I also allow clients to use ISA as a proxy server without installing the dedicated firewall software. However, the proxy features apply only to HTTP and other Internet Explorer settings. My understanding of ISA Server is that a client that does not use the firewall client is necessarily a SecureNAT client, and that all requests should be handled if the gateway parameter in the IP configuration is entered correctly. Can anyone tell me exactly how to use this function?
Your client IP addresses will be private addresses such as 192.168.0.1-255. One of these addresses is used as the internal NIC address of ISA, such as 192.168.0.1; the external NIC address is assigned to you by the ISP, for example 207.69.188.185. When an internal client whose gateway address is set to 192.168.0.1 tries to reach a host for a web page, this shows that the host is not on the local network and must be reached through ISA. Port communication is opened only between ISA and the Internet, and the information that meets the requirements is fed back through port 8080 to the client or to wherever you specify. This is basically NAT mode. No port is opened for communication between the client and the remote Internet host. A firewall client can have exactly the same configuration, but port communication is allowed between the client and the Internet. Suppose you use the Publishing Wizard to publish a mail server. You will find that the server appears in the session with its internal address for the duration of the Winsock session. For a mail server, this is exactly what is needed. From this point of view, "publishing" the mail server through the firewall helps it send and receive information on its dedicated ports.

Q: I seem to be unable to produce the current day's report. ISA has generated these reports, but I have difficulty opening and browsing them. Surprisingly, all previously generated reports (from before today) can be opened and browsed.
ISA Server generates reports from log summaries. A log summary is generated at 12:30 AM each day, and the reports are then generated from it. Therefore, even if you set the report job to generate a "current" report, the system will not provide the day's data before 12:30 AM the next day.

Q: One of what I noticed is that INTS is still unable to have a dedicated IP address and a client that has enabled NAT's client. Is it what I ignored?
You need to enable IP routing in the IP Packet Filter properties. This also enables NAT for ICMP.

Q: The reporting function does not work properly. What did I do wrong?
Make sure you are actually generating reports, rather than just browsing the "Monitoring / Reports" section. To generate a report, do the following:

1. Go to "Monitoring Configuration" > "Report Jobs".
2. Right-click and select "New" > "Report Job".
3. Follow the wizard and fill in the configuration (to start generating the report: Start Now).
4. After a few seconds the report is available; return to the "Monitoring / Reports" section > "Reports" to see the newly generated report.

Each content type (summary, web usage, etc.) has its own report.

Q: When I install ISA RC1 in cache mode, I cannot access my web pages; when I install the product in integrated mode, everything works normally, but I cannot call up the relevant configuration. What is going on?
This is probably because ISA installed in cache mode cannot act as a transparent proxy, so the proxy has to be configured manually on the client. In integrated mode, SecureNAT automatically proxies all requests without any configuration on the client side.

Q: I want to manage the ISA server over the network. The product works well on the server where it is installed, but I need to control it from a PC running the Windows 2000 Professional operating system. Is this feasible?
Run the ISA installer on the Win2K Professional PC and select only the management component of the product. The user who logs in must also have a highly privileged account, including Enterprise Admin (Schema) administrators.

Q: With the ISA firewall server, the switch, the various servers, and the other PCs all running, the ISA server fails (for example, the power plug is accidentally pulled). What happens? Can the servers and PCs at the far end of this chain continue to receive Internet traffic, or does the ISA server automatically cut off every device behind it?
If the configuration is router -> ISA -> switch -> other servers, then when the ISA computer goes down its network cards go down as well, and packet processing is interrupted ...

Q: I have installed ISA Server, and it takes a long time to connect to the server. About 40 to 45 seconds pass before the web page starts to load. Why is this?
If you are using the firewall client, the product does have an issue that can cause this delay; unless the user is a local administrator or belongs to the client's own function, the delay is difficult to avoid. We will resolve this problem after the RC2 release.

Q: My DSL router has a static IP address, and the ISA Server external interface also has a static IP address. The default gateway of the ISA Server external interface is set to the IP address of the DSL router. These two IP addresses come from one subnet of 16 IP addresses. Of the subnet's addresses, two are taken by the DSL router and the ISA Server external interface, and two more are the network number and the broadcast address. The subnet mask of the DSL router and the ISA Server external interface is 255.255.255.240. Now I need to know how to assign the remaining IP addresses to computers on the internal network. My internal network uses the 10.0.0.0 network with the mask 255.255.255.0. All computers are on the same network through a hub and a switch.
Although you cannot assign these IP addresses to clients on the internal network, you can put a third network card into ISA Server and use these addresses to build a perimeter network (DMZ). Since these addresses cannot use the same network ID as the external interface, you must include all of the subnet.

Q: After the initial ISA installation, I cannot pass ICMP (Internet Control Message Protocol) through the server. The external and internal network cards respond to ICMP, but it cannot pass through the server. Following the instructions provided by Isaserver.org, I created a rule that opens everything, so all services (Telnet, FTP, etc.) run normally, except ICMP.
Enable IP routing. Configure the client as a SecureNAT client. Ping can then be performed through ISA Server.

Q: I encountered technical issues while migrating from ISA RC1 to the ISA evaluation version (120 days). After installing the upgrade from Release Candidate 1 (RC1), the firewall and web proxy services still do not take effect. The other ISA services run normally. The event ID in the Event Log is 14079. I first ran RMISA and then reinstalled (starting from the ISA Server 2000 evaluation version), but the problem remained the same. After that, I ran RMISA first and then re-ran the installer (starting from ISA RC1), and all services worked properly.
Whenever ISA Server is upgraded to the latest version, be sure to reinstall the firewall client, which helps to solve the problem.

Q: How do I install the ISA Server plug-in on a non-ISA server for remote management?
Run the installer, choose custom installation, and select only the management console check box. The plug-in is installed automatically and shortcuts are created in the Programs folder.

Q: I have Proxy 2.0 on W2K AS with SP1 and want to upgrade it to ISA Server. In addition, I have a VPN (virtual private network) running on the Proxy box, and Exchange Server (5.5) installed behind the Proxy. Given the above, which filters and allow conditions should I define when I perform the upgrade? Do I have to upgrade the computers that run the WSP client software? Which items are retained and which are deleted depends mainly on the ISA Server installation mode and on the group membership of the account that performs the installation. For details, refer to the product upgrade guide on the ISA Server CD. Different installation modes and group memberships can lead to significant differences in functionality, so you must understand the relevant procedures before performing the upgrade. The Winsock Proxy client works fully with ISA Server. I have not seen any problems caused by using it. Since the Exchange Server functions properly when configured as a SecureNAT client, you don't have to set it up as a Winsock client. The product can continue to act as a firewall client even if you have made special configuration changes to the WSPCFG.ini files. Still, I recommend that you remove the Winsock Proxy client software from the Exchange Server: first configure it as a SNAT client and observe whether it works normally.

Q: I need to configure ISA Server on my own network. I have three servers in total: one is the firewall, one is used for web hosting, and one stores a database. Is there a document that describes the network configuration between these servers and the ISA server? ISA Server should be placed at the edge of the network, the web server in a DMZ located between the Internet and the internal network, and the database server on the internal network. After that, create a packet filter on the ISA Server located between the internal network and the DMZ to limit traffic sent to the internal database server, and ensure that only the web server can access the database through the downstream firewall.

Q: I received the following error in the firewall event log: "Cannot bind SMTP requests to port 25 because it is already in use by another process". What does this mean? This may be caused by the SMTP (Simple Mail Transfer Protocol) service that is automatically installed with IIS. Disable this service in the Services control panel.

Q: I just finished RC1, and I found 14120 errors in the event log (LAT and Windows routing tables did not match). What is this? Just regenerate the LAT table in the ISA console.

Q: I have a technical issue with ISA and Outlook Express 5. I can't access my Hotmail account, and I receive the error message "Proxy Error (Logon Failure: Unknown User Name or Bad Password.)". How should I solve this problem? Add the Hotmail web site to the list of special cases and use the Winsock client (now the firewall client) for it. This solves the problem (there is also a SNAT option).

Q: During installation, I received the following error: "Cannot Start Service Isacntl". What does this mean? This usually means that you do not have enough memory, or that the relevant schema has not been fully replicated. Run RMISA from the i386 directory, reboot the system after the full uninstall, and try again.

Q: I can no longer start the Web Proxy service on ISA RC2. The error shown is: "Microsoft Web Proxy Service: Error 2148074254: No Credentials Are Available In The Security Package". I have uninstalled ISA and installed it again, but the problem remains. Is there a way to solve this? Find the executable RMisa.exe on the ISA product CD and run it. It deletes all registry entries inserted by ISA.

Q: I have installed ISA Server Standard Edition on a Windows 2000-based standalone server. The firewall in the Windows NT domain receives error number 407 (not available). How should I solve this problem? Configure the protocol rules and the site and content rules, and make sure that the Windows 2000 computer is a member of the NT domain.

Q: I can't get a web connection from a client without a proxy setting. What have I overlooked? The client gateway has been set to the ISA Server internal adapter address. Given that the gateway cannot be applied by the proxy setting, I can conclude that the relevant protocol and site/content rules can provide support for access. If the situation is different, then the client is inevitably a Win98-based computer. Open all sites for all network clients (this may already be listed as the default site/content rule; please confirm on the console) and open all protocols. If you are using a dial-up connection and have a SNAT client, remember this trick: right-click the route node in the left pane and select the dial-up connection to the firewall main route node.

Q: After the installer completes, the web proxy and firewall services do not start normally, and restarting the system does not help. The error shown in the Event Viewer is #7031: "The Microsoft Web Proxy Service Terminated Unexpectedly". What is this? When I encountered this problem, I was forced to use the RMisa.exe program provided on the ISA Server CD. After the program has run, reboot the system and try again. The problem occurs relatively often when the computer is short of RAM and available disk space. Another effective solution is to disable IIS, or simply remove it from your computer. If this still does not help, reinstall the operating system and ISA Server.

Q: When I am disabled in the browser, the following error appears when the ISA client performs installation and configuration operations: "The ISA Server Denies The Specified Uniform Resource Locator (URL). (12202)". What is this? If you are trying to access a web site with the browser, either create a static packet filter that opens outbound port 80, or configure the browser as a Web Proxy client using the ISA Server internal interface IP address.

Q: The following error message appears when the ISA services restart: "The Microsoft Web Proxy Failed to Log Information To File Webxxxxxxxx.log". What is this? Disable indexing and compression on the ISA log folder, and clear the compression/index option in the ISA Server MMC.

Q: When ISA is running, a NIC upgrade usually fails. Windows tends to provide "|" files when performing an upgrade for the internal adapter. How can I prevent this? Stop the ISA services; the driver upgrade can then be carried out.

Q: When I tried to start the required service manually, I received the following error message: "Error 1747 - The Authentication Service Is Unknown". What does this mean? Remove the original listener bindings and then bind them again. You may need to reconfigure the relevant publishing rules and packet filters. Any object you created may be bound to the original IP address.

Question: How do I publish my web sites (reverse web proxy) using ISA? For example, you want to publish the following two web sites for Internet users to access: publicsite.mydom.com and privatesite.mydom.com/employeeinfo.

On an authoritative DNS server for your domain, create DNS records for the public site and the private site, and point them to the external interface of the ISA server.

Create an entry in a destination set, for example "Requests to the public site": the destination/host entry is of the computer name type, such as publicsite.mydom.com, with no relative path. For the second site, create an entry in a destination set, for example "Requests to the private site": the destination/host entry is of the computer name type, such as privatesite.mydom.com, plus the relative path /employeeinfo/*.

Then create a web publishing rule for each of the two sites, which sends requests to the corresponding server.

For the public site:
Name: any friendly name.
Destinations: select "Selected destination set", and choose "Requests to the public site" in the Name drop-down list.
Action: redirect the request to the hosting address. In the target site input box, enter the computer name or IP address of the internal web server that hosts the public site.
Applies to: any request.

For the private site:
Name: any friendly name.
Destinations: select "Selected destination set", and choose "Requests to the private site" in the Name drop-down list.
Action: redirect the request to the hosting address. In the target site input box, enter the computer name or IP address of the internal web server that hosts the private site.
Applies to: select the clients, users or groups to which you want to limit access, or any user.

Question: Every time I disconnect the connection, ISA always connects again for a long time. I have turned off active caching, there is no application that periodically sends requests to the Internet, and all NetBIOS requests to my router that might cause this are also turned off. So what is forcing ISA to connect again? When ISA is installed, a DNS query packet filter is installed with it by default. This filter allows DNS queries to pass through to the router. To disable this filter, your router should support the default timeout setting without connection.
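The destination-set matching behind the two web publishing rules above can be modelled in a few lines. This is an added sketch, not ISA Server code: the internal server names (`web01`, `intranet01`), the `HR` group and the normalisation choices (case-insensitive paths, rejecting doubly encoded paths) are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rule table mirroring the two sites described above.
# Target servers and group names are hypothetical.
PUBLISHING_RULES = [
    {"name": "private information site", "host": "privatesite.mydom.com",
     "path": "/employeeinfo/*", "target": "intranet01", "allowed_groups": {"HR"}},
    {"name": "public site", "host": "publicsite.mydom.com",
     "path": None, "target": "web01", "allowed_groups": None},  # any request
]

LEFTOVER_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def normalize_host(host_header):
    """Lower-case the Host header and drop port and trailing dot (IPv4/names only)."""
    host = host_header.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def normalize_path(raw_path):
    """Decode once and collapse dot segments; return None for suspicious input."""
    path = unquote(raw_path.split("?", 1)[0])
    # A percent-escape that survives one decode means double encoding.
    if "\x00" in path or "\\" in path or LEFTOVER_ESCAPE.search(path):
        return None
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()  # assumption: the published IIS paths are case-insensitive


def destination_matches(rule, host, path):
    """True when host and path fall inside the rule's destination set entry."""
    if host != rule["host"]:
        return False
    if rule["path"] is None:          # no relative path: the whole site
        return True
    base = rule["path"]
    if base.endswith("/*"):
        base = base[:-2]
    return path == base or path.startswith(base + "/")


def route(host_header, raw_path, user_groups=frozenset()):
    """Return ("route", server) or ("deny", reason); nothing matches by default."""
    path = normalize_path(raw_path)
    if path is None:
        return ("deny", "malformed path")
    host = normalize_host(host_header)
    for rule in PUBLISHING_RULES:
        if not destination_matches(rule, host, path):
            continue
        allowed = rule["allowed_groups"]
        if allowed is not None and not (allowed & set(user_groups)):
            return ("deny", "not in an allowed group")
        return ("route", rule["target"])
    return ("deny", "no matching destination")


if __name__ == "__main__":
    for host, path, groups in [
        ("PUBLICSITE.mydom.com:80", "/index.htm", set()),
        ("privatesite.mydom.com", "/employeeinfo/list.asp", {"HR"}),
        ("privatesite.mydom.com", "/employeeinfo/../admin/", {"HR"}),
    ]:
        print(host, path, "->", route(host, path, groups))
```

The point of normalising before matching is that a request such as `/employeeinfo/../admin/` is compared as `/admin`, so it falls outside the `/employeeinfo/*` entry and is denied rather than forwarded.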

Question: If I enable packet filtering, I can't browse the web. The message I get is a DNS error. I am using IE5 on the ISA server. Other computers connected to the ISA server can browse the Internet this way. How do I solve this problem? The readme file of the ISA server explains that, to use the browser on the ISA server, you should configure the IP address of the internal network card in the proxy settings.

Question: I want my ISA server to connect to the Internet through my Internet provider, but the drop-down box in the ISA Server configuration window does not display the dial-up entry I have configured. The drop-down box is blank. Does anyone know what is going on? Policy elements, dial-up entries: view/create dial-up connections. You should then be able to select the Internet dial-up connection you set up.

Question: Is there any way to delete some of the protocol definitions that are bundled with the ISA server? I am using SNAT, but I don't want users to use certain built-in definitions such as ICQ, AOL, and so on. How do I solve this problem? Right-click "Enterprise", then select Properties and change the custom policy.

Question: The ISA server and the Exchange 5.5 server are separate machines. How should I set the default gateway on the DNS and Exchange 5.5 servers? Your DG should be set to the internal network card address of your ISA server. Your DNS entry should be set to your nearest upstream DNS server. If your company provides its own primary DNS servers, use those addresses (even if they are inside the firewall). However, if DNS is provided by an ISP or another external source, you can use their addresses directly. Also note that you should use a firewall client program on your MS Exchange server, which will connect to an Internet mail or an Exchange conflict. Please refer to the Microsoft Knowledge Base article on how to configure an Exchange server inside the firewall.

Question: When I check the log file, the user shown is anonymous. I am using ISA installed as a cache server. What can I do to make the usernames appear in the log file? For firewall and web proxy clients, if an anonymous access policy exists, no authentication takes place. To resolve this, enable the "Ask unauthenticated ..." setting under "Outgoing Web Requests".

Question: I want to format my PDC and rebuild my network. Is there a way to back up the approximately 250 items I have saved in ISA? Right-click your server name in the ISA MMC, then click "Backup".

Question: Can I share files via ISA? You can allow NetBIOS over TCP/IP (TCP/UDP 137-139) through ISA to implement this feature.

Question: My clients and other servers use the ISA server as their gateway, which allows them to access the Internet. However, the ISA server itself cannot access the Internet at all. The same goes for other features such as WWW, FTP, SMTP, POP and ping. How do I remedy this? 1. Do not install the firewall client program on the ISA server. Microsoft does not support this. 2. You don't need to make the ISA server itself a web proxy client. To run applications on the ISA server, you must configure packet filters. For example, if you want to allow access to external web servers, create a packet filter that allows outbound TCP 80 requests. It is easy.

Question: How do I forward ports to an internal client when using ISA with SecureNAT? Assume that the firewall client program is not available. For example, I want the internal client to receive all packets for TCP and/or UDP ports 5000-6000. You need to use the server publishing function. The reason is that if a SecureNAT connection needs to open a second port, the connection will be lost. The solution is either to write an application filter yourself or to use third-party software.

Question: I installed ISA Beta1 on a computer running W2K with two NICs. I also installed Terminal Services on that machine. I installed ISA through TS, but during the installation I lost the network sharing of Terminal Services and the server tools. Does anyone know why? How do I solve this problem? Installing a filter for TCP port 3389 will do.

Question: Can I open today's usage report and log report? I am trying to open a report for today. I set the report to run "immediately" and the period to "Today". The computer shows that the report was generated successfully (status 0). But when I try to open the report in "Monitoring / Report / Note", the cursor turns into an hourglass and nothing more happens. I also tried to save the report to the hard drive: I opened the "Save As" dialog and did the appropriate steps, but no files were generated. Reports are based on the log summaries built from the log files. In the monitoring configuration / log files folder, right-click the log file folder, click Properties, then click the Log Summary tab and make sure that daily and monthly summaries are enabled. Although the log file is updated every day, the log summary is generated at 12:30 noon every day. Wait until 12:30 noon, and you can open the report. Check the /Microsoft ISA Server/ISASUMMARIES folder to confirm that the summaries have been generated.

Question: When I try to connect to the ISA server in remote administration mode (I have installed the ISA management tools on an internal client), I get a permission denied error. Can someone help me solve this problem? Log in with another profile. Your profile may be corrupted. Delete your original profile (Windows 2000 Professional) and create a new one.

Question: Can I use dynamic packet filtering on ISA? If so, how do I enable this feature? Dynamic packet filtering is provided by access policy or publishing rules. The ISA Help system says: when you enable packet filtering, all packets are blocked unless they are explicitly allowed, either statically, by using IP packet filters, or dynamically, by using access policy or publishing rules.

Question: When the SMTP gateway is on the ISA server, is there a way to enter criteria in the SMTP filter so that the Message Screener scans port 25? I use the MS SMTP service as the gateway for my Exchange server. The SMTP server is located on the ISA server computer. If the SMTP server is not on the ISA server, the SMTP filter runs normally. The SMTP filter is an application filter. If data is sent to the local computer, an application filter does not intercept the transmission. For example, you can't have the SMTP filter and an SMTP server on the same computer at the same time. The SMTP server should be installed behind the firewall instead of on the firewall.

Question: Has anyone successfully opened a report? There is no data in my reports. The report file is there, but the content is empty. If you have enabled reports and turned on report creation, reports should be generated according to your schedule. Reports are based on the log summaries; check the Logsummaries folder to determine whether there is an error.

Question: I want to configure the clients in my domain (Outlook 2000) to send and receive Internet mail from our ISP (POP3/SMTP). We are connected to the Internet through a newly installed ISA 2000 (CR1). How can I implement this (so that it works for both clients and the server)? Create two custom IP packet filters that allow two-way communication on port 25 and port 110. Select "any remote host" or enter the IP address of the mail server they connect to. This will create a WINSOCK, or firewall, connection that enables the client to communicate with the remote host. These steps should work.

Question: Do I need to install a local IIS SMTP server on the ISA server itself? You need to install an IIS SMTP server in your internal network and publish that server. After publishing the server, set "Smart Host" to the name or IP address of your internal mail server; this completes the configuration of the SMTP service to handle mail sent to your internal mail server.

Question: How should I configure my ISA server to make it a proxy? Tools => Internet Options => Connections tab => LAN Settings button => select the "Use a proxy server" check box => enter your internal interface address and port 8080 => click OK.

Question: I am trying to publish my site as quickly as possible, but I can't make my ISA server present my own web site (the site is based on IIS and is located on the same computer). To run both the web server and the ISA server on the same computer, change the properties of the web site so that it uses the internal interface and a port number other than 80. Although the case study at the end of the help file says that port 80 can be used on the internal interface, we have never tried it. We therefore recommend that you use port 88 and the IP address of the internal interface for the web site. When you have finished, restart the web site and publish it using the Network Site Publishing Wizard. Although the internal interface uses port 88, users can still use port 80 on the external interface, because the web proxy service is listening on that port. Note: create a destination set for your web site before using the Network Site Publishing Wizard.

Question: What is the recommended cache capacity for 100 users? Microsoft recommends allocating 10-20 MB of memory for each user.

Question: I have two offices, each with a dedicated connection and an ISA server; each ISA server is installed in integrated mode. I would like to set up a gateway-to-gateway VPN connection between the two ISA servers, so that each site sends its own traffic to the Internet, and traffic destined for the other site travels through the VPN to its destination. Can I do this with ISA server? If so, how? Yes, you can do this. Run "Install Local ISA VPN Server" on one of the servers to create a .vpc file. Your configuration must ensure that the connection can be initiated from both ends. After you create the .vpc file, use it to run "Install Remote ISA VPN Server" on the other ISA server. This creates a demand-dial interface, which allows each ISA server to connect to the other. It also adds a static route entry, which activates the demand-dial interface when a request for the remote network is generated.

Question: I need some information about how to install three network cards in the ISA server and build a DMZ that hosts a mail relay. I want to prevent any direct access to the MS Exchange server on my internal network. Is there a way to do this? Place the relay in the DMZ and the mail server on the internal network. Then publish the internal mail server and allow access only from the IP address of the relay server in the DMZ. This way, you prevent any machine other than the relay from accessing the internal server.

Question: How do I get usernames instead of "anonymous" in the log file when the firewall client program is not installed? To get usernames under "Sessions", select "Properties" on the desired array, then select "Outgoing Web Requests". Under "Connections", select the "Ask unauthenticated users for identification" check box. When prompted, restart the service; the users then appear with their domain. Neither the firewall client program nor the NetBIOS protocol is needed.

Question: How do I configure DHCP to implement automatic discovery of the ISA server? Click "Start", point to Programs, point to Administrative Tools, and then click "DHCP". In the console tree, right-click the applicable DHCP server, click "Set Predefined Options", then click "Add". In Name, enter "WPAD". In Code, enter "252". In Data type, select "String", then click "OK". In String, type http://Computer_Name:AutoDiscoveryPortNumber/wpad.dat, where Computer_Name is the fully qualified domain name of the ISA server or array, and AutoDiscoveryPortNumber is the port on which automatic discovery information is published. This port is either the port for outgoing web requests or an additional port for publishing automatic discovery. Right-click "Server Options" and click Configure Options. Confirm that the check box for option 252 is selected.
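Once option 252 is deployed, it is worth checking what clients actually receive. The following added example (not part of the original notes or of ISA Server) encodes the WPAD string as a DHCP option, parses a captured options field, and verifies that the URL points at the intended ISA server. The host name `isa1.mydom.com`, port 8080 and the sample option bytes are constructed for the illustration.

```python
from urllib.parse import urlsplit

WPAD_OPTION = 252   # option code entered in the DHCP console above
PAD, END = 0, 255   # single-byte options defined by RFC 2132


def encode_wpad_option(url):
    """Encode the URL as a DHCP option: code, length, value."""
    value = url.encode("ascii")
    if len(value) > 255:
        raise ValueError("option value longer than 255 bytes")
    return bytes([WPAD_OPTION, len(value)]) + value


def parse_options(blob):
    """Walk a DHCP options field and return {code: value}."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def check_wpad(blob, expected_host, expected_port):
    """Return (ok, reason) for the option 252 value found in a DHCP reply."""
    try:
        options = parse_options(blob)
    except ValueError as exc:
        return (False, "malformed options: %s" % exc)
    raw = options.get(WPAD_OPTION)
    if raw is None:
        return (False, "option 252 absent")
    try:
        # Some DHCP servers append a NUL terminator to the string.
        url = raw.rstrip(b"\x00").decode("ascii")
        parts = urlsplit(url)
        port = parts.port
    except (UnicodeDecodeError, ValueError):
        return (False, "option 252 is not a valid URL")
    if parts.scheme != "http" or parts.path.lower() != "/wpad.dat":
        return (False, "unexpected URL form: " + url)
    if (parts.hostname or "") != expected_host.lower():
        return (False, "unexpected host: " + str(parts.hostname))
    if port != expected_port:
        return (False, "unexpected port: " + str(port))
    return (True, "ok")


# Constructed options field: message type ACK (53), router 10.0.0.1 (3),
# then option 252 and the end marker. Host name and port are hypothetical.
SAMPLE_GOOD = (bytes([53, 1, 5]) + bytes([3, 4, 10, 0, 0, 1])
               + encode_wpad_option("http://isa1.mydom.com:8080/wpad.dat")
               + bytes([END]))
# Constructed reply from a DHCP server that points clients somewhere else.
SAMPLE_OTHER = (bytes([53, 1, 5])
                + encode_wpad_option("http://10.0.0.99/wpad.dat")
                + bytes([END]))

if __name__ == "__main__":
    print(check_wpad(SAMPLE_GOOD, "isa1.mydom.com", 8080))
    print(check_wpad(SAMPLE_OTHER, "isa1.mydom.com", 8080))
```

A reply whose option 252 names any other host or port means clients on that segment will fetch their proxy configuration from somewhere other than the ISA server.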

Question: How can I provide authentication for my published web site? For the IIS WWW service itself, ISA server supports only basic access and anonymous access. If you want to support other authentication methods, you need to configure them in the ISA Server listener options. More information on authentication is available at: http://www.microsoft.com/technet/isa/isadocs/cmt_cmtauth.htm

Question: Netscape users are identified by using the "basic" verification function. How do I improve the identification? Select your server, right-click, select "Properties" -> "Outbound Network Request" -> select your listener -> "Edit" -> select "Basic Verification".

Question: I have a multi-address system: one external IP and two IPs from an internally routed subnet. I have assigned all three addresses to my external interface. When I enable packet filtering, the two IPs from the internally routed subnet are not accessible from the Internet. When packet filtering is disabled, they are. I use these two IPs for my DNS servers. Is there a way to solve this problem? Have you enabled routing? You need to create a packet filter for each IP address.

Question: Can I configure only the firewall function? Yes, you can configure the firewall as a locked-down security solution. As part of the installation process, you choose the ISA server mode: firewall, cache, or integrated. In firewall mode, you secure network communication by using rules that control traffic between your organization's network and the Internet. You can also publish internal servers, securely sharing data on your internal servers with Internet users. In cache mode, you can improve network performance and save bandwidth by caching objects that users access often. You can also publish internal web servers. Integrated mode combines both, that is, firewall and cache, providing security and improved performance. In all modes, you benefit from ISA server policy management, real-time monitoring and alerting.

Question: Does ISA Server support stateful inspection? Yes. To ensure comprehensive security, the ISA server supports three levels of filtering: packet filtering, circuit-level filtering, and application-level filtering. Circuit-level filtering is usually referred to as "stateful inspection": when a packet arrives at the firewall, the firewall inspects the packet, tracks state information, and allows or denies it based on the access policy. The ISA server adds application filters that perform "smart" inspection of the commands of a specific application, providing filtering at a higher communication layer. This allows blocking based on specific SMTP commands, or on RPC access according to the requested interface.

Question: How do I deny SecureNAT access to a client? Create a client set containing that machine's IP address, then use a rule that denies access to that client set.

Question: Can I ping a client inside the network? From outside it is impossible to ping an internal client. Only the internal S-NAT client can ping the external ISA.

Question: If I want HTTP requests to reach only certain machines, how do I set up packet filtering? You can create new web publishing rules.

Question: When should I go to the control panel to update the firewall client? The error message I get is: the server has not responded to the update request. Re-enter its name. IP (internal ISA interface) server name (NetBIOS, non-FQDN, like "Server1" instead of "server1.domain.com"), for example: 172.16.1.45 NTServer1. Does that work? Some people may also recommend using the LMHOSTS file instead. Reinstall the client or check the port settings. Take care that other services are not affected.

Question: How can I use the ISA server with a Novell server to connect to the Internet? If you have an IP address, you can use SecureNAT to access the Internet.

Question: What is the benefit of using the firewall client program instead of SecureNAT? With SecureNAT, you can manage access only by IP (specific to IE). For example, the ISA server cannot tell which user is logged in to the system. With the firewall client program, you can control users by their login names and the groups they belong to. Mapping the IP to a user login name and group lets you achieve better control, regardless of which PC the user logs in from.

Question: When using SNAT, I always receive a "Login Failure" message. Why is this, and how do I solve this problem? Define a new protocol: TCP/IP outgoing port 7175. Secondary connections: 51200-51201 UDP incoming; 51200-51201 UDP outgoing; 51210 TCP incoming; 51210 TCP outgoing.

Question: No matter what I do, NNTP through Outlook Express does not work! I am sure the protocol was defined when ISA was installed, so why is it not working? Uninstall the FW client, then reinstall the FW client. If you still get the same problem, reinstalling the FW client should fix it.

Question: Can I configure the firewall service so that all internal addresses can make any connection (that is, with no restriction)? At present I can only allow access for the entries defined in the protocol definitions container. Only the SecureNAT client has this limit. The firewall client program can access anything. If you do not get this behavior, you need to reinstall the FW client.

Question: I installed the firewall client on a Win2K client to try it out. I decided not to use it for now, but after I uninstalled it, the ISA server still refuses my access. I tried installing and uninstalling again, but nothing improved. Does anyone know how to solve this? Look for the ISA server parameters in your browser settings. See: LAN Settings -> Proxy Server. Or, better, restore the browser configuration from before the firewall client program was installed.

Question: How do I configure MSN Instant Messenger to work behind the ISA server? The easiest way is to use the firewall client program, which dynamically allows access to any port being used. If you use S-NAT, you need to define a new protocol for port ... (55xx?). If you plan to use NetMeeting, you may need to configure the ISA Gatekeeper section, and you also need to configure NetMeeting to use the gatekeeper. Normally, when NetMeeting uses a gatekeeper, the remote NM clients need to set their NM to use the gateway, whether or not they are behind a gatekeeper and whether or not their gatekeeper is properly configured to route requests to your GK.

Question: CuteFTP cannot connect to an FTP site. It runs the login and reports that it has connected successfully, but the PWD command always times out. How do I solve this problem? Create a new protocol definition that defines a secondary connection for TCP outbound port 21 and TCP outbound port 20.

Question: Quicken 2000 is installed on a client (inside the LAT). I am trying to connect to the Internet to get bank records. My problem is that it prompts to detect the existing network. How do I solve this problem? Complete the Internet connection setup wizard under the Edit menu in Quicken. Make sure your default browser is set to use the ISA server as its proxy; Quicken will use these settings.

Question: How can I reach SETI@home from behind the ISA server? Disable the HTTP proxy in the proxy server settings and use the SOCKS proxy; then simply type the name of your ISA server in the SOCKS Host field. You don't need to type anything in the SOCKS username and password fields. The default port is 1080.

Question: How can I connect to a remote SQL server when I run locally? I can't connect with SQL Enterprise Manager, and I can't create DSNs for remote SQL servers. How do I solve this problem? Open port 1433.

Question: I am currently using RRAS NAT to bring my Linux and Windows users to the Internet. When I install ISA and stop using RRAS NAT, how do I get the same function? SNAT (part of the ISA server). In this case, the system automatically provides a policy.

Question: Does anyone know how to use Yahoo Messenger voice chat? I can connect to Yahoo, but voice chat cannot connect to their servers. How do I solve this problem? If it is Java-based, the cause may be port 8000 or port 8500 and the TCP port. You will need to define an explicit protocol and rule for this. Check which ports are actually in use; you may need to run NetMon to trace them.

Question: Unless I allow all IP traffic, I can't get RealPlayer clients to browse online. Has anyone successfully run RealPlayer? You don't need to open any special ports. There is a protocol and rule for RealPlayer, and this protocol and rule are required to run RealPlayer.

Question: I am trying to publish my internal FTP server, which runs behind the ISA server. I have configured a custom protocol for port 21 and port 20, but it still does not work. What might be wrong? You need to open the internal dynamic external ports 1025-5000 to any port with filtering.

Question: How do I configure ISA to allow internal users to use AOL Instant Messenger? There is a predefined access protocol for AOL Instant Messenger. Enable this access protocol and restart your firewall service, and it should work.

Question: How do I set up the ISA server to let remote clients use DNS services? For example, which protocols should be allowed or filtered? If you want Internet clients to use your DNS server, open internal port 53/UDP. If you want Internet servers to transfer zone information from your DNS server, you also need to open internal port 53/TCP. Make sure your DNS server allows access to external IP addresses.

Question: Is there an easy way to run ISA so that it passes all network traffic? Disable packet filtering and enable NetBIOS on the external IP. Allow all data transfer in the protocol rules.

Question: How do I install QuickTime so that it runs behind the ISA server? Install the firewall client program. Once that is installed, install QuickTime, and in the installation window leave the fields blank when you are asked for proxy server information.

Question: How do I allow internal clients to make outbound PPTP connections through my ISA server? Enable routing and packet filtering (PF), and select the "PPTP through the Firewall" checkbox, which adds new packet filters for PPTP calls.

Question: Each time I change the protocol rules, I have to restart the firewall service before the rule change affects network traffic. Do I really need to restart the firewall service? You don't need to restart the firewall service, but it may take a while before the policy takes effect. I think this is caused by ISA reading the registry or AD.

Question: I set up a policy controlling network access and also configured the browser. Navigator 4.75 asks for authentication (user name/password), then locks up or reports a memory error. How do I solve this problem? The cause is ISA's integrated authentication. In the ISA MMC, find the ISA computer name and right-click it. Select "Properties" and click the "Outgoing Web Requests" tab. Then find the "Integrated Security" checkbox. 1) You can clear this check box, so that there is no authentication. But after this you will not know who is using which services, because users are anonymous in the log files, and as a result access cannot be controlled by user name. 2) You can clear the integrated security check box but select the "Basic Verification" check box. This lets you control access for all other browsers. Note that only IE 3.x and later support integrated NTCR authentication.

Question: Can anyone suggest how I can access Symantec LiveUpdate through ISA? First, and most important, make sure you use the latest version of LiveUpdate. I used 1.5, but when I upgraded to 1.6, it worked normally. I did the following: 1. Allow users HTTP and FTP access through the proxy server. 2. Configure LiveUpdate with the proxy server and ask the user to enter the account and password to authenticate. LiveUpdate only ran properly once I let it use the Internet Explorer configuration. (These settings can be configured with the LiveUpdate applet in the Control Panel.)

Question: I am trying to publish an SSH (port 22) server that runs on a UNIX server behind my ISA firewall. However, SSH is not in the list of protocols for publishing rules. Is there another way to solve this problem? Just create a new protocol definition and set up the necessary publishing rules.

Question: With the new ISA server, can I limit users' access to the Internet by user account? Yes. If you have installed the firewall client program, you can control access by user/group membership. However, if you don't have the firewall client, you have to use the web proxy or SecureNAT. You can control access to the protocols that go through the web proxy (HTTP, FTP, HTTPS, and Gopher), but if you use SecureNAT for other protocols, you will not be able to control access by user/group.

Question: Many users have downloaded programs such as HTTPort, details of which can be found at http://www.technetva.com/httport/index.htm; another example is Socks2HTTP, which can be found at http://www.totalrc.com/. They convert SOCKS v5 requests into HTTP requests and establish a tunnel through the HTTP proxy, which effectively opens almost all TCP ports. I have tried to restrict this using application content rules, but to no effect. How do I solve this problem? HTTPort and Socks2HTTP simply build a connection to the proxy server and send it the following string:

    CONNECT URL:Port HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0 Windows NT)

URL:Port is the destination the unauthorized user wants to connect to. ISA Server supports this connection method, but with the default settings it only allows the method to destination ports 443 and 563, so internal users cannot abuse the ISA server proxy directly; your users are probably connecting to a server outside your network. What you have to do is block your users' access to the IP address of the proxy server they connect to. You also have to consider access to the default proxy server ports: 8080, 3128, and SOCKS 1080. Another solution is to allow only predefined destination ports. You should also block www.http-tunnel.com and similar services. Keep in mind that internal clients may also install the software on their home PC and establish a connection there.

Question: I just installed ISA on a Win2K server that connects to the Internet through a cable modem. I want to know whether S-NAT clients can use FTP. If so, where can I find related information? SNAT clients can access FTP without problems. But you must make sure that your site and content rules and your protocol rules allow your SNAT clients to use FTP.

Question: I am trying to connect to a website on port 3000 using SSL (https://www...:3000). When packet filtering is enabled, I can't connect to the website. But when it is disabled, I can. How can I connect to the website with packet filtering enabled? ISA Server only allows tunnel connections to ports 443 and 563 (Secure News). If a client tries to connect to a secure site running on a port other than 443 or 563, the connection will fail.

Question: How do I set up the ISA server to deny or allow user access based on IP address? In the site and content rules and the protocol rules, you select and specify whether access is determined by user name or by IP address. In some cases, a combination of both may be more effective. We took the following approach. In the site and content rules, we specify access by IP address; in the protocol rules, we specify access by user account. We did this to solve the following problem: allow anyone to access the Internet at any time through our internal network, but during working hours allow only dial-up access.

Question: If I want to allow all IP traffic, I can create a rule called "Allow all" for ports 0-60000, but is there an easier way? You only need to select "All IP traffic" on the "Protocol" property page. This opens all external protocols.
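
The CONNECT restriction described in the HTTPort/Socks2HTTP answer and in the port 3000 answer above, as an added example (not code from the original notes or from ISA Server): a Python check that applies the default 443/563 tunnel policy to proxy request lines and reports which clients attempted anything else. The function names, verdict labels and log tuple layout are assumptions, and the sample log is constructed.

```python
# Ports ISA Server accepts for CONNECT tunnels by default (per the answers above).
ALLOWED_TUNNEL_PORTS = {443, 563}
# Default proxy and SOCKS ports the answer says to account for.
PROXY_PORTS = {8080, 3128, 1080}
# Tunnel services to shield; the page names this one, extend the set locally.
BLOCKED_HOSTS = {"www.http-tunnel.com"}

def classify(request_line):
    """Classify one proxy request line against the tunnel policy."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return "not-connect"
    host, sep, port_text = parts[1].rpartition(":")
    if not (sep and host and port_text.isascii() and port_text.isdigit()):
        return "malformed"
    port = int(port_text)
    if not 0 < port <= 65535:
        return "malformed"
    if host.lower().rstrip(".") in BLOCKED_HOSTS:
        return "deny-host"        # known tunnel service, even on port 443
    if port in ALLOWED_TUNNEL_PORTS:
        return "allow"
    if port in PROXY_PORTS:
        return "deny-proxy-port"  # chaining to another proxy or SOCKS server
    return "deny-port"            # e.g. an SSL site on port 3000

def review(log):
    """Map each client to the CONNECT targets that the policy rejects."""
    findings = {}
    for client, request_line in log:
        verdict = classify(request_line)
        if verdict.startswith("deny") or verdict == "malformed":
            target = request_line.split()[1]
            findings.setdefault(client, []).append((verdict, target))
    return findings

# Constructed sample log: (client address, request line). Not real traffic.
SAMPLE_LOG = [
    ("192.0.2.10", "CONNECT www.example.com:443 HTTP/1.1"),
    ("192.0.2.11", "CONNECT relay.example.net:8080 HTTP/1.1"),
    ("192.0.2.11", "CONNECT www.http-tunnel.com:443 HTTP/1.1"),
    ("192.0.2.12", "CONNECT shop.example.org:3000 HTTP/1.1"),
    ("192.0.2.13", "GET http://www.example.com/ HTTP/1.1"),
]

if __name__ == "__main__":
    for client, hits in review(SAMPLE_LOG).items():
        print(client, hits)
```

The "deny-host" case is the one the port restriction alone misses: a tunnel to an outside relay on port 443 passes the port check, which is why the answer also calls for blocking the relay's address.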

Question: How do caches help with bandwidth demand and information availability? A cache keeps web page content relatively close to the user to reduce bandwidth requirements. By answering frequent requests from the cache, bandwidth usage may be reduced by 40%. The cache can also provide content to the user even if the source of the content is offline or unavailable.

Question: What is a reverse cache, and does ISA Server support it? Reverse cache is another term for a cache placed in front of a web server or e-commerce application. It is called "reverse" because it is run by the administrator of the web server rather than by the client, and content delivery is offloaded from the server to the cache. ISA Server supports reverse caching and lets administrators of the web server manage and distribute their content, shortening response times for clients.

Question: What are the (recommended) requirements for caching with ISA Server 2000? Rules and restrictions (in company and ISP installations) increase the load on the processor. Therefore, if you plan to keep it running smoothly, you need more memory. You may want to determine where the bottleneck is by running it. If the load is small, 250MB will be enough. But if the load is large, you will need 1GB. You can also use the Proxy 2 formula: 100MB + 5MB per client.

Question: I have set up a set of scheduled content download jobs. Is there a way to view the cached pages to verify that the scheduled downloads are running correctly? The only way to access the web cache is through the cache API (included in the ISA SDK).

Responsible Editor: Aron

Please credit the original address when reposting: https://www.9cbs.com/read-60601.html
