Thursday, February 17, 2011

The Dune

There's a desert. In the desert, there's a commodity which the whole world wants. Once you have had a taste of it, you get addicted and cannot be without it.

The desert is ruled as a fiefdom where there is a Baron who rules over the land and the people of the land. The natives of the land are treated as dirty, filthy, uncouth creatures who have weird traditions and silly beliefs. The Baron has his men mine the commodity for sale to the rest of the world.

There's an all-powerful king who is the leader of the world. He controls all the supply of this commodity. He controls the Baron and the appointment, change of guard and exit of who rules this land.

The king derives his power from his powerful army/weapons. The army is made strong and ruthless by having them serve in extremely hostile and inhuman conditions in terrible parts of the world. The king believes that although many will die while on those assignments - those who survive will be thoroughly ruthless and amongst the strongest.

A mafia controls the trading of the commodity. This mafia and its men are even more powerful than the king, because they know they can choke the supply of the commodity and thereby choke the king's hold over the rest of the world.

A Duke of this region has become powerful and has started building an army that is becoming as strong as, and may become even stronger than, the king's army. The king plots to assassinate this Duke.

The local urban population of the desert areas suffers under the rule of the king's Duke but does not rise up in rebellion, because the people are busy trying to live their lives and hoping to rise above their economic level to match the foreigners.

I don't know if the above sounds like a story of the current world scenario... but it is my introduction to a wonderful story of a book called "Dune" written by Frank Herbert in 1965. Wonderful book, sci-fi mixed with politics and religion - a great read!

Thursday, February 10, 2011

ISA Server 2004 Enterprise Edition - Installation, configuration tips and tricks

I recently upgraded one of our servers from ISA 2000 to ISA 2004 (yeah, yeah, I know that sounds like really old technology) - but so it was.

Found that the upgrade was a far bigger headache than it should have been because of some changes in the way ISA 2004 works compared to the earlier version. Hence, here are some tips and tricks that may help you save some time and not spend a few days scratching your head.
  1. Make sure the Windows server is up to date and is 32-bit; mine was Windows 2003 32-bit.
  2. Install the latest Windows service pack.
  3. You cannot, or at least should not, install ISA on your domain controller.
  4. You can join the ISA machine to your domain, which we did.
  5. Your ISA machine will normally have two network cards - one for the internal LAN and the other for the external WAN.
  6. It is very important that you only specify the DNS servers of your internal LAN and not the external DNS servers of your ISP. In other words, your internal LAN card will have your internal DNS servers but your external WAN card should not have any DNS servers specified.
  7. If this is not followed, your ISA Server will lose the domain credentials once you reboot the server and all systems will stop - the event viewer will have a "RPC Server unavailable" error along with many other consequential errors. This link is a good example of the errors you will encounter - http://www.eggheadcafe.com/aspnet_answers/isaenterprise/Aug2006/post27617673.asp
  8. Do not specify a Default Gateway on your internal LAN card.
  9. The default gateway on your external WAN card will be the Router IP.
  10. The old ISA stored all its configuration data in Active Directory on the DC. ISA 2004 stores its data in an LDAP version of AD called ADAM. 
  11. This data is stored in what is called a Configuration Storage Server. Hence you cannot join the old ISA server enterprise as another array.
  12. As a first step, you need to install the Configuration Storage Server. We installed this on the ISA machine itself - preferably install on a different machine for better redundancy.
  13. Once this is installed, go ahead and install ISA Server 2004 and also the latest Service Pack 3.
  14. ISA 2004 comes with a migration wizard that you can run on ISA 2000 and export the configuration as an XML file. Preferably run this wizard on the ISA 2000 server itself and export all the configuration to an XML file.
  15. Please note that NO RULES are exported; they cannot be migrated. The export basically takes care of all the destination sets, protocols, etc.
  16. Export at the root level and import also at the root level of the enterprise in ISA 2004.
  17. This import will create the Enterprise policy which existed in ISA 2000 as a similar enterprise policy in 2004 with the objects but sans the rules.
  18. For the ISA machine to allow internet access, you will need to configure DNS resolving.
  19. On your domain's DNS server, go to Forwarders and, for "All other DNS Domains", add the IP addresses of your ISP's DNS servers. This means that clients on your network send their internet name lookups to your internal DNS server, which in turn forwards them to your ISP's DNS servers.
  20. Once you have configured the DNS server for forwarding - create your DNS servers as Network Objects in ISA Server 2004 i.e. as Computer objects - give their name and IP address.
  21. Now you want to create a rule "Forward DNS Requests to ISP" which ALLOWS all traffic from your INTERNAL DNS SERVER Computers to External Network and for ALL USERS. 
  22. Once this is done, you can check by opening the command prompt on your ISA machine and typing NSLOOKUP followed by a domain such as google.com. If all is set up well, you should get a response from your internal DNS server with the IP address of the requested domain.
  23. Set the default gateway on the network card of your DNS server machine to point to the ISA Server box. 
  24. This is a good link to better understand the DNS configuration - http://technet.microsoft.com/en-us/library/cc302590.aspx
  25. After this, create a Network object for your internal domain (say ABC.com) and specify the IP range that your domain is using (for example 192.168.0.0 to 192.168.0.255).
  26. Create a NETWORK RULE to take all traffic from Internal Network to External Network as NAT.
  27. Add an Enterprise Rule to ALLOW all HTTP / HTTPS / SMTP / POP3 protocols from Internal Network to External Network for all users.
  28. Go to your Array server node, under configuration, bind the Internal Network with the ABC.com object that you specified. This tells the ISA machine which are the internal IP addresses.
  29. Under Configuration - General - Firewall Client configuration - change the "Outlook" entry from 0 to 1.
  30. Under network properties - allow Web Proxy clients and set authentication to integrated, preferably with "Must authenticate" set to true.
  31. Under the same tab, define the Proxy client settings for automatic configuration and give the name of your machine for resolution - isa.abc.com for example.
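As an added example (not part of the original post), here is a PowerShell check for the network card layout in steps 5 to 9, to run on the ISA host before the reboot that triggers the "RPC Server unavailable" failure of step 7. The connection names "Internal" and "External" and the 192.168.0.x internal range are assumptions; adjust them to your server.

```powershell
# Added example, not from the original post: checks the NIC layout from steps 5-9
# on the ISA host before a reboot, so the "RPC Server unavailable" failure in step 7
# is caught in advance. Connection names "Internal" and "External" are assumed;
# rename them to match your server. Uses WMI, which also works on Windows Server 2003
# with PowerShell 2.0.
$internalName = "Internal"      # assumed name of the LAN connection
$externalName = "External"      # assumed name of the WAN connection
$internalPrefix = "192.168.0."  # assumed internal range from step 25

function Get-NicConfig([string]$connName) {
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$connName'"
    if (-not $adapter) { throw "No network connection named '$connName' was found" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
}

$lan = Get-NicConfig $internalName
$wan = Get-NicConfig $externalName
$problems = @()

# Step 6: DNS servers only on the internal card, and they must be internal addresses
if (-not $lan.DNSServerSearchOrder) {
    $problems += "Internal NIC lists no DNS servers"
} else {
    foreach ($dns in $lan.DNSServerSearchOrder) {
        if (-not $dns.StartsWith($internalPrefix)) {
            $problems += "Internal NIC points at a non-internal DNS server: $dns"
        }
    }
}
if ($wan.DNSServerSearchOrder) {
    $problems += "External NIC lists DNS servers: $($wan.DNSServerSearchOrder -join ', ')"
}

# Steps 8 and 9: default gateway only on the external card
if ($lan.DefaultIPGateway) {
    $problems += "Internal NIC has a default gateway: $($lan.DefaultIPGateway -join ', ')"
}
if (-not $wan.DefaultIPGateway) {
    $problems += "External NIC has no default gateway (should be the router IP)"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "NIC settings match steps 6-9; safe to reboot"
}

# Step 22: the answer should come from the internal DNS server, not the ISP's
nslookup google.com
```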

If all goes well, by this time, you will have your ISA Server functional and a client computer should be able to access the internet through your firewall. It's a good time to back up your configuration!