Masuk
Microsoft.com
 
Microsoft
 
 
 
Microsoft >
ISA Rules

Locked ISA Rules

  • 01 Oktober 2007 11:27
     
     
    Masuk untuk Memilih
    0

    Hi Guys,

     

    What kind of ISA rules need to be made in order to configure the right policy for OCS.

    Are all the rules access rules or are some publishing rules?

     

    I'm deploying OCS using ISA 2006.

     

    regards, Mark

       

    Semua Balasan

    • 02 Oktober 2007 19:43
       
       
      Masuk untuk Memilih
      0

      Hi Mark,

      The edge server deployment doc ( http://www.microsoft.com/downloads/details.aspx?familyid=ED45B74E-00C4-40D2-ABEE-216CE50F5AD2&displaylang=en) has all the ports etc. documented for what needs to be opened.

       

      While that doc only talks about using ISA to publish the ABS, you can just follow the firewall configuration guidelines for ISA as well.

       

      Regards,

      Matt

       

       

         
      • 04 Oktober 2007 6:33
         
         
        Masuk untuk Memilih
        0

        Hi Matt,

         

        Thanx, but the onlt thing i need to now is what type of rules to make within a 3 leg ISA config.

        Should trafic from internet to the edge server be publishing rules or access rules?

         

        Regards, Mark

         

           
        • 04 Oktober 2007 22:49
           
           
          Masuk untuk Memilih
          0

           

          For your address book config you need to do a web publishing rule. I have it set to not forward the original header and Requests appear to come from the ISA Server.

           

          HTH,

          Calvin

             
          • 04 Oktober 2007 23:04
             
             
            Masuk untuk Memilih
            0

            Looking again I see that you are trying to publish everything through ISA (more than just the reverse proxy stuff)

             

            I can't say anything about the rest of the rules. Any non-web stuff will be still published rules but I ran into a problem publishing some parts. Anything that ran over port 443 (Access Edge, Web Conferencing, and AV Edge) but wasn't actual web http(s) traffic was getting blocked and I couldn't get ISA to quit filtering it. ISA is so trained to expect port 443 to be HTTPS it wouldn't allow the other traffic to go on that port.

             

            In my situation then I put the non-reverse proxy traffic through our PIX so I could avoid ISA for it. So my outside config looks like this:

             

            1) https using ISA for Reverse proxy (Address book etc.)

            2) ports 5061 and 443 through our pix to the edge server on a natted DMZ vlan for Access edge traffic

            3) port 443 through the pix to the edge on natted DMZ vlan for Web conferencing traffic

            4) ports 443, 3478UDP, 50000-5999TCP, 50000-59999UDP direct to the world on a real IP on the edge server for AV traffic.

             

            Not sure if this helps or not...maybe someone else has ISA publishing 443 properly and can give some info on that but I didn't get it working and I had the option of using the pix for that traffic so it worked fine.

               
            • 17 Oktober 2007 15:43
               
               
              Masuk untuk Memilih
              0

              Hi,

               

              I also had this problem with ISA 2006.

               

              My solution to get this traffic through ISA-Server was to create a "normal" publishing rule (Non-Web Server Publishing) for Port 443 and that works for me.

               

              Not nice, but perhaps there will be an update for ISA.

               

               

              Clemens
                 
              • 17 Oktober 2007 15:52
                 
                 
                Masuk untuk Memilih
                0

                That sounds like an idea.

                But i'm already in contact with microsoft so maybe they can tell me how this must work.

                 

                regards, mark