Update to SBS WPAD available

From Jim Harrison:

http://isatools.org/sbs_wpad_3.zip

Thanks to Jonathon Howey for a bug report in the _2 version to the isaserver.org list and for playing guinea pig for my troubleshooting.

Short story: WinHTTP proxy configuration (or auto-proxy behavior) can cause the script to make the wpad request as a CERN proxy request instead of a direct request.
Needless to say, this causes the mechanism to fail.

I’ve fixed this and stashed it as http://isatools.org/sbs_wpad_3.zip.


I’ll post this update into the original WPAD blog entry as well.
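As an added example (not Jim Harrison's script or anything from the ISA tools), the two wire forms the wpad.dat fetch can take, a check that tells them apart in a capture, and a client that ignores the configured proxy so the request always goes direct; the host name is a constructed placeholder.

```python
"""Added example, not Jim Harrison's script: the two wire forms a WPAD fetch can take,
a check that tells them apart, and a client forced to fetch wpad.dat directly.
The host name used below is a constructed placeholder, not from the post."""
import re
import urllib.request

WPAD_PATH = "/wpad.dat"
# Absolute-form request target ("GET http://host/... HTTP/1.1") is what a CERN-style
# proxy expects; a web server publishing wpad.dat expects origin-form ("GET /wpad.dat").
ABSOLUTE_URI = re.compile(r"^[A-Z]+ [a-z][a-z0-9+.-]*://", re.I)

def direct_request(host: str) -> str:
    """Origin-form request: what a direct fetch sends to the WPAD host itself."""
    return f"GET {WPAD_PATH} HTTP/1.1\r\nHost: {host}\r\n\r\n"

def cern_proxy_request(host: str) -> str:
    """Absolute-form request: what a client emits when WinHTTP routes the fetch
    through a proxy. The WPAD host never sees this; the proxy does."""
    return f"GET http://{host}{WPAD_PATH} HTTP/1.1\r\nHost: {host}\r\n\r\n"

def is_proxy_style(raw_request: str) -> bool:
    """True if the request line carries an absolute URI, i.e. it was aimed at a proxy.
    Handy when reading a capture or web-server log of a failing WPAD fetch."""
    first_line = raw_request.split("\r\n", 1)[0]
    return ABSOLUTE_URI.match(first_line) is not None

def direct_opener() -> urllib.request.OpenerDirector:
    """Opener with an empty proxy map: environment proxy settings are ignored,
    so the fetch always goes straight to the WPAD host (the fix the post describes)."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))

def opener_proxies(opener: urllib.request.OpenerDirector) -> dict:
    """Return the proxy map the opener would consult (empty means direct)."""
    proxies = {}
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            proxies.update(handler.proxies)
    return proxies

if __name__ == "__main__":
    host = "wpad.example.local"  # constructed placeholder
    for req in (direct_request(host), cern_proxy_request(host)):
        kind = "proxy-style" if is_proxy_style(req) else "direct"
        print(req.split("\r\n", 1)[0], "->", kind)
    print("proxies used by direct_opener():", opener_proxies(direct_opener()))
```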

Force Reboot, Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2

From the SBS Product Team blog.

We’ve seen a few cases now where ISA Hotfix 916106 does not prompt for a reboot, as the hotfix indicates it should. The hotfix does, however, successfully install. In addition, after the hotfix is installed the following services will be in a stopped state:

Microsoft Firewall
Exchange Routing Engine
Simple Mail Transfer Protocol (SMTP)
World Wide Web Publishing Service

The Microsoft Firewall service not restarting will throw ISA into lockdown mode, which can potentially prevent remote administrators from being able to connect to manually reboot the server. In either case, the server should be rebooted.

A knowledgebase article is now available.

If you use a computer that is running Microsoft Small Business Server 2003 Premium Edition with ISA 2004, you may not be prompted for reboot.

See the rest of the knowledgebase article for a suggested solution.

DMZ – SBS special considerations

So you’d like to create a DMZ? It’s easy to do with ISA 2004, but don’t forget that you’ve got pre-defined rules in SBS that are going to open up your DMZ to more than you might want.

Step 1: Create the DMZ. To do this use this article but start at the section titled Create The Anonymous DMZ and continue through the section titled Create the Network (routing) Rule between the Anonymous Access DMZ and the External Network, then stop.

If this were a non-SBS implementation of ISA you’d have a DMZ with no rules defining access to it. But we live in a pre-configured world so the next step is to add a new rule to the ISA 2004 Firewall Policy to exclude the DMZ network from our pre-existing rule set.

Step 2: Open up the ISA 2004 management console and expand Configuration. Click on Networks. Move to the Network Sets tab. Click on Create new Network Set. Call it something like All Protected, Except DMZ. Make this network set look just like All Protected Networks except add your DMZ network to the exclusions list.

Step 3: Move to the Firewall Policy and edit the SBS Protected Networks Access Rule. Move to the From tab and replace All Protected Networks with the network set that you just created. This will prevent all traffic from the DMZ reaching your internal network. Now you’ve isolated the DMZ from your Internal network.

Step 4: Create a Rule so that the server in the DMZ can communicate with the other servers in your network (this assumes that the server in the DMZ is a member server). Open up the ISA 2004 management console and click on Firewall Policy. Scroll down to the bottom. Highlight the SBS Protected Networks Access Rule. In the taskpad click New Access Rule. Call it something like DMZ Server Communications. Allow traffic from the DMZ to Internal Network with the following protocols: DNS, Kerberos-Sec (UDP), Kerberos-Sec (TCP), LDAP, Microsoft CIFS (TCP), Netbios Datagram, Netbios Name Service, Netbios Session, RPC (all interfaces), LDAP (UDP), Kerberos-ADM, ping and NTP. Make sure that this rule is placed just ahead of the SBS Protected Networks Rule.

Step 5: Create a Rule for any additional ports that the application running on the server in the DMZ requires. Place this rule above the SBS Protected Networks Rule as well.