Chad
Thu Nov 20 10:41:31 CST 2003
Hi Tom - see inline
--
Chad A Gross [SBS-MVP]
SBS ROCKS!!!
Thomas W Shinder [MVP] wrote:
> Check out the list I have so far, based on my ISAServer.org
> experience:
> 1.. ISA Server 2000 Quick Setup Guide on Small Business Server
Run SBS's integrated setup.
> 2.. Publishing Exchange Outlook Web Access on the Small Business
> Server
If they need OWA, strongly urge them to publish OWA over SSL and keep port
80 closed at all costs.
How do I configure OWA with SSL:
http://www.smallbizserver.net/sbs2000/How_do_I_configure_OWA_with_SSL.aspx
> 3.. Publishing Exchange SMTP/POP3/IMAP4 on the Small Business Server
IMAP is the only one of those protocols that would require an SBS Admin to
even open ISA Management. The ICW configures ISA for SMTP & POP3. SBS
Admins should always use the ICW.
> 4.. Publishing a Web Site on the Internal Network
Ack! Security disclaimer again please, telling them they're nuts for using
their DC as a web server. Tell them to assume that the box *will* be
compromised at some point in time, and then take a look at the data they
have on that server & carefully evaluate their position. Web hosting is
cheap.
> 5.. Make the Small Business Server a VPN Server
http://www.smallbizserver.net/sbs2000/How_do_I_configure_the_server_for_remote_access_with_VPN.aspx
I'd suggest 5a. How to configure SBS as both a dial-in & VPN server.
> 6.. DNS Support for ISA/Small Business Servers
A clear majority of SBS Admins (98%+) should never need to even open the DNS
mmc. Again - the SBS integrated setup installs & configures local DNS - and
the ICW configures DNS to use your ISP's DNS servers as forwarders . . .
> 7.. Publishing a Public DNS Server Located on the Small Business
> Server
Again - disclaimers. I really can't see any reason why an SBS should be a
public DNS server. It has enough going on as it is without handling public
DNS requests. In addition, if you're going to host your own DNS, you need
at least two (if not 3) DNS servers. Nope - SBS admins shouldn't be using
SBS as a public DNS server. There are cheap DNS hosting solutions available
that give the administrator full control over their DNS records so they can
add / edit / remove DNS records at any time, but let someone else's DNS
server do the work.
> 8.. Publishing an FTP Server Located on the Small Business Server
Ack! Again - this is a DC, and most businesses' *only* server holding
confidential information. Allowing FTP to a server on the LAN (let alone
SBS) is a very bad idea. Again, FTP hosting is cheap.
> 9.. Using FrontPage with Small Business Server
Ok. :^)
> These are frequent questions I see at ISAServer.org. I know they are
> not all representative of best practices, but there is a huge demand
> and people are less likely to get into trouble if they know the right
> way of doing things :-)
If part of the goal is keeping people out of trouble and the right way of
doing things, then for SBS I'd charge that these people need to be aware of
best practices. Because they *will* get into trouble by doing things like
hosting web & ftp sites.
No open port 80. Ever.
If OWA is a must - only over SSL. Preferably publish OWA using a
non-standard, high-end port and link to OWA from your outsourced web site so
users don't have to remember the port number. They just go to the company
website, browse to a certain page & follow the link for OWA . . .
No FTP server. Absolutely not. Just like the web server, remember that
there is a very good chance that the people asking these questions aren't IT
people or full time admins. It's Joe in accounting that is the most
technically savvy staff member who gets to look after the server, not a
trained IT person familiar with security and aware of the risks inherent in
opening certain services up to the internet.
Direct SBS admins to the ICW. The wizards are our friends in SBS - they
work like wizards are supposed to and make our lives easier. Any
configuration that can be done via a wizard in SBS should be done with the
wizard versus manually configuring it.
First and foremost, security needs to be *the* issue. We don't do certain
things with ISA in SBS - not because it can't handle it, but because we
don't have the luxury of ISA sitting on its own box. It's usually on our
only server - a DC with IIS, Exchange and confidential data. ISA is great
for egress filtering - but there are certain services that just should not
be opened up to the internet on an SBS.
>
> Thanks!!!
>
> "Chad A Gross [SBS-MVP]" <chad.gross@laytonflower.nospam.com> wrote in
> message news:eOABUozrDHA.2448@TK2MSFTNGP12.phx.gbl...
>> Hi Tom -
>>
>> Just like Susan indicated, we see the same issues you guys see. The
>> biggest issue I've seen is people not understanding how ISA works -
>> how the parts & pieces fit together to build the various rules, or
>> the difference between packet filters & protocol rules - hence ISA
>> for Dummies. Other common issues include viewing SSL over
>> non-standard ports behind ISA, internet access for VPN clients (no,
>> you cannot configure the VPN client as a Secure NAT client . . . :^)
>> or the regular questions about getting voice & video functionality
>> in MSN Messenger to work.
>>
>> If I was going to do an ISA deployment kit for SBS Admins, I'd do an
>> ISA for Dummies just on how the pieces fit together in order for ISA
>> to do its job. I'd show the SBS Admin how to disable the default
>> BackOffice Internet Access rule and create new protocol rules for
>> only the traffic that they want to allow. I'd show them how to
>> configure what ISA logs, where the logs can be found, and offer best
>> practices on how often logs should be reviewed. I'd also show them
>> how to backup & restore their ISA configuration, so they can
>> experiment with settings and know how to get back to a known working
>> condition if the experiments go awry. Show them how to configure
>> ISA as a VPN server, and discuss the security risks of allowing
>> unmanaged clients to create VPN connections.
>>
>> Things to remember with ISA on SBS are that we'll never use web
>> publishing rules, since ISA is on our DC. I can't think of anyone
>> who would recommend having a web server on your LAN. We recommend
>> not hosting a public website on SBS, but with the increased need for
>> OWA, and the wonderful functionality of Remote Web Workplace in SBS
>> 2003, it appears that these SBS's will be hosting sites - so the
>> best we can do now is have everything run over SSL so we can keep
>> port 80 closed. Since we also have IIS on our ISA server, SBS'ers
>> won't use SSL-bridging. The majority of SBS sites won't use server
>> publishing either, and the ones that do will most likely be
>> publishing a Terminal Server or Citrix Server. Also, because we've
>> got IIS and only a single ISA server, we don't use WPAD with SBS
>> LANs - and we don't do DMZs with ISA either. If we need a DMZ, we
>> put a nat'ing firewall device on the perimeter and set up a DMZ
>> completely external to ISA.
>>
>> Really, an ISA deployment kit for SBS Admins should be fairly simple
>> & straight-forward. Give them the basic info to understand how ISA
>> works. Show them how to backup & restore their configuration. Give
>> them best practices for restricting outbound access and log
>> management, and point them to resources and tools to help them
>> review their logs and determine what ports various apps need for
>> access. Show them how to do VPN, beat them over the head with
>> security and as a bonus, I'd throw in a procedure on how to use the
>> CMAK to build & deploy custom VPN connectoids . . .
>>
>> That's not too much to ask for, is it? :^)
>>
>> --
>> Chad A Gross [SBS-MVP]
>>
>> SBS ROCKS!!!
>>
>> Thomas W Shinder [MVP] wrote:
>>> Hey folks --
>>>
>>> I've had it. And I can't take the pain and sadness any more. We get
>>> zillions of requests from SBS users about problem/issues/procedures
>>> on their ISA/SBS servers. No one at ISAServer.org really knows how
>>> to help because they're using ISA as a dedicated firewall.
>>>
>>> Time to fix things. I'm going to do an ISA/SBS Deployment Kit along
>>> the lines of the ISA/Exchange Kit
>>> (www.tacteam.net/isaserverorg/exchangekit)
>>>
>>> What are the top ten issues you encounter with ISA and SBS (please
>>> don't say DSL/PPPoE :-\)
>>>
>>> Thanks!