A common question about ISA Server configuration by people on the forums is:
How should I configure the network interfaces on my ISA Server?
A high-level overview of NIC configuration best practice is provided below:
- The network card name used within the operating system should be changed to closely match the associated ISA Server network name. This clarifies assignment and improves supportability.
- Only one network interface should be configured with a default gateway.
- Only one network interface should be defined with DNS servers.
- Unused or unnecessary bindings should be removed from all interfaces, where possible, to improve security. This is often termed ‘interface hardening’.
- The default bind order should be amended to define a specific customised order.
Multiple NIC Deployment - ISA Server Standard Edition
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.
Matching the names makes mapping networks between ISA Server and Windows much easier when troubleshooting.
Configure NICs:
Internal Network
- Default Gateway should not be defined
- DNS Servers should be defined
- Register this connection’s address in DNS – Enabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Enabled
- NetBIOS over TCP/IP – Enabled
- Show icon in notification area when connected – Enabled
Perimeter Network(s)
- Default Gateway should not be defined
- DNS Servers should not be defined
- Register this connection’s address in DNS – Disabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Disabled
- NetBIOS over TCP/IP – Disabled
- Show icon in notification area when connected – Enabled
External Network
- Default Gateway should be defined
- DNS Servers should not be defined
- Register this connection’s address in DNS – Disabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Disabled
- NetBIOS over TCP/IP – Disabled
- Show icon in notification area when connected – Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
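One way to check the gateway, DNS, DNS registration and NetBIOS settings from the table above, as an added example that is not part of the original post. It assumes PowerShell with Get-WmiObject is available on the ISA Server computer and that the connections were renamed as described; the name patterns in $expected are illustrative.

```powershell
# Added example: audit NIC settings against the multiple-NIC Standard Edition table.
# Assumption: connection names follow the rename step above; adjust the patterns to suit.
$expected = @(
    @{ Match = 'Internal*';   Gateway = $false; Dns = $true;  Register = $true;  NetBios = $true  },
    @{ Match = '*Perimeter*'; Gateway = $false; Dns = $false; Register = $false; NetBios = $false },
    @{ Match = 'External*';   Gateway = $true;  Dns = $false; Register = $false; NetBios = $false }
)

# Win32_NetworkAdapter holds the connection name; the IP settings live in
# Win32_NetworkAdapterConfiguration. The two classes join on Index.
$names = @{}
Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionID } |
    ForEach-Object { $names[[int]$_.Index] = $_.NetConnectionID }

$findings = @()
foreach ($cfg in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $name = $names[[int]$cfg.Index]
    if (-not $name) { continue }

    # First matching rule wins; an unmatched name is itself worth reporting.
    $rule = $expected | Where-Object { $name -like $_.Match } | Select-Object -First 1
    if (-not $rule) {
        $findings += "${name}: no rule matches this connection name"
        continue
    }

    $actual = @{
        Gateway  = [bool]$cfg.DefaultIPGateway
        Dns      = [bool]$cfg.DNSServerSearchOrder
        Register = [bool]$cfg.FullDNSRegistrationEnabled
        NetBios  = ($cfg.TcpipNetbiosOptions -ne 2)   # 2 = NetBIOS over TCP/IP disabled
    }
    foreach ($key in 'Gateway', 'Dns', 'Register', 'NetBios') {
        if ($actual[$key] -ne $rule[$key]) {
            $findings += "${name}: $key is $($actual[$key]), expected $($rule[$key])"
        }
    }
}

if ($findings) { $findings } else { 'All checked interfaces match the table.' }
```

These two WMI classes do not report the 'File and Print Sharing for Microsoft Networks' or 'Client for Microsoft Networks' bindings, so those still need to be checked in each connection's properties.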
Amend Bind Order:
Edit the bind order as follows:
Internal Network (Highest)
Perimeter Network(s)
…Others…
External Network (Lowest)
Multiple NIC Deployment - ISA Server Enterprise Edition
With ISA Server Enterprise Edition, it is recommended to add a dedicated Intra-Array NIC. Therefore, we need to consider this additional interface in our configuration.
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Intra-Array Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.
Configure NICs:
Internal Network
- Default Gateway should not be defined
- DNS Servers should be defined
- Register this connection’s address in DNS – Enabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Enabled
- NetBIOS over TCP/IP – Enabled
- Show icon in notification area when connected – Enabled
Intra-Array Network
- Default Gateway should not be defined
- DNS Servers should not be defined
- Register this connection’s address in DNS – Disabled
- File and Print Sharing for Microsoft Networks – Enabled
- Client for Microsoft Networks – Enabled
- NetBIOS over TCP/IP – Enabled
- Show icon in notification area when connected – Enabled
Perimeter Network(s)
- Default Gateway should not be defined
- DNS Servers should not be defined
- Register this connection’s address in DNS – Disabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Disabled
- NetBIOS over TCP/IP – Disabled
- Show icon in notification area when connected – Enabled
External Network
- Default Gateway should be defined
- DNS Servers should not be defined
- Register this connection’s address in DNS – Disabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Disabled
- NetBIOS over TCP/IP – Disabled
- Show icon in notification area when connected – Enabled
Amend Bind Order:
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network
Perimeter Network(s)
…Others…
External Network (Lowest)
Single NIC Deployment – ISA Server Standard Edition
For a single NIC deployment, the following actions are recommended.
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Matching the names makes mapping networks between ISA Server and Windows much easier when troubleshooting.
Configure NICs:
Internal Network
- Default Gateway should be defined
- DNS Servers should be defined
- Register this connection’s address in DNS – Enabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Enabled
- NetBIOS over TCP/IP – Enabled
- Show icon in notification area when connected – Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Single NIC Deployment – ISA Server Enterprise Edition
For a single NIC deployment, the following actions are recommended.
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Intra-Array Network
Matching the names makes mapping networks between ISA Server and Windows much easier when troubleshooting.
Configure NICs:
Internal Network
- Default Gateway should be defined
- DNS Servers should be defined
- Register this connection’s address in DNS – Enabled
- File and Print Sharing for Microsoft Networks – Disabled
- Client for Microsoft Networks – Enabled
- NetBIOS over TCP/IP – Enabled
- Show icon in notification area when connected – Enabled
Intra-Array Network
- Default Gateway should not be defined
- DNS Servers should not be defined
- Register this connection’s address in DNS – Disabled
- File and Print Sharing for Microsoft Networks – Enabled
- Client for Microsoft Networks – Enabled
- NetBIOS over TCP/IP – Enabled
- Show icon in notification area when connected – Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Amend Bind Order:
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network