- Configuring the ISA Server interfaces
- Configuring the LAT and LDT
- Configuring the Dial-up Entry for a dial-up connection on the
external interface
- Configuring Protocol Rules
- Install the Firewall client on Windows based computers
- Optional Configuration Settings
After you go through each of these configuration issues, Outlook
Express or any other email client should work famously!
Configure the ISA Server Interfaces
You should configure the interfaces of the ISA Server to support
the ISA Server installation before you install ISA Server.
The ISA Server will have two interfaces: an internal interface
that is connected to your LAN, and an external interface
that is connected to the Internet. The external interface can be
a permanent interface or a dial-up interface.
If you are using a dial-up interface, your ISP will configure it
automatically for you when the dial-up connection is established.
The dial-up interface will be automatically assigned an IP address,
gateway, and DNS server. So, there's no reason for you to configure
any of these on the DUN connectoid.
If you are using a permanent interface, then you'll need to
manually configure it, unless you're using a DSL or cable connection.
In that case, DHCP will configure the interface for you.
To manually configure the external interface, set the following:
- IP Address: The address the ISP tells you to assign to the
interface
- Subnet Mask: The subnet mask the ISP tells you to assign
to the interface
- DNS server: The IP address of your ISP's DNS server
or servers
- Default gateway: The gateway address your ISP tells you to
use
Everyone has to configure their internal interface, regardless
of the type of external interface you are using. To manually configure
the internal interface, set the following:
- IP Address: Any private IP address that is on the same network
ID as the internal network directly connected to this interface.
- Subnet Mask: A subnet mask appropriate for the network ID
of the network the interface is directly connected to.
- DNS server: Since you don't have your own DNS server,
don't enter a DNS server address here.
- Default Gateway: Do not enter a default gateway address on
the internal interface. NEVER enter a default gateway address on
the internal interface!
The ISA Server uses the DNS settings on the ISA Server to resolve
Internet host names for Firewall clients. You want to make sure
the DNS server settings are configured correctly.
There are other considerations for setting up the internal and
external network interfaces.
What I've listed above should be considered the minimum interface
configuration. Check the Learning Zone and our book for more details
on interface configuration.
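As an added example (not part of the original article), here is a small audit of the two interface configurations against the rules above. The interface values are constructed, and the audit assumes a permanent external interface, since a dial-up interface is configured by the ISP.

```python
import ipaddress

# Constructed sample of the two ISA Server interfaces; the internal one
# carries a default gateway, which is the mistake the article warns about.
INTERFACES = {
    "internal": {"ip": "192.168.1.1", "mask": "255.255.255.0",
                 "gateway": "192.168.1.254", "dns": []},
    "external": {"ip": "198.51.100.10", "mask": "255.255.255.0",
                 "gateway": "198.51.100.1", "dns": ["198.51.100.53"]},
}


def audit_interfaces(interfaces):
    """Return findings that violate the minimum interface configuration.

    Internal: private address, no default gateway, no DNS server.
    External: ISP DNS server present, default gateway present and on the
    interface's own subnet.
    """
    findings = []
    internal, external = interfaces["internal"], interfaces["external"]
    int_if = ipaddress.ip_interface(f"{internal['ip']}/{internal['mask']}")
    if not int_if.ip.is_private:
        findings.append("internal: address is not a private IP address")
    if internal["gateway"]:
        findings.append("internal: default gateway is set; remove it")
    if internal["dns"]:
        findings.append("internal: DNS server is set; leave it empty")
    ext_if = ipaddress.ip_interface(f"{external['ip']}/{external['mask']}")
    if not external["dns"]:
        findings.append("external: no ISP DNS server configured")
    if not external["gateway"]:
        findings.append("external: no default gateway configured")
    elif ipaddress.ip_address(external["gateway"]) not in ext_if.network:
        findings.append("external: default gateway is not on the interface subnet")
    return findings
```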
Configure the LAT and LDT
The Firewall client uses the Local Address Table (LAT) and
the Local Domain Table (LDT) to determine which IP addresses
and domain names are external and which are internal. If an IP address
or FQDN is on the LAT or LDT, the Firewall client software does
not handle the request and the request is sent directly to the internal
host. This means that the ISA Server does not handle requests
for hosts on the LAT and LDT.
It's critical that you have the correct entries in the LAT.
If you accidentally include external network IP addresses in the
LAT, you can severely compromise the security of your ISA Server.
If you do not include your internal network addresses in the LAT,
the clients may not be able to access the Internet.
One tip for configuring the LAT: allow the ISA Server setup procedure
to create the LAT based on the routing table and select the internal
network interface in the setup dialog box. There's little chance
that you'll get things wrong if you do it this way.
For a small network like yours, it's unlikely that you'll
have multiple internal network segments. But if you do have multiple
internal network segments, you'll need to add routing table
entries for each network segment. Check out the Windows Help File
or our book for details on how to add these routing table entries.
The Local Domain Table isn't important unless you host internal
network domains, or you want to access external domains directly
without being subject to ISA Server access policies. However, if
you do have a domain environment for your internal network, you
should create an LDT entry for your domain. Note that you do not
configure the LDT during installation. You can configure the LDT
after installation is complete.
To configure the LDT, perform the following steps:
- Open the ISA Management console and expand your server
name. Expand the Network Configuration node and right click
on the Local Domain Table (LDT) node. Point to New
and click LDT Entry.
- In the Name text box, type the name of your domain. Usually
you'll want to make a wildcard entry, such as *.mydomain.com,
so that all of your servers on the internal network domain are
automatically included. Click OK.
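The following is an added example, not code from the original article or from ISA Server. It models the Firewall client's LAT/LDT decision described above and audits the LAT for the external-address mistake the article warns about. The LAT is assumed here to be expressed as start/end address ranges, one per line, and the sample tables are constructed.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample tables. LAT entries are written as start/end address
# pairs, one range per line; the LDT holds the wildcard entry the article
# suggests. The third LAT range is an external (public) block.
LAT_TEXT = """\
10.0.0.0 10.255.255.255
192.168.1.0 192.168.1.255
203.0.113.0 203.0.113.255
"""
LDT_ENTRIES = ["*.mydomain.com"]

# Address space that belongs in a LAT: RFC 1918 private ranges plus
# loopback and link-local. Anything outside these is an external address.
INTERNAL_SPACE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16")]


def parse_lat(text):
    """Return the LAT as a list of (start, end) IPv4Address pairs."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            ranges.append((ipaddress.IPv4Address(parts[0]),
                           ipaddress.IPv4Address(parts[1])))
    return ranges


def public_lat_ranges(ranges):
    """Return LAT ranges that reach outside internal address space; the
    Firewall client would bypass ISA Server for hosts in those ranges."""
    bad = []
    for start, end in ranges:
        nets = ipaddress.summarize_address_range(start, end)
        if not all(any(n.subnet_of(s) for s in INTERNAL_SPACE) for n in nets):
            bad.append((str(start), str(end)))
    return bad


def sent_directly(destination, ranges, ldt):
    """True if the Firewall client sends the request straight to the host
    (LAT or LDT match), False if it hands the request to ISA Server."""
    try:
        addr = ipaddress.IPv4Address(destination)
    except ValueError:
        # Not an IP literal: match the host name against the LDT wildcards.
        return any(fnmatch(destination.lower(), p.lower()) for p in ldt)
    return any(start <= addr <= end for start, end in ranges)
```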

Configuring Dial-up Entry if using a Dial-up Connection
If you use a dial-up connection to access the Internet, you know
that you have to create a dial-up networking connectoid to connect
to the ISP. ISA Server uses the DUN connectoid to autodial to the
Internet when a request for external network resources is made to
the ISA Server.
Make sure you have created the DUN connectoid first, and then perform
the following steps to configure ISA Server to use your dial-up
connection:
- Open the ISA Management console, expand your server name
and then expand the Policy Elements node. Right click on
the Dial-up Entries node, point to New and click
on Dial-up Entry.
- In the New Dial-up Entry dialog box, enter the Name
and Description. Click the Select button to select
your DUN connectoid. Click the Set Account button and type
in the user name you use to connect to your ISP. Do not use
your internal network credentials! Type in your password and
type it again to confirm your password.

- Click OK to close the New Dial-up Entry dialog
box.
After the dial-up connection is configured, you want to make sure
the ISA Server uses the dial-up connection as its primary network
connection. This also enables the autodial feature of ISA Server.
There are two places where you need to configure the dial-up connection
as a primary: Firewall routing and Default Web Routing.
Do the following to configure your routing rules:
- Open the ISA Management console and expand your server
name. Right click on the Network Configuration node and
click Properties.
- On a simple network you will not use Firewall chaining. Select
the Use Primary Connection option and then place a checkmark
in the Use dial-up entry checkbox.
- Click Apply and then click OK.
- Expand the Network Configuration node and click on the
Routing node. Double click on the Default rule.
- Click on the Action tab. Place a checkmark in the Use
dial-up entry for primary route checkbox.
- Click Apply and then click OK.
Configure Protocol Rules
If you want to use Outlook Express to send and receive mail, you
typically need access to the POP3 and SMTP protocols. If you want
to use Outlook Express to access your Hotmail account, you will
need to allow outbound access for the HTTP and HTTPS protocols.
HTTPS is required for the secure log on phase of the connection,
but the remainder of the session is via HTTP. Finally, some people
like to use IMAP to connect to their mail servers at work. IMAP
is a wonderful protocol and it really should be used more often.
You need to create Protocol Rules to allow outbound access
for internal network clients. Protocol Rules are used for outbound
access control for internal network clients. You will NEVER, I repeat
NEVER, use packet filters to control outbound access for internal
network clients, unless you need to allow outbound access for non-TCP/UDP
protocols. Fortunately, all mail protocols are TCP based.
Since you are using the Firewall client, you do not need to create
a Protocol Rule for outbound DNS queries. The reason for this is
that the ISA Server performs DNS queries on the behalf of Firewall
clients. The ISA Server can make DNS queries because a packet filter
is created by default that allows the ISA Server to make outbound
DNS queries. You do not need to create this packet filter.
Note that a packet filter is used because it is the ISA Server
itself that needs access to the protocol. Packet filters are used
to allow inbound and outbound access to applications and services
running on the ISA Server itself.
Before you can create a Protocol Rule, there must be a Protocol
Definition for that protocol. ISA Server includes a bunch of
Protocol Definitions right out of the box. You will not need to
create a new Protocol Definition to support your mail protocols.
To create a Protocol Rule for your mail protocols, perform the
following steps:
- Open the ISA Management console, and expand your server
name. Expand the Access Policy node and right click on
the Protocol Rules node. Point to New and click on Rule.
- On the Welcome page, type in a name for the rule, such as Mail
Protocols and then click Next.

- On the Rule Action page select the Allow option
and click Next.

- On the Protocols page, click the down arrow under Apply
this rule to and select Selected protocols. In the
Protocols list, place a checkmark in the checkbox for each
of the protocols you want access to. You might want to select
SMTP, POP3, IMAP4, HTTP and HTTPS. After you have
selected your protocols, put a checkmark in the Show only selected
protocols checkbox. This will make it easier for you to see
what protocols you selected. Click Next.

- On the Schedule page, go with the default, which is Always,
and click Next.
- On the Client Type page, select the Any request
option and click Next.
- On the last page of the Wizard, review your settings and click
Finish.
Install the Firewall Client
The ISA Server is now all set up to support Outlook Express, or
any other email client you might want to use. The next step is to install
the Firewall client application. The Firewall client software will
intercept all TCP and UDP communications leaving the client computer
and forward them to the Firewall service on the ISA Server. There
are a lot of advantages to using the Firewall client. You should
install the Firewall client on all Windows computers except Windows
3.x and the original version of Windows 95.
The easiest way to install the Firewall client on a small network
is to connect to the shared directory on the ISA Server that contains
the Firewall client software. There are many ways you can do this.
Here's one way:
- Click Start and then click the Run command.
- In the Run dialog box, type \\<server_name>\mspclnt\setup.exe
in the Open text box. Replace <server_name>
with the name of the ISA Server. Click OK.

- Follow the instructions provided by the installation Wizard.
On Windows 2000 and Windows XP machines, you won't have to
restart the computer. On downlevel operating systems, you might
have to restart.
Optional Configuration Settings
Now you're ready to rock and roll with Outlook Express or
any other email client you want to use. Just configure the appropriate
server settings in your client and you'll be able to send and
receive email.
There are a couple of optional settings you might want to configure
on the ISA Server. These are the Packet Filtering and the
IP Routing options.
You always want to enable Packet Filtering on the ISA Server. When
Packet Filtering is enabled, the only traffic that can move to and
from the ISA Server is the traffic that you've explicitly allowed
by creating packet filters, Protocol Rules and Publishing Rules.
If you don't enable packet filtering, all the default ports
that are opened by Windows services and applications will be open
on the external interface of the ISA Server. This obviously represents
a security risk.
You might also want to enable IP Routing. This feature can
greatly improve performance for SecureNAT clients. Although we haven't
discussed the SecureNAT client setup in this article, you might
find that when this feature is enabled the Firewall clients
perform better as well. You also need to enable IP Routing if you
want to run a DMZ segment off the ISA Server itself. But in the
simple network configuration we're discussing here, this isn't
much of an issue.
Conclusion
In this article we discussed how to configure the ISA Server to
allow email applications to work with external mail servers. If
you go through the procedures in this article, your email clients
will work. It's very hard to mess up this configuration! If you find
that you're still having problems sending and receiving mail,
then look at things other than the ISA Server (after you confirm
that you've set everything up correctly).
It could be that your ISP is having problems, or you're using
a DSL connection and having an MTU problem. Check that you can access
the Internet using other protocols, such as HTTP via your
Web browser. If you can't get anywhere, it could be that you
have a cable modem and you lost your IP address. In that case, make
sure the DHCP packet filter is enabled, and then restart the computer.