Problem solve Get help with specific problems with your technologies, process and projects.

Tom Shinder Q&A: Publishing servers with ISA Server 2000

Tom Shinder responds to user-submitted questions from his live expert Webcast June 27.

How many IP addresses do you need on ISA server? How can you publish VPN servers? What's up with FTP? These are just a few of the user-submitted questions Tom Shinder fielded in a recent live expert Webcast: Publishing servers with ISA Server 2000. Click here to listen to the audio archive, or download the Power Point slide show from this link.

Tom Shinder

SearchWin2000: I want to publish multiple Web sites on the internal network. How many IP addresses do I need on the ISA Server?

Shinder:: You can publish multiple Web sites with a single IP address on the external interface of the ISA Server. The Web Proxy Service can leverage a single external IP address on the external interface to publish multiple internal network Web servers.

SearchWin2000: How can I publish my VPN servers?

Shinder: You can't. The reason for this is that PPTP requires that the ISA Server pass GRE (Generic Encapsulation Protocol), which is IP Protocol 47. You can only publish TCP and UDP protocols with ISA Server. GRE doesn't use TCP or UDP as its transport and therefore PPTP isn't publishable. IPSec isn't publishable because it doesn't work across a NAT. The only exception is when the IPSec packets are encapsulated in a UDP header. In that case, you should be able to publish the L2TP/IPSec VPN server

SearchWin2000: I have published my Web site and have people authenticate with the ISA Server and the Web server on the internal network. Its doesn't work. What should I do?

Shinder: You can authenticate with the ISA Server's Incoming Web Requests Listener or you can authenticate with the internal Web Server, but you can't authenticate with both.

SearchWin2000: I published my Exchange Server and the e-mail isn't leaving the server. Why?

Shinder: The most likely reason for this is a DNS issue. Make sure you set the Exchange 2000 Server to use an external DNS server for MX domain name resolution. You can make this setting in the SMTP virtual server in the Exchange Management console.

SearchWin2000: Can you publish more than one FTP server on the DMZ?

Shinder: Yes. You can publishing as many FTP servers as you like in a DMZ. The procedure varies depending on the type of DMZ you're using: public versus private address DMZ segment.

SearchWin2000: We have a hardware firewall in place and want to replace our Proxy server. Is it a good idea to implement the ISA server in a proxying config only (without firewall)?

Shinder: ISA Server supports a single NIC configuration where its runs as only a Web Proxy Server. However, why waste an excellent firewall? You paid for it! You're must better off creating a back-to-back firewall configuration, putting your hardware firewall upstream from your ISA Server. This more than doubles your protection and gives you a nice DMZ between the external and internal firewall.

SearchWin2000: Any update on the lab series release date?

Shinder: The lab series has been cancelled. There wasn't enough interest in it to make it cost effective for me to complete it.

SearchWin2000: Regarding having ISA on the edge of the internal network, you're saying not in the DMZ, right?

Shinder: What I mean is that you should place the ISA Server between the external network and the internal network. Exactly how this works depends on whether you have a back to back DMZ, or a single firewall

SearchWin2000: Do you have to publish an application like a simple game, in order for a internal user to make a direct connection for peer to peer gaming. (My boss plays chess with his partner, shhh!)

Shinder: You shouldn't have to publish a game in order to get it to work, but you will almost always need to install the Firewall client, because most Internet games will require secondary connections. Check out the Games section on the Message Boards over at for more details about various games. Also check the gaming link at

SearchWin2000: My FTP server is on the ISA server. A user can access in passive mode but can't from the Web browser.

Shinder: It's a very poor security practice to put an FTP server on a firewall! However, if you do choose to do this, its simple to create the appropriate packet filters to allow both PASV and PORT mode FTP. Set your browser to run PASV or PORT mode, depending on the type of packet filters you've created.

SearchWin2000: I have ISA Server 2000 installed and would like to expose an Application Server as a Web service. The application would use XForms, a subset of the W3C XML standard. Do I need to create a custom protocol, and then create a Web Request Listener?

Shinder: You should have to create a custom protocol definition unless your application is using something other than TCP port 80 for HTTP communications. However, if you need some sort of application filtering, for security or other reasons, then you or your developers will need to create it.

SearchWin2000: I need to publish some shares on my internal network so that Internet users can access them. How do I do that?

Shinder: You don't ever want to allow external network users access to SMB/CIFS shares on your internal network because of security concerns. However, you can still make the content of these shares available to leverage your Web server. You can map shares on your IIS Web Server using the "Web Sharing" feature included with IIS. Make sure to secure the Shares with NTFS and IIS permissions, harden your IIS box, and you'll be in good shape.

SearchWin2000: I published an FTP server, but it doesn't work. The packets seem to arrive at the FTP server but the response never gets past the ISA Server. Why?

Shinder: You need to enable a Site and Content Rule that allows the FTP Server access to all Sites and Content. The reason for this is that the FTP server need to establish a new outbound connection, and so ISA Server doesn't really recognize the FTP server as completing an existing conversation. These should be handled by the FTP application filter, but it isn't.

SearchWin2000: I need to turn off reverse caching for my Web published sites. Can you explain to me how I do this? Thanks.

Shinder: Create Routing Rules for each of your sites. In the Routing Rule, configure the Caching option to never cache the contents for each site.

About the author:
Thomas W. Shinder is an M.D. and Microsoft Certified Systems Engineer. Tom was a Series Editor of the Syngress/Osborne Series of "Windows 2000 Certification Study Guides" and author of the best selling book on ISA Server 2000 "Configuring ISA Server 2000: Building Firewalls with Windows 2000." He is the editor of the Win2k News newsletter, the Sunbelt Software WinXP News newsletter, a regular contributor to TechProGuild, and content editor, contributor and moderator for the World's leading site on ISA Server 2000.

Click here to ask Tom a question.


 >>  Service prepares customers for Microsoft license change (IDG News)
 >>  Microsoft to ship Windows Server for Itanium 2 later this month (CRN)
 >>  Microsoft seeks 64-bit SQL Server beta candidates (InfoWorld)
 >>  Microsoft's mobile messaging plans address enterprise integration woes (CRN)
 >>  Liberty Alliance plans technology debut (IDG News)

>> Microsoft Report Card survey results...
>> Add a Win2000 Search Box to your Website
>> Windows XP or Windows 2000 Professional?

Dig Deeper on Windows Server storage management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.