Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the 'Ask the Author' form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: I can receive incoming mail from my SMTP Server Publishing Rule, but outbound mail isn't going out. How can I fix this?
A: Incoming mail from Internet SMTP servers to your corporate SMTP servers is controlled by the Server Publishing Rule that allows the mail through the ISA firewall to the SMTP server on your network. The external DNS was also configured to resolve your MX names to the IP address on the external interface of the ISA firewall. For outbound SMTP connections, you'll need to make sure the SMTP server is able to resolve the names of the SMTP servers responsible for mail in each Internet domain. You'll need to configure the ISA firewall with Access Rules allowing outbound SMTP from the SMTP server to the Internet. Also, you need to make sure that the SMTP server is configured with a DNS server that is covered by a DNS Access Rule.
Q: I'm getting a 500 Internal Server Error when I try to access my OWA Web site. What's up with that?
A: The problem is that the common name on the Web site certificate bound to the published Web server is not the same as the name on the To tab in the Web Publishing Rule. Change the name or IP address you have listed in the To tab so that it's the same as the common name on the Web site certificate. Also, make sure that the ISA firewall is able to resolve that name to the actual IP address of the Web site (the exception being if the Web site is separated from the ISA firewall by a NAT device, in which case the name should resolve to the IP address of the interface on that device performing reverse NAT).
Q: My users are receiving multiple authentication prompts when connecting to my published Web site. How can I set the ISA firewall up so that users see a single prompt?
A: Configure the Web listener to use Basic authentication, and then configure the Web Publishing Rule to use delegation of Basic credentials. Then confirm that the published Web site supports Basic authentication. Users will no longer be presented with multiple authentication prompts.
Q: I want to publish a mail server on an ISA Protected Network, but I do not want that machine to be a SecureNAT client. How can I configure the ISA firewall so that the machine doesn't need to be configured for SecureNAT?
A: You can configure the Server Publishing Rule so that the ISA firewall's IP address replaces the IP address of the source host. In this way, the only route the SMTP server needs to know is the route to the network ID on which the interface forwards the connection to the SMTP server.
Q: We want to allow VPN clients access only to our Microsoft Exchange Server via Secure Exchange RPC. Is this possible?
A: You can use the Mail Server Publishing Wizard to create a Secure Exchange RPC Server Publishing Rule with a listener on the VPN Clients Network. Then create a DNS Server Publishing Rule with a listener on the VPN Clients Network. Using the combination of these two Server Publishing Rules, you can publish your corporate network DNS and Exchange servers to members of the VPN Clients Network and allow them to connect to your Exchange Server using only secure Exchange RPC, and allow them access only to the Exchange and DNS servers and no other servers on the Network.
Q: SSL-to-HTTP bridging is configured for our published Web site, but it's not working. How can I fix the Web Publishing Rule so that SSL-to-HTTP bridging works correctly?
A: One of the problems with SSL-to-HTTP bridging is that Web servers often dynamically generate links based on the protocol used for the connection. Since the link between the ISA firewall and published Web server uses HTTP, the link generated by the Web server is an HTTP link, and this is returned to the Web client on the Internet. Since the connection between the Web client and the ISA firewall requires SSL, the connection fails. You may be able to solve this problem using the ISA firewall's Link Translation feature, but a better solution is to implement SSL-to-SSL bridging. Not only does SSL-to-SSL bridging solve the link problem, it also increases the overall level of security of your Web Publishing solution.
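To confirm that a published site is affected by the link problem described above, you can scan a response captured through the ISA firewall for absolute http:// links that point back at the published name. This is an added example, not code from the book; the host name owa.example.com, the sample response, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample response, as a client might receive it through an
# SSL listener when the firewall-to-server leg uses plain HTTP.
# "owa.example.com" is a placeholder published name.
SAMPLE_HEADERS = {"Location": "http://owa.example.com/exchange/"}
SAMPLE_BODY = """
<a href="http://owa.example.com/exchange/inbox">Inbox</a>
<img src="/exchweb/img/logo.gif">
<form action="http://owa.example.com/exchange/search" method="post"></form>
<a href="https://owa.example.com/exchange/help">Help</a>
<a href="http://www.example.org/">External site</a>
"""

# Attributes that carry URLs the browser will follow or load.
URL_ATTR = re.compile(r"""\b(href|src|action)\s*=\s*["']([^"']+)["']""", re.I)


def http_links_for_host(headers, body, published_host):
    """Return (location, url) pairs for absolute http:// URLs that point
    back at the published host; these break when the listener requires SSL."""
    candidates = []
    if "Location" in headers:
        candidates.append(("header:Location", headers["Location"]))
    for attr, url in URL_ATTR.findall(body):
        candidates.append(("body:" + attr.lower(), url))

    findings = []
    for where, url in candidates:
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and \
                (parts.hostname or "").lower() == published_host.lower():
            findings.append((where, url))
    return findings


def as_https(url):
    """Show the form the link needs on the client side (illustration of the
    rewrite, not ISA's Link Translation code). Drops any explicit port on
    the assumption that the SSL listener uses the default port 443."""
    p = urlsplit(url)
    return urlunsplit(("https", p.hostname, p.path, p.query, p.fragment))


if __name__ == "__main__":
    for where, url in http_links_for_host(SAMPLE_HEADERS, SAMPLE_BODY,
                                          "owa.example.com"):
        print(f"{where}: {url} -> {as_https(url)}")
```

Relative links, links already using https, and links to other hosts are not reported, because only absolute http:// links to the published name fail at the SSL listener.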
Q: We want to publish an HTTP Web server using a Server Publishing Rule because there's a Web app on the machine that doesn't support CERN-compliant Web proxies. How can we do this?
A: You can publish an HTTP Web server using a Server Publishing Rule instead of a Web Publishing Rule. You must make sure that no Web listener is using the socket you want to use for the Server Publishing Rule before using a Server Publishing Rule to publish the HTTP server. After confirming that no Web listener is using the socket (and the IIS WWW service is not installed on the ISA firewall), create a Protocol Definition for TCP port 80 Inbound. Then use this Protocol Definition to create the HTTP Server Publishing Rule.