Configuring ISA Server for incoming ping response

By default, after installation you can’t ping the ISA Server’s external interface. This is due to the way ISA Server handles ICMP packets: they are all dropped. In most cases there’s no need to change that behavior. I would say it’s one more little security feature. ISA Server is thereby hidden. If you don’t use any publishing rules, your ISA won’t be found by scan attacks. When using publishing scenarios, of course, it will be detected by specific port scans or port attacks. But that is not the topic of this article.

In exceptional cases it is necessary to configure the ISA Server to respond to incoming external ping requests. But my recommendation is not to change the default setting unless you have a good reason.

Without any configuration you get this:

Don’t be surprised by Windows version 5.2.3718. It’s a second Windows Server 2003 in front of ISA Server.

To understand my current environment, here is my ipconfig:

To enable ping response, we need a new predefined IP Packet Filter: 

Type a name to identify your Packet Filter

Yes, we want to allow transmission….

The guys from Microsoft made our lives easier… there’s a predefined filter available.

In the first step of this tutorial we use the default IP address. We’ll take a closer look at that screen in the next part.

It’s up to you to set further restrictions. “Only this computer” means that only the typed-in IP address is able to get a ping response.

The last wizard screen provides a short summary.

Now let’s do another ping – if we did our work correctly, we’ll get a different ping screen than above.

Great! It works!

As shown in ipconfig, ISA Server has several external IP addresses. Let’s try to ping the second one (192.168.69.71):

Oh shit! Something must be wrong…..?

No, everything is OK. This is normal. Remember, at the “Apply this packet filter to” screen I mentioned that we’ll take a closer look at the other options later. Now it’s time to do so.

As shown in the screen above, both relevant IP Packet Filters (marked) are configured to use the Default external IP address. That’s the point. The default IP address of ISA is always the first IP address of the NIC. Don’t be confused by the predefined Packet Filter “ICMP ping response (in)”. It’s only needed for outbound pings from the ISA machine itself to the internet.

If we want to use another IP, we have to configure two new IP Packet Filters.

First we define an IP Packet Filter “ICMP outbound” for all types and codes:



In the next screen we select “Allow packet transmission”.

Now it’s time to tell ISA that we want to get the second IP address published:

Finish the wizard by clicking “Next”.

Let me show you the important screens for the second IP Packet Filter we need:

Let’s have a look at the result:

Yeah! Nice! It’s done.

If you want to use another IP address, you know what to do, don’t you?
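The filter logic described above as a small Python model, added here as an illustration; it is not ISA Server's implementation or code from the original article. It also covers the case where only the inbound filter is created for the second IP. Assumptions: the address 192.168.69.70, the filter names "Ping inbound" and the ".71" variants, and that the second marked filter on the default IP is the predefined "ICMP outbound".

```python
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, ECHO_REQUEST = 0, 8          # ICMP type numbers

@dataclass(frozen=True)
class PacketFilter:
    name: str
    direction: str                       # "in" or "out" on the external NIC
    icmp_type: Optional[int]             # None = all ICMP types and codes
    local_ip: Optional[str] = None       # None = "Default external IP address"

def allowed(filters, external_ips, direction, icmp_type, local_ip):
    """Default deny: a packet passes only if an allow filter matches it."""
    default_ip = external_ips[0]         # default = first IP address of the NIC
    return any(f.direction == direction
               and (f.local_ip or default_ip) == local_ip
               and f.icmp_type in (None, icmp_type)
               for f in filters)

def answers_ping(filters, external_ips, target_ip):
    """The echo request must get in AND the echo reply must get out."""
    return (allowed(filters, external_ips, "in", ECHO_REQUEST, target_ip)
            and allowed(filters, external_ips, "out", ECHO_REPLY, target_ip))

# Constructed addresses: only 192.168.69.71 (the second IP) appears in the article.
EXTERNAL_IPS = ["192.168.69.70", "192.168.69.71"]
SECOND_IP = EXTERNAL_IPS[1]

# Assumed state after installation: ICMP filters bound to the default IP only.
AFTER_INSTALL = [
    PacketFilter("ICMP outbound", "out", None),
    PacketFilter("ICMP ping response (in)", "in", ECHO_REPLY),
]
# First wizard run: inbound ping filter on the default IP (hypothetical name).
STEP1 = AFTER_INSTALL + [PacketFilter("Ping inbound", "in", ECHO_REQUEST)]
# Second IP: the two additional filters, bound explicitly to 192.168.69.71.
INBOUND_ONLY = STEP1 + [PacketFilter("Ping inbound .71", "in", ECHO_REQUEST, SECOND_IP)]
STEP2 = INBOUND_ONLY + [PacketFilter("ICMP outbound .71", "out", None, SECOND_IP)]

if __name__ == "__main__":
    for label, filters in [("after install", AFTER_INSTALL), ("step 1", STEP1),
                           ("inbound filter only", INBOUND_ONLY), ("step 2", STEP2)]:
        print(label, {ip: answers_ping(filters, EXTERNAL_IPS, ip) for ip in EXTERNAL_IPS})
```

The "inbound filter only" row shows why the second address needs both filters: the echo request is accepted, but the reply has no matching outbound filter on that address.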

Last updated: Friday, 28. August 2009/DR.


Suggestions for improvement, ideas or guest articles are always welcome! Copyright 2001-2011. All rights reserved. msisafaq.de is not affiliated with Microsoft Corp.
Last updated: Monday, 18. March 2013 / Dieter Rauscher