Configuring ISA Server for incoming ping response
By default, after installation you can’t ping the ISA Server’s external interface. This is because of how ISA Server handles ICMP packets: they are all dropped. In most cases there’s no need to change that behavior. I would say it’s one more little security feature: ISA Server stays hidden. If you don’t use any publishing rules, your ISA won’t be found by scan attacks. When you use publishing scenarios, of course, it will be detected by specific port scans or port attacks. But that is not the topic of this article.
In exceptional cases it is necessary to configure the ISA Server to respond to external incoming ping requests. But my recommendation is not to change the default setting unless you have a good reason.
Without any configuration you get this:
Don’t be surprised by Windows Version 5.2.3718. It’s a second Windows Server 2003 machine in front of ISA Server.
To understand my current environment here is my ipconfig:
To enable ping response, we need a new predefined IP Packet Filter:
Type a name to identify your Packet Filter
Yes, we want to allow transmission….
The guys from Microsoft made life easier for us… there’s a predefined filter available.
In the first step of this tutorial we use the default IP address. We’ll take a closer look at that screen in the next part.
It’s up to you to set further restrictions. “Only this computer” means that only the typed-in IP address is able to get a ping response.
The last wizard screen provides a short summary.
Now let’s do another ping. If we did our work correctly, we’ll get a different ping screen than above.
Great! It works!
As shown in ipconfig, ISA Server has several external IP addresses. Let’s try to ping the second one (192.168.69.71):
Oh shit! Something must be wrong…..?
No. All ok. It’s normal. Remember, I mentioned at the screen “Apply this packet filter to” that we’ll have a closer look at the other options later. Now it’s time to do so.
As shown in the screen above, both relevant IP Packet Filters (marked) are configured to use the Default external IP address. That’s the point. The default IP address of ISA is always the first IP address of the NIC. Don’t be confused by the pre-defined Packet Filter “ICMP ping response (in)”. It’s only necessary for outbound pings from the ISA machine itself to the Internet.
If we want to use another IP, we have to configure two new IP Packet Filters.
First we define an IP Packet Filter “ICMP outbound” for all types and codes:
Now it’s time to tell ISA that we want to get the second IP address published:
Finish the wizard by clicking “Next”.
Let me show you the important screens for the second IP Packet Filter we need:
Let’s have a look at the result:
Yeah! Nice! It’s done.
If you want to use another IP address, you know what to do, don’t you?
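The scoping behaviour described above (filters bound to the default external IP do not cover the second address, and “Only this computer” narrows who gets an answer) can be checked with a small model. This is an added example, not ISA Server code and not from the original article; it is a simplified model, and the first external IP, the client addresses and the filter names marked "constructed" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed addresses: the article only names the second IP (192.168.69.71).
EXTERNAL_IPS = ["192.168.69.70", "192.168.69.71"]  # first entry = default external IP

@dataclass(frozen=True)
class PacketFilter:
    name: str
    direction: str                   # "in" or "out", relative to the ISA machine
    icmp_type: Optional[int]         # None = all ICMP types and codes
    local_ip: str = "default"        # "default" or one specific external IP
    remote_ip: Optional[str] = None  # None = all remote computers

    def matches(self, direction, icmp_type, local, remote):
        # "default" always resolves to the first IP address of the NIC.
        bound_to = EXTERNAL_IPS[0] if self.local_ip == "default" else self.local_ip
        return (self.direction == direction
                and self.icmp_type in (None, icmp_type)
                and bound_to == local
                and self.remote_ip in (None, remote))

def ping_answered(filters, target, client):
    """A ping succeeds only if the request is allowed in AND the reply is allowed out."""
    request_in = any(f.matches("in", ECHO_REQUEST, target, client) for f in filters)
    reply_out = any(f.matches("out", ECHO_REPLY, target, client) for f in filters)
    return request_in and reply_out

# After the first wizard run: both relevant filters use the default external IP.
after_first_wizard = [
    PacketFilter("Allow ping (constructed name)", "in", ECHO_REQUEST),
    PacketFilter("ICMP outbound", "out", None),
]
# After adding the two extra filters bound to the second address.
after_second_ip = after_first_wizard + [
    PacketFilter("Allow ping .71 (constructed name)", "in", ECHO_REQUEST, "192.168.69.71"),
    PacketFilter("ICMP outbound .71 (constructed name)", "out", None, "192.168.69.71"),
]

if __name__ == "__main__":
    client = "192.168.69.1"  # constructed client address
    for label, fs in (("first wizard", after_first_wizard), ("second IP added", after_second_ip)):
        for ip in EXTERNAL_IPS:
            result = "reply" if ping_answered(fs, ip, client) else "timeout"
            print(f"{label:16} ping {ip}: {result}")
```

Setting remote_ip on the inbound filter models “Only this computer”: every other source address then gets no reply, which keeps the exposure as narrow as the exceptional case requires.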
As of: Friday, 28 August 2009/DR.