How should I configure the network interfaces on my ISA Server?
A high-level overview of NIC configuration best practice is provided below:
- The network card name used within the operating system should be changed to closely match the associated ISA Server network name. This clarifies assignment and improves supportability.
- Only one network interface should be configured with a default gateway.
- Only one network interface should be defined with DNS servers.
- Unused or unnecessary bindings should be removed from all interface, where possible, to improve security. This is often termed ‘interface hardening’.
- The default bind order should be amended to define a specific customised order.
Based upon these best practices, the configuration shown below is the standard approach that I normally use as part of my usual ISA Server build process.
Multiple NIC Deployment - ISA Server Standard Edition
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…
Configure NICs:
Internal Network
Default Gateway should not be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Perimeter Network(s)
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled
Default Gateway should be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected - Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Amend Bind Order:Edit the bind order as follows:
Internal Network (Highest)
Perimeter Network(s)
…Others…
External Network (Lowest)
Multiple NIC Deployment - ISA Server Enterprise Edition
With ISA Server Enterprise Edition, it is recommended to add a dedicated Intra-Array NIC. Therefore, we need to consider this additional interface in our configuration.
Rename NICs:Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Intra-Array Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.
Configure NICs:
Internal Network
Default Gateway should not be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Intra-Array Network
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Enabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled
External Network
Default Gateway should be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network
Perimeter Network(s)
…Others…
External Network (Lowest)
Single NIC Deployment – ISA Server Standard Edition
For a single NIC deployment, the following actions are recommended.
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…
Configure NICs:
Internal Network
Default Gateway should be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Single NIC Deployment – ISA Server Enterprise Edition
For a single NIC deployment, the following actions are recommended.
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Intra-Array Network
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…
Configure NICs:
Internal Network
Default Gateway should be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Enabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Amend Bind Order:
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network
I hope this helps!
Posts
5 comments:
Thanks.
Short and precise, and it works :)
Excellent guide, de-mystifies the whole subject. Thanks!
What if you are using a single NIC card. You have an ideal configuration for that?
Thanks!
>> Evan
For single NIC:
Internal Network
* Default Gateway should be defined.
* DNS Servers should be defined.
* Register this connection’s address in DNS – Enabled
* File and Print Sharing for Microsoft Networks – Disabled
* Client for Microsoft Networks – Enabled
* NetBIOS over TCP/IP – Enabled
* Show icon in notification area when connected - Enabled
Article updated for both single and multi NIC deployments and some pretty pictures too ;)
Post a Comment