Blog du Tristank

Migrating to https://blog.tristank.com/. And still so terrific that 3 of 4 readers rated it "soporific"

ISA 2000: Block Barry’s Access Except For One Site

Q: I need to block Internet access for Barry, except for one site.
A: As long as all users are required to authenticate when surfing, this is doable. You can specify exclusions using the Site and Content rules. However, if any combination of (S&C and Protocol) rules is allowing anonymous access (anywhere), Barry may be able to get through; web browsers… Read more

More on Sasser, IPSec Firewalls, and SMB

I’ve had a couple of internal and external questions on the last post; rather than keep on flogging the earlier article, here’s some more background information on how this all works. I’ve been known to be wrong before, so please yell if you spot any mistakes or overgeneralizations.
Don’t Be Scared Of IPSec! It’s not… Read more

Using IPSec Policies as a Firewall to Block SASSER Infection

Short version: Use an IPSec policy to configure a miniature firewall on each client (Windows 2000 and above) to stop SASSER reboots and buy time to deploy the patch.
Long version: The Sasser worm hits hosts on port 445 to infect them and crashes LSASS, which makes the box restart – which can be annoying if you’re… Read more
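As an added example, not a script from the original post, here is what the per-host "miniature firewall" looks like when built with the netsh ipsec static context on Windows XP / Server 2003. Windows 2000 has no netsh ipsec context; there the same policy / filter list / filter action / rule model is driven with ipsecpol.exe from the Resource Kit. The names are arbitrary, and 10.0.0.5 is an assumed address standing in for whatever server will push the patch and therefore still needs to reach admin$ on port 445.

```powershell
# Added example (not the post's own script). Windows XP / Server 2003 syntax;
# Windows 2000 needs ipsecpol.exe with the same policy/list/action/rule model.
# Assumptions: object names are arbitrary; 10.0.0.5 = the patch-deployment server.

# 1. Policy container (created unassigned, so nothing changes yet).
netsh ipsec static add policy name=BlockSMB445 description="Sasser stopgap: drop inbound TCP 445"

# 2. Filter list matching inbound TCP 445 to this host from anywhere.
#    mirrored=no: only the inbound direction is matched. Outbound SMB from this
#    host to file servers has dstport=445 on the remote side and is untouched.
netsh ipsec static add filterlist name=InboundSMB
netsh ipsec static add filter filterlist=InboundSMB srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=no

# 3. Exception for the patch server. In Windows IPSec the more specific filter
#    (one host rather than any) takes precedence, whatever order the rules are in.
netsh ipsec static add filterlist name=InboundSMBFromPatchServer
netsh ipsec static add filter filterlist=InboundSMBFromPatchServer srcaddr=10.0.0.5 dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

# 4. Filter actions: a plain block and a plain permit. Neither negotiates IPSec
#    security associations; the driver is being used purely as a packet filter.
netsh ipsec static add filteraction name=DropIt action=block
netsh ipsec static add filteraction name=LetIt action=permit

# 5. Rules bind filter lists to actions inside the policy.
netsh ipsec static add rule name=DropInboundSMB policy=BlockSMB445 filterlist=InboundSMB filteraction=DropIt
netsh ipsec static add rule name=AllowPatchServer policy=BlockSMB445 filterlist=InboundSMBFromPatchServer filteraction=LetIt

# 6. Assign the policy; the filters are enforced as soon as the Policy Agent loads it.
netsh ipsec static set policy name=BlockSMB445 assign=yes

# Confirm what is actually in force, and unassign once the patch is on the box.
netsh ipsec static show policy name=BlockSMB445 level=verbose
# netsh ipsec static set policy name=BlockSMB445 assign=no
```

Two things to check before rolling this out: a host that already receives an IPSec policy from Group Policy ignores a locally assigned one, so in a domain the same policy goes out through the GPO instead; and blocking inbound 445 also blocks the admin shares, so whatever delivers the patch over SMB needs an exception like the one above or a different transport.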

ISA 2000: Web Publishing and the Pesky Client IP Address

ISA 2000: when you publish a web server, the requests in its IIS logs all appear to come from the ISA Server computer. This is normal. What happens under the covers is that the client computer connects directly to the ISA Server, which it believes is the Web server (you install the Web Server’s Server Authentication certificate… Read more

NLB: Dedicated IP Addresses Explained (An NLB Myth debunked?)

For information on Network Load Balancing (or “Wibbles”, as we affectionately refer to it locally; it was called Windows Load Balancing Service, or WLBS, until Windows 2000), the definitive guide still appears to be nlbtech2.doc at the time of writing. I think there was a newer version for Windows Server 2003 that I can’t find any more… Read more

XPSP2 Resources for IT Pros

A friend of mine who works in the IT industry just stunned me by asking whether there was anything new in SP2 for Windows XP. It seems we haven’t quite got the message out there yet: be prepared for this one, it is not just another Service Pack. So, for him and you,… Read more

DNS Resolution for Internet-Facing Servers: Clingy

NB: any time I refer to a “primary” or “secondary” DNS server in this post, I mean their relative positions in the client’s resolver list, not the primary/master/secondary/slave/AD-integrated mode of the server itself. You might have spotted that I spend a reasonable amount of time with ISA and Networking, and that I don’t mind writing… Read more

IRL: Busy Week

I did actually start writing a couple more infrastructure posts, but often in the course of researching them, I’d find documentation already existed. My thinking is that it might be useful just to draw attention to them, so next time, I’ll stick to the “why I should have known this already” format that my reader… Read more

ISA 2000: CARP and NLB

Short version: If you want to use both, for best results: Web Proxy clients should use the array routing script/WPAD and need direct connectivity to each array member through a non-load-balanced address. SecureNAT clients use the NLB VIP as the default gateway. Firewall Clients connect to either the VIP or a name that maps to the VIP… Read more

ISA 2000: Port Forwarding and Port Address Translation (PAT)

Short version: Out of the box, ISA 2000 cannot change the published port when doing Server Publishing; the external port and the internal port have to match. (I think an Application Filter could be written to do this, but I’m not totally sure.) ISA 2004 can do this. Long version: RRAS has had the ability to translate a port mapping from a certain external port to a different internal port… Read more
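For comparison with what ISA 2000 lacks, here is the RRAS port-address-translation the excerpt refers to, expressed with the netsh routing ip nat context. This is an added example, not configuration from the original post, and it shows RRAS’s own NAT rather than anything ISA does; the interface name "External" and the addresses are assumptions.

```powershell
# Added example (not the post's own configuration). RRAS NAT on Windows 2000/2003.
# Assumptions: the public interface is named "External" in RRAS, and
# 192.168.1.10 is the internal web server being published on a different port.

# Install the NAT routing protocol and enable the public interface for full NAT
# (translation plus port mappings). Skip these two if RRAS NAT is already set up.
netsh routing ip nat install
netsh routing ip nat add interface name="External" mode=full

# Port Address Translation: external TCP 8080 on any public address of the
# interface is forwarded to TCP 80 on the internal host. Only this one port is
# opened; nothing else on the internal host becomes reachable.
netsh routing ip nat add portmapping name="External" proto=tcp publicip=0.0.0.0 publicport=8080 privateip=192.168.1.10 privateport=80

# Review the mappings in force on the interface, and remove this one when done.
netsh routing ip nat show interface name="External"
# netsh routing ip nat delete portmapping name="External" proto=tcp publicip=0.0.0.0 publicport=8080
```

The practical caveat is that a static NAT mapping like this is a straight packet-level hole: unlike ISA Server Publishing, no Web or application filter inspects what goes through it, so it belongs on a separate RRAS box or in front of a service you are happy to expose at the transport layer.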