SBS & ISA - they can do wonderful things for you

What can ISA do for you?

This is an often asked question, so here are a few of the answers:

• Provides an extra level of protection above RRAS firewall provided in default SBS.  It does this by inspecting the data that passes through the ports and ensures it is good stuff
• It can add extra security by providing OWA and forms based authentication without the actual application have to be exposed to people ont he web
• It can provide bi-directional policy on what can go in & out of the system
• It can do all of the above on a policy basis, examples:
  • Allow users access to one set of sites 9-5 and then a greater list >5pm
  • Allow certain people to access Instant Messenger, but not others
• Monitor your comms and provide reports on where people are visiting, when and if it is successful

If you want to know more, why not visit the excellent BLOG - http://isainsbs.blogspot.com/ and see what Amy can do for you!!

There is also a lot more that ISA can do, remember to post questions on ISA here too

ttfn

David

Hi David,

Have a pretty basic question (I think) about ISA reports.

SBS 2K3 SP1 with ISA 2K4 SP2.

Have just started running the standard daily ISA reports.

Noticed that several external IP addresses are contained in the 'Top Users' list towards the start of the report.

Ran a WHOIS on them, and the top one was registered as Yahoo. The others seemed to be registered to ISP's as pools of Dynamic/end user addresses. There are are about 5 or 6 listsed.

Any idea why this traffic might be appearing? Is the server compromised?

**note - did actually post this on the M&M's site earlier before I saw your ISA area**

Thanks,

James

James,

 

I am presuming the Yahoo traffic to port 80 - i.e. http traffic.  A quick check of the IIS logs will tell, but my guess is that they are either trying to index your site, or they are reading your robots.txt file to be told not to index your site.  My guess this is a couple of machines on dynamic ip ranges might be "bad" machines on the internet probing random IP addresses.  Look at the responses to these connections - I suspect they are either doing port 80/443 or failing.

 

ttfn

 

David

Thanks David.

That gives me plenty to go on - I will have a dig and check those things out.

On the robots.txt - I dont have one at the moment.

I had a look at: http://download.microsoft.com/download/5/6/1/561c9fd7-0e27-4525-94ec-4d2d38f61aa3/TSHT_SBS.htm

This seems to indicate that the robots.txt file is only required to protect your RWW site from being indexed *if* "you use the Configure E-mail and Internet Connection Wizard to publish your Business Web site on the Internet".

I dont publish a business web site on the server, so do I need to have the robots.txt file published?

Or is it best practice to have one anyway, even without publishing the business web site; or even use CEICW to publish the business web site and include the robots.txt file even if you're not using SBS to publish your business web site?

Thanks,
James