
sbs/win 2000/2003 ISA/software FW or router?


Leozack

Oct 25, 2002
Confusing title I know, but here's the situation :

On a network with SBS2000 or just plain win2000, you can use ISA server to provide internet access (not just web browser) for the network of, say, 5 clients.
However, since a rebuild over the summer, nothing in the way of games or fancy stuff has worked. I can only assume that before the rebuild, the ISA server was blown wide open port-wise, and that now despite many attempts I just can't get the right ports open. Having many instant messengers and other file transferring things use dynamic ports makes it even harder!

The easy life is a software firewall, you just say 'yes' to an application and it handles the rest. Why can't ISA do this?! With ISA, you don't even get a log parser, so there's NO easy way to see what ports are being blocked from what pc's or ip's etc. So I have no help in trying to get anything working again!

My options are these :
1 - Someone points me to a log parser for ISA and instructions on how to run it as sweet as a software firewall.
2 - I use SBS2003 instead, and someone points me to a log parser for ISA and instructions on how to run it as sweet as a software firewall.
3 - I use win2003 instead, and someone points me to a log parser for ISA and instructions on how to run it as sweet as a software firewall.
4 - Someone points out it is better to get a cable modem router (yaknow the home sort, 4 port hub) and use software firewalls and a different way to setup net sharing? (don't you have to setup the router the same way you'd setup ISA anyway?)
5 - Anything else anyone can brighten my life with? Argh! o_O

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
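
A minimal version of the log parser asked for in the post above, as an added example that is not part of the original thread or of any vendor tool. It assumes the firewall log is saved in W3C extended log format (records described by a `#Fields:` line) and lists denied destination ports per client, collapsed into ranges; the field names, the `DENIED`/`ALLOWED` values and the sample rows are constructed assumptions.

```python
from collections import Counter

# Constructed sample. Field names and action values are assumptions for
# illustration; use whatever your log's own "#Fields:" line declares.
SAMPLE_LOG = """\
#Fields: date time c-ip r-ip r-port cs-transport action
2003-06-01 20:14:02 192.168.0.11 203.0.113.5 27015 UDP DENIED
2003-06-01 20:14:03 192.168.0.11 203.0.113.5 27015 UDP DENIED
2003-06-01 20:14:09 192.168.0.12 198.51.100.7 8000 TCP ALLOWED
2003-06-01 20:15:30 192.168.0.12 198.51.100.7 8021 TCP DENIED
2003-06-01 20:15:31 192.168.0.12 198.51.100.7 8022 TCP DENIED
2003-06-01 20:16:05 truncated-row
"""

def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.lower().startswith("#fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def denied_by_client(records, action_field="action", denied="DENIED"):
    """Count denied connections per (client IP, transport, destination port)."""
    counts = Counter()
    for rec in records:
        port = rec.get("r-port", "")
        if rec.get(action_field, "").upper() == denied and port.isdigit():
            counts[(rec.get("c-ip"), rec.get("cs-transport"), int(port))] += 1
    return counts

def port_ranges(ports):
    """Collapse ports into contiguous (start, end) ranges."""
    out = []
    for p in sorted(set(ports)):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out

if __name__ == "__main__":
    denied = denied_by_client(parse_w3c(SAMPLE_LOG.splitlines()))
    for (client, transport, port), n in denied.most_common():
        print(f"{client} {transport}/{port} denied x{n}")
    print(port_ranges(p for (_c, t, p) in denied if t == "TCP"))
```

The per-client list shows which machine is being blocked on which port, and the collapsed ranges give the narrowest set of ports a rule would need to cover.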
 
Thanks, but with win2003/sbs2003 on their way to me, I shall probably upgrade. That site is great if you need to know something basic, or want to use MSN messenger. But I don't. Particularly. Took me long enough to get ICQ and Kazaa Lite working etc. Never yet got things like Counter Strike working because despite opening ports ahoy we just can't find the right ports! And with no log analyser for easy lists or ip's and applications etc that have been allowed/denied access, ISA becomes rubbishly hard to configure compared to a software firewall!

I also hate the way you have to make protocol definitions for every protocol and every port in a range, and then make a protocol rule to use it. The protocol filters seem to make no difference so far, I don't even have to make them, a definition and rule does the trick. But how can I open a RANGE of ports? And I don't mean secondary ranges from a primary cos that's weird. It's all just so bunged up n painstaking to try and sort out. Can anyone point out what I'm missing that turns it into a "ahh, I want this to work, so I'll just do this" and 1 minute later it's working? =( I'm sure I had something else to comment/ask but I've forgotten, typical ¦(

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 
Sounds like your main problems stem from programs that shouldn't be running on a server anyway (ICQ, kazaa). These are major security risks, with kazaa being the target of numerous recent worms and ICQ having been the target of exploits for years (google for ICQ crack). Am I correct in hearing that you are running them on your server? It's very hard to secure something that is loaded with insecure and malicious programs.

 
Err, no, I never once mentioned running anything on my server, and if you run away from software because someone wants to be malicious towards it, then you best not turn on your PC, let alone consider an operating system, cos those are targeted by hackers every day X/ Sheesh. I'm looking for solutions not personal opinions on system security.

Ok, if that sounds rude, I shall REPHRASE my actual post intentions, in case it slipped by.

I am NOT trying to tie up a corporate network. I am trying to OPEN UP a home network, so it can actually be used. Ok? Sorted. Now if anyone can re-read this lot and reply with that in mind, I would be rather grateful ;) Atm I'm close to just buying a cable-router and shoving the network online through that and running software firewalls, but it is rather sad when you do that because the mighty MS offerings aren't usable =/

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 
Sorry if the last post sounds annoyed, that's because I was. Hopefully I made my point clear enough though, so that no one else wastes their time and that those WITH the answers I'm after know what I'm talking about =P

My point, as I shall repost again if I have to so people understand it better first time, is I'm trying to OPEN UP a win2000/sbs/win2003/sbs2003/router network. NOT secure it. ATM I'm using sbs2000 and ISA server, but I could use any of the other solutions if someone can recommend them. The fact that no one's already said "here, get this log analyser, and here - this is the simple explanation of filter rules, protocol rules+definitions and how to open lots of ports not 1 at a time" leads me to believe maybe there is no answer? =(

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 
Leo,
ISA is much more robust and complicated to configure than you need. A lot of cheap dsl/cable routers have port rules that are preconfigured and can be enabled via checkbox for the more popular applications - ICQ, games etc. For a home network check out Dlink's stuff.
What MS offerings are you worried about not being able to use?
Using a device like that means that you configure the access easily for all of the pc's on your network, using the DSL/cable router and not have to configure much on the individual machines. You get the firewall protection for your network because of the box doing NAT and hiding the rest of your network. I wouldn't even mess with software firewalls on each client machine, that would just add another variable to troubleshoot if the particular app that you are trying to make work...doesn't.
Just my humble opinion...
Lightspeed1
 
I know ISA is big and fancy compared to what I 'need', but this isn't about what I need, I've had ISA for a couple of years. I just want to know HOW anyone is using it. Do they 'know' all the ports they want to open and therefore don't need a log analyser (why hasn't anyone written one?)? Do they open 1 port 1 protocol a time? Or am I missing something? If I'm missing something, then that's what I want to know.

As for the simple router solution (router, ugh, they're barely classable as routers) are you suggesting that pc's behind a router don't need software firewalls? Sounds dodgy to me. And the routers themselves you still have to configure specific port forwarding on if you need it, and I fail to believe they come pre-setup with things as you've said, cos I've never set one up that has. I've always had to know what ports to open just like ISA, but opening everything and using a software firewall on the machines where you can just press yes/no per application sounds far simpler. Maybe no one's reading these posts, because I know for a fact that over 50% of people are sharing their internet, so why are they not replying? I guess they don't use ISA and hey I don't blame em, it's for big companies and corporations mainly. Kinda sucks to be getting win2003 but resort to a hardware box to share out the internet?

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 
Leozack, you are not the only one having fits about ISA Server, since I joined Tek Tips myself to find answers as to HOW, WHY, etc.
Norton Internet Security seemed so much EASIER through application control, but here you have to define filters, protocols, etc, etc but in the end some work, some don't. No rhyme or reason to how ISA seems to work, but I noticed in your post that you got Kazaa Lite to work.
I have had some success getting some things to work, but I wanted to ask if you could put up a WALKTHROUGH on how exactly to configure this application. I have tried everything found online but no one seems to put up a complete walkthrough, just bits and pieces.
 
Ok, I can't give a walkthrough but I can say I :
told kazaa lite k++ (latest version) to NOT disable using port 1214 (by default it disables using that) and to get some filters that open up that port for tcp both ways. I then manually individually opened up ports 8000-8020 for tcp both ways, and set programs like icq and kazaa to use these ports, if such a setting existed. I think that was about it.

Rather than use the fine tuning 'application filters', I made 'protocol definitions' and enabled them with 'protocol rules'. A real pain in the arse, and half the reason I couldn't wait to get this new lot and see if anything was better.

But now - can anyone tell me I should NOT buy a router, before I do, or tell me a better paly to replace or work isa/2003?

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 