It’s all going wrong on Friday. Remember, the wizard is your friend.
February 13, 2009
I finally finished my long-anticipated (by me anyway) article on how to publish Small Business Server 2008 yesterday and sent it over to my editor for, well, editing I guess, and also so that they could run through the procedure and confirm it works.
I like to tinker with things, and usually this isn’t a bad thing because you can improve the way something works, or just learn a bit more about something, by breaking it and fixing it and vowing never to do it again. Small Business Server is in no way an exception to the rule; rather, it seems, it is something you should never tinker with.
Now of course I knew that. My experience with Small Business Server 2003, and briefly with SBS 2000, has taught me nothing if not this: just use the wizard, and for God’s sake don’t do anything else.
So imagine my surprise when, after about 3 weeks of research and documentation, I log on to the SBS Server to check how something works, only to find that in fact it doesn’t work any more. It’s broken.
Part of the guide shows how to remove forms-based authentication from Outlook Web Access, so that the ISA Server can do the forms-based authentication instead. This works fine. However, once you do that, you can no longer use Outlook Web Access at all from inside the network. This is not fine.
There are things you could do to avoid this issue if we were not using SBS, but we are.
The problem I’m looking at is this:
I want to protect my network with ISA Server. So instead of using a standard firewall/router and opening up the ports to my SBS Server, I open them up and direct them to my ISA Server. I then tell ISA that I have servers behind it running applications, like Outlook Web Access, and that I want people to be able to connect to them. ISA proxies the requests, and the published server itself is never directly reachable from the outside. What I mean by this is that if we use forms-based authentication for OWA, when you go to https://server.domain.com/owa you are actually hitting an ISA Server form, not the form on the SBS/Exchange Server.
The issue here is that if both the ISA and the Exchange server are using forms-based authentication, it doesn’t work. So on one of them you must switch it off, usually the Exchange Server.
If you switch it off on the ISA Server, you are basically making it behave like a normal firewall/router, and you can’t use any of the more advanced application filtering that ISA was designed for.
For the RWW (Remote Web Workplace) I had already figured out that I had to just open the ports, because of the RWW logon page, another forms-based page that you really can’t turn off.
What was frustrating me here is that ISA was passing the traffic to the RWW, but when I clicked on Check My Email I had to log on again, and when I clicked on Internal Website I had to log on again. I understand the reasoning for this, but would my users accept 3 different logons when, if using a standard router, they would have just the one logon and that would be that?
Looking at it from a security point of view, I guess I could argue that it was OK to have 3 separate logons, but I think I would be trying to convince myself it was OK rather than actually believing it. The only security here would be username/password, and if they were already in the RWW they already have a username and a password. So what’s the point?
It does seem as if I am resigned to the fact that I won’t be able to use ISA Server to publish the SBS Server as successfully as I was hoping, although I can’t help thinking that if I can just change that setting…
That leads us back to the first point: don’t tweak your SBS. That really is all you need to know. If it doesn’t have a wizard, you probably shouldn’t be doing it.
I found that very hard to ‘deal with’ or ‘understand’ when I first started out, because having been trained as an MCSE you are shown the enterprise way of doing things, using scripts or just the MMC tools directly.
Using the wizards kind of felt like cheating. ‘I’m an MCSE, I know how to do this without using the wizard and that’s what I’ll do’ was my general opinion of all things SBS, and the number of problems I used to have was tenfold what I have now. Having sat down and read the SBS Administrator’s Companion as well as Harry Brelsford’s little red book, I changed my mind. It was like a light went on in my head. OHHHHHHHHHHHHHH, I thought, that makes sense, and oh, the wizard does all of that for you as well, so why don’t I use the wizards? And from that day forth I was converted. It’s surprising still how much thought has gone into the design of these products, just how complicated they are, and how much they have been simplified by these incredible wizards.
So I am left now with the task of rewriting parts 2 and 3 of my guide; however, something tells me it will be much easier now.
This aside, I think it will still be of interest to some people to use ISA, even as a stop-gap before Forefront Threat Management Gateway. I know we are deploying it alongside our SBS 2008 boxes, because our customers currently have SBS 2003 Premium and will still want control over outbound access as well as inbound.
In fact you could look at it as just outbound protection… but it isn’t. Not being able to publish the web applications directly via ISA is a disappointment, but it will still protect folders and directories we don’t want published.
And it will still give us more control over remote access to the server than we would otherwise have, but somehow these problems have taken the shine off things…