Configuring ISA Server, part 9 (PDF)

compatriots versed in VoIP and related technologies. You can still call external machines on the Internet if you know the IP address of that computer. If the machine does not have a static IP address, but uses a dynamic DNS registration method such as TZO, you can dial up external hosts directly connected to the Internet through an FQDN.

One of the biggest differences between using NetMeeting from behind the ISA server H.323 gateway and how you might have used it in the past with a plain NAT solution is that you can no longer register with ILS servers on the Internet (including the external interface of the ISA server) and have full functionality. The reason is that when your internal host registers with an ILS server, its internal private IP address is registered, rather than the public IP address of the NAT server. This is the case even when the ILS server is located on the ISA server itself. The result is that you can no longer use NetMeeting to call users on Internet ILS servers. If you require this feature, do not enable the H.323 gatekeeper.

NetMeeting clients on the internal network should be configured to use the internal interface of the ISA server as their gatekeeper. When the NetMeeting clients are configured to use the gatekeeper, user information is stored in the registration database, and you can see information about the registered clients in the ISA Management console. These clients dynamically register user information with the gatekeeper, and the registrations are removed automatically when the client is shut down.

To configure the NetMeeting client to use the gatekeeper, perform the following steps:

1. Open NetMeeting. Click on the Tools menu, and then click Options. You will see something like Figure 10.50.

Figure 10.50 The NetMeeting Option Dialog Box

2. In the Options dialog box, click Advanced Calling. You will see what appears in Figure 10.51.

Figure 10.51 The Advanced Calling Options Dialog Box

In the Advanced Calling Options dialog box, you have the following options:

· Use a gatekeeper to place calls: Since we want to use the ISA server’s H.323 gatekeeper to place calls, you need to enter the computer name or the IP address of the internal interface on which the H.323 gatekeeper listens. If you use a computer name, make sure you have the DNS infrastructure that can resolve the name.

· Log on using my account name: Select this option if you would like to register an email address or username with the gatekeeper. Users on networks behind an H.323 gatekeeper will be able to call other networks behind an H.323 gatekeeper by using an email address. Note that you cannot use an email address to call a NetMeeting host if both hosts are not behind a gatekeeper. For example, if a user running NetMeeting on his personal computer wants to call you by the email address you registered with the gatekeeper, it will not work, because the external NetMeeting user is not behind a gatekeeper.

· Log on using my phone number: Type in a telephone number you want to have registered with the gatekeeper. This number should contain only numbers, and should not contain letters, dashes, spaces, or anything other than numbers. External users can call you by using the telephone number you register with the gatekeeper. Even users who are directly connected to the Internet and are not behind an H.323 gatekeeper can call you using your telephone number if they configure their NetMeeting to use the external interface of the ISA server as their gateway.

3. Click OK, and then click OK again. You’ll see a little icon in the lower-right corner of the NetMeeting application that looks like two terminals. If you let your mouse pointer rest over it, it should say “logged onto gatekeeper.”

4. Go to the ISA Management console. Assuming that you’ve installed the optional H.323 Gatekeeper Service, expand the H.323 Gatekeepers node in the left pane, expand your server name, and click on the Active Terminals node. You should see something like what appears in Figure 10.52. Note that both the account name and the telephone number of the NetMeeting client are registered with the gatekeeper. Note also that the Type column states that the registration is dynamic. When the NetMeeting client is closed, the registration will be dynamically removed from the list.

Figure 10.52 The Active Terminals Node

Gatekeeper-to-Gatekeeper Calling

As mentioned earlier, the H.323 Gatekeeper Service was designed to optimize the benefits of LAN-to-LAN calls. When each LAN has a gatekeeper and NetMeeting clients registered with their respective gatekeepers, users can call NetMeeting clients on other networks by using either an email address or a telephone number. Calling by email address is actually the easiest way to do this, because you do not need to set up any routing rules on the ISA server to support calling by email address; all that is required is a Q931 resource record entry for your domain. The DNS entry needs to be on a publicly available DNS server. The type of entry is an SRV record called the Q931 address record.

To configure the Q931 address record for your domain on a Windows 2000 DNS server, perform the following steps:

1. Open the DNS console, and right-click on your domain. Click Other New Records.

2. In the Resource Record Type dialog box (Figure 10.53), click the SRV record type, and then click Create Record.

Figure 10.53 The Resource Record Type Dialog Box

3. In the New Resource Record dialog box, type in the entries as they appear in Figure 10.54.

Figure 10.54 The New Resource Record Dialog Box

The entries you should configure are:

Service = _q931
Protocol = _tcp
Port number = 1720
Host offering this service: [the name of your ISA server’s external interface]

Click OK to create the record.
After each network using the H.323 gatekeeper has registered its Q931 address in the DNS, all a user on the internal network needs to do is call the other user by his email address. Note that unlike the ILS server method, there is no way for the caller to search the registrations on the gatekeeper. The caller must know the address of the person he or she wants to call, and it is the sole responsibility of each user to configure NetMeeting with the correct information so that it is properly entered into the registration database.

Hosts on networks behind gatekeepers can also call hosts on other networks behind gatekeepers using a telephone number. However, routing rules must be in place to support these types of calls, since there is no centralized database such as DNS or ILS to support locating hosts using telephone numbers. Routing rules can be configured using prefixes for other networks that will direct the call to the appropriate remote gateway. We will discuss routing rules later in this section.

ILS Servers

NetMeeting clients can be configured to use ILS servers on the internal network, and call other internal NetMeeting clients registered with the ILS server. However, a NetMeeting client cannot register with both an ILS server and an H.323 gatekeeper. Registering with an ILS server is not a recommended configuration, because external users will never be able to call users on the private network through an ILS server. However, external clients can register with an internal ILS server. Internal clients can then call external users through ILS. The gatekeeper will manage conversations between the internal client and the external client. External users can dynamically register with the ILS server.

NetMeeting Clients on the Internet

Internal machines can call external NetMeeting clients that are directly connected to the Internet. The internal client must have permissions to use the H.323 protocol. There is a protocol definition for H.323 that you can use in protocol rules to allow access to Internet clients. This protocol definition is installed by the H.323 filter. If you disable the H.323 filter, the protocol definition will be unavailable. Both SecureNAT and firewall clients have access to this protocol, and you can implement user/group-based access controls for the protocol if you are using firewall client machines.

NetMeeting clients on the internal network cannot call an external NetMeeting client that is directly connected to the Internet by calling a telephone number or email address. Calling by telephone number or email address is only available when the destination NetMeeting client is behind an H.323 gatekeeper. External NetMeeting clients directly connected to the Internet can have static registrations entered for them in the registration database. However, the client must have a static IP address, because static entries do not support using FQDNs for entering the Q931 IP address information. If you do create a static entry, you can use a telephone number to call the external NetMeeting client. One way around this problem is to create a routing rule that directs calls to the address for the static user to the registration database.

External NetMeeting clients directly connected to the Internet can call internal NetMeeting clients that are behind the H.323 gatekeeper. The external client must be configured to use the ISA server’s external interface as its gateway to the internal network that it wants to call. Perform the following steps to configure the external NetMeeting client to use the external interface of the ISA server as its gateway:

1. Open NetMeeting. Click on the Tools menu, and then click Options. You will see something like Figure 10.55.

Figure 10.55 The NetMeeting Option Dialog Box

2. In the Options dialog box, click Advanced Calling. You will see what appears in Figure 10.56.

Figure 10.56 The Advanced Calling Options Dialog Box

Place a check mark in the check box for Use a gateway to call telephones and videoconferencing systems, and type in the IP address or the FQDN that resolves to the external interface of the ISA server.

3. Click OK, and then click OK again. The NetMeeting client can now call an internal user behind the gatekeeper by using the internal user’s telephone number.

A common misconception we’ve heard is that it’s possible for an external client on the Internet to dynamically register with the gatekeeper. Sometimes it appears that the client actually does register with the gatekeeper, but the connection is quickly lost or simply does not work. It is not possible for the external NetMeeting client on the Internet to dynamically register with the gatekeeper, so don’t even try it.

Configuring the Gatekeeper

There are just a few basic steps to configure the gatekeeper:

· Creating destinations
· Creating phone number rules
· Creating email rules
· Creating IP address rules

Destinations are used in the routing rules. After the destination is created, it is used in the routing rule so that the ISA server knows where to send the request.

Creating Destinations

To create a new destination, perform the following steps:

1. Open the ISA Management console, expand your server or array, and then expand the H.323 Gatekeepers node. Expand your server, and finally expand the Call routing node. Right-click on the Destinations node, and click Add destination.

2. The New Destination Wizard appears. Click Next to continue.

3. The Destination Type page appears, as seen in Figure 10.57.

Figure 10.57 The Destination Type Page

From the Destination Type page, you can create one of the following destination types:

· Gateway or proxy server: This is the address of an H.323 gateway. If you wish to call NetMeeting clients on other networks, you can configure a gateway for the ISA server to route the request. You would use this gateway destination in a routing rule so that the ISA server knows where to send requests for an email address, telephone number or IP address.

· Internet Locator Service (ILS): Create an ILS destination if you want to route calls to an internal ILS server. Do not configure an ILS destination for ILS servers on the Internet.

· Gatekeeper: While a single gatekeeper can handle up to 50,000 registrations, larger environments may wish to partition their internal client registration database. If you do so, you should configure a gatekeeper destination that can be used in rules to search for clients registered with those gatekeepers. For example, you might have all clients with the prefix 999 register with one gatekeeper, and have all clients with the prefix 888 register with another gatekeeper. Then you can create routing rules so that calls with a particular prefix are routed to the appropriate gatekeeper.

· Multicast group: All gatekeepers listen on the multicast address 224.0.1.41. If you have a large network and do not want to configure routing rules for multiple gatekeepers, you can configure a multicast destination to search all gatekeepers on the LAN.

Select a destination, and click Next.

4. The Destination Name or Address page appears as shown in Figure 10.58.

Figure 10.58 The Destination Name or Address Page

In the Destination name or address box, type in the FQDN or IP address associated with the destination you are configuring. Click Next.

5. On the Destination Description page, type in a short description for the destination, and then click Next.

6. The last page lists your selections. If it looks good, click Finish.

Once you have created your destination, you can then create routing rules and use the destination in the rule.

Call Routing Rules

There are three types of call routing rules:

· Phone number rules
· Email address rules
· IP address rules

Let’s look at each type and how they are configured.

Phone Number Rules

Phone number rules can be used to route requests based on telephone number strings. These are helpful if you plan to implement multiple H.323 gatekeepers in your organization, and partition client registrations based on prefixes. For example, all machines with prefix 999 would register with one H.323 gatekeeper, and all machines with prefix 888 would register with another H.323 gatekeeper. If all numbers in your company use the same prefix, you can configure a routing rule that will direct the request to a local registration database.

Phone number rules can also be implemented if you plan to call other organizations. For example, another organization could use a prefix of 972 for all its clients. In this case, you can create a phone number rule to direct requests with that prefix to the other organization’s gateway. You can even configure a routing rule that allows you to configure custom prefixes that will route calls to remote networks, even when the remote network does not use a standardized prefix system in its telephone number scheme. If your company uses an IP-to-PSTN gateway, you can implement a routing rule that forwards all requests destined for a POTS network to a specific gateway device that handles these requests.

To create a phone number routing rule, perform the following steps:

1. Open the ISA Management console, expand your server or array, expand the H.323 Gatekeepers node, and expand the Call routing node. Right-click on the Phone number rules node, and click Add routing rule.

2. The Welcome page for the New Routing Rule Wizard appears. Click Next to continue.

3. The Name and Description page appears. Type in a name for this rule, and a short description that will let you know what this rule is used for. Click Next.

4. The Prefix or Phone Number page appears as in Figure 10.59.

Figure 10.59 The Prefix or Phone Number Page

On the Prefix or Phone Number page, type in a prefix or entire telephone number that will trigger this routing rule. For example, the prefix 973 might be used by all NetMeeting clients in the south office, which is connected to the Internet by an H.323 gatekeeper. You can also enter a single telephone number here, and route requests for that particular number. If you choose to enter the entire telephone number, remove the check mark from the Route all phone numbers using this prefix check box. Click Next to continue.

5. The Destination Type page appears as shown in Figure 10.60.

Figure 10.60 The Destination Type Page

[...]
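The prefix-partitioning and exact-number scenarios described for phone number rules can be modelled to see which destination a dialed number reaches. This is an added example, not the book's or ISA Server's own code: the chapter does not state how overlapping rules are ranked, so the model assumes that a rule for an entire number beats prefix rules and that the longest matching prefix wins, and every destination name and address is a constructed placeholder.

```python
"""Added example, not from the book: a model of ISA Server phone number
routing rules showing how prefix partitioning and exact-number rules pick a
destination. The book does not state rule precedence, so this model assumes
an exact-number rule beats prefix rules and the longest matching prefix wins;
all destination names and addresses are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Destination:
    name: str
    kind: str     # gateway, ILS, gatekeeper, multicast group, or the local database
    address: str  # FQDN or IP address entered in the New Destination Wizard


@dataclass(frozen=True)
class PhoneRule:
    name: str
    number: str             # a prefix, or an entire telephone number
    route_by_prefix: bool   # the "Route all phone numbers using this prefix" box
    destination: Destination


def valid_registration_number(number: str) -> bool:
    """Numbers registered with the gatekeeper may contain only digits: no
    letters, dashes, spaces or anything else."""
    return number != "" and number.isdigit()


def route_call(dialed: str, rules: List[PhoneRule]) -> Optional[Destination]:
    """Return the destination for a dialed number, or None when no rule matches."""
    if not valid_registration_number(dialed):
        raise ValueError(f"dialed string {dialed!r} is not all digits")
    exact = [r for r in rules if not r.route_by_prefix and r.number == dialed]
    if exact:
        return exact[0].destination
    prefixed = [r for r in rules if r.route_by_prefix and dialed.startswith(r.number)]
    if not prefixed:
        return None
    # Assumption: the most specific (longest) prefix wins.
    return max(prefixed, key=lambda r: len(r.number)).destination


# Constructed sample configuration mirroring the chapter's scenarios: one
# prefix kept in the local registration database, one partitioned to a
# second gatekeeper, another organization's prefix, a single number, and an
# IP-to-PSTN gateway taking everything else that starts with 9.
LOCAL_DB = Destination("local", "local", "registration database")
GK_888 = Destination("gk-888", "gatekeeper", "gk2.corp.example")
PARTNER_GW = Destination("partner", "gateway", "h323.partner.example")
HELPDESK_GW = Destination("helpdesk", "gateway", "hd.corp.example")
PSTN_GW = Destination("pstn", "gateway", "10.0.0.5")
RULES = [
    PhoneRule("local-999", "999", True, LOCAL_DB),
    PhoneRule("remote-888", "888", True, GK_888),
    PhoneRule("partner-972", "972", True, PARTNER_GW),
    PhoneRule("helpdesk-line", "9991000", False, HELPDESK_GW),
    PhoneRule("outside-lines", "9", True, PSTN_GW),
]

if __name__ == "__main__":
    for number in ("9995551", "8881234", "9721234", "9991000", "95551234", "5551234"):
        dest = route_call(number, RULES)
        print(number, "->", dest.name if dest else "no matching rule")
```

Swapping the order of the rules in RULES does not change any result, which is the property to check when a real rule set is partitioned across several gatekeepers.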

Posted: 14/08/2014, 04:21
