[isalist] Re: "Domain Controllers" in ISA 2004

One modifies System Policy rules 
when a particular access rule needs to remain active in the case of the 
firewall service stopping.  RDP/Remote Admin is an excellent example of this.  
If ISA goes into "lockdown" mode, you most probably want to have a method of 
RDP'ing into the box for troubleshooting purposes.   

t
  ----- Original Message ----- 
  From: Gerald G. Young 
  To: isalist@xxxxxxxxxxxxx 
  Sent: Thursday, March 08, 2007 8:03 AM
  Subject: [isalist] Re: "Domain Controllers" in ISA 2004


  Tell me about it… makes me wonder if Guido will be visiting Thor instead of 
Tom, though. :)

   

  I found this tidbit of information very valuable. :)

   

  Out of curiosity – and as a bit of an aside – what is the best practice 
for modifying system rules?  I had been under the impression that you wanted to 
do so as little as possible and add firewall rules.

   

  Cordially yours,

  Jerry G. Young II

  Application Engineer, Platform Engineering and Architecture

  NTT America, an NTT Communications Company

   

  22451 Shaw Rd.

  Sterling, VA 20166

   

  Office: 571-434-1319

  Fax: 703-333-6749

  Email: g.young@xxxxxxxx

   

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
  Sent: Thursday, March 08, 2007 10:43 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: "Domain Controllers" in ISA 2004

   

  Man, I wish I had known that a year ago, when we were experiencing the 
exact problem described!

   


------------------------------------------------------------------------------

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
  Sent: Wednesday, March 07, 2007 4:32 PM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: "Domain Controllers" in ISA 2004

   

  Rob-

   

  The "domain controllers" list is a built-in, non-user-changeable object that 
is populated during installation time by the ISA server polling AD for existing 
domain controllers.  The default system DNS system policy is set to use the 
domain controllers object.

   

  Just create your own Domain Controllers object (like "DC's" or something) and 
populate that with the actual DC's.  Then remove the "Domain Controllers" 
object from the System Policy and replace it with your "DC's" object (and 
anywhere else you use that object) and life will return to normal.

   

  t

    ----- Original Message ----- 

    From: Rob Moore 

    To: isalist@xxxxxxxxxxxxx 

    Sent: Wednesday, March 07, 2007 10:38 AM

    Subject: [isalist] Re: "Domain Controllers" in ISA 2004

     

    The ISA server is, indeed, a DNS server. I’m looking at The Book and it 
does, indeed, say that the external interface should have NO DNS entry. I’m 
not sure how the internal IP address of the ISA server got in there. I suppose 
I must have put it in there, but I don’t remember doing it. Anyway, it’s 
out now.

     

    Rob

     

    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gerald G. Young
    Sent: Wednesday, March 07, 2007 1:10 PM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: "Domain Controllers" in ISA 2004

     

    Is the ISA server a DNS server, too?

     

    If not, I would think you’d want to specify the DNS server IP addresses 
on the NIC that resides on the same network as your DCs. It would probably be a 
good idea to remove them from the other NIC.

     

    Cordially yours,

    Jerry G. Young II

     

    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
    Sent: Wednesday, March 07, 2007 11:51 AM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: "Domain Controllers" in ISA 2004

     

    Yes to both of your AD questions. The ISA server points only to itself (the 
internal address) on both NICs. 

     

    Rob

     

    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gerald G. Young
    Sent: Wednesday, March 07, 2007 11:12 AM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: "Domain Controllers" in ISA 2004

     

    Rob,

     

    Are sites configured in Active Directory and do you have subnets defined 
for the sites in Active Directory?  You’ll also want to check your NIC 
configuration for DNS servers on the ISA box(es).  Are those settings up to 
date?

     

    Cordially yours,

    Jerry G. Young II

     

    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
    Sent: Tuesday, March 06, 2007 9:57 PM
    To: isalist@xxxxxxxxxxxxx
    Subject: RE: [isalist] Re: "Domain Controllers" in ISA 2004

     

    Here's what I'm experiencing. We have somewheres around 15 DCs in the 
domain. Two of them are on the local subnet. I recently retired one of the two 
local DCs. Then I noticed that our Internet connection got real slow--mainly a 
delay of, say, 20 seconds before a page would load. I started poking around 
with DNS. If I changed the WAN card on the firewall to point at an external DNS 
server, the web sped up a bunch. But you probably know that this isn't a good 
arrangement and pretty soon thereafter we got other problems happening. So I 
pointed DNS on the WAN card back to the LAN address on the firewall. The other 
problems went away but slow access came back. So I poked around on the firewall 
a bit and found that Domain Controllers computer set. I noticed that the list 
in there was out of date, and both of the DCs on the local domain that were in 
that list are now retired. So I'm guessing (maybe incorrectly) that that 
somehow bears on this problem--like maybe the ISA server is now trying to talk 
to DCs on remote subnets since it can't find the two DCs on the local subnet. 
So I was hoping if I could edit that computer set I could make the problem go 
away.

     

    Anyway, that's what's happening. Maybe I'm way off base? Any suggestions?

     

    Rob

     


----------------------------------------------------------------------------

    From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
    Sent: Tue 3/6/2007 3:54 PM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: "Domain Controllers" in ISA 2004

    http://www.ISAserver.org
    -------------------------------------------------------
     
    The domain controllers computer set is one of the great mysteries of the
    ISA firewall. You won't find any documentation about it and many will
    deny its existence. Never bring it up in polite company.

    Thomas W Shinder, M.D.
    Site: www.isaserver.org
    Blog: http://blogs.isaserver.org/shinder/
    Book: http://tinyurl.com/3xqb7
    MVP -- Microsoft Firewalls (ISA)



    > -----Original Message-----
    > From: isalist-bounce@xxxxxxxxxxxxx
    > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
    > Sent: Tuesday, March 06, 2007 1:23 PM
    > To: isalist@xxxxxxxxxxxxx
    > Subject: [isalist] Re: "Domain Controllers" in ISA 2004
    >
    >  
    > Can this field not be edited? Is the ISA server supposed to
    > pick up the
    > DCs automatically? What's the mechanism for that? Is there
    > something in
    > my configuration that's not allowing this to happen?
    >
    > Thanks,
    > Rob
    >
    > -----Original Message-----
    > From: Rob Moore
    > Sent: Tuesday, March 06, 2007 1:18 PM
    > To: 'isalist@xxxxxxxxxxxxx'
    > Subject: RE: [isalist] Re: "Domain Controllers" in ISA 2004
    >
    > I have a stand-alone Standard edition server. I was trying to edit it
    > from the ISA 2004 console.
    >
    > Rob
    >
    > -----Original Message-----
    > From: isalist-bounce@xxxxxxxxxxxxx
    > [mailto:isalist-bounce@xxxxxxxxxxxxx]
    > On Behalf Of Jim Harrison
    > Sent: Tuesday, March 06, 2007 12:55 PM
    > To: isalist@xxxxxxxxxxxxx
    > Subject: [isalist] Re: "Domain Controllers" in ISA 2004
    >
    >  
    > Where are you editing from; array or enterprise level?
    >
    > -----Original Message-----
    > From: isalist-bounce@xxxxxxxxxxxxx
    > [mailto:isalist-bounce@xxxxxxxxxxxxx]
    > On Behalf Of Rob Moore
    > Sent: Tuesday, March 06, 2007 9:10 AM
    > To: isalist@xxxxxxxxxxxxx
    > Subject: [isalist] "Domain Controllers" in ISA 2004
    >
    > I have a Computer Set in my ISA 2004 called "Domain Controllers." The
    > list is inaccurate, and I think it's starting to cause us
    > some trouble.
    > But I can't seem to edit it. How do I make changes to it?
    >
    > Thanks,
    >
    > Rob
    >
    > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    >
    > Rob Moore
    >
    > Network Manager
    >
    > 215-241-7870
    >
    > Help Desk: 800-500-AFSC
    >
    >
    > All mail to and from this domain is GFI-scanned.
    >
    > ------------------------------------------------------
    > List Archives: http://www.freelists.org/archives/isalist/ 
    > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
    > ISA Server Articles and Tutorials:
    > http://www.isaserver.org/articles_tutorials/
    > ISA Server Blogs: http://blogs.isaserver.org/
    > ------------------------------------------------------
    > Visit TechGenix.com for more information about our other sites:
    > http://www.techgenix.com
    > ------------------------------------------------------
    > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
    > Report abuse to listadmin@xxxxxxxxxxxxx
    >
    >
    >
    >
