Dear Dr. Shinder,

I believe you never RECOMMEND installing ISA on a DC, but there is your article about how to install ISA on top of one: http://www.isaserver.org/tutorials/Installing_ISA_Server_on_a_Domain_Controller.html

It is just a guide, that's why I said I followed that instruction, right?

Roy

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, December 15, 2004 11:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Hi Roy,

I NEVER recommend compromising the ISA firewall by making it a DC, or running any other extraneous services on the ISA firewall.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Wednesday, December 15, 2004 9:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Dear Jim,

Noted yours with thanks. But I am still too confused, or even frustrated, in getting your reply, so let me re-confirm with you one by one:

1) Upgrade of the ISA2K4 instance: when I installed the SQL 2000 full version, the wizard asked me whether to do a new installation of a new instance or an upgrade; then I could select upgrade of the existing instance called "isaserver/msfw", and it looks like the installation did upgrade that instance. Also, I can manage it through the "enterprise management tool" under full SQL 2000. So I am wondering about "no in-place upgrade".

2) Even with the rule "allow traffic from internal to local ISA host", is there any risk for the SQL server at the ISA side? My understanding is that if a client within the internal network has the right access rights (qualified user/password information), they can access by such a rule, or if they can't supply such access privileges, the SQL server can decline the access. In this sense, there is no risk for such a rule.
One more thing I want to confirm is that if an ISA rule blocks port 1433 at the WAN NIC, does it mean all connections to the SQL server via the WAN interface can be blocked, although the SQL server listens on port 1433 at all NIC interfaces (0.0.0.0)?

3) "Merely firewall" means to get the full function of a firewall, but only a firewall, i.e. NAT, access control, port forwarding and content filtering like SurfControl; from this viewpoint, a simple hardware router can't fit the requirement. But I don't think we shall invest in one more server for the above functions. In fact, I did install the "DC" on the same server according to the advice of Dr. Thomas W Shinder published at www.isaserver.org; I want to stuff all the features into one box, but with as little risk as I can.

Jim, I will surely thank you again for your comments on the above, although it seems my question is somewhat stupid!

With regards,
Roy Tsao

P.S.: please also allow my poor English because it is not my native language!

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, December 13, 2004 1:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

1) ISA defaults to using MSDE, a scaled-down version of SQL; since this instance (not a default) is heavily "tweaked" to make it as secure as possible (and these tweaks will NOT be publicized), "upgrading" to a full-on SQL product is actually several steps backwards.

2) There is no in-place upgrade path for ISA MSDE to SQL. I'll be willing to bet that it isn't supported, either (anyone taking that bet?)

3) By default, ISA blocks anything you don't specifically allow. This isn't the case if/when you create a rule allowing "everything" from internal to localhost.

4) "Merely for firewall usage" reflects poor thinking. If you believe that your firewall is "merely", then you should just go get yourself a DLink wireless firewall/router/bag-o-chips and be done with it.
You should be thinking in terms of "attack surface reduction", not "stuff as much on one box as I possibly can". You undoubtedly have other machines in your environment; consider using one of them for the SQL logging.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 10:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Jim,

Thanks a lot for your advice.

1) "Does it mean no SQL server available at the ISA2K4 server end in terms of security concern" reflects my wondering about "no installation of SQL at the ISA2K4 server".

2) Sorry, I am not familiar with SQL server. Firstly, I want to know, if I upgrade the instance, whether the ISA2004 is surely managed by SQL 2000 or not, with no limitation on storage & concurrent connections.

3) I duly note that the mechanism of the MSDE bundled with ISA2004 is through memory-mapped networking, no port listening at all. However, after installation of SQL 2000 server, does it help to prevent vulnerabilities through port access (1433) blocking by an ISA access rule; in other words, what happens if SQL listens on 1433 on all NIC interfaces and ISA2K4 blocks port 1433 connections?

4) The reason why I want to put SQL & ISA into one box is because there is not enough budget to have two servers merely for firewall usage, agree?

With regards,
Roy Tsao

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, December 12, 2004 1:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Yes. Really.

I'm not quite clear on this statement, though: "Does it mean no SQL server available at the ISA2K4 server end in terms of security concern"?
SBS2003 doesn't have ISA (yet), and when it does ship, co-location and security concerns will be addressed by whole teams of folks that do this for a living.

If you mean "is there a security concern with MSDE on ISA?", the answer is "no". The MSDE instance on ISA is not even listening to the network. All MSDE logging is done via memory-mapped networking, not physical or logical devices. With the default MSDE instance, unless the ISA itself is compromised, you simply "can't get there from here".

You can't say the same for SQL, which listens on all available adapters by default. Combine this with the prevalence of "allow all because I'm too damn lazy to understand my traffic profile" rules and you have the makings of a Slammer-like virus victim.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 9:05 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Oh... Really? Does it mean no SQL server available at the ISA2K4 server end in terms of security concern? Then what about SBS 2003 plus ISA2K4? I think I can put it into one basket if the port could be blocked at the firewall side, like I block access to the SQL server from the WAN side.

Moreover, I did upgrade the instance of ISA2K4; it works fine under the full version of SQL 2000. May I understand the log is still working under MSDE I/O SQL 2000?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, December 12, 2004 12:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

No. Bad. Unsupported.

DO NOT REPLACE MSDE WITH SQL ON THE ISA SERVER ITSELF

If you want to replace MSDE with SQL logging, then do it off-box. The MSDE that's shipped with ISA is "tweaked" to be as secure as possible.
If you replace it, you open your ISA to potential SQL vulnerabilities.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 6:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Sorry, the mail sent directly from my OE to the discussion list always comes out with broken encoding.

To the question of the MSDE instance, my idea/suggestion for best performance is:

a) install ISA2K4 bundled with MSDE
b) upgrade the SQL instance "server/msfw" into the full version of SQL 2000 through the SQL 2000 server installation
c) use the same instance for SurfControl

Both ISA2K4 and SurfControl are now being managed under SQL 2000 server I/O MSDE.

Any comment?

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 10:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Who here can read Roy Tsao's posts? All I see is gibberish characters in his messages; can someone translate it??

Regards,
Andrew

-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 12:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

In cases like this, isn't it better to just run a dedicated instance of SQL Server (if you've got it) which resides on a separate box, OR have a single instance of MSDE host both databases?

If I remember correctly, MSDE is just a crippled version of SQL Server 7.0, in which concurrent connections are just limited. Otherwise, it's pretty much the same animal.
In fact, since I have a dedicated super fast SQL Server on my network, I was hoping to uninstall MSDE on the ISA box and redirect all the database activity to my SQL Server. Can this be done? Anybody do this yet?

I don't mean to steal the fire away from your original post, but I think this sort of parallels what I suggest doing, which goes back to the question: "why have two instances of MSDE running?". Use the one that is working better (the one with less memory consumption), and host the database on that instance.

I am just throwing out ideas here...

Mike

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
Sent: Friday, December 10, 2004 5:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Anyone notice the MSDE instance for ISA 2k4 memory increase to over 1 GB mem usage? We host two instances of MSDE on the ISA2k4 machine, one for Surf Control and the other for ISA2K4. The Surf Control instance is stable, while the ISA 2k4 instance hogs a lot of memory.

Current mem usage = 786,004k. Wait, wait -- 786,012k, 786,528k and growing.

MSDE versions:
SurfControl = 8.00.761
ISA2k4 = 8.00.818
Server has 3 GB memory
ISA2K4 version = trial

TIA

Have fun!
greg

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: mike@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
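Added example, not from this thread and not ISA Server's own code: a small Python model of the point Jim makes (a service is only reachable where it is bound AND where policy lets traffic through) and of Roy's two questions (does a WAN-side block on 1433 protect a SQL instance bound to 0.0.0.0, and what does "allow all from internal to local host" change). The `netstat -ano` sample, the adapter addresses and the two-rule policies are constructed for illustration; the rule model is a simplification of ISA's default-deny behaviour toward its own host, not its real rule engine; and the MSDE-only sample assumes, as Jim states, that the bundled MSDE instance opens no network listener at all.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed `netstat -ano` output (not captured from any real server):
# a full SQL Server bound to every adapter on TCP 1433 plus SQL Browser on
# UDP 1434, a loopback-only admin port, an internal-only web listener and
# one established SMB session that is not a listener at all.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1752
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    192.168.1.1:8080       0.0.0.0:0              LISTENING       1080
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       1752
  TCP    192.168.1.1:445        192.168.1.20:1038      ESTABLISHED     4
  UDP    0.0.0.0:1434           *:*                                    1752
"""

# Constructed sample for the bundled MSDE case: assumed to open no socket.
MSDE_ONLY_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:445        192.168.1.20:1038      ESTABLISHED     4
"""

# Assumed adapter addresses of the firewall host (constructed values).
INTERFACES = {"internal": "192.168.1.1", "external": "203.0.113.10"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


def parse_netstat(text: str) -> List[Listener]:
    """Return the listening sockets in `netstat -ano` style output.
    TCP rows count only in LISTENING state; every UDP row is a listener."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and parts[3] != "LISTENING":
            continue
        addr, port = parts[1].rsplit(":", 1)
        listeners.append(Listener(parts[0], addr, int(port), int(parts[-1])))
    return listeners


@dataclass(frozen=True)
class Rule:
    """One access rule from a source network to the firewall's own host.
    A proto or ports value of None matches everything; order matters."""
    name: str
    source: str
    proto: Optional[str]
    ports: Optional[FrozenSet[int]]
    action: str  # "allow" or "deny"


DEFAULT_POLICY: List[Rule] = []  # nothing allowed explicitly -> all denied

# The "allow everything from internal to local host" rule the thread warns
# about, plus the WAN-side block on 1433 asked about (hypothetical rules).
LAZY_POLICY = [
    Rule("allow all internal to local host", "internal", None, None, "allow"),
    Rule("block SQL from external", "external", "TCP", frozenset({1433}), "deny"),
]


def policy_decision(rules, source, proto, port):
    """First matching rule wins; with no match the firewall denies."""
    for r in rules:
        if (r.source == source and (r.proto is None or r.proto == proto)
                and (r.ports is None or port in r.ports)):
            return r.action
    return "deny"


def bound_on(listener, iface_ip):
    """A 0.0.0.0 bind answers on every adapter, a specific bind only on
    that adapter, and 127.0.0.1 is never reachable from another host."""
    return listener.addr == "0.0.0.0" or listener.addr == iface_ip


def exposure(listeners, rules, interfaces):
    """Per source network, the (proto, port) pairs that are both bound on
    that network's adapter and allowed through to the local host."""
    return {
        net: sorted({(s.proto, s.port) for s in listeners
                     if bound_on(s, ip)
                     and policy_decision(rules, net, s.proto, s.port) == "allow"})
        for net, ip in interfaces.items()
    }


def all_adapter_binds(listeners):
    """Sockets bound to 0.0.0.0: only a rule stands between them and the
    WAN, so they are the first candidates to rebind or move off-box."""
    return sorted({(s.proto, s.port) for s in listeners if s.addr == "0.0.0.0"})


if __name__ == "__main__":
    found = parse_netstat(NETSTAT_SAMPLE)
    print("bound on all adapters:", all_adapter_binds(found))
    print("default policy:", exposure(found, DEFAULT_POLICY, INTERFACES))
    print("lazy policy:   ", exposure(found, LAZY_POLICY, INTERFACES))
    print("MSDE, no socket:", exposure(parse_netstat(MSDE_ONLY_SAMPLE),
                                       LAZY_POLICY, INTERFACES))
```

Under the default policy nothing on the host is reachable from either network, which is why a WAN-side "block 1433" rule adds nothing on its own. The allow-all rule from internal makes every 0.0.0.0-bound socket, SQL included, reachable from the whole internal network, while the MSDE-only sample stays unreachable under any policy because there is no socket for a rule to expose.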