Checking the System Policy is the first thing you should do after installation of the ISA Firewall software is complete. They installation routine makes a lot of assumptions, and most of them are good assumptions, however, you still need to review each System Policy Rule and make sure each one is appropriate for your own environment. Keep in mind least privilege here -- a lot of System Policy Rules allow access to an entire ISA Firewall Network (such as Internal) where you might want to tighten them up to apply to a certain Computer Set and even an individual Computer. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- Microsoft Firewalls (ISA) ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young Sent: Thursday, March 08, 2007 10:03 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: "Domain Controllers" in ISA 2004 Tell me about it... makes me wonder if Guido will be visiting Thor instead of Tom, though. J I found this tidbit of information very valuable. J Out of curiosity - and as a bit of an aside - what is the best practice for modifying system rules? I had been under the impression that you wanted to do so as little as possible and add firewall rules. Cordially yours, Jerry G. Young II Application Engineer, Platform Engineering and Architecture NTT America, an NTT Communications Company 22451 Shaw Rd. Sterling, VA 20166 Office: 571-434-1319 Fax: 703-333-6749 Email: g.young@xxxxxxxx From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Thursday, March 08, 2007 10:43 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: "Domain Controllers" in ISA 2004 Man, I wish I had known that a year ago, when we were experiencing the exactly problem described! ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Wednesday, March 07, 2007 4:32 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: "Domain Controllers" in ISA 2004 Rob- The "domain controllers" list is a built-in, non-user-changeable object that is populated during installation time by the ISA server polling AD for existing domain controllers. The default system DNS system policy is set to use the domain controllers object. Just create your own Domain Controllers object (like "DC's" or something) and populate that with the actual DC's. Then remove the "Domain Controllers" object from the System Policy and replace it with your "DC's" object (and anywhere else you use that object) and life will return to normal. t ----- Original Message ----- From: Rob Moore <mailto:RMoore@xxxxxxxx> To: isalist@xxxxxxxxxxxxx Sent: Wednesday, March 07, 2007 10:38 AM Subject: [isalist] Re: "Domain Controllers" in ISA 2004 The ISA server is, indeed, a DNS server. I'm looking at The Book and it does, indeed, say that the external interface should have NO DNS entry. I'm not sure how the internal IP address of the ISA server got in there. I suppose I must have put it in there, but I don't remember doing it. Anyway, it's out now. Rob From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young Sent: Wednesday, March 07, 2007 1:10 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: "Domain Controllers" in ISA 2004 Is the ISA server a DNS server, too? If not, I would think you'd want to specify the DNS server IP addresses on the NIC that resides on the same network as your DCs. It would probably be a good idea to remove them from the other NIC. Cordially yours, Jerry G. Young II Application Engineer, Platform Engineering and Architecture NTT America, an NTT Communications Company 22451 Shaw Rd. Sterling, VA 20166 Office: 571-434-1319 Fax: 703-333-6749 Email: g.young@xxxxxxxx From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore Sent: Wednesday, March 07, 2007 11:51 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: "Domain Controllers" in ISA 2004 Yes to both of your AD questions. The ISA server points only to itself (the internal address) on both NICs. Rob From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young Sent: Wednesday, March 07, 2007 11:12 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: "Domain Controllers" in ISA 2004 Rob, Are sites configured in Active Directory and do you have subnets defined for the sites in Active Directory? You'll also want to check your NIC configuration for DNS servers on the ISA box(es). Are those settings up to date? Cordially yours, Jerry G. Young II Application Engineer, Platform Engineering and Architecture NTT America, an NTT Communications Company 22451 Shaw Rd. Sterling, VA 20166 Office: 571-434-1319 Fax: 703-333-6749 Email: g.young@xxxxxxxx From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore Sent: Tuesday, March 06, 2007 9:57 PM To: isalist@xxxxxxxxxxxxx Subject: RE: [isalist] Re: "Domain Controllers" in ISA 2004 Here's what I'm experiencing. We have somewheres around 15 DCs in the domain. Two of them are on the local subnet. I recently retired one of the two local DCs. Then I noticed that our Internet connection got real slow--mainly a delay of, say, 20 seconds before a page would load. I started poking around with DNS. If I changed the WAN card on the firewall to point at an external DNS server, the web sped up a bunch. But you probably know that this isn't a good arrangement and pretty soon thereafter we got other problems happening. So I pointed DNS on the WAN card back to the LAN address on the firewall. The other problems went away but slow access came back. So I poked around on the firewall a bit and found that Domain Controllers computer set. I noticed that the list in there was out of date, and both of the DCs on the local domain that were in that list are now retired. So I'm guessing (maybe incorrectly) that that somehow bears on this problem--like maybe the ISA server is now trying to talk to DCs on remote subnets since it can't find the two DCs on the local subnet. So I was hoping if I could edit that computer set I could make the problem go away. Anyway, that's what's happening. Maybe I'm way off base? Any suggestions? Rob ________________________________ From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder Sent: Tue 3/6/2007 3:54 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: "Domain Controllers" in ISA 2004 http://www.ISAserver.org <http://www.isaserver.org/> ------------------------------------------------------- The domain controllers computer set is one of the great mysteries of the ISA firewall. You won't find any documentation about it and many will deny its existance. Never bring it up in polite company. Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore > Sent: Tuesday, March 06, 2007 1:23 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: "Domain Controllers" in ISA 2004 > > http://www.ISAserver.org <http://www.isaserver.org/> > ------------------------------------------------------- > > Can this field not be edited? Is the ISA server supposed to > pick up the > DCs automatically? What's the mechanism for that? Is there > something in > my configuration that's not allowing this to happen? > > Thanks, > Rob > > -----Original Message----- > From: Rob Moore > Sent: Tuesday, March 06, 2007 1:18 PM > To: 'isalist@xxxxxxxxxxxxx' > Subject: RE: [isalist] Re: "Domain Controllers" in ISA 2004 > > I have a stand-alone Standard edition server. I was trying to edit it > from the ISA 2004 console. > > Rob > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Tuesday, March 06, 2007 12:55 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: "Domain Controllers" in ISA 2004 > > http://www.ISAserver.org <http://www.isaserver.org/> > ------------------------------------------------------- > > Where are you editing from; array or enterprise level? > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Rob Moore > Sent: Tuesday, March 06, 2007 9:10 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] "Domain Controllers" in ISA 2004 > > I have a Computer Set in my ISA 2004 called "Domain Controllers." The > list is inaccurate, and I think it's starting to cause us > some trouble. > But I can't seem to edit it. How do I make changes to it? > > Thanks, > > Rob > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > > Rob Moore > > Network Manager > > 215-241-7870 > > Help Desk: 800-500-AFSC > > > All mail to and from this domain is GFI-scanned. > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com <http://www.techgenix.com/> > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com <http://www.techgenix.com/> > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com <http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx