[isalist] Re: "Domain Controllers" in ISA 2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 8 Mar 2007 12:09:51 -0600

Checking the System Policy is the first thing you should do after
installation of the ISA Firewall software is complete. The installation
routine makes a lot of assumptions, and most of them are good
assumptions; however, you still need to review each System Policy Rule
and make sure each one is appropriate for your own environment. Keep in
mind least privilege here -- a lot of System Policy Rules allow access
to an entire ISA Firewall Network (such as Internal) where you might
want to tighten them up to apply to a certain Computer Set and even an
individual Computer.
 
HTH,
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

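The two pieces of advice in this thread, reviewing each System Policy rule for least privilege and replacing the non-editable built-in Domain Controllers computer set with one you maintain, can both be done through the ISA administration COM object model instead of by clicking through the console. The PowerShell below is an added example written for this page; it is not code from any poster or from Microsoft. It assumes the ProgID FPC.Root, a hand-maintained set called DCs with two made-up DC addresses, and that the System Policy rules are reachable through an array property named SystemPolicy with a PolicyRules collection (that property path is an assumption; confirm it against the ISA SDK for your build before running). The computer-set, selection-IP reference and Save calls are the ones the SDK documents.

```powershell
# Added example for this thread (not code from any poster): replace the
# built-in, non-editable "Domain Controllers" computer set in the ISA 2004
# System Policy with a hand-maintained set, and flag System Policy rules
# that still apply to an entire network. Run on the ISA server as an admin.

$NewSetName = 'DCs'                    # assumed name for the maintained set
$BuiltInSet = 'Domain Controllers'     # built-in set populated at install time
$DomainControllers = @{                # assumed current DC list: hostname -> IP
    'dc01' = '10.0.0.10'
    'dc02' = '10.0.0.11'
}

$root  = New-Object -ComObject 'FPC.Root'   # ISA administration COM root
$array = $root.GetContainingArray()

# 1. Create the replacement computer set, rebuilding it if it already exists.
$sets = $array.RuleElements.ComputerSets
try { [void]$sets.Item($NewSetName); $sets.Remove($NewSetName) } catch { }
$set = $sets.Add($NewSetName)
foreach ($name in $DomainControllers.Keys) {
    [void]$set.Computers.Add($name, $DomainControllers[$name])
}

# 2. Walk the System Policy rules. The property path
#    $array.SystemPolicy.PolicyRules is an assumption; confirm it in the
#    ISA SDK for your build before running.
foreach ($rule in $array.SystemPolicy.PolicyRules) {
    foreach ($side in @($rule.SourceSelectionIPs, $rule.DestinationSelectionIPs)) {

        # Collect names first; removing while enumerating a COM collection is unsafe.
        $names = @()
        foreach ($ref in $side.ComputerSets) { $names += $ref.Name }
        if ($names -contains $BuiltInSet) {
            $side.ComputerSets.Remove($BuiltInSet)
            [void]$side.ComputerSets.Add($NewSetName)
            Write-Host ("{0}: replaced '{1}' with '{2}'" -f $rule.Name, $BuiltInSet, $NewSetName)
        }

        # Least-privilege check: an enabled rule scoped to a whole network
        # (other than Local Host, which is the firewall itself) is a
        # candidate for narrowing to a computer set or a single computer.
        foreach ($net in $side.Networks) {
            if ($rule.Enabled -and $net.Name -ne 'Local Host') {
                Write-Warning ("{0} applies to the entire '{1}' network" -f $rule.Name, $net.Name)
            }
        }
    }
}

# 3. Commit the change; nothing takes effect until the array is saved.
$array.Save()
```

Run it from an administrative prompt on the ISA server itself, and back up the configuration (export from the console) first, since Save() commits immediately. On Enterprise Edition the System Policy is an array-level object, which is why the thread asks whether the edit was attempted at the array or enterprise level. The warnings are a review list, not a verdict: some rules legitimately need a whole network, and the point of Tom's advice is that each one should be a deliberate decision.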

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
        Sent: Thursday, March 08, 2007 10:03 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Domain Controllers" in ISA 2004
        
        

        Tell me about it... makes me wonder if Guido will be visiting
Thor instead of Tom, though. :)

         

        I found this tidbit of information very valuable. :)

         

        Out of curiosity - and as a bit of an aside - what is the best
practice for modifying system rules?  I had been under the impression
that you wanted to do so as little as possible and add firewall rules.

         

        Cordially yours,

        Jerry G. Young II

        Application Engineer, Platform Engineering and Architecture

        NTT America, an NTT Communications Company

         

        22451 Shaw Rd.

        Sterling, VA 20166

         

        Office: 571-434-1319

        Fax: 703-333-6749

        Email: g.young@xxxxxxxx

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Thursday, March 08, 2007 10:43 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Domain Controllers" in ISA 2004

         

        Man, I wish I had known that a year ago, when we were
experiencing exactly the problem described!

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Wednesday, March 07, 2007 4:32 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Domain Controllers" in ISA 2004

         

        Rob-

         

        The "domain controllers" list is a built-in, non-user-changeable
object that is populated during installation time by the ISA server
polling AD for existing domain controllers.  The default DNS system
policy is set to use the domain controllers object.

         

        Just create your own Domain Controllers object (like "DC's" or
something) and populate that with the actual DC's.  Then remove the
"Domain Controllers" object from the System Policy and replace it with
your "DC's" object (and anywhere else you use that object) and life will
return to normal.

         

        t

                ----- Original Message ----- 

                From: Rob Moore <mailto:RMoore@xxxxxxxx>  

                To: isalist@xxxxxxxxxxxxx 

                Sent: Wednesday, March 07, 2007 10:38 AM

                Subject: [isalist] Re: "Domain Controllers" in ISA 2004

                 

                The ISA server is, indeed, a DNS server. I'm looking at
The Book and it does, indeed, say that the external interface should
have NO DNS entry. I'm not sure how the internal IP address of the ISA
server got in there. I suppose I must have put it in there, but I don't
remember doing it. Anyway, it's out now.

                 

                Rob

                 

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
                Sent: Wednesday, March 07, 2007 1:10 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: "Domain Controllers" in ISA 2004

                 

                Is the ISA server a DNS server, too?

                 

                If not, I would think you'd want to specify the DNS
server IP addresses on the NIC that resides on the same network as your
DCs. It would probably be a good idea to remove them from the other NIC.

                 

                Cordially yours,

                Jerry G. Young II

                Application Engineer, Platform Engineering and
Architecture

                NTT America, an NTT Communications Company

                 

                22451 Shaw Rd.

                Sterling, VA 20166

                 

                Office: 571-434-1319

                Fax: 703-333-6749

                Email: g.young@xxxxxxxx

                 

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
                Sent: Wednesday, March 07, 2007 11:51 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: "Domain Controllers" in ISA 2004

                 

                Yes to both of your AD questions. The ISA server points
only to itself (the internal address) on both NICs. 

                 

                Rob

                 

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
                Sent: Wednesday, March 07, 2007 11:12 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: "Domain Controllers" in ISA 2004

                 

                Rob,

                 

                Are sites configured in Active Directory and do you have
subnets defined for the sites in Active Directory?  You'll also want to
check your NIC configuration for DNS servers on the ISA box(es).  Are
those settings up to date?

                 

                Cordially yours,

                Jerry G. Young II

                Application Engineer, Platform Engineering and
Architecture

                NTT America, an NTT Communications Company

                 

                22451 Shaw Rd.

                Sterling, VA 20166

                 

                Office: 571-434-1319

                Fax: 703-333-6749

                Email: g.young@xxxxxxxx

                 

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
                Sent: Tuesday, March 06, 2007 9:57 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: RE: [isalist] Re: "Domain Controllers" in ISA
2004

                 

                Here's what I'm experiencing. We have somewhere around
15 DCs in the domain. Two of them are on the local subnet. I recently
retired one of the two local DCs. Then I noticed that our Internet
connection got really slow--mainly a delay of, say, 20 seconds before a
page would load. I started poking around with DNS. If I changed the WAN
card on the firewall to point at an external DNS server, the web sped up
a bunch. But you probably know that this isn't a good arrangement and
pretty soon thereafter we got other problems happening. So I pointed DNS
on the WAN card back to the LAN address on the firewall. The other
problems went away but slow access came back. So I poked around on the
firewall a bit and found that Domain Controllers computer set. I noticed
that the list in there was out of date, and both of the DCs on the local
domain that were in that list are now retired. So I'm guessing (maybe
incorrectly) that that somehow bears on this problem--like maybe the ISA
server is now trying to talk to DCs on remote subnets since it can't
find the two DCs on the local subnet. So I was hoping if I could edit
that computer set I could make the problem go away.

                 

                Anyway, that's what's happening. Maybe I'm way off base?
Any suggestions?

                 

                Rob

                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W
Shinder
                Sent: Tue 3/6/2007 3:54 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: "Domain Controllers" in ISA 2004

                http://www.ISAserver.org
                -------------------------------------------------------
                 
                The domain controllers computer set is one of the great
mysteries of the ISA firewall. You won't find any documentation about it
and many will deny its existence. Never bring it up in polite company.
                
                Thomas W Shinder, M.D.
                Site: www.isaserver.org
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- Microsoft Firewalls (ISA)
                
                
                
                > -----Original Message-----
                > From: isalist-bounce@xxxxxxxxxxxxx
                > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob
Moore
                > Sent: Tuesday, March 06, 2007 1:23 PM
                > To: isalist@xxxxxxxxxxxxx
                > Subject: [isalist] Re: "Domain Controllers" in ISA
2004
                >
                >  
                > Can this field not be edited? Is the ISA server
supposed to
                > pick up the
                > DCs automatically? What's the mechanism for that? Is
there
                > something in
                > my configuration that's not allowing this to happen?
                >
                > Thanks,
                > Rob
                >
                > -----Original Message-----
                > From: Rob Moore
                > Sent: Tuesday, March 06, 2007 1:18 PM
                > To: 'isalist@xxxxxxxxxxxxx'
                > Subject: RE: [isalist] Re: "Domain Controllers" in ISA
2004
                >
                > I have a stand-alone Standard edition server. I was
trying to edit it
                > from the ISA 2004 console.
                >
                > Rob
                >
                > -----Original Message-----
                > From: isalist-bounce@xxxxxxxxxxxxx
                > [mailto:isalist-bounce@xxxxxxxxxxxxx]
                > On Behalf Of Jim Harrison
                > Sent: Tuesday, March 06, 2007 12:55 PM
                > To: isalist@xxxxxxxxxxxxx
                > Subject: [isalist] Re: "Domain Controllers" in ISA
2004
                >
                >  
                > Where are you editing from; array or enterprise level?
                >
                > -----Original Message-----
                > From: isalist-bounce@xxxxxxxxxxxxx
                > [mailto:isalist-bounce@xxxxxxxxxxxxx]
                > On Behalf Of Rob Moore
                > Sent: Tuesday, March 06, 2007 9:10 AM
                > To: isalist@xxxxxxxxxxxxx
                > Subject: [isalist] "Domain Controllers" in ISA 2004
                >
                > I have a Computer Set in my ISA 2004 called "Domain
Controllers." The
                > list is inaccurate, and I think it's starting to cause
us
                > some trouble.
                > But I can't seem to edit it. How do I make changes to
it?
                >
                > Thanks,
                >
                > Rob
                >
                > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                >
                > Rob Moore
                >
                > Network Manager
                >
                > 215-241-7870
                >
                > Help Desk: 800-500-AFSC
                >
                >
                > All mail to and from this domain is GFI-scanned.
                >
                > ------------------------------------------------------
                > List Archives:
//www.freelists.org/archives/isalist/ 
                > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                > ISA Server Articles and Tutorials:
                > http://www.isaserver.org/articles_tutorials/
                > ISA Server Blogs: http://blogs.isaserver.org/
                > ------------------------------------------------------
                > Visit TechGenix.com for more information about our
other sites:
                > http://www.techgenix.com
                > ------------------------------------------------------
                > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
                > Report abuse to listadmin@xxxxxxxxxxxxx
                >
                >
                >
                >
