Oops... Just saw this was posted to the ISA Pros list and not the ISA list. Sorry. Beat away :)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 25, 2008 6:28 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> The guy hasn't even logged on to the box yet... Let's not beat on him out of the gate, shall we?
>
> Zoran, though your configuration is not supported, and indeed doesn't provide any firewall features, it looks like they don't want it to anyway...
>
> Yes, you can disable lockdown mode entirely on 2004:
> http://www.microsoft.com/technet/isa/2004/plan/disablelockdownonlogfailure.mspx
>
> You can also disable the events that cause lockdown mode if you would like in Alerts. In order to cache, the firewall service would need to be running, but it looks like the "allow all" rule is already taking care of that.
>
> I take it this box is not connected to the internet, and that you've got some NAT device as the "router," right? If you are now in charge of this environment, then at least give them the protection they have paid for and move the DC to the SMS box and stick the ISA box at the border. Putting the DC on the ISA box is always a bad idea and breaks the security model, no matter what the circumstances -- now, in your case, you really don't have an "ISA" box, but rather, just a box inside the network that you wanted to turn into a caching proxy.
>
> As you can tell, not only is the configuration not supported, but when we see people talking about this type of hork, it gets under our craw a bit as it illustrates that someone is purposefully going out of their way to build the worst possible configuration for the product.
>
> hth.
>
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, February 25, 2008 6:07 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> >
> > (there is a rule "allow all") - <WHIMPER>
> > ISA has ceased to protect the server where it resides.
> > This is the example your school creates for its students?!?
> >
> > Point your school network admins to this link:
> > http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> > Sent: Sunday, February 24, 2008 8:35 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> >
> > Thanks Thomas.
> >
> > It's a school and they insisted on it. Interestingly, DC works fine and clients have no problems at all (there is a rule "allow all", I was told).
> > The problem their admin experienced was related to accessing a share hosted on this ISA box by their MS SMS (another box).
> > I have not logged on the server yet so I am not sure what errors they got and how it really looks. My first thought was to simply shut firewalling down, since they do not need it. I will probably check it today and will let you know if I figure out what was the issue.
> >
> > Cheers,
> >
> > Zoran
> >
> > ----- Original Message ----
> > From: Thomas W Shinder <tshinder@xxxxxxxxxxx>
> > To: isapros@xxxxxxxxxxxxx
> > Sent: Monday, 25 February, 2008 2:43:17 PM
> > Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> >
> > The ISA firewall is NOT supported on a DC, so it’s a moot question.
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> > Sent: Sunday, February 24, 2008 8:33 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] ISA 2004 issue - cache only/single homed
> >
> > Hi guys,
> >
> > It is a "multi-practic" server :), Win 2003 SP1, DC, ISA, file server... huh, with only 1 NIC.
> >
> > Could you please confirm that Lockdown mode in ISA 2004 cannot be disabled? (I think I saw it somewhere but cannot find it now)
> >
> > Also, is it possible to install ISA without its firewall service because all I need is caching?
> >
> > Thanks a bunch!
> >
> > Zoran