[isapros] Re: ISA 2004 issue - cache only/single homed

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 25 Feb 2008 06:29:05 -0800

Oops... Just saw this was posted to the ISA Pros list and not the ISA list.  
Sorry.  Beat away :)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, February 25, 2008 6:28 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> 
> The guy hasn't even logged on to the box yet... Let's not beat on him
> out of the gate, shall we?
> 
> Zoran, though your configuration is not supported, and indeed doesn't
> provide any firewall features, it looks like they don't want it to
> anyway...
> 
> Yes, you can disable lockdown mode entirely on 2004:
> http://www.microsoft.com/technet/isa/2004/plan/disablelockdownonlogfailure.mspx
> 
> You can also disable the events that cause lockdown mode if you would
> like in Alerts.  In order to cache, the firewall service would need to
> be running, but it looks like the "allow all" rule is already taking
> care of that.
> 
> I take it this box is not connected to the internet, and that you've
> got some NAT device as the "router," right? If you are now in charge of
> this environment, then at least give them the protection they have paid
> for and move the DC to the SMS box and stick the ISA box at the border.
> Putting the DC on the ISA box is always a bad idea and breaks the
> security model, no matter what the circumstances -- now, in your case,
> you really don't have an "ISA" box, but rather, just a box inside the
> network that you wanted to turn into a caching proxy.
> 
> As you can tell, not only is the configuration not supported, but when
> we see people talking about this type of hork, it gets under our craw a
> bit as it illustrates that someone is purposefully going out of their
> way to build the worst possible configuration for the product.
> 
> hth.
> 
> t
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, February 25, 2008 6:07 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> >
> > (there is a rule "allow all") - <WHIMPER>
> > ISA has ceased to protect the server where it resides.
> > This is the example your school creates for its students?!?
> >
> > Point your school network admins to this link:
> >
> > http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> > Sent: Sunday, February 24, 2008 8:35 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> >
> > Thanks Thomas.
> >
> > It's a school and they insisted on it. Interestingly, DC works fine and
> > clients have no problems at all (there is a rule "allow all", I was
> > told).
> > The problem their admin experienced was related to accessing a share
> > hosted on this ISA box by their MS SMS (another box).
> > I have not logged on the server yet so I am not sure what errors they
> > got and how it really looks. My first thought was to simply shut
> > firewalling down, since they do not need it. I will probably check it
> > today and will let you know if I figure out what was the issue.
> >
> > Cheers,
> >
> > Zoran
> >
> >
> > ----- Original Message ----
> > From: Thomas W Shinder <tshinder@xxxxxxxxxxx>
> > To: isapros@xxxxxxxxxxxxx
> > Sent: Monday, 25 February, 2008 2:43:17 PM
> > Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> >
> >
> >
> > The ISA firewall is NOT supported on a DC, so it’s a moot question.
> >
> >
> >
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> > Sent: Sunday, February 24, 2008 8:33 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] ISA 2004 issue - cache only/single homed
> >
> >
> >
> > Hi guys,
> >
> >
> >
> > It is a "multi-practic" server :), Win 2003 SP1, DC, ISA, file
> > server... huh, with only 1 NIC.
> >
> >
> >
> > Could you please confirm that Lockdown mode in ISA 2004 cannot be
> > disabled? (I think I saw it somewhere but cannot find it now)
> >
> > Also, is it possible to install ISA without its firewall service
> > because all I need is caching?
> >
> >
> >
> > Thanks a bunch!
> >
> >
> >
> > Zoran
