[isapros] Re: ISA 2004 issue - cache only/single homed

  • From: Zoran Marjanovic <zoka_it@xxxxxxxxxxxx>
  • To: isapros@xxxxxxxxxxxxx
  • Date: Mon, 25 Feb 2008 16:37:29 -0800 (PST)

Hi T,

Thanks for your help. I saw the script and found out that it does not disable 
the lockdown mode itself.

' Get a reference to the "Log failure" alert object,
' and modify it so that it will not stop the Firewall service.
' Ensure that the DropConnectionOnLogError property
' is set to False.

"By default, the built-in Log failure alert shuts down the Firewall service. 
This alert is triggered by the Log failure event, which is raised when a 
logging failure occurs. You can prevent logging failures from causing ISA 
Server to go into lockdown by disabling the action of the Log failure alert 
that shuts down the Firewall service."

I wanted to stop the firewall service manually (and disable it). I spent 
several hours on the Internet and did not find anything that could help or even 
explain what can be done. 
I am not sure that the "allow all" rule really takes care of it. I experienced 
faulty rules on both ISA 2004 and 2006, you know, you create it and it does not 
work. Then you delete it and recreate the identical one, and then it works. I 
experienced a similar problem on Vista's firewall while setting up RDP 
communication. That is why I wanted to turn firewalling off completely. 

I am not responsible for this system, but I know that it's a multi-site system 
with 1 Internet connection. They run ISA 2004 (array) firewall on the exit 
point. The ISA in question is located in a branch office which is connected to 
the main office. 
The guys who manage this school asked my boss to borrow me in order to help 
them with the specific problem. They did not want (unfortunately) to discuss 
what/how/why they did so far. It looks like they have very limited 
resources.

That's pretty much it.

Thanks.

Zoran 

----- Original Message ----
From: Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx>
To: isapros@xxxxxxxxxxxxx
Sent: Tuesday, 26 February, 2008 1:27:38 AM
Subject: [isapros] Re: ISA 2004 issue - cache only/single homed

The guy hasn't even logged on to the box yet... Let's not beat on him out of 
the gate, shall we?

Zoran, though your configuration is not supported, and indeed doesn't provide 
any firewall features, it looks like they don't want it to anyway...

Yes, you can disable lockdown mode entirely on 2004:
http://www.microsoft.com/technet/isa/2004/plan/disablelockdownonlogfailure.mspx 

You can also disable the events that cause lockdown mode if you would like in 
Alerts.  In order to cache, the firewall service would need to be running, but 
it looks like the "allow all" rule is already taking care of that. 

I take it this box is not connected to the internet, and that you've got some 
NAT device as the "router," right? If you are now in charge of this environment, 
then at least give them the protection they have paid for and move the DC to 
the SMS box and stick the ISA box at the border.  Putting the DC on the ISA box 
is always a bad idea and breaks the security model, no matter what the 
circumstances -- now, in your case, you really don't have an "ISA" box, but 
rather, just a box inside the network that you wanted to turn into a caching 
proxy.  

As you can tell, not only is the configuration not supported, but when we see 
people talking about this type of hork, it gets under our craw a bit as it 
illustrates that someone is purposefully going out of their way to build the 
worst possible configuration for the product.

hth.

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, February 25, 2008 6:07 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> 
> (there is a rule "allow all") - <WHIMPER>
> ISA has ceased to protect the server where it resides.
> This is the example your school creates for its students?!?
> 
> Point your school network admins to this link:
> http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx 
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> Sent: Sunday, February 24, 2008 8:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> 
> Thanks Thomas.
> 
> It's a school and they insisted on it. Interestingly, DC works fine and
> clients have no problems at all (there is a rule "allow all", I was
> told).
> The problem their admin experienced was related to accessing a share
> hosted on this ISA box by their MS SMS (another box).
> I have not logged on the server yet so I am not sure what errors they
> got and how it really looks. My first thought was to simply shut
> firewalling down, since they do not need it. I will probably check it
> today and will let you know if I figure out what was the issue.
> 
> Cheers,
> 
> Zoran
> 
> 
> ----- Original Message ----
> From: Thomas W Shinder <tshinder@xxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Monday, 25 February, 2008 2:43:17 PM
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
> 
> The ISA firewall is NOT supported on a DC, so it’s a moot question.
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> Sent: Sunday, February 24, 2008 8:33 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] ISA 2004 issue - cache only/single homed
> 
> Hi guys,
> 
> It is a "multi-practic" server :), Win 2003 SP1, DC, ISA, file
> server... huh, with only 1 NIC.
> 
> Could you please confirm that Lockdown mode in ISA 2004 cannot be
> disabled? (I think I saw it somewhere but cannot find it now)
> 
> Also, is it possible to install ISA without its firewall service
> because all I need is caching?
> 
> Thanks a bunch!
> 
> Zoran


      Get the name you always wanted with the new y7mail email address.
www.yahoo7.com.au/y7mail

Other related posts: