Welcome to ISAserver.org


ISA2004 and Active Directory

ISA2004 and Active Directory - 10.Jun.2004 10:25:00 AM   
face_offir

 

Hi,
I installed W2K3 and Active Directory.
My client can join and log on to my server.
After I installed ISA2004 my client can't log in to the domain.
What can I do? [Confused]
Post #: 1
RE: ISA2004 and Active Directory - 11.Jun.2004 4:51:00 AM   
tshinder

 

Hi Face,

Is the ISA firewall installed on the domain controller?

Thanks!
Tom

(in reply to face_offir)
Post #: 2
RE: ISA2004 and Active Directory - 12.Jun.2004 11:33:00 AM   
face_offir

 

Hi Tom,
Yes, ISA 2004 is installed on my domain controller,
and I added a rule to open all outbound outgoing,
but my client can't connect to the domain.

(in reply to face_offir)
Post #: 3
RE: ISA2004 and Active Directory - 12.Jun.2004 12:54:00 PM   
tshinder

 

Hi Face,

You should move the domain controller off the Firewall, since this configuration hasn't been described yet. Firewalls should not be domain controllers.

HTH,
Tom

(in reply to face_offir)
Post #: 4
RE: ISA2004 and Active Directory - 13.Jun.2004 3:45:00 PM   
face_offir

 

Hi Tom,
I don't have any problem with
W2K3 server and Active Directory
with ISA Server 2000,
but with ISA2004 my client can't join or log on to the domain.

(in reply to face_offir)
Post #: 5
RE: ISA2004 and Active Directory - 13.Jun.2004 7:34:00 PM   
tshinder

 

Hi Face,

So, the ISA firewall is not a domain controller?

The problem is the clients cannot contact another machine on the network that is a domain controller?

If so, make sure the local domain table is configured correctly and that the Internal network addresses are also configured correctly.

HTH,
Tom

(in reply to face_offir)
Post #: 6
RE: ISA2004 and Active Directory - 15.Jun.2004 8:35:00 AM   
face_offir

 

Hi Tom,
1- W2K -> AD -> ISA2000 (all outgoing is allowed)
2- W2K3 -> AD -> ISA2004 (all outgoing is allowed)
With ISA2004 my client can't join or log on to my domain, but with ISA 2000 the client works without any problem.
Thanks, Tom

(in reply to face_offir)
Post #: 7
RE: ISA2004 and Active Directory - 16.Jun.2004 1:08:00 AM   
tshinder

 

Hi Face,

I'm not clear on what machine can't join the domain. Is it the ISA firewall machine itself that cannot join the domain? Or is it an internal network host that can't join the domain?

Thanks!
Tom

(in reply to face_offir)
Post #: 8
RE: ISA2004 and Active Directory - 16.Jun.2004 8:06:00 AM   
face_offir

 

Hi Tom,
1- First I installed W2K3 and AD.
My workstation joins and logs on to my domain.
After I installed ISA2004 my workstation can't join or log on to my domain.
But:
2- I installed W2K3 and AD.
My workstation joins and logs on to my domain.
After I installed ISA2000 I don't have any problem joining or logging on to my domain.
Thanks, Tom

(in reply to face_offir)
Post #: 9
RE: ISA2004 and Active Directory - 16.Jun.2004 4:15:00 PM   
SolidworK

 

face, you're being a bit confusing....

Is your ISA Server also your DOMAIN CONTROLLER? If it is, this is not supported nor is it recommended... whether or not it works in ISA 2000 is a moot point.

This is the equivalent of having the president sitting on top of a tank in the middle of a war. Why have your greatest assets sitting on top of your armour? BAD idea.

(in reply to face_offir)
Post #: 10
RE: ISA2004 and Active Directory - 16.Jun.2004 8:02:00 PM   
tshinder

 

Hi SolidworK,

Ha! Great analogy!

Thanks!
Tom

(in reply to face_offir)
Post #: 11
RE: ISA2004 and Active Directory - 26.Jun.2004 6:57:00 PM   
panikovski

 

quote:
Originally posted by SolidworK:
face, you're being a bit confusing....

Is your ISA Server also your DOMAIN CONTROLLER? If it is, this is not supported nor is it recommended... whether or not it works in ISA 2000 is a moot point.

Sorry, but I can't believe it! Is using ISA 2004 on the DC unsupported only in the beta release, or is it a NEW general change to this product for the final release as well?
What about small companies? They will have to buy a new license for a server OS on which to install ISA2004 [Frown]
Finally, what about MS SBS 2003, which is sold as an all-in-one solution for small business and has mail (Exchange), ISA, and database (SQL) servers on one OS?
Thanks!

(in reply to face_offir)
Post #: 12
RE: ISA2004 and Active Directory - 26.Jun.2004 10:58:00 PM   
tshinder

 

Hi panikovski,

ISA 2004 firewalls are true network firewalls in the same class as Checkpoint, Bluecoat and Astaro. (PIX is mostly a packet filtering router, so I don't really put it in the true network firewall stateful application layer inspection class).

So, I would not expect to put the ISA firewall on a DC any more than I would put a DC on a Checkpoint, Bluecoat or Astaro device.

However, the SBS community may be working on solutions for this. You might check out SBS related sites.

HTH,
Tom

(in reply to face_offir)
Post #: 13
RE: ISA2004 and Active Directory - 27.Jun.2004 11:30:00 AM   
panikovski

 

quote:
Originally posted by tshinder:
Hi panikovski,

However, the SBS community may be working on solutions for this. You might check out SBS related sites.

HTH,
Tom

Thanks for your answer!
Well, I checked some SBS communities, and there isn't any solution for this yet. Just some posts about opening all rules on the internal interface.

Post from ms: URL

(in reply to face_offir)
Post #: 14
RE: ISA2004 and Active Directory - 27.Jun.2004 6:58:00 PM   
tshinder

 

Hi panikovski,

Looks like they haven't got it figured out yet. I'm sure once they do, they'll put up a procedure on one of the SBS Web sites. My focus is on ISA 2004 as a firewall, but I'll always welcome submissions from authors who have expertise in SBS installs.

HTH,
Tom

(in reply to face_offir)
Post #: 15
RE: ISA2004 and Active Directory - 17.Jul.2004 9:26:00 PM   
LoginKat

 

Just my 2 cents worth - if you aren't publishing any RPC services to the net then you'll find that ISA 2004 runs silky smooth on a Domain Controller after you disable the RPC Filter in the Add-Ins section.

I'm one of those tight budget folks who runs her Exchange Server, SQL Server, IIS6, and anything else I can think of together on the same box as ISA.

Works great!

(in reply to face_offir)
Post #: 16
RE: ISA2004 and Active Directory - 19.Jul.2004 2:03:00 PM   
panikovski

 

quote:
Originally posted by ISAKat:
...after you disable the RPC Filter in the Add-Ins section.


Just disable the RPC filter? Does it work?
Well, going to test!...

(in reply to face_offir)
Post #: 17
RE: ISA2004 and Active Directory - 19.Jul.2004 4:32:00 PM   
leslie

 

Fascinating discussion. I was wondering if someone could give me concrete advice. I have a separate domain controller now but used to run ISA on the same machine without any problems. I face all sorts of problems when I want to use Windows groups and users on my ISA server unless I make it an additional domain controller. How do I set this up? What is the best config for me? I have separate servers to play around with.

(in reply to face_offir)
Post #: 18
RE: ISA2004 and Active Directory - 19.Jul.2004 8:44:00 PM   
tshinder

 

quote:
Originally posted by ISAKat:
Just my 2 cents worth - if you aren't publishing any RPC services to the net then you'll find that ISA 2004 runs silky smooth on a Domain Controller after you disable the RPC Filter in the Add-Ins section.

I'm one of those tight budget folks who runs her Exchange Server, SQL Server, IIS6, and anything else I can think of together on the same box as ISA.

Works great!

Hi ISAKat,

Yikes! The RPC filter is one of the most important application layer filters on the firewall. I would not be comfortable using it without the filter enabled.

Thanks!
Tom

(in reply to face_offir)
Post #: 19
RE: ISA2004 and Active Directory - 20.Jul.2004 6:08:00 PM   
panikovski

 

If you understand the security risk of having the DC and ISA on the same machine, then:

Make an "Allow All" rule from your "internal network" to the "Local Host"... (don't disable the RPC filter!)

It works.

[ July 20, 2004, 06:12 PM: Message edited by: panikovski ]

(in reply to face_offir)
Post #: 20
