• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

isa2006 array in workgroup mode

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> Installation and Planning >> isa2006 array in workgroup mode Page: [1]
Login
Message << Older Topic   Newer Topic >>
isa2006 array in workgroup mode - 14.Dec.2006 4:54:35 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
I have setup isa 2006 in a workgroup in the dmz.
This array will do only webpublishing.

I have a seperate box for configuration storage server, that is member of the workgroup.

On the configuration storage server is a server certificate installed.
On the array member the root CA is added to the trusted root certification autority.
There is one account that has the same username and password on all the isa servers and configuration storage server.

I successfully installed isa 2006 SCS and the array members.

But for some reason i keep getting an error in the storage configuration servers:
Under tab Configuration:

ISA Server Management cannot establish a connection with the configuration storage server <array member name>

Everything else works fine.

What is configured wrong??
Post #: 1
RE: isa2006 array in workgroup mode - 15.Dec.2006 6:40:47 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Most likely a name resolution issue.

Workgroup mode is for sissies

Get real protection and make the ISA Firewall array a domain to get fully security support.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 2
RE: isa2006 array in workgroup mode - 15.Dec.2006 7:10:01 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
The isa servers are in workgroup mode because, it is for webpublishing only.
Nameresolution is in place on the dmz.

I have got LDAPS en LDAPSGC working ok.

I only have got the problem on the configuration storage server, on the actually isa array members i have no issues.

The enviroment is build in a test enviroment.
So i want to squash all the problems we got now before we go into production.

And maybe in the future the isa servers will be a member of the domain, but not for now.
You can't just simply redesign a complete dmz infrastructure overnight.

(in reply to tshinder)
Post #: 3
RE: isa2006 array in workgroup mode - 18.Dec.2006 2:44:36 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
*KICK*

Nobody who knows the answer????

(in reply to theRob)
Post #: 4
RE: isa2006 array in workgroup mode - 18.Dec.2006 10:33:30 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
How many NICs in the ISA Firewalls?

What procedure did you use to install the first array member?

Did the second array member find the first array member that contained the CSS?

Did you create DNS entries for the array and the CSS?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 5
RE: isa2006 array in workgroup mode - 18.Dec.2006 11:36:42 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
Hi Thom,

Three servers each with one nic.
One server is the configuration storage server. It's only role is configuration storage server. It has got a server certificate that is exported and used  to create a isa enteprise configuration in workgroup mode.

On the isa servers that will do the actual work, the root ca certificate is imported from the rootca tha issued the server certificate for the configuration storage server.

On all the servers there is mirrored user account that is the same on all servers.

Then i installed the first server in the array.
Later the second one, that i could join to the existing array.

That all works perfectly.

But only for the error i get on the configuration storage server.
DNS etc. is all oke.

(in reply to tshinder)
Post #: 6
RE: isa2006 array in workgroup mode - 20.Dec.2006 2:45:43 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
Nobody got the solution???

Or is it a bug/feature?

(in reply to theRob)
Post #: 7
RE: isa2006 array in workgroup mode - 20.Dec.2006 10:19:23 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA Firewall array members need three NICs  -- external, internal and intra-array.

You can get by without the intra-array NIC, but you need at least an internal and external NIC. Otherwise, the ISA Firewall won't be able to shore up the well-known weaknesses in most "hardware" firewalls.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 8
RE: isa2006 array in workgroup mode - 20.Dec.2006 10:22:48 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
Its a web proxy only array.
Intra array nic is not necessary with w2k3 sp1.


(in reply to tshinder)
Post #: 9
RE: isa2006 array in workgroup mode - 27.Dec.2006 1:34:25 PM   
RamyMahmoud

 

Posts: 2
Joined: 16.Dec.2006
Status: offline
MS informed that Intra array nic is not necessary with win2k3 SP1 !!!
regarding this Info.  I made ISA Installation "2 servers in workgroup with 2 NIC , One of them hold the CSS , using the internal NIC for Intra array commencation " every thing working fine but when  i enabled the NLB , the NLB service didn't run on one of Isa array member ...


(in reply to theRob)
Post #: 10
RE: isa2006 array in workgroup mode - 28.Dec.2006 12:45:18 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Web proxy? That's HORK MODE.

I've never deployed a hork mode setup -- too easily to bypass ISA Firewall security, and I'm certainly NOT going to trust a PIX to a Netscreen, when I have a perfectly functioning ISA Firewall that can be configured to shore up the security risks inherent in the "hardware" firewalls.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RamyMahmoud)
Post #: 11
RE: isa2006 array in workgroup mode - 5.Jan.2007 10:11:22 AM   
theraz

 

Posts: 5
Joined: 5.Jan.2007
Status: offline
Hi,

I think I've had the same problem that you describe.  I tried lots of things, including about 3 full re-installs...  Name resolution was fine, the certs were fine, etc.  As you described, the two ISA array members were fine, it was just the CSS that couldn't see them.  Anyway, to cut a long story short, I looked on one of the array members under live logging and noticed that a shed load of traffic was being dropped from the CSS (including RPC, Firewall Control, etc.).  I put the CSS server in the Array Server group under System Policy and everything was OK i.e. traffic was being allowed and everything starting turning green!  This step isn't mentioned in any docs I've read...

See how you get on anyway.

Cheers,

Steven

(in reply to tshinder)
Post #: 12
RE: isa2006 array in workgroup mode - 5.Jan.2007 10:29:20 AM   
Boedus

 

Posts: 195
Joined: 8.Sep.2006
Status: offline
Yeah that's my feeling too, to have had the same kind of issues.
The best tool to troubleshoot why you can not connect to remote machines is to run the start the live logging features with "Access Denied" as a filter.
This should talk right away and point you out to the right direction.
Maybe you forgot to enable the SQL ports or so ?

(in reply to theraz)
Post #: 13
RE: isa2006 array in workgroup mode - 7.Jan.2007 8:03:36 AM   
theraz

 

Posts: 5
Joined: 5.Jan.2007
Status: offline
Hi,

Further to my previous post.

The following extract is taken from:

http://www.microsoft.com/technet/isa/2006/enterprisemanagement.mspx#ArrayIntra

It probably explains the problems we were having.

Configuring Arrays

Configuring arrays consists of the following steps:

1. Define arrays. You can run Setup to create and configure an array, or install the Configuration Storage server, and then create arrays in ISA Server Management after running Setup. To monitor the array from the Configuration Storage server, the IP address of the Configuration Storage server must be added to either the predefined computer set Enterprise Remote Management Computers, or the predefined array-level computer set Remote Management Computers. If you create an array when installing ISA Server firewall, this is done automatically. If you create the array from ISA Server Management after running Setup, add this IP address manually to the computer set.


Cheers,

Steven

(in reply to Boedus)
Post #: 14
RE: isa2006 array in workgroup mode - 7.Jan.2007 9:03:29 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Steven,

Absolutely. That's included in the installation docs I've done on this site.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theraz)
Post #: 15
RE: isa2006 array in workgroup mode - 7.Jan.2007 9:32:06 AM   
theraz

 

Posts: 5
Joined: 5.Jan.2007
Status: offline
Hello again,

Can you point me to those docs please Tom?

I was using the following docs (Parts 1 to 4) and didn't see any reference (but it's quite possible I missed something!):
Installing ISA Server 2004 Enterprise Edition Part 1 Installing and Configuring the Configuration Storage Server

Although they are aimed at 2004 - the bulk of the stuff in them is still accurate for 2006 isn't it?

Also, I've noticed that ISA 2006 can be a bit fussy in terms of inter-array comms.  When I enabled intra-array comms on a different adapter I noticed that the array members still attempted to communicate on the old interfaces...  A reboot of both arrays seem to fix the situation.  In your experience, do you have to be a bit patient sometimes and let things settle down after configuration changes - sometimes using reboots to induce stability?

Finally, I noticed that it's better to make some changes on the array members directly rather than on the CSS - for example changing the Intra-Array IP of the servers.  Are there any other situations where it's better to make changes on the array members directly to avoid problems?

Thanks!

Steven

(in reply to tshinder)
Post #: 16
RE: isa2006 array in workgroup mode - 7.Jan.2007 9:53:22 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Steven,

I didn't write those, that's why they're not complete!

Check out the ISA 2004 docs at http://www.microsoft.com/technet/isa/2004/planningarchitecture/default.mspx

I wrote the Quick Start Guides. I'd done a lot on installing ISA 2006 EE on this site, but didn't call out the articles as installation guides.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theraz)
Post #: 17
RE: isa2006 array in workgroup mode - 7.Jan.2007 10:04:13 AM   
theraz

 

Posts: 5
Joined: 5.Jan.2007
Status: offline
OK.  Thanks for that Tom.  I've just had a quick perusal of the Quick Ref Guide and it looks useful.

Cheers,

Steven 

(in reply to tshinder)
Post #: 18

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> Installation and Planning >> isa2006 array in workgroup mode Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts