isa2006 array in workgroup mode (Full Version)

All Forums >> [ISA 2006 General] >> Installation and Planning


theRob -> isa2006 array in workgroup mode (14.Dec.2006 4:54:35 AM)

I have setup isa 2006 in a workgroup in the dmz.
This array will do only webpublishing.

I have a seperate box for configuration storage server, that is member of the workgroup.

On the configuration storage server is a server certificate installed.
On the array member the root CA is added to the trusted root certification autority.
There is one account that has the same username and password on all the isa servers and configuration storage server.

I successfully installed isa 2006 SCS and the array members.

But for some reason i keep getting an error in the storage configuration servers:
Under tab Configuration:

ISA Server Management cannot establish a connection with the configuration storage server <array member name>

Everything else works fine.

What is configured wrong??

tshinder -> RE: isa2006 array in workgroup mode (15.Dec.2006 6:40:47 AM)

Most likely a name resolution issue.

Workgroup mode is for sissies [:D]

Get real protection and make the ISA Firewall array a domain to get fully security support.


theRob -> RE: isa2006 array in workgroup mode (15.Dec.2006 7:10:01 AM)

The isa servers are in workgroup mode because, it is for webpublishing only.
Nameresolution is in place on the dmz.

I have got LDAPS en LDAPSGC working ok.

I only have got the problem on the configuration storage server, on the actually isa array members i have no issues.

The enviroment is build in a test enviroment.
So i want to squash all the problems we got now before we go into production.

And maybe in the future the isa servers will be a member of the domain, but not for now.
You can't just simply redesign a complete dmz infrastructure overnight.

theRob -> RE: isa2006 array in workgroup mode (18.Dec.2006 2:44:36 AM)


Nobody who knows the answer????

tshinder -> RE: isa2006 array in workgroup mode (18.Dec.2006 10:33:30 AM)

How many NICs in the ISA Firewalls?

What procedure did you use to install the first array member?

Did the second array member find the first array member that contained the CSS?

Did you create DNS entries for the array and the CSS?


theRob -> RE: isa2006 array in workgroup mode (18.Dec.2006 11:36:42 AM)

Hi Thom,

Three servers each with one nic.
One server is the configuration storage server. It's only role is configuration storage server. It has got a server certificate that is exported and used  to create a isa enteprise configuration in workgroup mode.

On the isa servers that will do the actual work, the root ca certificate is imported from the rootca tha issued the server certificate for the configuration storage server.

On all the servers there is mirrored user account that is the same on all servers.

Then i installed the first server in the array.
Later the second one, that i could join to the existing array.

That all works perfectly.

But only for the error i get on the configuration storage server.
DNS etc. is all oke.

theRob -> RE: isa2006 array in workgroup mode (20.Dec.2006 2:45:43 AM)

Nobody got the solution???

Or is it a bug/feature?

tshinder -> RE: isa2006 array in workgroup mode (20.Dec.2006 10:19:23 AM)

The ISA Firewall array members need three NICs  -- external, internal and intra-array.

You can get by without the intra-array NIC, but you need at least an internal and external NIC. Otherwise, the ISA Firewall won't be able to shore up the well-known weaknesses in most "hardware" firewalls.


theRob -> RE: isa2006 array in workgroup mode (20.Dec.2006 10:22:48 AM)

Its a web proxy only array.
Intra array nic is not necessary with w2k3 sp1.

RamyMahmoud -> RE: isa2006 array in workgroup mode (27.Dec.2006 1:34:25 PM)

MS informed that Intra array nic is not necessary with win2k3 SP1 !!!
regarding this Info.  I made ISA Installation "2 servers in workgroup with 2 NIC , One of them hold the CSS , using the internal NIC for Intra array commencation " every thing working fine but when  i enabled the NLB , the NLB service didn't run on one of Isa array member ...

tshinder -> RE: isa2006 array in workgroup mode (28.Dec.2006 12:45:18 PM)

Web proxy? That's HORK MODE.

I've never deployed a hork mode setup -- too easily to bypass ISA Firewall security, and I'm certainly NOT going to trust a PIX to a Netscreen, when I have a perfectly functioning ISA Firewall that can be configured to shore up the security risks inherent in the "hardware" firewalls.


theraz -> RE: isa2006 array in workgroup mode (5.Jan.2007 10:11:22 AM)


I think I've had the same problem that you describe.  I tried lots of things, including about 3 full re-installs...  Name resolution was fine, the certs were fine, etc.  As you described, the two ISA array members were fine, it was just the CSS that couldn't see them.  Anyway, to cut a long story short, I looked on one of the array members under live logging and noticed that a shed load of traffic was being dropped from the CSS (including RPC, Firewall Control, etc.).  I put the CSS server in the Array Server group under System Policy and everything was OK i.e. traffic was being allowed and everything starting turning green!  This step isn't mentioned in any docs I've read...

See how you get on anyway.



Boedus -> RE: isa2006 array in workgroup mode (5.Jan.2007 10:29:20 AM)

Yeah that's my feeling too, to have had the same kind of issues.
The best tool to troubleshoot why you can not connect to remote machines is to run the start the live logging features with "Access Denied" as a filter.
This should talk right away and point you out to the right direction.
Maybe you forgot to enable the SQL ports or so ?

theraz -> RE: isa2006 array in workgroup mode (7.Jan.2007 8:03:36 AM)


Further to my previous post.

The following extract is taken from:

It probably explains the problems we were having.

Configuring Arrays

Configuring arrays consists of the following steps:

1. Define arrays. You can run Setup to create and configure an array, or install the Configuration Storage server, and then create arrays in ISA Server Management after running Setup. To monitor the array from the Configuration Storage server, the IP address of the Configuration Storage server must be added to either the predefined computer set Enterprise Remote Management Computers, or the predefined array-level computer set Remote Management Computers. If you create an array when installing ISA Server firewall, this is done automatically. If you create the array from ISA Server Management after running Setup, add this IP address manually to the computer set.



tshinder -> RE: isa2006 array in workgroup mode (7.Jan.2007 9:03:29 AM)

Hi Steven,

Absolutely. That's included in the installation docs I've done on this site.


theraz -> RE: isa2006 array in workgroup mode (7.Jan.2007 9:32:06 AM)

Hello again,

Can you point me to those docs please Tom?

I was using the following docs (Parts 1 to 4) and didn't see any reference (but it's quite possible I missed something!):
Installing ISA Server 2004 Enterprise Edition Part 1 Installing and Configuring the Configuration Storage Server

Although they are aimed at 2004 - the bulk of the stuff in them is still accurate for 2006 isn't it?

Also, I've noticed that ISA 2006 can be a bit fussy in terms of inter-array comms.  When I enabled intra-array comms on a different adapter I noticed that the array members still attempted to communicate on the old interfaces...  A reboot of both arrays seem to fix the situation.  In your experience, do you have to be a bit patient sometimes and let things settle down after configuration changes - sometimes using reboots to induce stability?

Finally, I noticed that it's better to make some changes on the array members directly rather than on the CSS - for example changing the Intra-Array IP of the servers.  Are there any other situations where it's better to make changes on the array members directly to avoid problems?



tshinder -> RE: isa2006 array in workgroup mode (7.Jan.2007 9:53:22 AM)

Hi Steven,

I didn't write those, that's why they're not complete! [:D]

Check out the ISA 2004 docs at

I wrote the Quick Start Guides. I'd done a lot on installing ISA 2006 EE on this site, but didn't call out the articles as installation guides.


theraz -> RE: isa2006 array in workgroup mode (7.Jan.2007 10:04:13 AM)

OK.  Thanks for that Tom.  I've just had a quick perusal of the Quick Ref Guide and it looks useful.



Page: [1]