From: The Netherlands
I have set up ISA 2006 in a workgroup in the DMZ. This array will do only web publishing.
I have a separate box for the configuration storage server, which is a member of the workgroup.
A server certificate is installed on the configuration storage server. On the array member the root CA is added to the trusted root certification authorities. There is one account that has the same username and password on all the ISA servers and the configuration storage server.
I successfully installed ISA 2006 SCS and the array members.
But for some reason I keep getting an error in the storage configuration servers, under the Configuration tab:
ISA Server Management cannot establish a connection with the configuration storage server <array member name>
From: The Netherlands
Three servers, each with one NIC. One server is the configuration storage server. Its only role is configuration storage server. It has a server certificate that is exported and used to create an ISA enterprise configuration in workgroup mode.
On the ISA servers that will do the actual work, the root CA certificate is imported from the root CA that issued the server certificate for the configuration storage server.
On all the servers there is a mirrored user account that is the same on all servers.
Then I installed the first server in the array. Later the second one, which I could join to the existing array.
That all works perfectly.
Except for the error I get on the configuration storage server. DNS etc. is all OK.
The ISA Firewall array members need three NICs -- external, internal and intra-array.
You can get by without the intra-array NIC, but you need at least an internal and external NIC. Otherwise, the ISA Firewall won't be able to shore up the well-known weaknesses in most "hardware" firewalls.
MS informed that the intra-array NIC is not necessary with Win2k3 SP1! Regarding this info, I made an ISA installation: "2 servers in a workgroup with 2 NICs, one of them holding the CSS, using the internal NIC for intra-array communication". Everything is working fine, but when I enabled NLB, the NLB service didn't run on one of the ISA array members...
I've never deployed a hork mode setup -- too easy to bypass ISA Firewall security, and I'm certainly NOT going to trust a PIX or a Netscreen, when I have a perfectly functioning ISA Firewall that can be configured to shore up the security risks inherent in the "hardware" firewalls.
I think I've had the same problem that you describe. I tried lots of things, including about 3 full re-installs... Name resolution was fine, the certs were fine, etc. As you described, the two ISA array members were fine, it was just the CSS that couldn't see them. Anyway, to cut a long story short, I looked on one of the array members under live logging and noticed that a shed load of traffic was being dropped from the CSS (including RPC, Firewall Control, etc.). I put the CSS server in the Array Server group under System Policy and everything was OK, i.e. traffic was being allowed and everything started turning green! This step isn't mentioned in any docs I've read...
Yeah, that's my feeling too, having had the same kind of issues. The best tool to troubleshoot why you cannot connect to remote machines is to start the live logging feature with "Access Denied" as a filter. This should talk right away and point you in the right direction. Maybe you forgot to enable the SQL ports or so?
Configuring arrays consists of the following steps:
1. Define arrays. You can run Setup to create and configure an array, or install the Configuration Storage server, and then create arrays in ISA Server Management after running Setup. To monitor the array from the Configuration Storage server, the IP address of the Configuration Storage server must be added to either the predefined computer set Enterprise Remote Management Computers, or the predefined array-level computer set Remote Management Computers. If you create an array when installing ISA Server firewall, this is done automatically. If you create the array from ISA Server Management after running Setup, add this IP address manually to the computer set.
Although they are aimed at 2004, the bulk of the stuff in them is still accurate for 2006, isn't it?
Also, I've noticed that ISA 2006 can be a bit fussy in terms of inter-array comms. When I enabled intra-array comms on a different adapter I noticed that the array members still attempted to communicate on the old interfaces... A reboot of both arrays seemed to fix the situation. In your experience, do you have to be a bit patient sometimes and let things settle down after configuration changes, sometimes using reboots to induce stability?
Finally, I noticed that it's better to make some changes on the array members directly rather than on the CSS - for example changing the Intra-Array IP of the servers. Are there any other situations where it's better to make changes on the array members directly to avoid problems?