We have been migrating our DMZ from a NAT'd environment to a public IP subnet range for high availability purposes.
I had the great job of migrating the ISA servers to the new IPs. Let me just say that it took a couple of all-nighters that I would rather forget.
I still, however, have a problem where I cannot get one of the DMZ ISA servers back online.
Let me outline our setup:
DMZ: 2 x ISA servers in an array (w/ NLB); these have 2 NICs per server, with an Internal MID-DMZ using 172.X.X.X addressing and the External DMZ using 202.X.X.X addressing.
Internal 2 x CSS servers for the DMZ array. (10.X.X.X addressing)
I have successfully uninstalled and reinstalled ISA on the 1st DMZ server and it is handling all the rules published by the CSS. However, the 2nd ISA server installs fine but then has an error with the firewall service not starting at the end of the installation. I then install SP1 for ISA 2006 and the firewall service starts successfully but does not handle any of the published content. The 2nd DMZ server seems to receive changes from the CSS fine (I added a new VIP to the External Network) and I did an ipconfig on the server to confirm. When I turn logging on, it is the default enterprise rule that is denying all requests.
I have uninstalled and blown away all remaining NLB settings (Microsoft script), then tried a fresh install multiple times (3 I think), but each time results in the same error.
Does anyone have any suggestions, or can someone shed some light on my problem, before I try reinstalling the Win2003 OS and really starting from scratch?
Sorry, the initial post was a little confusing after reading back through it, so I will try again.
We have two DMZ array member servers, both with two NICs. The DMZ array talks to the CSS servers on the inside network. The DMZ is a workgroup; the CSS servers are in the AD domain.
One of the DMZ servers is configured and working properly (01 for the sake of this post).
The other DMZ server (02) is not working. After running the installation, the installation fails towards the end (when trying to start the firewall service). I then install SP1 for ISA 2006 and the Firewall service is able to start. The problem is that the server appears to be working correctly, but the publishing rules do not accept new connections on this server and deny incoming connections with the default deny rule.
Installation of ISA 2006 looked fine as well, right up until the end of the installation, where the same error was generated. Almost gave up here :)
This time I did a little more research and installed the feature pack and then the SP1.
I still had problems where published content was not available via the 2nd array member that I had just rebuilt. I tested all the rules and found that it was inconsistent: all HTTP was working and some HTTPS was working. Having found something to compare, I started looking at the HTTPS listeners to see the differences. There was only one...
When a single certificate was applied to the listener, the web publishing rule would work with HTTPS. When the certificate was applied to an IP in the listener, the connection would fail. Re-applying all certificates to the IPs finally fixed my problem...
Now on to the next problem: the intermediate VeriSign certificate has expired and I need to update it and restart the box.