Welcome to ISAserver.org

Some problems/questions about ISA2004 in "Cache only"

Some problems/questions about ISA2004 in "Cache on... - 5.Aug.2004 11:18:00 AM   
istari

 

Posts: 17
Joined: 5.Aug.2004
From: Orebro, Sweden
Status: offline
Hi there.

My name is Claes and I work as an administrator for a couple of schools here in Sweden. We have recently upgraded one of our schools to Windows 2003 and ISA 2004 (previously Win 2000 and ISA 2000). The installations are however on new servers (no upgrades). I have now run into two problems I would love to get some help with.

The setup:
At each school we have three servers. The one running ISA also runs as an AD domain controller, DNS, WINS, DHCP and file share.
I have set up ISA 2004 with the "single NIC template" (even though the server has 2 NICs we only use one) and I have created a new policy which allows all users & traffic to and from all networks.
The network is divided into 4 VLANs (teachers, students, servers and internet). Students do not have direct access to the internet so they have to connect via the ISA server. We use a Cisco PIX for the firewall function and the ISA server only for proxy and logging.

The Problems:

1. Last year when we used ISA 2000 on Win2k I had set up the ISA in cache mode only and to allow authenticated users only to use the ISA server. This gave me the control to allow only users in our domain to connect to the internet AND for the usernames of the students to appear in logs and reports.
If I set up my ISA 2004 with a rule that only allows authenticated users (and network services), the server stops responding to most network requests (ping, RDP, DHCP etc.). If I set the rule to allow all users everything works fine except that only IP addresses show up in logs and reports and I guess I'll lose the ability to lock non-domain users out from internet access. Is there any way to get around that?

2. When I make changes to the ISA configuration (i.e. change a FW Policy), I get an error message when I hit "apply". The error reads:
"The configuration changes were saved to storage, but at least one service failed to load these changes. The event log may include additional information on possible reasons for failure."
Then I have to restart the Firewall service manually for the changes to apply. I also see an error icon (and only ??? on uptime) when I check the monitoring/services (and dashboard) menu. Any hints on how to fix this?

Pheew... a lot of text for two questions, but I hope someone can help me out with this.

Thanks a lot
/Claes Argards
Post #: 1
RE: Some problems/questions about ISA2004 in "Cach... - 5.Aug.2004 12:57:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Claes,

What security advantage do you believe you have using the PIX for a firewall instead of using the ISA firewall as the stateful filtering and stateful application layer inspection firewall?

I would do it exactly the opposite, use the ISA firewall as the firewall and use the PIX as a router.

HTH,
Tom

(in reply to istari)
Post #: 2
RE: Some problems/questions about ISA2004 in "Cach... - 5.Aug.2004 1:38:00 PM   
istari

 

Posts: 17
Joined: 5.Aug.2004
From: Orebro, Sweden
Status: offline
Hi,

Since the network infrastructure was installed 2 years ago and given our need to be able to route between VLANs, set up tunnels between the different schools, publish OWA, Web etc., ISA 2000 was not a really good option... Besides, my (and my colleagues') knowledge about Cisco products is way better than our knowledge about ISA.
The only reason we use ISA at all is for the domain-level control and the easy logging / reporting.
I guess we could redo the whole environment, replacing all the Cisco FWs with ISAs but that's too much work/cost to do right now... besides that, I would like to see ISA 2004 out in the public for some time before relying on it for the whole WAN infrastructure...

regards
/Claes

(in reply to istari)
Post #: 3
RE: Some problems/questions about ISA2004 in "Cach... - 6.Aug.2004 1:13:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Claes,

OK, leveraging your current infrastructure and firewall expertise makes sense. However, having it in production for a while isn't an issue. I know a large software company with about 50,000 employees who has been pushing about 800GB of traffic per day through their ISA firewalls and have no problems with it!

Did you apply the single NIC template yet?

Thanks!
Tom

(in reply to istari)
Post #: 4
RE: Some problems/questions about ISA2004 in "Cach... - 6.Aug.2004 1:53:00 PM   
istari

 

Posts: 17
Joined: 5.Aug.2004
From: Orebro, Sweden
Status: offline
Oh yes, I'm running on the single NIC template but the 2 issues mentioned in the first post are still a problem...

cheers
/Claes

(in reply to istari)
Post #: 5
RE: Some problems/questions about ISA2004 in "Cach... - 9.Aug.2004 2:23:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Claes,

Are there any significant errors in the Event Log? I've not seen this error before with the unihomed Web proxy configuration.

Thanks!
Tom

(in reply to istari)
Post #: 6
RE: Some problems/questions about ISA2004 in "Cach... - 9.Aug.2004 3:26:00 PM   
istari

 

Posts: 17
Joined: 5.Aug.2004
From: Orebro, Sweden
Status: offline
Hi again,

The only error messages I find in the system log that might be related to the ISA server are the following two:

-----
Source: W3SVC
Event ID: 1007

"Cannot register the URL prefix 'http://*:80/' for site '1'. The necessary network binding may already be in use. The site has been deactivated. The data field contains the error number."
------
Source: W3SVC
Event ID: 1007

"Cannot register the URL prefix 'http://*:80/' for site '90346741'. The necessary network binding may already be in use. The site has been deactivated. The data field contains the error number."
------

Hope it gives you a clue, 'cause I'm running out of ideas...

thanks
/Claes

(in reply to istari)
Post #: 7
RE: Some problems/questions about ISA2004 in "Cach... - 9.Aug.2004 3:31:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Claes,

Is the WWW service running on the ISA firewall?

Thanks!
Tom

(in reply to istari)
Post #: 8
RE: Some problems/questions about ISA2004 in "Cach... - 9.Aug.2004 3:59:00 PM   
istari

 

Posts: 17
Joined: 5.Aug.2004
From: Orebro, Sweden
Status: offline
Hi,

Yes, the WWW Publishing Service is running...

I've just found the "require all users to authenticate" check box... so problem number one is solved now =)...

(in reply to istari)
Post #: 9
RE: Some problems/questions about ISA2004 in "Cach... - 14.Aug.2004 6:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Claes,

OK, if the WWW service is running on the ISA firewall, disable it! That is a security hole unless you're using it only for server management and using SSL and strong authentication.

HTH,
Tom

(in reply to istari)
Post #: 10
RE: Some problems/questions about ISA2004 in "Cach... - 1.Sep.2004 10:42:00 AM   
seeds

 

Posts: 16
Joined: 18.May.2004
Status: offline
Claes,
Did you get the solution for your error issue below? I have the same problem and can't figure it out.

Thanks

. When I do changes to the ISA configuration (i.e. change a FW Policy), I get an error message when I hit "apply". The error reads:
"The configuration changes were saved to storage, but at least one service failed to load these changes. The event log may include additional information on possible reasons for failure."

(in reply to istari)
Post #: 11
RE: Some problems/questions about ISA2004 in "Cach... - 2.Sep.2004 11:50:00 AM   
istari

 

Posts: 17
Joined: 5.Aug.2004
From: Orebro, Sweden
Status: offline
Hi,

No, unfortunately not... The error still remains on three of our four schools (the fourth has a slightly different server environment)...

To add some more clues to the problem... It seems to be somewhat connected to the SQL thingy that's installed with ISA... the small icon next to the clock doesn't have a "play" symbol on the servers where I have the ISA problem.
I hope that made sense =)

/Claes

(in reply to istari)
Post #: 12
RE: Some problems/questions about ISA2004 in "Cach... - 2.Sep.2004 12:45:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Claes,

You can ignore the icon in the system tray. It does NOT mean anything. The MSDE logging is installed and the icon in the tray means NOTHING.

HTH,
Tom

(in reply to istari)
Post #: 13
