Some problems/questions about ISA2004 in "Cache only" (Full Version)



istari -> Some problems/questions about ISA2004 in "Cache only" (5.Aug.2004 11:18:00 AM)

Hi there.

My name is Claes and I work as an administrator for a couple of schools here in Sweden. We have recently upgraded one of our schools to Windows 2003 and ISA 2004 (previously Win 2000 and ISA 2000). The installations are however on new servers (no upgrades). I have now run into two problems I would love to get some help with.

The setup:
At each school we have three servers. The one running ISA also runs as an AD domain controller, DNS, WINS, DHCP and file share.
I have set up ISA 2004 with the "single NIC template" (even though the server has 2 NICs we only use one) and I have created a new policy which allows all users & traffic to and from all networks.
The network is divided into 4 VLANs (teachers, students, servers and internet). Students do not have direct access to the internet so they have to connect via the ISA server. We use a Cisco PIX for the firewall function and the ISA server only for proxy and logging.

The Problems:

1. Last year when we used ISA 2000 on Win2k I had set up the ISA in cache mode only and to allow authenticated users only to use the ISA server. This gave me the control to allow only users in our domain to connect to the internet AND for the usernames of the students to appear in logs and reports.
If I set up my ISA 2004 with a rule that only allows authenticated users (and network services), the server stops responding to most network requests (ping, RDP, DHCP etc.). If I set the rule to allow all users everything works fine except that only IP addresses show up in logs and reports and I guess I'll lose the ability to lock non-domain users out from internet access. Is there any way to get around that?

2. When I do changes to the ISA configuration (i.e. change a FW Policy), I get an error message when I hit "apply". The error reads:
"The configuration changes were saved to storage, but at least one service failed to load these changes. The event log may include additional information on possible reasons for failure."
Then I have to restart the Firewall service manually for the changes to apply. I also see an error icon (and only ??? on uptime) when I check the monitoring/services (and dashboard) menu. Any hints on how to fix this?

pheew... a lot of text for two questions, but I hope someone can help me out with this.

thanks a lot
/Claes Argards




tshinder -> RE: Some problems/questions about ISA2004 in "Cache only" (5.Aug.2004 12:57:00 PM)

Hi Claes,

What security advantage do you believe you have using the PIX for a firewall instead of using the ISA firewall as the stateful filtering and stateful application layer inspection firewall?

I would do it exactly the opposite, use the ISA firewall as the firewall and use the PIX as a router.

HTH,
Tom




istari -> RE: Some problems/questions about ISA2004 in "Cache only" (5.Aug.2004 1:38:00 PM)

Hi,

Since the network infrastructure was installed 2 years ago and we need to be able to route between VLANs, set up tunnels between the different schools, publish OWA, Web etc., ISA 2000 was not a really good option... Besides, my (and my colleagues') knowledge of Cisco products is way better than our knowledge of ISA.
The only reason we use ISA at all is for the domain-level control and the easy logging / reporting.
I guess we could redo the whole environment, replacing all the Cisco FWs with ISAs, but that's too much work/cost to do right now... besides that, I would like to see ISA 2004 out in the public for some time before relying on it for the whole WAN infrastructure...

regards
/Claes




tshinder -> RE: Some problems/questions about ISA2004 in "Cache only" (6.Aug.2004 1:13:00 PM)

Hi Claes,

OK, leveraging your current infrastructure and firewall expertise makes sense. However, having it in production for a while isn't an issue. I know a large software company with about 50,000 employees who has been pushing about 800GB of traffic per day through their ISA firewalls and has no problems with it!

Did you apply the single NIC template yet?

Thanks!
Tom




istari -> RE: Some problems/questions about ISA2004 in "Cache only" (6.Aug.2004 1:53:00 PM)

Oh yes, I'm running on the single NIC template but the 2 issues mentioned in the first post are still a problem...

cheers
/Claes




tshinder -> RE: Some problems/questions about ISA2004 in "Cache only" (9.Aug.2004 2:23:00 PM)

Hi Claes,

Are there any significant errors in the Event Log? I've not seen this error before with the unihomed Web proxy configuration.

Thanks!
Tom




istari -> RE: Some problems/questions about ISA2004 in "Cache only" (9.Aug.2004 3:26:00 PM)

Hi again,

The only error messages I find in the system log that might be related to the ISA server are the following two:

-----
Source: W3SVC
Event ID: 1007

"Cannot register the URL prefix 'http://*:80/' for site '1'. The necessary network binding may already be in use. The site has been deactivated. The data field contains the error number."
------
Source: W3SVC
Event ID: 1007

"Cannot register the URL prefix 'http://*:80/' for site '90346741'. The necessary network binding may already be in use. The site has been deactivated. The data field contains the error number."
------

Hope it gives you a clue, because I'm running out of ideas...

thanks
/Claes




tshinder -> RE: Some problems/questions about ISA2004 in "Cache only" (9.Aug.2004 3:31:00 PM)

Hi Claes,

Is the WWW service running on the ISA firewall?

Thanks!
Tom




istari -> RE: Some problems/questions about ISA2004 in "Cache only" (9.Aug.2004 3:59:00 PM)

Hi,

Yes, the WWW publishing Service is running...

I've just found the "Require all users to authenticate" check box... so problem number one is solved now =)...




tshinder -> RE: Some problems/questions about ISA2004 in "Cache only" (14.Aug.2004 6:14:00 PM)

Hi Claes,

OK, if the WWW service is running on the ISA firewall, disable it! That is a security hole unless you're using it only for server management and using SSL and strong authentication.

HTH,
Tom
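The W3SVC Event ID 1007 entries quoted earlier in the thread say IIS could not bind http://*:80/ because something else already holds the port, and Tom's advice is to disable the WWW service on the ISA host. The following is an added example (not from the thread or from ISA 2004 itself) that a practitioner could run on such a Windows server to confirm the conflict and verify the service state; it uses only standard cmdlets and netstat, and assumes the System log and service names shown in the posts above.

```powershell
# Added example: diagnose the port 80 binding conflict and check W3SVC state.
# Assumes the event source (W3SVC), event ID (1007) and URL prefix quoted in the thread.

# 1. Pull the most recent W3SVC 1007 entries from the System log.
$bindingErrors = Get-EventLog -LogName System -Source W3SVC -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1007 } |
    Select-Object -First 5 TimeGenerated, Message
if ($bindingErrors) {
    "W3SVC 1007 (URL prefix registration failed) seen:"
    $bindingErrors | Format-Table -AutoSize -Wrap
} else {
    "No W3SVC 1007 entries found in the System log."
}

# 2. Show which process currently listens on TCP port 80.
#    Typical netstat line: "  TCP    0.0.0.0:80    0.0.0.0:0    LISTENING    4"
#    PID 4 is the System process, i.e. the port is held by a kernel-mode listener (http.sys).
$listeners = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:80\s+\S+\s+LISTENING\s+(\d+)\s*$'
foreach ($line in $listeners) {
    $ownerPid = [int]$line.Matches[0].Groups[1].Value
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    "TCP port 80 is held by PID $ownerPid ($name)"
}

# 3. Report the World Wide Web Publishing Service state and start mode.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3svc) {
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='W3SVC'").StartMode
    "W3SVC status: $($w3svc.Status), start mode: $mode"
    if ($w3svc.Status -eq 'Running' -or $mode -ne 'Disabled') {
        "W3SVC is not disabled on this host; per the thread it should be, unless it is needed for management over SSL with strong authentication."
        # To enforce that recommendation, uncomment the two lines below:
        # Stop-Service -Name W3SVC
        # Set-Service -Name W3SVC -StartupType Disabled
    }
} else {
    "W3SVC is not installed on this host."
}
```

Run it in an elevated PowerShell session on the ISA host; the netstat step needs administrator rights to show PIDs.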




seeds -> RE: Some problems/questions about ISA2004 in "Cache only" (1.Sep.2004 10:42:00 AM)

Claes,
Did you get the solution for your error issue below, I have the same problem and can't figure it out ??

Thanks

2. When I do changes to the ISA configuration (i.e. change a FW Policy), I get an error message when I hit "apply". The error reads:
"The configuration changes were saved to storage, but at least one service failed to load these changes. The event log may include additional information on possible reasons for failure."




istari -> RE: Some problems/questions about ISA2004 in "Cache only" (2.Sep.2004 11:50:00 AM)

Hi,

No, unfortunately not.. The error still remains on three of our four schools (the fourth has a slightly different server environment)...

To add some more clues to the problem... It seems to be somewhat connected to the SQL thingy that's installed with ISA... the small icon next to the clock doesn't have a "play" symbol on the servers where I have the ISA problem.
I hope that made sense =)

/Claes




tshinder -> RE: Some problems/questions about ISA2004 in "Cache only" (2.Sep.2004 12:45:00 PM)

Hi Claes,

You can ignore the icon in the system tray. It does NOT mean anything. The MSDE logging is installed and the icon in the tray means NOTHING.

HTH,
Tom



