THE OFFICIAL BLOG OF THE SBS "DIVA" : ISA Server

So you want to ensure that you have full access to ISA before, during and after patching for 09-016?

bradley — Tue, 21 Apr 2009 02:45:00 GMT

So you want to ensure that you have full access to ISA before, during and after patching for 09-016 (assuming you don't have a box with more than 4 procs) http://blogs.technet.com/sbs/archive/2009/04/20/ms09-012-and-isa-server-standard-edition-14109-failures.aspx

http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx

Listen to this for the reason you want to add a policy for remote management:

Inside SBS Episode #12 - The ISA Server Meltdown | Odeo: Search, Discover and Share Digital Media from Millions of Audio and Video Clips:
http://odeo.com/episodes/538067-Inside-SBS-Episode-12-The-ISA-Server-Meltdown

Mark, Damian, Justin, Chris on ISA.

8:53 minutes in Justin talks about it.

Launch the ISA console
Click on Firewall Policy
Click on Edit system policy

Okay see that setting that says "Remote Management"?

See where you build a rule to add your external [static] IP address to remotely manage the box via TS no matter what? See where you can even add the ability to ping from your remote server?

Click edit, then add your static IP to that category of "remote management computers". Adding that rule there means you won't hit a "lockout" when you remotely manage ISA....like...installing a security patch.

SBS premium and Quad Core

bradley — Wed, 20 Feb 2008 08:13:00 GMT

SBS Premium with ISA Server 2004 on Quad Core CPUs

I hope Darren doesn't mind me stealing his entire REALLY good blog post about how he got stuck installing Windows 2003 sp2 and ISA on a quad core CPU server and how he needed to get up to ISA 2004 sp2 or sp3 to fix this

Recently a customer of mine purchased a Dual Quad Core server to act as their SBS Premium server. They planned to run SQL Server and ISA Server on this machine, and wanted the machine to last 5 to 7 years, so a dual Quad core configuration isn't out of line, and price wise, it wasn't much more expensive than two dual core processors.

When they went to install the ISA Server component however, they found that ISA Server wouldn't start. Complaining about there being too many processors.

SBS supports two PHYSICAL CPUs as counted by the number of CPU Sockets on the main board, not by the number of processor cores reported to the operating system. So ISA not working isn't a licensing issue, but rather a bug in ISA's detection of the number of CPUs.

Fortunately, there is a fix: Install ISA Server 2004 SP2. <edit now install ISA 2004 sp3 instead -- Download details: ISA Server 2004 Standard Edition Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A05A074A-5033-4792-AF8B-58B90D841436&displaylang=en>

To figure out the fastest / least error prone way of doing this, I contacted Microsoft's Pre-Sales Tech support, and here's the exact order in which they recommend doing the installation:

Now, there are few different things you need to do before going ahead with installing SP2 on ISA 2004.
1.) Make sure you download SP2 for ISA 2004 and two following roll outs first:

Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2
http://support.microsoft.com/kb/916106
Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2
http://support.microsoft.com/kb/917902

2.) Go ahead and install everything in the following order; SP2, KB 916106 then KB 917902. <instead install ISA 2004 sp3>

Once that is done with, you’ll probably want to install SP2 for Windows, apparently this is a potential problem with ISA; please view the following blog posting for information on the issue, before actually going ahead and installing it.

VPN, SecureNat/Nat and Outlook clients not working after installing Windows Service Pack 2 in SBS 2003 Premium

http://blogs.technet.com/sbs/archive/2007/03/19/vpn-securenat-nat-and-outlook-clients-not-working-after-installing-windows-service-pack-2-in-sbs-2003-premium.aspx

After all that is done, there is a chance that you might experience a performance issue with the workload spiking on one of the CPUs, the support team hasn’t had any calls on it, but just in case, here’s the KB on how to fix it.

Throughput for an ISA Server that is running on a Windows Server 2003 Service Pack 2 (SP2)-based multiprocessor computer may be greatly reduced or completely blocked

http://support.microsoft.com/kb/934809
Darren's Space: SBS Premium with ISA Server 2004 on Quad Core CPUs:
http://darrenmyher.spaces.live.com/blog/cns!1ABA4CA6583AB317!155.entry

A rule for ISA

bradley — Mon, 31 Dec 2007 18:38:00 GMT

Charlie needed to connect to Gmail's nntp folders inside of Outlook. He had ISA's rules to not be all open and realized it was impacting Gmail.

(Necessary if you're going to use Outlook rule processing, since SBS
doesn't include a default rule for this.) You'll need to add an ISA Rule
to make it work on some machines. I could post the XML file, but it's
easy enough to set up:

1.) Open ISA Mgmt console. 
2.) Scroll down to near the bottom, just about the SBS Internet Access
Rule
3.) Click Tasks tab on right, click Create a New Access Rule
4.) Give it a name - "Gmail SSL Allow" (or whatever). Click Next
5.) Select Allow, click Next.
6.) Select This Rule Applies to Selected Protocols from the drop down
list. 
7.) Click Add. Expand Mail. Select IMAPS (and IMAP4 if you also use
non-secure IMAP servers somewhere.) Click Add. Click Close.
8.) Click Next to move to the Access Rule Sources page. Click Add
9.) Expand Network Sets, select All Protected Networks. Click Add. Click
Close.
10.) Click Next to move to the Access Rule Destinations. Click Add.
11.) Expand Networks, select External, click Add. Click Close.
12.) Click Next to move to the User Sets. I leave this at All Users. 
13.) Click Next to move to the Completing New Access Rule page. 
14.) Click Finish. Then Click Apply to make the rule actually active. 

You're in business. 

Charlie.

What happened to my DHCP after ISA sp2?

bradley — Sun, 14 Oct 2007 04:17:00 GMT

MPECS Inc. Blog: SBS Premium - SBS Post Install ISA Rule Must Do for DHCP:
http://blog.mpecsinc.ca/2007/10/sbs-premium-sbs-post-install-isa-rule.html

Philip's blog talks about the case of the missing DHCP

Amy talks about why this happens:

Why DHCP Stops Working After You Add a Custom Access Rule - SecureSMB:
http://msmvps.com/blogs/securesmb/archive/2007/10/13/why-dhcp-stops-working-after-you-add-a-custom-access-rule.aspx

One of the unusual-ness of SBS is the behavior of rule making on the box it's protecting. This is one side effect we see, and in particular I've seen it pop up post sp2. ISA is very RFC aware and my guess is that with the application of sp2 it's gotten a bit more RFC aware than it already was. But that's pure speculation and probably what is going on is the mere 'change' that a service pack application brings and perhaps teh consultant has changed rule order post sp2 and is not equating that with the action. But bottom line, watch your rules. I don't have a special DHCP rule here and my server works just fine.

ISA hot topics

bradley — Sat, 13 Oct 2007 01:22:00 GMT

>>> HOT TOPICS for OCTOBER 2007 <<<

The following "hot topics" were posted and resolved during the month of
September:

ISSUE
=====
When you try to access external FTP sites in an ISA environment, you may
experience ISA error message:

ISA Server: extended error message :
200 Type set to I.
200 PORT command successful.
550 Permission denied on server. You are restricted to your account.

This mostly occurs when you visit some FTP sites which needs authentication
in IE7 using the URL form ftp://username:password@ftp.site.com.

In IE6
-------
You can also access the FTP site using the URL ftp://ftp.site.com. It will
prompts you to input username and password. After inputting username and
password, you can access the ftp site.

In IE7
-------
No matter what types of clients you are using (SecureNAT, web-proxy(BTW, it
will not work with folder view enabled) or firewall client). You just cannot
access it successfully.

CAUSE
======
This is because folder view is disabled in IE7, this is by design. This is
controlled by windows shell. Internet Explorer 6 and the Windows shell were
basically the same program but used different user interface (UI) entry
points. However, IE7 install new component of its own, it is not the same
program of Windows shell.

RESOLUTION
===========
To workaround the issue, you must access the website in Windows Explorer.

MORE INFORMATION
=================
Separation of Internet Explorer 7 from the Windows shell
http://support.microsoft.com/?id=928675

ISSUE
=====
ISA firewall service failed to start after you installed ISA 2004 Server on
the SBS. When we manually start firewall service, it retuned "Windows could
not start the Microsoft firewall on local computer. For more info review the
Event Log. If this is a non-Microsoft service, contact the vendor and refer
to service specific error code -2147221005".

In application log, you got Firewall error 14001: "The description for Event
ID ( 14001 ) in Source ( Microsoft Firewall ) cannot be found. The local
computer may not have the necessary registry information or message
DLL files to display messages from a remote computer. You may be able to use
the /AUXSOURCE= flag to retrieve this description; see Help and Support for
details.

Reinstalled ISA Server, however this issue persists.

CAUSE
======
Corrupted registry or components.

RESOLUTION
===========
Check the permission on following registry keys:

HEKY_CLASSES_ROOT/Fpc.FPCFilterExpressions
HEKY_CLASSES_ROOT /Fpc.FPCFilterExpressions.1 HEKY_CLASSES_ROOT /FPC.Root
HEKY_CLASSES_ROOT /FPC.Root.1 HEKY_CLASSES_ROOT /FPCSTG HEKY_CLASSES_ROOT
/FPCSTG.1 HEKY_CLASSES_ROOT /FPCSTG.FPCStorageEnvironment HEKY_CLASSES_ROOT
/FPCSTG.FPCStorageEnvironment.1 HEKY_CLASSES_ROOT /FPCSTG.FPCStorageFactory
HEKY_CLASSES_ROOT /FPCSTG.FPCStorageFactory.1

Set the above registry keys with following permission:

Administrator - Full Control
System - Full Control
Network Service - Full control
Authenticated Users - Full Control
Creator Owner - Full Control
Server Operators - Full Control

ISSUE
=====
OWA access problem via ISA 2006. Error Code: 500 Internal Server Error. The
number of HTTP requests per minute exceeded the configured limit. Contact
the server administrator. (12219).

CAUSE
======
Incorrect authentication method, FBA was enabled on both ISA and Exchange.

RESOLUTION
===========
Disabled FBA on Exchange server and enabled it on the ISA web listener.

MORE INFORMATION
=================
Publishing Exchange Server 2003 with ISA Server 2006
http://www.microsoft.com/technet/isa/2006/deployment/exchange2003.mspx

After upgrading nic drivers - reboot your box.

bradley — Sat, 05 May 2007 01:27:00 GMT

After doing a firmware upgrade and a driver upgrade to 10.24.0... reboot your server.

ISA will will block the traffic and not let it out. I had a feeling it would freak out just a smidge with that firmware/nic driver upgrade...and it did.

Now on to see if that helps with getting SP2 on the box.

ISA rules in the wrong place

bradley — Wed, 17 Jan 2007 07:15:00 GMT

http://simultaneouspancakes.com/Lessons/2007/01/15/isa-and-dhcp/

When you start using ISA to restrict things... be careful about restricting too much.....

Depending on where you put that ISA rule set you could end up shutting off DHCP services as a result.....

-------- Original Message --------
Subject: Sharing info.. ISA Rules
Date: Sat, 13 Jan 2007 22:25:44 -0000
From: Pop <Iknowyouwantit@lol.com>
Newsgroups: microsoft.public.windows.server.sbs

If you already all knew it then sorry... ;-)

Set up a denied access rule for 'banned sites' a few days later noticed pcs
were not getting an IP address from server DHCP (oh yes, router DHCP
switched off...lol)
Noticed the above rule was before the SBS Protected network rule, moved it
below and DHCP working again...

Interesting...

So I'm looking in my ISA log files...

bradley — Thu, 04 Jan 2007 04:15:00 GMT

So I'm looking in my ISA log files because for the last couple of days my Scorpion Software Firewall dashboard has indicated I've been getting ntp attacks from two IP addresses: 192.168.116.1 and 192.168.142.1 and it's now where I have some time on my hands to figure out what's going on.... they aren't getting out ...but what are they there? My internal IP address on this network is based on the old SBS 4.x numbering of 10.0.0.x, my home IP range is 192.168.16.x... the 192.168.1.254 is my external nic attached to the router...so WHY do I have two IP addresses attempting to get a time sync and being denied? When I ping them they are unavailable, and an arp -a brings back nothing. Well in chatting with Amy she indicated that the logging I was seeing "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED" was not hitting a "rule" but rather at the kernel mode. It was labelling them as spoofed as it didn't see these addresses in my domain.

No kidding.... neither did I... so what are they? So Amy Googled and found that one might be a Vmware network connection and the other Cisco.... Vmware? Hang on .. I have vmware on this workstation but it's not loaded up... and at the time I had the two nics enabled (I've since disabled them)

And sure enough...that was the IP addresses that the nics were assigned in the interface and ISA was just doing was it was supposed to be doing on my internal network and saying "yo, I don't recognize these, they aren't on my approved internal IP addresses so I'm blocking them". Okay so not exactly like that, but you get my meaning.

Sure 'nuff, disabled the nics as I'm not running a vmware on this machine at this time and that was indeed it. Once again, the firewall dashboard stuck something in my face that I don't think I would have noticed otherwise.

And by the way.... to Amy ... Ditto! THANK YOU! for all that you do for the SBS and ISA Community! http://isainsbs.blogspot.com/2007/01/thank-you.html

Using ISA to protect the SBS mail server just a smidge more....

bradley — Fri, 29 Dec 2006 21:14:00 GMT

The recent closure of the Open Relay Database as reported by incidents.org points out how email and spam have changed over the years. Once upon a time Open Relays abounded and was the main way that spam attacks were launched. Now spam comes and attacks us from various ways from spam bots to NDR attacks. No longer is Open Relay our main SMTP security issue these days. In fact Exchange 2003 is not a mail relayer by default. Nevertheless, while our servers have gotten more secure, the spam impact is rising. As they've changed the playing field, we're using different tools to fight back. While the built in IMF spam filter in Exchange 2003 sp2 is an excellent spam filtering, there are new hosted solutions that place the burden of filtering on the backs of specialized vendors that can better see the Spam trends. From vendors such as Postini, Microsoft's Frontbridge, to the vendor that I personally use, ExchangeDefender.com it provides additional filtering in front of your Exchange server.

Hosted Exchange filtering provides several benefits. The first being that these vendors specialize in seeing the trends of viruses and spam and thus can act on these trends much faster than I can. Secondly they house the spam on their servers and not mine. And last but certainly not least, one of the reasons that I chose this was to provide a more secure connectivity to my mail server. I was able to do this by utilizing my ISA server 2004 to provide a bit more protection for my Small Business Server network.

Before the change, I could literally see pings from various countries entering my network via the open port 25 that I used to accept inbound email connections. Using an add on tool to ISA Server 2004, the Firewall Dashboard from Scorpion Software, you could see the various countries and IP addresses:

Figure 1 - Scorpion Software's Firewall Dashboard showing various SMTP connections

While attempts to guess a username and password on a mail connection on a network that has passphrases or a password policy that ensures that they are long, strong and not easily crackable at all, should not be a concern to the savvy network administrator, the reality is for many firms is that they would prefer to reduce an exposed attack surface if it's reasonable to do so. There have been cases where firms have been subjected to dictionary attacks and have had a password cracked merely to use the mail server and authenticate it to be used in more spam attacks. These attacks called SMTP auth attacks have increased over the years. In addition, the concern that I have with my firm located in California with data of California residents, is that should an attacker use a SMTP auth attack and through my own stupidity or misconfiguration, a password is cracked, that event would warrant a event under a law in California called SB1386 whereby I would need to notify clients of my firm's that their sensitive data may have been breached.

In our case, it is extremely reasonable and extremely easy to limit the connections to our mail server ports with a bit of judicious editing to our ISA server policy that allows connections to our mail server. The service that I use, ExchangeDefender only connects to my server from a specific set of IP addresses. Therefore, to ensure that we only accept inbound port 25 connections from those servers, we will set up rules in ISA Server 2004 to better protect the server and limit SMTP connections to only those 5 IP ranges. This will then in turn, close down the potential for SMTP auth attacks and other misdirected connections to the port 25 in my server, thus reducing even more of an already limited attack surface via the server.

Our first step in the process is to determine the IP addresses that we need to restrict port 25 to. The IP addresses are all Class C addresses. We begin by launching the ISA management console as shown below:

Figure 2 - Default rules as provided by the SBS 2003 "Connect to Email and Internet Wizard"

In my case, my version of ISA server 2004 is installed on the SBS 2003 network server and has a rule wizard that has pre-built the access to the server for email. I will edit that rule to provide the additional restrictions I need, but I need to remember that should I need to rerun the Connect to Internet and Email Wizard, or CEICW as it's commonly called, that is inside the Small Business Server network, it will reset these email rules to default. So at the end of this process, I'll make sure that I backup the ISA configurations I've customized to ensure they are retained.

So we begin by editing the policy and providing the additional IP restrictions so that only the IP addresses from the ExchangeDefender servers can connect to the SMTP connection on my server. In my example using SBS 2003's ISA server configuration, it has built for me a SMTP access rule that I will edit. Double check on the Smtp Server Access Rule and browse to the "From" tab. From here you can see that the current allowed connections are from the entire Internet. This is what we will be editing.

Figure 3 - Editing the SMTP server access rule

We will first begin by adding the necessary Address ranges that we need to limit connections. After clicking on "Add" we are presented with a Network Entities screen. We now need to click on "New" to add a new category of addresses that we will limit inbound port 25 connections from. As you can see, you are presented with various ways that you can add different rules sets for access. Ranging from "Networks" to sets, to various computers, to address ranges and so on. This makes it easy to add a rule with a specific need in mind.

Figure 4: Defining the Network Entities

We will build a series of Address ranges based on the information given to us by the Hosted Antivirus and AntiSpam provider that we will use to limit the connections. While we can use several categories of network entities to build the rule, including Address ranges for each range, Subnets for each one, the easiest way is to use the Computer Set rule and include in one set the five ranges that we have been given by the vendor to limit the connections to. This allows for the best organized rule as all of the vendors IP ranges that he has given us to limit connections to will be included in one spot. Be sure to add enough descriptive information to the rule set to ensure that you will remember the intent and to document it in your Firewall change log or whatever process you use to document firewall changes.

Figure 5: Using New Computer Rule Element

When everything is all done, the rules we have built will be included as one set. We can now easily remove the existing rule of "External" which allows all connections from all locations, with the more restrictive rule that only allows the 5 address ranges that have been specified. And like all other edits to Firewall rules in ISA, it's as easy as clicking on the "Apply" button to easily change the rule to our new edited one.

Figure 6: Applying the new configuration

Last but not least, we need to remember that in the Small Business Server 2003 environment we need to remember that should we re-run the firewall wizard for any reason, any SBS wizard specific rule that we customized before will be reset back to the original once you rerun that wizard. Therefore documentation of the changes you make, and ensuring that at the end of the process of customization you click on properties of the rule and you export the rule to allow for easy import will ensure that you can easily and quickly get the Firewall settings back as you need them to be.

Figure 7: Exporting out the changed configuration

In reality for many of us that use the power of ISA 2004 to better protect and report on the Internet connectivity on our SBS 2003 networks, we typically only run the Connect to Email and Internet wizard once when initially setting up the ISA 2004 configuration. After that first configuration, we tend to edit the rules as we need them and there is typically no need to rerun the setup wizard.

You can now use or go to any number of port probing web sites and tools ranging from Steve Gibson's veritable Shields Up on his www.grc.com web site to Microsoft's portquery tool and see that no longer is your port 25 seen open to the Internet and ready for drive by port 25 password attempts. While you are still fully able to get all of your cleaned and de-spammed email, you are no longer the fully exposed connection you once were.

Before you limit the connections, a port query response comes back with the following:

Data returned from port:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 25 Dec 2006 03:06:17 -0800
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000000.

After you limit the connection, the response comes back as follows:

TCP port 25 (smtp service): FILTERED
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000002.

Thus providing a bit more protection from drive by SMTP auth attackers.

While I would never say that a firewall should be a "set it up and then forget about it", typically the ISA 2004 configuration is straightforward enough that typically my only needs for adjusting are when my business needs change or a security stance changes have dictated a change in the firewall. The rest of the time, it just keeps doing what it does very well, being a great protection and reporting access tool for my business' network.

And now, it gave me just a little bit more help in the war against SPAM.

(Now blogged from this location on my blog site, was formerly blogged at another location)

P.S. as I've joked with folks.. the worse thing about all these external hosted spam filtering services is that they make your email boring.

Using ISA to protect Exposed ports

bradley — Thu, 28 Dec 2006 15:14:00 GMT

~~As a FYI a blog post I did on how to use ISA 2004 to better close your SMTP connection to the outside world ... especially when you are connnected to ExchangeDefender.com is up on the ISA server blog~~

~~http://blogs.technet.com/isablog/archive/2006/12/28/exchange-spam-filtering-and-isa-server.aspx~~

Exchangedefender.com is the service that I use that prefilters, cleans and despams my firm's email....

Bottom line it makes my email boring these days. And I'm serious about that... it's quite dull these days. Only business email. :-)

P.S. The post is off the blog site.. sorry if you are looking for it. No, I really won't go into why it was removed (not for reasons some folks might be thinking of anyway).

New ISA news

bradley — Wed, 13 Dec 2006 01:26:00 GMT

WSUS Product Team Blog : New Product Category for ISA Firewall client:
http://blogs.technet.com/wsus/archive/2006/12/12/new-product-category-for-isa-firewall-client.aspx

How to obtain the version of Firewall Client for ISA Server (December
2006) that includes Windows Vista support:
http://support.microsoft.com/kb/929556

Finally the ISA firewall client that will support Vista is out today and there's a new WSUS category to boot!

This is a tad confusing because the page on the download site says "Public beta" but the KB article doesn't say beta, nor does SeanDaniel.com....in the public ISA newsgroup it was posted that these are indeed final parts.

Issues installing ISA 2004

bradley — Fri, 27 Oct 2006 19:58:00 GMT

Question

Several days ago when i install ISA 2004 in SBS 2003 R2 i get the following
error in the
ISAWRAP_*.log file... and installation setup stops"Installer activated,
command-line='/v"/qn FULLPATHANSWERFILE=\"C:\Program
Files\Microsoft Windows Small Business
Server\Support\Premium\ISA2k4und2006_10_10_02_47_26.ini\""'
Running setup wrapper in quiet mode.
Activating firewall installation program
Setup failed. Error returned: 0x643
Firewall installation failed, hr=80070643
Installation completed successfully
ShowSecurePage: Not showing on unattended"

------------
Solution:

Setup failed. Error returned: 0x643
Firewall installation failed, hr=80070643

Regarding the error 0x643, we have experienced several similar issues
before, on the root of C drive there was a hidden config.msi folder. That
folder was created by a MSI installer for a previous failed installation of
another application. After renaming that folder to config.msi.old, the
installation of ISA was successful. To view hidden folder, please click
Tools->Folder Options, go to the View tab, and then change the option
"Hidden files and folders" to "Show hidden files and folders".

Detailed steps:

1. Open explorer and navigate to the location of your config.msi folder
(this is a hidden system folder created by the MSI installation, located on
the root of the C: drive by default)

2. Remove the read-only and system flags from the folder

3. Rename the folder to config.msi.old

4. Restart the installation

Meanwhile, please open the Regedit and check the following registry key:
1. Go to the following registry directory
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess

2. On the menu bar, go to Edit, Permissions.

3. Check the existing users to make sure they have Full Control Permission.

4. Add Everyone group and grant Full Control

5. Click Advanced button and check the two check boxes:

"Allow inheritable permission from the parent".
"Replace permission entries on all child objects".

How to block MSN Messenger traffic and Windows Live Messenger traffic by using ISA Server

bradley — Mon, 09 Oct 2006 05:46:00 GMT

I don't allow everyone in my office to have external IM in the office. I happened to catch Exchange 2000/SBS 2000 on software assurance and caught Live Communication for internal only instant messenging. If you do allow your firm to have external IM and you want to do a bit of control, here's a KB to add a bit of control...

http://support.microsoft.com/?kbid=925120

How to block MSN Messenger traffic and Windows Live Messenger traffic by using ISA Server

ISA firewall won't start

bradley — Fri, 11 Aug 2006 04:00:00 GMT

So there are times when you get a weird answer to a weird problem....

We've seen before that ISA/RRAS/MSfirewall won't start with a event id 7001, 7024 and 7.....

..and believe it or not the KB article that does the trick is this one:

You cannot use the Fax service on a Windows Server 2003-based domain controller or you receive a "Permissions could not be properly configured for Fax Operators" error message when you run the Windows Small Business Server 2003 Setup program:
http://support.microsoft.com/kb/842207/en-us

All of this is documented in Jeff Middleton's Swing Migration method at www.sbsmigration.com as he's seen the issue before....

The Microsoft Firewall service terminated with
service-specific error 212994 (0x34002).

You can see more of it here in this post.

ISA and IIS on the same box

bradley — Sun, 06 Aug 2006 23:59:00 GMT

On the download site is a program that allows you to do ISA and IIS on the same box.. there's just one problem... while it's a cool tool for SBS.. the fact is that you cannot install ISA 2006 on a SBS box. For one we're not licensed for it... and for two it breaks the CEICW. So while this is a cool download for our ISA 2004 boxes.. co-locating 2006 on a SBS box breaks things.

'When Internet Information Services (IIS) and Microsoft® Internet Security and Acceleration (ISA) Server 2006 are co-located, as in a Microsoft Small Business Server (SBS) installation, and a Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server has a Web Proxy Automatic Discovery (WPAD) entry that points to the computer running IIS and ISA Server, the server applications use the same port. This prevents requests from Web Proxy clients for a Wpad.dat file and prevents Winsock Proxy Autodetect (WSPAD) requests from Firewall clients for a Wspad.dat file from reaching the server.

The files in this package can be used to configure IIS to direct client requests for proxy automatic configuration data to ISA Server using server-side Active Server Pages (ASP) code.'

ISA 2004 needed sp2 to properly load

bradley — Sat, 05 Aug 2006 04:06:00 GMT

Phil had installed SBS 2003 on a 2 processor, Dual core Xeon so = 8 logical processors... he then installed ISA 2004 and got the message:

The ISA Server Standard Edition cannot run. Either the server is using more than 4 processors, or it is configured to use the Active Directory service. Use the source location 100.371.4.0.2163.213 to report the failure. Contact Microsoft (R) Corporation for more information.

..and after reboot the ISA services would not restart. Ended up he had to install ISA 2004 sp2 to get ISA to function on this spec of a machine.

ISA 2006 RTM's (but remember it doesn't work on SBS)

bradley — Wed, 02 Aug 2006 03:57:00 GMT

Just a reminder that while ISA 2006 has recently RTM'd... the CEICW doesn't work with it and we're not licensed for it...So play with it for testing purposes for standalone installs....but don't try to install it on SBS.

Check out Tristan's blog for more.

ISA 2004 sp2 update for issues with Delta/iTunes, etc.

bradley — Mon, 24 Apr 2006 19:15:00 GMT

Heads up ..this 'may' need to reboot your server, so you'd probably need to install this after hours just in case...

(and if you have WSUS set for "publically available patches" ... or whatever that one category is....you should see this in your WSUS console as well....)

Download details: ISA Server 2004 Standard Edition Update:

http://www.microsoft.com/downloads/details.aspx?familyid=2aa53ee6-527c-4398-ab7c-fcf8e8dde8ce&displaylang=en

Overview

This update addresses the following HTTP issues for ISA Server 2004 Standard and Enterprise Editions with Service Pack 2 (SP2):

• KB 915045: Error 502 "The HTTP request includes a non-supported Header" when accessing certain web servers. This occurs when accessing certain Web servers that return headers that are incompatible with each other.

• KB 915421: Errors 11001 or 400 when accessing certain web servers. This is caused by a misinterpretation of spaces in headers provided by ISA Server, and results in a corrupted URL and failure to load the Web page.

• KB 915422: Event ID 23004 when accessing web sites that respond with compressed content. Some Web servers always return compressed content, which is denied by ISA Server when it did not request compressed content.

• KB 916573: Error 500 (Internal Server Error. Not implemented (-2147467263)) when trying to download zip attachments from an Outlook Web Access server. The header returned by Outlook Web Access causes ISA Server to deny the response.

• KB 917134: Grayed out checkbox “Enable caching of content received through the BITS service”

ISA 2004 sp2 hotfix and a reboot

bradley — Thu, 13 Apr 2006 04:20:00 GMT

Just in case you install the hotfix to fix the iTunes, Delta.com, Sun.com issues with ISA2004 and you DON'T get prompted for a reboot... reboot... just in case.

Besides sometimes I 'bounce the box' just to put a detailed info in that Shutdown logging screen.

Now I'm sure someone will tell me there's a way to do this without rebooting... but ...

From the newsgroup --

I wanted to post this for anyone out there thinking about getting the patch from PSS that fixed the way ISA 2004 SP2 breaks access to the ITunes music store. Here is the link http://support.microsoft.com/?kbid=916106 . I loaded the version of this patch for ISA 2004 Standard on my SBS box yesterday and everything appeared to go well. I didn't realize until this morning that it completely hammered IIS and all of the websites were stopped. ISA server's log was reporting an error trying to access the published page, publishing.<server domain>. I restarted IIS and mail began flowing, but OWA was still down and I could not start the default website because it was "in use by another process." I rebooted the server and all was well again, but I sat with mail and the websites down for about 20 hours. So just as a warning for anyone installing this patch, reboot the server afterwards. You are not prompted to do so by the installer.

Peace

Patch for issues with ISA 2004 sp2

bradley — Tue, 11 Apr 2006 06:17:00 GMT

Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2:
http://support.microsoft.com/?kbid=916106

The hotfix for issues with ISA 2004 sp2 is now out....

For those of you who remember..that's Sun.com and Delta.com web site issues and iTunes and the biggies.