Search results for 'app:weblogs' matching tag 'ISA'

EBS - SharePoint - TMG and ISA - Postback and Read-Only fix

jeffl — Tue, 17 Nov 2009 06:00:00 GMT

This is an early report of a fix to a problem which showed up in EBS at a client site.

First, I would like to say if you are facing this problem the fix will not be instantaneous because of a number of technologies at play.

The Problem

1) When a user goes to save a new SharePoint item such as an announcement, the page returns an error. As a result of the error, the item is not created. The page reports a Postback Error.

2) When a user uploads a document to SharePoint there is no problem. When the user then opens the document for editing it is only available for read only. Changes to the document cannot be saved.

The Fix

From the TMG console:

Select Firewall Policy
Right Click 'Allow Authenticated Users to access SharePoint services' and select Properties
The 'Allow Authenticated Users to access SharePoint services' Properties dialog will appear. Select the Paths tab
Click the Add Button
Using the default settings add a path for /webresource.axd*
Click Apply and then OK to exit.
I suggest you run IISreset on the Management server where SharePoint is located by default..
Additionally you should wait fifteen minutes for TMG to update and start applying the path.

Since this is an early fix if I have updates over time I will report back. If you have different experience please touch base and leave a comment.

Jeff Loucks
Available Technology

Subscribe in a reader

Killing off ISA

cgross — Sun, 11 Oct 2009 05:00:00 GMT

Earlier today Susan blogged about upgrade season in her office, and getting ready to migrate from SBS 2003 to 2008. In that post, she talked about uninstalling ISA and mentioned a post that Kevin has on that subject. I thought I’d take a moment to expand a little bit on Kevin’s post and add a few thoughts from my own battle scars with removing ISA.

First and foremost – Kevin mentions removing the ISA firewall client from all of your PCs before you remove ISA from the server. I cannot overstate how crucial this step is. The ISA 2004 firewall client uninstaller wants access to the original installation MSI, which lives in a share on your SBS box. This share is actually the Clients folder in the ISA installation directory. So what happens when you remove ISA from your SBS? You guessed it – the mspclnt share with the firewall client installation files is removed, which means any firewall clients still installed on PCs are not going to be happy when you try to remove them and they can’t find the MSI.

Since the Clients folder under the ISA installation folder is typically only about 5MB, I copy this folder to a safe spot on the server – usually my Tech directory where we keep various utilities and scripts. Here’s why – more and more, customers are backing up their workstations whether via Acronis / StorageCraft / Windows Home Server. We may find ourselves at a point in the not so distant future after removing ISA that we need to restore a PC from an image taken before ISA was removed, and need to remove the firewall client again. Or we may discover a forgotten PC / laptop that we missed removing the firewall client from. There’s all sorts of scenarios – but by keeping the Clients folder in-tact, we can share that out with the original mspclnt share name at any time and be able to uninstall the firewall client just like ISA was still installed on the server. Without the mspclnt share, you have a very VERY ugly path in front of you, and it is safe to say that you may end up facing the decision of living with the firewall client still on the machines, or wiping & re-installing the OS . . .

Second – Kevin also makes a brief mention about proxy settings. When you uninstall the firewall client from a PC, it will automatically disable proxy settings for the user account that is running the uninstall, but not for any other users on the machine. So if you have a PC that multiple users log in to, or if you are running a terminal server, be prepared for some proxy pain. I actually have a little VBScript that disables proxy settings for the current user by changing the value of the HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyEnable key from 1 to 0. I modify my login script to call the VBScript, in effect ensuring proxy gets disabled for each user when they log in to each machine.

The other aspect with proxy settings to keep in mind are your server-side applications. Unless you modified your ISA firewall policy to allow unauthenticated outbound http access from the server itself, you most likely specified proxy information for apps like Trend Micro’s Worry-Free Business Security or even WSUS – so that they can download their updates automatically. After removing ISA, you no longer have a proxy server, which means apps configured to use a proxy aren’t going to be able to get out to the internet. As a result, you stop getting automatic updates for things like A/V. So you will need to manually update the connection settings in these apps to remove the proxy settings previously defined.

So – here’s my quick checklist for removing ISA from your network & installing a hardware firewall:

Prep your hardware firewall in a lab setting. Enter in all public IP info, disable DHCP, and create all of our inbound rules. It’s best to do this while ISA is still installed & working, so you can refer to the rules in ISA to make sure you don’t miss any necessary inbound rules for your environment.
Backup your ISA configuration. While we’re moving away from ISA permanently, if we do encounter an issue with the new hardware solution where something isn’t working that was working with ISA, the ISA backup is an XML file that is relatively easy to read to see what rules you had and what they did without having to reinstall & restore ISA on your SBS.
Open up your outbound access in ISA by creating the proverbial ALL/ALL/ALL rule. In other words, create a new access rule in ISA allowing All outbound traffic via all protocols for all users/computers. Much of the internet access in ISA on SBS is dependent on users being members of the Internet Users security group. The firewall client on the PCs is what actually passes user info to the ISA server so it can check group membership. Once we remove the firewall client from PCs, ISA isn’t going to be getting user info and some stuff that worked before isn’t going to work now. If you only have 5 PCs and are moving from ISA to your hardware firewall on a Sunday when no one is working, you might be able to skip this step. But if you have a larger number of PCs, etc. this helps to insure you don’t disrupt users’ internet access too much while removing the firewall client . . .
In my case, I update my domain login script to call my DisableProxy.vbs script at this point.
Uninstall the firewall client from ALL PCs. Again – see my notes above. Your life will be MUCH simpler if you insure the firewall client is completely removed from all PCs before removing ISA from your server.
Copy the contents of the mspclnt share (%programfiles%\Microsoft ISA Server\Clients by default) to a safe location on the server, and plan to keep this folder safe for some time
Follow Kevin’s steps 3-9 to remove ISA from the server.
When you re-run the CEICW, it should automatically update the DHCP scope option on the server to use the internal IP of the new hardware firewall as the default gateway setting. If you have any devices that are using static IP addresses, you will need to manually update those with the new gateway. (HINT: Take a few extra minutes to create DHCP reservations for each device using a static IP, and change those devices to DHCP – so if you have another network reconfiguration in the future, all you have to do is reboot those devices instead of reconfigure . For all of your other DHCP devices, you will want to run an ipconfig /release followed by an ipconfig /renew to update their IP settings so they pull the new gateway, or you can reboot them as well. HINT 2 – PSTools are your friend. Create a batch file with the two ipconfig commands, and use PSExec to push & execute the batch file on all machines in the domain from the server. 5 minutes tops to update the IPConfig on all domain machines (that are online) instead of sneakernetting . . .
ALSO – if you followed Jim Harrison’s steps to configure auto-detection of proxy settings on your SBS LAN, you want to remove the wpad A record from your internal AD domain forward lookup zone in DNS – otherwise you may have devices pulling proxy settings for pointing to your non-existent proxy server via auto-detect.

So that’s my addendum to Kevin’s excellent post.

P.S. . . . and if you haven’t decided on a hardware firewall yet, I highly recommend Calyptix devices. These are the standard devices we are implementing when migrating customers to SBS 2008.

GFI Webmonitor

Anonymous — Tue, 16 Jun 2009 05:00:00 GMT

For the ISA fans out there. GFI Webmonitor has a public beta available for Webmonitor 2009 SR2. http://forums.gfi.com/m_900777363/mpage_1/key_/tm.htm#900777363

Two Important new White Papers

Anonymous — Thu, 09 Apr 2009 05:00:00 GMT

1. Step-by-Step Configuring ISA 2006 in front of SBS 2008. See http://www.thirdtier.net/blog for more details. Those of you that got ISA 2006 as part of the make-good in SA have been waiting for this. It’s a nice step-by-step paper, easy to follow to get your rules setup correctly. 2. Security Features in Microsoft Online Services. http://www.microsoft.com/downloads/details.aspx?FamilyID=5736aaac-994c-4410-b7ce-bdea505a3413&DisplayLang=en [...]

ISA or Calyptix?

Anonymous — Wed, 11 Feb 2009 06:00:00 GMT

As migrations to SBS 2008 start to pick up steam, consultants that were using ISA as part of SBS 2003 Premium are wondering how the Calyptix Access Enforcer compares. Let’s make one thing clear right off the bat; nothing compares to ISA except ISA. ISA has a rating of 4+. That’s as good as it [...]

Secure IMAP in SBS 2003 with ISA 2004

steveb — Wed, 21 Jan 2009 06:00:00 GMT

Eriq Neale wrote this post in September, 2007. Given that I referenced it yet again today while configuring a customer's SBS 2003 R2 Premium with ISA 2004 to get IMAPS running for an employee's Mac at their house so they could use Apple Mail and IMAP, I figured I would drop a quick note of thanks here to Eriq and link to it for my own quick reference to dig it up again later. ;-)

Thanks Eriq! Thanks to Tim too for encouraging you to write it up!

Steve

Teaching at Baker College

Anonymous — Mon, 05 Jan 2009 06:00:00 GMT

I will be teaching a course a Baker College in Auburn Hills this winter in ISA. In addition to the prescribed curriculum I intend to bring real world experience into the classroom. So students will learn not just the what, but also why and when to apply a particular security solution. ISA is an very [...]

EBS-MVP Awardee

Anonymous — Thu, 01 Jan 2009 06:00:00 GMT

Today I was awarded by Microsoft with the Essential Business Server - Most Valuable Professional. I am especially pleased to be the first person in the USA, to get this award. Microsoft has awarded me an MVP in previous years but I’ve never been the first. Gotta say it feels really good to the only [...]

EBS: Introduction to TMG Q&A

Anonymous — Sat, 06 Dec 2008 06:00:00 GMT

Thanks everyone for attending the session on Thursday. Below is the Q&A content from the session. It is also available for offline viewing at the 5w/50 partner training site. As part of our continuing series of free educational seminars at ThirdTier, I am planning to hold additional seminars on more advanced topics in TMG and EBS [...]

Migration from SBS 2003 to EBS 2008

steveb — Wed, 08 Oct 2008 05:00:00 GMT

When migrating over to EBS from SBS 2003 there are couple pre-migration steps that will save you a lot of trouble.

First:

Change the IP address of your SBS LAN IP. This will allow you to point mail to it during the installation process. If you do not change it, then you will not be able to have mail hit it if one of your EBS servers (in our deployments, we've standardized on .1 for SEC, .2 for MGT, and .3 for MSG) are going to use x.x.x.2 (default SBS 2003 IP address fourth octet).

Second:

If running SBS 2003 Premium and using ISA or dual-NIC'd with RRAS firewall? Do yourself a big, big favor and separate out the firewall role (ISA or RRAS) from the SBS box. Using an inexpensive hardware device make it the default gateway BEFORE you start the EBS setup. The key here is to separate out your default gateway from the rest of the server roles on SBS that EBS is looking to so they are not all on the same IP address.