Thread: Removing ISA 2004 - Tips/Gotchas? (Internet Related/Filtering/Firewall forum, Technical section)
  #1 contink

    Removing ISA 2004 - Tips/Gotchas?

    I've got a small primary school with an old server that is now reaching end of life and one of the things that I inherited with it is an ISA 2004 install that, to be honest, is more grief than it solves.

    I'm looking to get rid of it but I figure there must be a few hard won tips on how to do this, as well as things to watch out for in the process so that I don't leave everyone high and dry.

    Anyone got any valuable insight they can share on how best to tackle the process?

  #2 timzim
    Are you replacing it with a better solution or just removing it? How is it configured on the network? Difficult to advise without any information on what you're using it for.

  #3 contink
    Quote Originally Posted by timzim:
    > Are you replacing it with a better solution or just removing it? How is it configured on the network? Difficult to advise without any information on what you're using it for.
    At present it's being removed with no replacement intended... It's in a school with no more than 25 workstations and 2 servers. We did have a smoothie box in but due to some issues with staff training (ie: listening skills deficit) it was dropped about a year ago but I'm working on bringing it back as county broadband has been appalling for 6+ months.

    In terms of configuration, everything is currently piped through it with the server it's on being the gateway. Removal will retain the server as gateway, just via DHCP instead and without a local firewall...

    To be completely honest one of the other problems is my lack of experience or skill with ISA, and that in particular is holding things up... Worst case scenario, I'll be putting a Smoothie 3.x express box in front of the gateway and going that route.

  #4 p858snake
    Quote Originally Posted by contink (post #3 above, quoted in full)
    You should probably have something that at least logs the access, whether that is ISA 06 or smoothie or another package altogether.

  #5 timzim
    I agree. Despite connecting to the internet via the LGfL, which is supposedly safe & filtered, we still see plenty of thwarted all-port-scans and dos-attacks in our ISA logs. What problems are you having with the ISA server? Even if you disabled the firewall part of it (why though?) you could still benefit from its caching.

  #6 contink
    Quote Originally Posted by timzim:
    > What problems are you having with the ISA server? Even if you disabled the firewall part of it (why though?) you could still benefit from its caching.
    The current issue is a block that makes little sense... A specific site Thinkuknow - home is creating a weird block where, for some reason, the client PC appears to put out a faked IP as part of a DHCP request and ISA shuts down access for that PC to DNS, until IE7 is closed and restarted.

    I'm in the process of sorting out the fact that WSUS hasn't been doing its job and there's a slew of updates required on the network but ISA has been a bugbear for some time and I've wanted to pull it for a while.

    The other part, as originally noted, is that I don't know ISA particularly well and I would rather spend time on a system I do understand and can configure properly (ie: Smoothwall)...


    I probably should have specified that I'm looking at putting in a smoothie box (ie: totally separate from the server) when time allows but I'm not looking at putting it on the server as is.

    Does that make a bit more sense..

    Anyway, to politely repoint this back to the original question...

    Are there any things I need to consider before removing ISA in terms of issues to resolve prior/after, software that may be affected on the server. The server is a DC and is currently the master along with all the other points I noted in my 2nd post.

  #7 timzim
    ISA server is on a DC...

    That's a major problem in itself but now you're going to remove the only protection it has and make your DC your gateway with no firewall protection at all?? I'm sorry, I can't advise you do this unless you put in a separate box as your gateway (Smoothwall or ISA or whatever) < mops fevered brow >

  Thanks to timzim from: contink (16th September 2010)

  #8 SYNACK
    Do not remove ISA until you have a Smoothwall box in place otherwise you may as well just format the box now and be done with it as you will have zero protection from the internet. If you pull ISA you would need to reconfigure the box manually anyway with RRAS to act as a NAT device to allow it to forward traffic as it does not do this by default. Not that I recommend it but this could be done however if you did you should leave the Windows firewall on and just open the required ports on the internet side for a modicum of protection.

    Once you have the Smoothwall setup as the gateway device and DHCP set to tell all clients to go via the Smoothwall then you should just be able to uninstall ISA. As long as you don't have any weird external mappings like hosted sites etc it should be fine. You will need to make sure to copy out any required mappings from ISA if you run externally available things like your own email server. This would be a simple case of copying it into the config of the smoothwall.

    I have to agree with timzim, ISA on a DC is a canning factory of worms and is almost certainly why you have been having so many issues with it. It is a totally unsupported setup and Microsoft themselves can barely make it function on a fully integrated server under SBS. When installed as intended on a standalone box or VM (ISA 2006 or above unfortunately) it works really well and makes passing authentication and mapping stuff very simple.

  Thanks to SYNACK from: contink (16th September 2010)

  #9 contink
    Quote Originally Posted by timzim:
    > ISA server is on a DC...
    As I said, this is how I inherited it... and yes it's more than slightly nuts...

    > That's a major problem in itself but now you're going to remove the only protection it has and make your DC your gateway with no firewall protection at all??
    Erm... it is on the county broadband system and yes I know that's an oxymoron in many senses but in order to resolve this mess I have to unravel it.

    > I'm sorry, I can't advise you do this unless you put in a separate box as your gateway (Smoothwall or ISA or whatever) < mops fevered brow >
    Ok... Understood but in all seriousness this is a mess and unless someone can explain how to uninstall the ISA system in the first place I'm not actually going to get past first base and get things moving.

    So far all I've gotten is a lot of "ouch... you're doing it wrong" about the overall structure and the decision to do the uninstall, instead of anyone actually answering the question asked in the first place.

    In all seriousness, for all I know the ISA isn't even working properly so what protection there is (or isn't) is an unknown.

    If nothing else this is convincing me to get a Smoothie box organised sooner than intended but let's just assume that's going to happen...

    So third time lucky... What do I need to worry about in terms of uninstalling ISA? Will it kill the DC? Cause corruption issues? etc...

  #10 contink
    Quote Originally Posted by SYNACK:
    > Do not remove ISA until you have a Smoothwall box in place otherwise you may as well just format the box now and be done with it as you will have zero protection from the internet. If you pull ISA you would need to reconfigure the box manually anyway with RRAS to act as a NAT device to allow it to forward traffic as it does not do this by default.
    I suspect we're actually firewalled within the county but ok... you've convinced me on the local firewall point.

    RRAS was on my list but I suspect it would be better to put in the Smoothie box as the gateway and avoid the server taking yet another role.

    > Once you have the Smoothwall setup as the gateway device and DHCP set to tell all clients to go via the Smoothwall then you should just be able to uninstall ISA. As long as you don't have any weird external mappings like hosted sites etc it should be fine. You will need to make sure to copy out any required mappings from ISA if you run externally available things like your own email server. This would be a simple case of copying it into the config of the smoothwall.
    Ok... thanks...

    > I have to agree with timzim, ISA on a DC is a canning factory of worms and is almost certainly why you have been having so many issues with it. It is a totally unsupported setup and Microsoft themselves can barely make it function on a fully integrated server under SBS. When installed as intended on a standalone box or VM (ISA 2006 or above unfortunately) it works really well and makes passing authentication and mapping stuff very simple.
    Yeah... Sadly, as already noted, I inherited this mess and given that it's standard LEA IT team policy here I should have realised it was a less than ingenious approach...

    So, one other question then...

    Were you in this position with a secondary server available (already a DC, FS and capable of taking over as Primary, DNS, DHCP, etc...) would you transfer the FSMO, and other roles across to that other server BEFORE trying to uninstall ISA?

    I'm guessing yes... and just to note the server, as is, is getting on for 6-8 years old now so I'm not wanting to keep it up as the ISA on its own either.

  #11 contink
    OK folks... just deep breathed and re-read the thread so apologies if the tone went into exasperation...

    As ISA is something I've not used myself it's not a system I've had to worry about much before. I'm not entirely sure why I assumed that county support would have done nothing daft when the indications to the contrary have been replete in the past.

    I shall take on board the point of putting up the new firewall in front before continuing with the uninstall and on reflection with the age of the gateway/ISA/DC server involved it's long overdue for being demoted anyway so I'll formulate a new plan for dealing with the whole thing..

    It will mean finding a new box to handle the smoothie role but with School Guardian on the cards anyway I suspect an ESXi machine with additional NICs is on the cards to make it all tidy without yet more unnecessary hardware.

    As much as anything I didn't want to accept this was a bigger job than first appeared but it looks like it's long overdue anyway, so painful re-think required.

  #12 timzim
    Quote Originally Posted by contink:
    > So third time lucky... What do I need to worry about in terms of uninstalling ISA? Will it kill the DC? Cause corruption issues? etc...
    Uninstalling ISA itself shouldn't cause corruption, assuming your server isn't already half compromised (sounds like it may be). However, removing ISA so that the DC is left unprotected will probably end up damaging not only the server but a lot else on the network. As I said earlier, we get all sorts of attacks on our system from WITHIN the LGfL (which I imagine is similar to your County system). It's supposed to be safe from outside attackers but that very fact makes people let down their guard and not bother with standard web defences, hence a good place for would-be hackers. You're only a benign primary school but within your County system you can bet there are plenty of non-benign users - try the local secondary school for a start...

    BTW there's no reason why an 8 year old server can't be used as an ISA server on its own. As you say, you've only 25 users on at any one time plus you already have the software/licence. I'd say it's an excellent use for an old server. Try isaserver.org for more info on how to set it up & use it.

  #13 SYNACK
    Quote Originally Posted by contink:
    > So, one other question then...
    >
    > Were you in this position with a secondary server available (already a DC, FS and capable of taking over as Primary, DNS, DHCP, etc...) would you transfer the FSMO, and other roles across to that other server BEFORE trying to uninstall ISA?
    >
    > I'm guessing yes... and just to note the server, as is, is getting on for 6-8 years old now so I'm not wanting to keep it up as the ISA on its own either.
    Yes, I'd transfer the roles over first and make sure it was all nicely replicated before proceeding if it is a possibility. Uninstalling ISA will most likely be fine in and of itself but in order to get it running convincingly on a DC there will have been many little reg hacks and random configurations. This may leave the machine in a less than perfect state and could require a bit of cleaning to keep things running smoothly, it should still work though. Given its age if you are keeping it in service as a secondary DC or something it would probably be best to do a fresh slipstreamed reinstall of the server OS on it anyway if you are moving all services off it. This should make it faster due to less update cruft and put it in a known good state with no silly hacks anywhere. You could then rejoin it to the domain as a secondary DC or use it for something else, as its that old you could even retire it.

    As you are in a separate county network the risks may not be quite as dire as first thought but all it would need is some random worm or something to wander past to make a mess so the move to the smoothwall for cache and protection is still a good move and putting the traffic through an appliance as you say is going to be reliable and much faster than trying to push it through the old server.
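    As an added example (mine, not SYNACK's or contink's), a PowerShell pre-flight check for the advice above: it confirms all five FSMO roles have landed on the secondary DC and that repadmin reports no replication failures before anyone touches the ISA uninstall. It assumes netdom.exe and repadmin.exe are available (Windows Support Tools on Server 2003, built in from Server 2008), that it runs as a domain admin, and the DC name is a placeholder.

```powershell
# Added example, not from the thread: pre-flight checks before uninstalling ISA
# from the old DC. Assumes netdom.exe and repadmin.exe are on the PATH and the
# session runs as a domain admin. The DC name below is a placeholder.
param(
    [string]$NewDc = 'DC2'   # placeholder: the secondary DC that should now hold every role
)

$problems = @()

# 1. FSMO roles: all five should already name $NewDc.
#    A typical netdom line looks like: "Schema master               dc2.school.local"
$dcPattern = '^' + [regex]::Escape($NewDc) + '(\.|$)'
$rolesSeen = 0
foreach ($line in (netdom query fsmo 2>&1 | ForEach-Object { "$_" })) {
    if ($line -match '^(\S.*?)\s{2,}(\S+)\s*$') {
        $rolesSeen++
        $role = $Matches[1]; $holder = $Matches[2]
        if ($holder -notmatch $dcPattern) {
            $problems += "FSMO role '$role' is still held by $holder"
        }
    }
}
if ($rolesSeen -lt 5) {
    $problems += "netdom listed only $rolesSeen FSMO roles; check the command ran cleanly"
}

# 2. Replication health: repadmin's CSV output gives one row per partner and partition.
$links = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
if ($links.Count -eq 0) {
    $problems += 'repadmin returned no replication links; check the command ran cleanly'
}
foreach ($link in $links) {
    if ([int]$link.'Number of Failures' -gt 0) {
        $problems += ('Replication {0} <- {1} [{2}]: {3} failures, last status {4}' -f
            $link.'Destination DSA', $link.'Source DSA', $link.'Naming Context',
            $link.'Number of Failures', $link.'Last Failure Status')
    }
}

# 3. Verdict: only proceed with the ISA uninstall when nothing above complained.
if ($problems.Count -eq 0) {
    Write-Output "All FSMO roles are on $NewDc and no replication failures were reported; carry on with the ISA uninstall."
} else {
    Write-Output 'Do not uninstall ISA yet:'
    $problems | ForEach-Object { Write-Output "  - $_" }
}
```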

  #14 contink
    Quote Originally Posted by timzim:
    > Uninstalling ISA itself shouldn't cause corruption, assuming your server isn't already half compromised (sounds like it may be). However, removing ISA so that the DC is left unprotected will probably end up damaging not only the server but a lot else on the network. As I said earlier, we get all sorts of attacks on our system from WITHIN the LGfL (which I imagine is similar to your County system). It's supposed to be safe from outside attackers but that very fact makes people let down their guard and not bother with standard web defences, hence a good place for would-be hackers. You're only a benign primary school but within your County system you can bet there are plenty of non-benign users - try the local secondary school for a start...
    Yeah... The need to step away and revisit the problem with a fresh perspective was useful, albeit hard to stomach at first... consider me chastened.


    > BTW there's no reason why an 8 year old server can't be used as an ISA server on its own. As you say, you've only 25 users on at any one time plus you already have the software/licence. I'd say it's an excellent use for an old server. Try isaserver.org for more info on how to set it up & use it.
    If I had the time, and frankly, the inclination to make use of it that way I probably would but in fairness I'm thinking more in terms of using it as a secondary DC.

    Most likely I'll go with Synack's suggestion of moving everything then decommissioning it before reinstalling it fresh as a secondary DC and backup FS as it still has its tape drive, etc...

    Despite appearances to the contrary I do appreciate the input... (well, eventually)
