ISA Firewall Freedom Day Declared
I’ve been saying for the last eight years that the ISA Firewall must not be installed on a domain controller. No matter how often I told people that installing the ISA Firewall on a DC is not supported, they continued to do it because there was no official statement from Microsoft regarding this issue.
Well, last Friday was a glorious day and the good guys won!
Check out the new addition to the unsupported scenarios:
http://www.microsoft.com/technet/isa/2004/plan/uns...lation
ISA Server 2004 and ISA Server 2006 Should Not be Installed on a Domain Controller
Problem: Installation of ISA Server 2004 on a domain controller is not supported unless the installation is performed as part of the Small Business Server 2003 Premium Edition Service Pack 1 installation, or the management wizards. Installing ISA Server 2006 on a domain controller or Small Business Server is not supported.
Cause: Not supported.
Solution: No workaround.
Because of this, we will call the first Friday in September of each year ISA Firewall Freedom Day to commemorate this great victory! If you run ISA Firewalls in your company, make sure to inform your boss that you should get this day off next year, as it’s an international holiday.
Thanks!
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

John Says:
September 10th, 2007 at 12:09 am
So it’s not supported, big deal! It doesn’t say it will not work 100% and it will eat your hard drive. If there is a compelling technical reason for not installing ISA on a DC, then you can have your freedom day.
Tom Shinder Says:
September 10th, 2007 at 4:58 am
Not supported means not supported, means poor practice, means atrocious security decision, means do so at your own risk, means don’t blame Microsoft when you get pWnD.
Jahad Says:
September 10th, 2007 at 2:30 pm
Great News - However, my boss did not go for the international holiday time off.
Jeff Says:
September 11th, 2007 at 1:59 pm
What do you do if you only have a single server scenario?
Crc64 Says:
September 12th, 2007 at 12:44 am
If you have only one physical server, then use virtual machines
It’s a really bad scenario to place ISA on something. It must be standalone, otherwise you will get some headaches when ISA locks down.
Ricky Magalhaes Says:
September 12th, 2007 at 10:26 am
I agree with Tom, it’s extremely poor practice. If you only have one server, that is poor practice too, as you have no resilience for the solution. At the very minimum there should be two DCs; having only one in a commercial environment is introducing problems.
Many people may disagree, but at the end of the day the fact remains that best practice is there to be followed by those that have the budget and that want their systems to work as intended.
Poor practice is another story; no one will thank you for implementing a shoddy solution.
RM
Phil Says:
September 14th, 2007 at 11:43 am
I am confused about something. You wrote an article dated June 20, 2006 that discusses ISA server Domain membership and from what I read you are recommending the Domain.
Am I missing something?
Tom Shinder Says:
September 15th, 2007 at 8:16 am
Hi Phil,
Yes, you are missing something.
The ISA Firewall SHOULD be a domain member for security reasons.
However, the ISA Firewall MUST NEVER be installed on a domain controller.
HTH,
Tom
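The two rules in Tom’s reply (domain member: yes; domain controller: never) can be turned into a quick placement audit. This is an added example, not code from the post or from ISA Server itself; it assumes the documented Win32_ComputerSystem DomainRole values (4 and 5 mean a DC) and assumes the ISA firewall service is registered under the name fwsrv, which you should confirm on your own build.

```powershell
# Added example (not from the original post): report whether this host is a
# domain controller, whether it is a domain member, and whether the ISA
# firewall service is present, then give a verdict based on the support rules.
# Assumptions: Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC
# (documented WMI values); the ISA "Microsoft Firewall" service is assumed to
# be named "fwsrv" - verify that name against your own installation.

function Get-IsaPlacementReport {
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $isDc = ($cs.DomainRole -eq 4) -or ($cs.DomainRole -eq 5)

    # Look for the ISA firewall service without throwing if it is absent.
    $isaSvc       = Get-Service -Name 'fwsrv' -ErrorAction SilentlyContinue
    $isaInstalled = ($isaSvc -ne $null)

    $verdict = 'OK'
    if ($isaInstalled -and $isDc) {
        # The combination the support statement rules out.
        $verdict = 'UNSUPPORTED: ISA firewall is installed on a domain controller'
    } elseif ($isaInstalled -and -not $cs.PartOfDomain) {
        # ISA is present but the box is a workgroup member, not a domain member.
        $verdict = 'WARNING: ISA firewall host is not a domain member'
    }

    New-Object PSObject -Property @{
        ComputerName       = $cs.Name
        DomainRole         = $cs.DomainRole
        IsDomainController = $isDc
        PartOfDomain       = $cs.PartOfDomain
        IsaServicePresent  = $isaInstalled
        Verdict            = $verdict
    }
}

# Run locally (an admin session is needed to query services and WMI reliably).
Get-IsaPlacementReport | Format-List
```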
Alex Says:
September 17th, 2007 at 1:02 pm
Hello.,
I have ISA on a Domain Controller, because it is the only spare computer that I have. The only things that don’t work are the WINS server and W32Time Service, and I have some issues with the internal network cards; besides that, I don’t have any problems with it, but soon I will buy another computer to make it the right way…
Alex
vitalhostage Says:
September 18th, 2007 at 2:38 pm
I think the placement of ISA servers appears to be a slightly nefarious issue because often it is misconstrued as being a service and not necessarily a server within people’s networks, and thus people decide on its placement without giving proper consideration to the fact that it is a fundamental firewall product. People seem to be swayed into thinking that ISA just needs to sit on a Windows server somewhere and not on a dedicated server. Hence why unknowing IT admins and managers suggest putting ISA onto servers where they have room to fit it, rather than try to justify the expense to the board that we need this on a new dedicated piece of hardware. This is why there are responses to the start of this thread stating that they have ISA working on a Domain Controller and it’s all OK. It’s a bit like dousing yourself in petrol and then deciding to have a cigarette. Yes, it’s possible, but is it a good idea? Let me know from the burns unit whether it was getting flamed by your boss that put you there, or your favourite brand of tobacco.
pie8ter Says:
September 24th, 2007 at 6:59 am
Vitalhostage,
I couldn’t agree with you more!
If Microsoft is serious about their firewall product, they would integrate ISA with the operating system itself and offer it as an edition. The operating system should be optimized for the firewall. This means no Outlook Express, Minesweeper, Paint, Solitaire and all the unnecessary programs. MS should include IE lite (like Firefox) with a very little footprint.
If it wasn’t for people like Dr. Shinder and others in this forum, I seriously doubt that this “add-on” MS firewall product would be as widely used as it is now.
sammi Says:
October 1st, 2007 at 10:20 pm
I vaguely remember discussion about ‘installing ISA in a separate domain with a trust’ as being more secure. Would appreciate some help here please. Should this have been ‘installing ISA on a server that is not a domain controller in a separate domain’?
Tom Shinder Says:
October 2nd, 2007 at 5:42 am
Hi Sammi,
No! The trusted domain gambit is not more secure. In fact, it probably is less secure overall because of the complexity. Also, the support statement is what it says — you must not install the ISA Firewall on a DC. Yes, the ISA Firewall should be a domain member of your user domain, but the ISA Firewall should not be installed on a DC.