In the following scenario, the Windows operating system may not run correctly after installing ISA Server 2004 Service Pack 3:

1. ISA Server 2004 is installed on a computer which is a member of an Active Directory domain.
2. The Enterprise Admins group (which exists by default on the Active Directory root domain)  has been assigned any of the following roles:

· ISA Server 2004 Enterprise Edition: ISA Server Enterprise Administrator role

· ISA Server 2004 Standard Edition: ISA Server Full Administrator role

     3. You install ISA Server 2004 Service Pack  3  and restart the computer.

For the cause and the resolution, check out the ISA Firewall Team blog at:

https://blogs.technet.com/isablog/archive/2007/10/...3.aspx

Also, you might see the same problem after installing the ISA 2006 Supportability Update. Check out https://blogs.technet.com/isablog/archive/2007/10/...5.aspx for a solution

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Have you seen this since installing ISA 2004 SP3 or the ISA 2006 supportability update?

If so, then go to the ISA Team Blog and find out how to fix it!

https://blogs.technet.com/isablog/archive/2007/10/...s.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Wanted to pass on some information that you might want to know about:

Please join us for the third annual Mark Minasi Technical Forum Meeting. We will once again be meeting in beautiful Virginia Beach, VA to learn new technologies, share ideas, and meet the people that have become our online friends.

Hosted by Mark Minasi and organized by Eric B. Rux, this meeting will have in depth talks on Windows Server 2008, Exchange 2007, Windows Home Server (WHS), Windows Vista as well as other hot topics. You won’t want to miss this!!

• Dates: Sunday, April 20th 2008 through Wednesday, April 23rd. We recommend that you fly in on Saturday.
• Location: Virginia Beach Resort & Conference Center
• Costs:  hotel, airfare, meals and $450 registration fee
• Talks
• Speakers
• Link to register (it’s a “seminar registration” page but you’ll see the Forum meeting as an option)
• Link to pay with credit card if you’ve already registered but didn’t pay when you registered

Conference homepage: http://www.minasi.com/forummeet2008/

This is an inexpensive conference and the topics listed so far look very interesting. You might want to put this one on your calendar for next year!

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Another hit for Jason Jones and Jim Harrison!

“Think this is sorted now.

I needed to disable the “apply session timeout to non-browser clients” in the advanced form options for the web listener that was shared for OWA and ActiveSync. If you follow the built-in wizards, this option is disabled by default for any listener that is selected for ActiveSync use - that’ll teach me!

Thanks to Jim Harrison for the pointers!

“You don’t want the FBA timeout applied to EAS clients.
The folks in Exch, WM6 and ISA all agreed that a wide-open 30-minute timeout was good for  battery life.  If you close that sooner, the client has to re-authenticate.” “

So there you go — those wizards do bear magic!

For the complete thread, go here:

http://forums.isaserver.org/m_2002045198/mpage_1/k...053976

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Internet Security and Acceleration (ISA) Server 2006 Supportability Update provides enhanced troubleshooting tools, and improved log viewer functionality to ISA Server 2006 Standard Edition and Enterprise Edition. We strongly recommend customers install this supportability update on all computers running ISA Server 2006.

ISA Server 2006 Supportability Update can be installed directly on computers running ISA Server 2006, and includes:

• All software updates issued since ISA Server 2006 was released to manufacturing.
• Improved log viewer functionality, including an enhanced details pane view, text coloring, and new log filtering functionality.
• Updated ISA Server Microsoft Management Console (MMC) snap-in functionality that provides access to troubleshooting tools and options available directly from the ISA Server Management console.
• Integration with the Microsoft ISA Server Best Practices Analyzer Tool. For more information, see http://go.microsoft.com/fwlink/?LinkId=79754.
• New diagnostic logging functionality.

Download the new supportability update at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

I’ve been saying for the last eight years that the ISA Firewall must not be installed on a domain controller. No matter how often I told people that installing the ISA Firewall on a DC is not supported, they continued to do it because there was no official statement from Microsoft regarding this issue.

Well, last Friday was a glorious day and the good guys won!

Check out the new addition to the unsupported scenarios:

http://www.microsoft.com/technet/isa/2004/plan/uns...lation

ISA Server 2004 and ISA Server 2006 Should Not be Installed on a Domain Controller

Problem: Installation of ISA Server 2004 on a domain controller is not supported unless the installation is performed as part of the Small Business Server 2003 Premium Edition Service Pack 1 installation, or the management wizards. Installing Isa Server 2006 on a domain controller or Small Business Server is not supported.

Cause: Not supported.

Solution: No workaround.

Because of this, we will call the first Friday in September of each year ISA Firewall Freedom Day to commemorate this great victory! If you run ISA Firewalls in your company, make sure to inform your boss that you should get this day off next year, as it’s an international holiday

Thanks!

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

GFI is inviting you to try out the new GFI WebMonitor 4 for ISA Server and writing a short review of its features. The five best reviews, judged by this thread’s moderator, will be awarded with a retail 6GB USB pocket hard drive - no strings attached!

The software to be reviewed
GFI WebMonitor for ISA Server lets you to control your Internet users’ browsing habits through web categorization and web filtering. GFI WebMonitor also provides the functionality to monitor downloads in real-time and to protect your network from viruses, spyware, malware and phishing attacks.

Besides the original solution, separate WebFilter and WebSecurity editions are available also. For more info please visit http://www.gfi.com/webmon.

The objective
Download a trial version of GFI WebMonitor 4 for ISA Server here, try out its features and post a short (300-500 word) review within the thread at: http://forums.isaserver.org/m_2002052885/mpage_1/k...052885

Prize winners
If your review is selected as being one of the five best ones, you will be contacted directly via the email address which is registered in your ISAserver.org message boards account!

Deadline
The competition ends on Friday October 12, 2007.

Have Fun!

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

From Jim Harrison and confirmed by Jason Jones:

No; I’m saying that if CIO-JerkyBoy is intent on a no-prompt user experience, Amy will have to:

1. configure his OL to use NTLM (you probably overlooked this one) and point it to the oa.domain.tld listener
2. create two listeners for Exch; one for OA and another to support FBA / Basic
3. create separate DNS records for the two listeners (yes; now they have to use “oa.domain.tld” and “EveryFreakinOtherExchServiceCuzTheCioIsAJerkyBoy.domain.tld”)
4. configure the OA ISA listener for Integrated authentication
5. configure the non-OA listener for FBA
6. build two rules appropriate to the two listeners and point them both to the same Exchange CAS or farm

For detailed instructions on how to configure KCD with an Exchange 2003 in a FE/BE configuration:

http://www.isaserver.org/tutorials/Configuring-ISA...1.html

You can use that information to configure your Exchange 2007 CAS configuration, the general principles are the same. Or maybe you can wait to the Exchange Team puts out guidance, but don’t hold your breath

For more information on how to set SPNs in an environment that differs from my example network in the KCD article I wrote, check out Stefaan Pouseele’s article at:

http://blogs.isaserver.org/pouseele/2006/11/16/pre...ation/

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

You need a hotfix. You know it’s not your fault and you know that the hotfix will fix the problem. You haven’t misconfigured the software, you haven’t stolen the software, and you’re not trying to run a hork mode firewall (I had to throw that one in )

How do you get the hotfix without having to sit on the phone? Send an email request! Yes, you can request hotfixes over email. Just head on over to:

https://support.microsoft.com/contactus2/emailcont...hotfix

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

One thing you can never take for granted is that the overwhelming majority of “writers” and especially “journalists” don’t know which end eats when it comes to the subjects they write about. I’m sure you’ve noticed this when you read newspaper articles about subjects they you’re very well acquainted with and find that the “journalist” has completed misinterpreted the facts or just got them blatently wrong.

I ran into this today at http://rcpmag.com/features/article.aspx?editorials...d=1780

This article is supposed to be about Symantec and Microsoft, but I really wasn’t interested in that. What I was interested with this:

“Perhaps more intriguing for enterprise partners, though, is the battle emerging for the systems-management side of the security market. Microsoft, as it so often does, is pitching product and platform integration as a major selling point for Forefront, which includes a client-security offering and components for Exchange Server, SharePoint Server and Office Communications Server, as well as Internet Security and Acceleration (ISA) Server 2006, a gateway server designed to protect against Internet-based threats. Partners can sell each of the components separately or sell them together as a package.”

Hey dumb*ss journalist, guess what? The ISA Firewall isn’t a “gateway server” anymore than Check Point is a “food server”. No the ISA Firewall is a FIREWALL. And one the most secure FIREWALLS on the market today.

Why don’t these “journalists” do just a little bit of research before they go making fools of themselves? If you do a Google Search on ISA Firewall you get 2,220,000 hits, providing strong evidence that the ISA Firewall is a firewall. Maybe that’s why we call it the ISA Firewall?

Wow, everything is starting to make sense again…

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)