Solved

ISA 2004 Domain controller question

Posted on 2006-07-19
5
324 Views
Last Modified: 2013-11-16
Is it really that bad to have ISA running on the same box as the domain controller?  I hear conflicting opinions.  I havn't had a problem yet.  I'm not sure why it would matter but I'd like to get an another take on it.
0
Comment
Question by:hmcnasty
  • 3
  • 2
5 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 17145363
This depend on how you are using ISA.

For example, SBS2000/2003 comes with ISA server (premium versions) and therefore sits on a DC anyway.

If you are using ISA on non-SBS systems but in a firewall mode, you should not have ISA on a DC in best practice. ISA (in a firewall mode) should be dedicated to running ISA services. To make it run as a DC as well requires many ports to be opened to allow dns, dhcp, pc, kerberos etc to talk to other controllers and the internal networks.

If you are using ISA in a proxy mode then it being on a DC is not so much of an issue.

Regards

Keith
ISA MCT
0
 

Author Comment

by:hmcnasty
ID: 17146753
Keith ,

Thank you I found out the hard way it does matter.  Up until today I've been using SBS 2003 on most of my clients and ISA works great so I assumed in a Server 2003 enterprise environment I could run ISA on the AD Exchange box.  Oh boy did it mess things up none of the built in policies worked.  It wouldn't even give out DHCP after I installed it.  I had to create a rule for eveyting .  It sucked. BUT ....I moved it on it's owns box and I am happy to say I am off and running.  I will however have a few questions abotu policies though.

Thank you very much.

Wes
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17146938
No problem Wes. If you are ever in the position where you literally have no choice.....

Click the firewall policy and look at the top of the screen. You will see a row of icons; select the last one (it toggles the system policy as visible/invisible). This will display another 17-18 rules for the system policy. This is where you would make the amendments for all the various connotations. As i said, it can be done but its yukky :)

Regards

Keith
0
 

Author Comment

by:hmcnasty
ID: 17147068
I'll tell you one I can't get is VPN outbound I have clients I VPN into and I can 't get it to go out. My rule: allow PPTP all networks to external allusers.  I figured that would do it .

W
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17149000
Open the gui.
Click on monitoring - logging - start query.
try the connection.
What do you see in the log?
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now