ISA 2004 Domain controller question

Is it really that bad to have ISA running on the same box as the domain controller? I hear conflicting opinions. I haven't had a problem yet. I'm not sure why it would matter, but I'd like to get another take on it.

hmcnasty asked:
Keith Alabaster (Enterprise Architect) commented:
This depends on how you are using ISA.

For example, SBS2000/2003 comes with ISA server (premium versions) and therefore sits on a DC anyway.

If you are using ISA on non-SBS systems but in a firewall mode, you should not have ISA on a DC in best practice. ISA (in a firewall mode) should be dedicated to running ISA services. To make it run as a DC as well requires many ports to be opened to allow DNS, DHCP, RPC, Kerberos etc. to talk to other controllers and the internal networks.

If you are using ISA in a proxy mode then it being on a DC is not so much of an issue.

Regards

Keith
ISA MCT
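As an added example (not from the thread), the check a defender would want for the co-location Keith warns about: is this host a domain controller, is the firewall service running on it, and which DC-role ports (the DNS, DHCP, RPC and Kerberos he names, plus LDAP, SMB, kpasswd and the global catalog) are listening on every interface and so also on the external NIC. It assumes the Microsoft Firewall service is named `fwsrv` and a Server 2012+ host with the NetTCPIP module; the Server 2003 era box in the thread would need `netstat -ano` parsing instead.

```powershell
# Added audit script (not from the thread): flags a DC that also runs the
# firewall service and lists DC-role ports bound to all addresses.
# Assumption: the Microsoft Firewall service short name is 'fwsrv'.
param(
    [string]$FirewallServiceName = 'fwsrv'
)

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDc = $cs.DomainRole -ge 4

$fw         = Get-Service -Name $FirewallServiceName -ErrorAction SilentlyContinue
$isFirewall = ($null -ne $fw) -and ($fw.Status -eq 'Running')

# Ports a DC must expose to other controllers and to clients
$dcPorts = @{
    53   = 'DNS';  67  = 'DHCP'; 88  = 'Kerberos'; 135 = 'RPC endpoint mapper'
    389  = 'LDAP'; 445 = 'SMB';  464 = 'Kerberos kpasswd'; 636 = 'LDAPS'
    3268 = 'Global catalog'
}

# Sockets bound to 0.0.0.0 / :: listen on every NIC, the external one included
$anyAddr = @('0.0.0.0', '::')
$tcp = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in $anyAddr } |
    Select-Object -ExpandProperty LocalPort
$udp = Get-NetUDPEndpoint |
    Where-Object { $_.LocalAddress -in $anyAddr } |
    Select-Object -ExpandProperty LocalPort
# @() keeps single results as arrays so '+' concatenates instead of adding
$open = @($tcp) + @($udp) | Sort-Object -Unique

$exposed = foreach ($p in ($dcPorts.Keys | Sort-Object)) {
    if ($open -contains $p) {
        [pscustomobject]@{ Port = $p; Service = $dcPorts[$p] }
    }
}

# Summary object: ColocationRisk is the situation the thread advises against
[pscustomobject]@{
    ComputerName       = $cs.Name
    IsDomainController = $isDc
    FirewallRunning    = $isFirewall
    ColocationRisk     = ($isDc -and $isFirewall)
    DcPortsOnAllIfaces = ($exposed | ForEach-Object { "$($_.Port)/$($_.Service)" }) -join ', '
}
```

Run it on each candidate host; a `ColocationRisk` of `True` with a non-empty port list is the setup that forced the system-policy edits described later in the thread.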
hmcnasty (author) commented:
Keith,

Thank you. I found out the hard way it does matter. Up until today I've been using SBS 2003 on most of my clients and ISA works great, so I assumed in a Server 2003 enterprise environment I could run ISA on the AD/Exchange box. Oh boy, did it mess things up; none of the built-in policies worked. It wouldn't even give out DHCP after I installed it. I had to create a rule for everything. It sucked. BUT... I moved it onto its own box and I am happy to say I am off and running. I will however have a few questions about policies though.

Thank you very much.

Wes
Keith Alabaster (Enterprise Architect) commented:
No problem Wes. If you are ever in the position where you literally have no choice.....

Click the firewall policy and look at the top of the screen. You will see a row of icons; select the last one (it toggles the system policy as visible/invisible). This will display another 17-18 rules for the system policy. This is where you would make the amendments for all the various connotations. As I said, it can be done but it's yucky :)

Regards

Keith
hmcnasty (author) commented:
I'll tell you one I can't get is VPN outbound. I have clients I VPN into and I can't get it to go out. My rule: allow PPTP, all networks to external, all users. I figured that would do it.

W
Keith Alabaster (Enterprise Architect) commented:
Open the GUI.
Click on Monitoring - Logging - Start Query.
Try the connection.
What do you see in the log?