ISA 2004 Domain controller question

Is it really that bad to have ISA running on the same box as the domain controller?  I hear conflicting opinions.  I haven't had a problem yet.  I'm not sure why it would matter but I'd like to get another take on it.
Asked: hmcnasty
1 Solution
 
Keith Alabaster (Enterprise Architect) commented:
This depends on how you are using ISA.

For example, SBS2000/2003 comes with ISA server (premium versions) and therefore sits on a DC anyway.

If you are using ISA on non-SBS systems but in a firewall mode, you should not have ISA on a DC in best practice. ISA (in a firewall mode) should be dedicated to running ISA services. To make it run as a DC as well requires many ports to be opened to allow dns, dhcp, pc, kerberos etc to talk to other controllers and the internal networks.

If you are using ISA in a proxy mode then it being on a DC is not so much of an issue.

Regards

Keith
ISA MCT
 
hmcnasty (Author) commented:
Keith ,

Thank you, I found out the hard way it does matter.  Up until today I've been using SBS 2003 on most of my clients and ISA works great, so I assumed in a Server 2003 enterprise environment I could run ISA on the AD Exchange box.  Oh boy did it mess things up; none of the built in policies worked.  It wouldn't even give out DHCP after I installed it.  I had to create a rule for everything.  It sucked. BUT ....I moved it on its own box and I am happy to say I am off and running.  I will however have a few questions about policies though.

Thank you very much.

Wes
 
Keith Alabaster (Enterprise Architect) commented:
No problem Wes. If you are ever in the position where you literally have no choice.....

Click the firewall policy and look at the top of the screen. You will see a row of icons; select the last one (it toggles the system policy as visible/invisible). This will display another 17-18 rules for the system policy. This is where you would make the amendments for all the various connotations. As I said, it can be done but it's yukky :)

Regards

Keith
 
hmcnasty (Author) commented:
I'll tell you one I can't get is VPN outbound. I have clients I VPN into and I can't get it to go out. My rule: allow PPTP all networks to external allusers.  I figured that would do it.

W
 
Keith Alabaster (Enterprise Architect) commented:
Open the GUI.
Click on monitoring - logging - start query.
try the connection.
What do you see in the log?
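Keith's advice is to run the logging query and read what the firewall log says about the failing connection. As an added example, not part of the thread and not ISA's own tooling, the script below parses a log in W3C extended format (the layout ISA 2004 writes: `#Fields:` header, tab-separated data lines) and pulls out the denied entries for one client and the rules that denied them. The sample log, the column names (`c-ip`, `cs-protocol`, `r-ip`, `r-port`, `action`, `rule`) and the IP addresses are constructed for this example; take the real column list from the `#Fields` header of your own log.

```python
from collections import Counter

# Constructed sample in W3C extended log format, loosely modelled on the
# ISA 2004 firewall log. Field names and values are invented for this
# example; read the real column list from the #Fields header of your log.
SAMPLE_LOG = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2004\n"
    "#Version: 2.0\n"
    "#Fields: date time c-ip cs-protocol r-ip r-port action rule\n"
    "2006-01-10\t09:15:01\t10.0.0.25\tPPTP\t203.0.113.10\t1723\tDenied\tDefault rule\n"
    "2006-01-10\t09:15:02\t10.0.0.25\tHTTP\t198.51.100.7\t80\tAllowed\tAllow web\n"
    "2006-01-10\t09:15:04\t10.0.0.25\tPPTP\t203.0.113.10\t1723\tDenied\tDefault rule\n"
    "2006-01-10\t09:15:05\t10.0.0.30\tDNS\t10.0.0.1\t53\tAllowed\tInternal DNS\n"
)


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive.

    Directive lines start with '#'. The #Fields directive is space separated,
    while data lines are tab separated (the layout ISA writes).
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def denied_for_client(records, client_ip, protocol=None):
    """Denied entries for one client, optionally narrowed to one protocol."""
    return [
        r for r in records
        if r["action"] == "Denied"
        and r["c-ip"] == client_ip
        and (protocol is None or r["cs-protocol"] == protocol)
    ]


def blocking_rules(records):
    """Count (rule, protocol) pairs that produced a denial; the first thing to check."""
    return Counter(
        (r["rule"], r["cs-protocol"]) for r in records if r["action"] == "Denied"
    )


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for (rule, proto), n in blocking_rules(recs).most_common():
        print("%-8s denied %d time(s) by rule %r" % (proto, n, rule))
    for r in denied_for_client(recs, "10.0.0.25", "PPTP"):
        print("%(date)s %(time)s %(c-ip)s -> %(r-ip)s:%(r-port)s %(action)s" % r)
```

If the denials are attributed to the default (deny) rule, no access rule matched the traffic. Since PPTP needs both the TCP 1723 control channel and GRE (IP protocol 47), the log entry for the component that was denied tells you which part the rule's protocol definition does not cover.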
