isa 2006 - array query

hi ive configured my isa 2006 member server and all internal users receive internet access as normal.

ive run: msbpa and their is a configuration issue with my internal nic 1 - it mentions about 'array' and not sure if i should be installing this as ive been reading about 'array' and it was referring to 2 x isa and i only have 1 x isa!!

eventviewer - firewall has stopped

qns 1.  can anyone help ?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You can have only one ISA. You need not have 2 ISA's if you are worried about it.
I think that the problem is related to not having a network being defined in the Configuration-----------> Network tab...
Can you verify that all your network sets are added to the Proper Network tabs?
mikey250Author Commented:
hi yes i realise that i can have 1 nic instead of 2 nics, but i will stick with 2 nics to learn for the time being as will need to know!!!:)

ive attached some screenshots!

im not even sure if this can actually effect my remote vpn ie locating files on server!!!!uuumm
I am sorry but what is the exact problem and what help are you seeking for?
I am not getting your issues.
Can you explain a bit about it.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

mikey250Author Commented:
im not sure how to rectify the nic issue.  other experts have said my configuration is correct and they could not see where nic issue was!!

ive attached a screenshot.:)
I saw the message earlier. But is it causing any problems to any of your clients?
This error occurs at times when there are inconsistencies between the network defined in the Network Object of ISA and network route of windows.
But that should not be any problem to the users if you have defined the networks that the clients are assigned to, properly in the ISA.
If you are worried about it, can you tell what the IP Range 10.x.x.x is used for?
Also, can you post result of Route Print from Command prompt and all the Networks that are added to the ISA Configuration?
mikey250Author Commented:
hi although yes my clients do have internet access.

yes i am concerned about how to put it right!!!

my isa/internal range is: - - set in isa and nothing else
my isa/external is: - address does (not) change although allocated via my netgear router box/built-in dhcp.  ipconfig /all on isa shows correctly isp internet ip addressing as expected.

yes i have done 'route print' and i have nothing set except for default settings/configured settings that appear ok to me!! ive attached!:)

as a result the 'firewall switches' off in 'eventviewer' and not sure what impact this has!!
Go to ISA console:
In the networks tab, what are the Networks defined in the NIC Card?
If the address do not match the ones in the route  print in windows then the error like the one you are getting is shown.
About the firewall, are you talking about the windows firewall?
ISA has its own in-built firewall which is appropriate for protection and you can disable or stop the Windows Firewall service all together without worrying.
mikey250Author Commented:
hi abhishek1986, my laptop had an issue but resolved now!!

regarding the 'firewall policy' i was referring to isa!!

i will look at network tab and compare!!

thanks for responding!!:)
I am sorry, but do you mean ISA Firewall, or the Windows firewall service in ISA Machine?
If ISA firewall is down, the clients won't get internet access at all, so it can not be down, since you are saying that clients are getting their net connections just fine.
mikey250Author Commented:
hi apologies for taking a while to come back.:)

no you mis-interpret as my main thread has a 'screenshot' attached of the error.  ive attached again and yes my internal users have internet access but this nic issue i have not got a clue what needs changing possibly in 'network rules' i assume!!!
Keith AlabasterEnterprise ArchitectCommented:
I do not believe you have 'printed  the internal nic address sets placed within the ISA GUI before - if you had I would have pointed out immdediately that they are wrong.

I have also referred you to my article on EE regarding the basic setup of windows prior to ISA install and the initial ISA configuration/setup itself.

ISA MUST have the network ID and the broadcast address included therefore the internal nic addresses within the ISA gui network address tab would be - (as I believe I pointed out in other questions for you).

If you have excluded the .255 and the .0 address then the broadcast address of the internal LAN will be seen as an attack - so put it right.

Run up the ISA2006 best practice analyser on the ISA box. Let's see what you've got.
You can download it here.
mikey250Author Commented:
hi keith originally im sure i did have it set as: -, unless maybe i had done: - and changed it again but issue was still there.  i will put back as suggested network id - 0 & broadcast address 255 and reboot machine & run msbpa again!!

yes i did read that article as saved!!!
Keith AlabasterEnterprise ArchitectCommented:
Don't need to reboot. :)
mikey250Author Commented:
hi keith, oh well i did reboot anyway as it was just a double-check!:)

no this change did not make a difference ie now: -

it states in msbpa: "isa server detected routes through the network adapter lan2 (which is my external address) that do not correlate with the network to which this network adapter belongs.  when networks are configured correctly the ip address ranges included in each array-level network must include ip address ranges but are not routable through any of the networks adapters: -".

i understand what it means but not even sure after the change you suggested that i need some specific 'static' route although we did discuss this on a previous thread and you did suggest that it maybe something to do with my 'virgin media hardware provided ie: netgear router although the only thing i can think of is maybe the firmware, but i have spoken with my isp and they have said it is upto date.

other than the 'built-in dhcp on my netgear router box that has allocated a 'private address' to my isa/external nic, which stays the same as nothing else is plugged in and nothing else has been configured on netgear except for default settings. (dont forget my isa does detect my isp 'public addresses' via isa/external so that is not an issue as client machines have internet access as normal.

I just wanted to find out once and for all what this nic issue was and how to put it right!

i have also noticed when completing an isa 2006 fundamentals online/video practical course i have noticed intermitantly the 'firewall service' failing and rectifying itself so whether this is because of my nic query im not sure, but on reading i did not see any explanation to explain anythying other than what the 'msbpa' detected!
Keith AlabasterEnterprise ArchitectCommented:
You are wrong - it has made a difference as, that setting at least, is now correct.

Static routes are not relevant to ISA. Static routes are for routing and this is undertaken as the OS level, ISA is not a router and therefore is not relevant to the ISA bpa.

I assume your external router's dhcp is only set with a mask, not a
mikey250Author Commented:
when doing my isa 2006 fundemantal course it shows an option in configurations for 'ip routing' that is 'ticked' acting like a router of sorts in 'kernel mode' which is the 'core' of the 'os' due to 2 networks ie internal/external and improves performance.

but if 'ip routing' is turned off it forces the comms up a little higher in the 'osi model' via the isa software which is supposed to slow the comms a little.

although it can be disabled for some other specific requirement although the course does not alloborate on exactly what!!

i have prior to this removed the 'ip routing tickbox', but the nic configuration still showed so i re-added the 'tick' as it is the default setting anyhow!

yes my netgear external router/built-in dhcp is set with a class c:

i assumed when you have used 'isa' that you did not get this error & so why do i ?
Keith AlabasterEnterprise ArchitectCommented:
I have around 800+ installations of ISA Server and Forefront TMG under my belt, am a Microsoft Certified Trainer for the two products and have been an Microsoft MVP for them since 2004 so yes, I guess that qualifies and you can say 'I have used ISA'...

I have never had to enable IP routing in anything on an ISA or an FTMG box - there has never been a need. I control routing from the OS and the ISA from the ISA.

What else is on the outside of the ISA external nic - are there ANY other devices (of ANY kind) that could be set to use ANYTHING on the 10.x.y.z network?

Is there ANYTHING on the internal network of ANY kind that could be using a 10.x.y.z ip address that is NOT in the - range?
mikey250Author Commented:
hi keith i dont doubt you as just trying to increase in depth knowledge but linking my understanding as also completed that fundamental course which prompted a question or 2 but understood the rest as was practical!!:)

either way adding 'ip routing or not' does not resolve the 'nic array' issue that appears in the 'alerts' tab and so wanted to get rid of it once and for all.

the isa/external nic via a cross-over cable is plugged into my hardware netgear router box.  which according to my isa course it states that while the isa is a firewall it also states as it explains and shows how deep the isa can dig into applications of the 'os' for eg and protect and that also adding a hardware firewall on the outside to the internet is preferred.

so other than that nothing at all as just the 'coaxial' cable via my netgear router box direct to internet!!  all other ports are unused!

note: when changing the internal address range to: - in isa2006/configuration/network/network rules tab - it appeared to make changes everywhere else & in firewall policy when i checked!

all my machines are in use for this specific network design so once ive completed my tasks i can then delete and re-install and configure/connect for a new design so know as each of my machines all have 'static' addresses via my dhcp as also added manually except for my single xp host pc.

while im currently working on this specific issue and to save on my electric i have switched off my:

- wds server
- wsus server
- xp host pc

switched on:

- master dc/ad/dns/dhcp server
- isa2006/internal/external server
- netgear router box (hardware)
- cisco layer 2 switch

nothing else!

im just wondering even though my client xp pc and all servers currently have internet access still, is there something ive added additional that has caused this 'nic array' 'alert'..
mikey250Author Commented:
hi keith i appreciate you maybe busy but wanted to know if you had anymore ideas for the network array issue i have even though i have only 1 isa and just jogging your memory from passed comments from you: ?

- isa/internal is set to: -

- isa external is set with my (hardware netgear router box) via built-in dhcp - - direct to the internet.

- isa external - does already detect my isp public addresses as normal and via 'ipconfig /all'

- intermitantly isa firewall looses connectivity in the 'alerts tab', but re-syns itself and brings it back online.

- clients have internet access
mikey250Author Commented:
hi keith i even 're-installed/re-configured' the 'dhcp relay agent', thinking this would resolve my issue of still receiving 'nic array issue' even though im only using 1 x isa 2006 server & all hosts still have access to the internet!!
mikey250Author Commented:
im in the middle of configuring a new network and i have added another server which i will install isa 2006 and i can then check if i get that same 'array' issue.  if i do get it i will update this thread and allocate points as normal.  as long as it appears my configurations are ok from what i did before.

so i appreciate your input 'keith'!!!
mikey250Author Commented:
hi keith, i have not forgotten about this thread just letting you know im still configuring my network and when i get to this part i will check and see if the 'nic array' issue still shows.  either way if it does i will (close) this thread and allocate you the points anyway!!
mikey250Author Commented:
hi keith just to let you know that 'array nic' issues has not re-appeared over these last few days and it appears basically i had not allowed all updates to be installed.  so job done!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mikey250Author Commented:
although it appears i had not installed all relevant updates on my isa, it appears this did the trick but either way the responses i got were definately good troubleshooting methods.  appreciated!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.