ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.


Thursday, March 29, 2007

ISA and Windows 2003 SP2

The ISA team has blogged about some issues affecting ISA after an installation of Windows 2003 SP2. The original post is here.

ISA Server and Windows Server 2003 Service Pack 2

Recently Microsoft released Service Pack (SP) 2 for Windows Server 2003 (http://www.microsoft.com/technet/windowsserver/sp2.mspx). We tested ISA Server with the Windows service pack quite extensively. Unfortunately we discovered after the release of the Windows service pack that there are several issues that have potential ill-effects on ISA Server. This blog summarizes the currently known issues, and suggestions on how to mitigate those issues.

1. If you run ISA Server 2004 Enterprise Edition with or without the ISA Server SP2, you must install ADAM SP1 on the ISA Server Configuration Storage Server prior to installing the Windows Server 2003 SP2. ADAM SP1 can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en. If you install Windows Server 2003 SP2 without first installing the ADAM SP1, ISA Server will not start after the installation, and you will have to uninstall Windows Server 2003 SP2. Further information is available in the Windows Server 2003 SP2 release notes, at http://technet2.microsoft.com/WindowsServer/en/library/ed5382af-e819-4d33-ace0-225d31b7ab751033.mspx?mfr=true .

2. If you run ISA Server 2000, 2004 or 2006 Standard or Enterprise editions on a multi-core / multi-processor 32-bit computer, and the CPU is heavily utilized, you might experience performance degradation in certain deployment scenarios after installing Windows Server 2003 SP2. The issue stems from a change in interrupt handling introduced in SP2. To correct the issue you must download and run the Interrupt Affinity Tool (intfiltr) available in Windows Server 2003 resource kit (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en). You can read about installation and usage of intfiltr.exe in http://support.microsoft.com/kb/252867.

3. If your network adaptors (NICs) support receive-side scaling (RSS), then in certain NAT scenarios ISA Server 2000, 2004 or 2006 Standard or Enterprise editions might not transfer packets from one NIC to the other after installation of Windows Server 2003 SP2. To correct the issue you must disable RSS support - follow the instructions in http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695.

Neta Amit
Program manager
ISA Server Sustained Engineering Team

6 Comments:

At 9:21 AM, Anonymous Anonymous said...

Hi Amy,

I hope you can help me, I'm really in a pickle...

I have got an ISA 2004 installed on a 2003 Small Business Server. Then I have got Exchange on a separate member server.

The SBS server is my DC and ISA sits on this box too. Now, the Exchange box sends traffic on port 389 (LDAP) and 3268 (LDAP GC) to authenticate between the two servers. This traffic between the two internal servers is being blocked. I traced it to the system policy (I think). As far as I can see, under Authentication services / Active Directory, the system policy is only sending out requests, but not allowing anything into the localhost. I have tried creating a new access rule, but no luck... it still denies all this traffic into the ISA box. How can I correct this? I am really ready to kick ISA in the nuts.

Thanks!!

Rudi Groenewald
rudi.groenewald@hotmail.com

 
At 9:35 AM, Blogger Amy - Harbor Computer Services said...

Hey Rudi,

Sorry I didn't see your plea for help earlier. A better way to reach me is on the blog home page.

Being an SBS server, you've got a series of pre-configured rules plus the system policy. The system policy defines what is allowed to reach the ISA server itself. The firewall policy defines what is allowed to pass through the ISA server. Since ISA is on your DC and Exchange is behind ISA, you'll need to look at both rule sets.

 
At 9:05 AM, Anonymous Anonymous said...

Hello

Regarding updating ADAM for ISA 2004: does this need to be done even when ADAM is running on another server, i.e. not on the ISA server?

 
At 9:20 AM, Anonymous Anonymous said...

Hi All,

I have installed SP2 on an ISA 2004 with SP3. I have had no problems so far.

Rgds,

Neil

 
At 6:14 PM, Anonymous Anonymous said...

Hi all,

I hope someone can help me, I have big troubles.

I have got an ISA 2004 installed on a 2003 Small Business Server. Now, the server does not start up after one hour of restart. The server is a domain controller.

If someone has some idea to resolve this issue, please let me know.

Alexia

 
At 8:47 AM, Blogger Amy - Harbor Computer Services said...

It is not very effective to post for help on a blog comment. I would suggest calling Microsoft PSS support or posting to the newsgroups.

Alexia - Your problem is most likely not ISA related but rather part of the patching-reboot issue that is going around. Typically some services will have to be started manually and/or the server will require a second reboot.

 
