I would say the approach discussed below is one of the easiest ones, and it has worked for me most of the time. So when we have ISA Server 2006 Enterprise Edition and want to install it in a workgroup scenario, we need to follow certain steps for this typical setup.
Let us assume that we have two servers, both Windows 2003 SP2, in a workgroup. We will install ISA Server 2006 Enterprise Edition on them; we will have the CSS (Configuration Storage Server) on one and make both of them firewall nodes.
Some Basic requirements before we start
1. In a workgroup environment we need to use a DNS suffix to get an FQDN for the servers, e.g. if we had names as follows:
Server1: Isaserver1
Server2: Isaserver2
If we use the DNS suffix contoso.com on both servers then the names would be:
Server1: Isaserver1.contoso.com (will have CSS installed on it)
Server2: Isaserver2.contoso.com
2. We need a server authentication certificate on the server which is going to act as the CSS server, i.e. Isaserver1.contoso.com. You can install the Certification Authority that comes with Windows 2003 on the CSS server itself and then issue it a server authentication certificate; on Isaserver2.contoso.com we need to put the Certification Authority's root certificate in the computer's trusted root certificate store.
RootCA certificate
Server Authentication certificate
3. Assuming we have dual-NIC servers, in the TCP/IP configuration the internal network card should not have a default gateway configured, but the external network card should have one.
4. Create mirrored user accounts on both nodes. They are not required to be local administrators. Mirror accounts are user accounts which are identical and are created on all the array members.
5. On Isaserver1.contoso.com create a hosts file entry for Isaserver2.contoso.com resolving to its internal NIC IP address, and similarly on Isaserver2.contoso.com create a hosts file entry for Isaserver1.contoso.com resolving to its internal NIC IP address. This manual name resolution is very important, as without it you won't be able to join Isaserver2.contoso.com to the array.
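Step 5 is the one most often skipped, so here is an added check (example code, not from the original post) that parses a hosts file the way Windows reads it and confirms that the peer's FQDN maps to its internal NIC address and nothing else. The hosts contents and addresses are constructed for the example.

```python
import ipaddress


def parse_hosts(hosts_text):
    """Map each name in a hosts file (lower-cased) to the IPs listed for it, in file order.
    Text after '#' is a comment; blank lines and lines with an invalid address are skipped."""
    mapping = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(fields[0])
    return mapping


def check_peer_entry(hosts_text, peer_fqdn, peer_internal_ip):
    """Step 5 check: the peer's FQDN must map to its internal NIC address, and only to that.
    Returns None when the entry is right, otherwise a description of what is wrong."""
    ips = parse_hosts(hosts_text).get(peer_fqdn.lower(), [])
    if not ips:
        return f"no hosts entry for {peer_fqdn}: the name cannot be resolved and the array join fails"
    if ips[0] != peer_internal_ip:   # the first matching line is the one that is used
        return f"{peer_fqdn} resolves to {ips[0]}, expected internal NIC address {peer_internal_ip}"
    if len(ips) > 1:
        return f"{peer_fqdn} has {len(ips)} entries ({', '.join(ips)}); keep only the internal address"
    return None


# Constructed hosts file for Isaserver2.contoso.com; the addresses are made up for the example.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.0.0.11       Isaserver1.contoso.com    # internal NIC of the CSS, not its external address
"""

if __name__ == "__main__":
    print(check_peer_entry(SAMPLE_HOSTS, "Isaserver1.contoso.com", "10.0.0.11"))   # None
```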
Note: the screens I am posting here are the important ones, as it would be very difficult to post all the screens of the installation wizard.
Installation...
1. Start the ISA Server installation on Isaserver1.contoso.com, beginning with the CSS server role.
Choose workgroup deployment
Here you need to browse and select the server authentication certificate file as shown above. Then complete the installation of the CSS server role. Then create a new array and give it a name of your choice. Then in the properties of the array, under the Configuration Storage tab, change authentication to SSL authentication.
2. We can now install the firewall service on Isaserver1.contoso.com.
Choose the CSS server to connect to
and then join the array created after the installation of the CSS.
During the installation of the ISA services we will get a prompt within the wizard asking how the node should authenticate to the CSS server, and we choose SSL as follows:
Then complete the installation of the ISA server services on Isaserver1.contoso.com following the directions in the wizard.
3. Then start the installation of the ISA Server services on Isaserver2.contoso.com, connect to the CSS server and join it to the same array using the same method as described above for the ISA Server services on Isaserver1.contoso.com, i.e. step 2.
4. Now in the array properties go to the Intra-Array Authentication tab and use the mirror account created earlier for authentication.
As a result we have ISA Server 2006 in a workgroup environment with the CSS on one server and both servers acting as firewall nodes. But there is an important point to remember in the workgroup scenario: we cannot have an additional CSS server in a workgroup scenario.
A variation of the above scenario is possible. Above we have only two nodes and one of them also acts as the CSS server; instead, we can put the CSS on an altogether different server and have two dedicated firewall nodes.
In this scenario we would follow the above steps, making sure we have the server authentication certificate and the Root CA certificate on the CSS server and that the other two nodes have the Root CA certificate. Then on the designated CSS server install the CSS only, and on the nodes install the ISA firewall services. So everything stays the same except that the CSS is on a different server.
Another variation could be that the CSS server is in a domain but the firewall nodes are in a workgroup. This is also considered a workgroup model, and in this case we can have an additional CSS server; all the other workgroup scenario requirements are the same as discussed above.
You can also refer to the following article for more information: http://technet.microsoft.com/hi-in/library/cc302483(en-us).aspx
Take care
Suraj singh
Let us say you have the CSS on Isaserver1.contoso.com, which also has the firewall service on it, i.e. it is acting both as CSS server and firewall node, and you have another node Isaserver2.contoso.com which is acting as a firewall node only. This ISA Server array is part of a domain called contoso.com. We plan to configure a CSS replica on Isaserver2.contoso.com, but when we do that and start the installation of the CSS replica on Isaserver2.contoso.com we get the error "setup failed to install ADAM in replica mode (0x80074e46)".
We get this error if we have not added the new CSS replica, i.e. Isaserver2.contoso.com, to the Replicate CSS server group in the system policy at the enterprise level. So we need to edit the system policy at the enterprise level, add the FQDN and the IP of the new CSS replica to the Replicate CSS server group, then save and apply the settings. Then install the CSS replica and it will install successfully, as shown below.
Getting the error "Authentication over SSL encrypted channel with the configuration storage server could not be verified. To apply the configuration to ISA server computers, a certificate named ISAserver4.contoso.com must be installed on the configuration storage server"
You might see this error when you enable SSL authentication in the CSS tab of the array properties. In this case the CSS name is "ISAserver4.contoso.com" but the server authentication certificate used on the CSS server is issued to "Isaserver4", so the name does not match. We need to use a certificate which is issued to ISAserver4.contoso.com.
After using a certificate which is issued to "ISAserver4.contoso.com" it works fine.
In this blog and the following posts I will discuss troubleshooting various ISA Server scenarios. I welcome people who work on ISA servers day in and day out and deal with different issues.
The idea is to discuss the issues faced and how we resolved them, and the different methods of achieving the same end result, and in this process share knowledge with each other.
There are various types of issues, as we all know, beginning with installation, CSS synchronising with nodes in Enterprise Edition, and publishing different services through ISA Server, e.g. web services, Exchange services etc.
We all know in what scenarios ISA Server is used, so the discussion may not be about that; however, a few words about it would be a good idea. ISA Server is used both as a firewall and as a proxy server. Depending on the requirements of the users/admins/network it can be used the way you want. But there are certain configurations which are not supported, and these are listed in the article http://technet.microsoft.com/en-us/library/cc302678.aspx. I will start with ISA Server installation issues in my next post. Till then, happy blogging.
Take care,
After discussing the installation of ISA Server 2006 in a workgroup scenario, I am starting on the installation issues of ISA Server 2006 Enterprise Edition in a workgroup scenario.
Let us assume we have two servers with Windows 2003 SP2; we will have the CSS on one and firewall services on both of them, exactly as per my post on the installation of ISA Server in a workgroup scenario.
But let's say that when we are about to join the second node, Isaserver2.contoso.com, to the array, we get the error "Connection to specified Configuration storage could not be established" with error code 0x8007203a, error description: The server is not operational.
The best thing to do is to check the steps mentioned in my article: has any of those steps been skipped or missed during installation?
If not sure, then:
1. You can use a tool called ldp that comes with the Windows Support Tools. Install the Windows Support Tools on Isaserver2.contoso.com, then open ldp and connect to Isaserver1.contoso.com (i.e. the CSS server) on port 2172 with the SSL box checked. If this test fails, try to connect on port 2171 without SSL. If this test also fails, we can rule out the possibility of certificates causing the issue and focus on the connectivity between the two nodes.
2. While checking connectivity, we can start with name resolution. We can start by pinging Isaserver1.contoso.com from Isaserver2.contoso.com and see if the name gets resolved to the IP address of Isaserver1.contoso.com. In the above scenario, I removed the entry in the hosts file for Isaserver1.contoso.com on Isaserver2.contoso.com, so I got "host name not found" as the result of the ping. After putting this entry back in the hosts file, Isaserver2.contoso.com was able to resolve the name of Isaserver1.contoso.com and connect to the CSS server, and I was able to join the node to the array and complete its installation. As a variation of this, sometimes name resolution is working but connectivity between the two nodes is missing. Then we have to follow a different approach altogether to get the connectivity back and then move on (I will talk about the connectivity variation in a different post).
3. There are situations when you are able to connect using ldp on port 2171 from Isaserver2.contoso.com but not on port 2172 with SSL. In that case repeat the ldp connect steps from the CSS server, i.e. Isaserver1.contoso.com, to itself and see if you can connect using port 2172 with SSL. If yes, then the server authentication certificate is correct and the SSL part is functional; if not, the issue could be related to the certificates. Things you would like to check regarding the certificates on the CSS server are:
a. Check the server authentication certificate first.
b. To whom is this certificate issued, and does it match the name of the CSS server, i.e. is it issued to Isaserver1.contoso.com?
c. Is this certificate expired? What is the validity period of this certificate?
d. Does this certificate have the private key?
e. Who is the Issuing Certificate Authority?
f. Then check the certificate of the issuing Certificate Authority and its validity period.
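The two ldp tests above, checklist items b and c, and the name-mismatch and missing-root-CA cases in the other posts on this page, as an added Python example that is not part of the original post: probe_css does a TCP connect to the CSS on 2171 and then an SSL connect on 2172 trusting only the root CA file you give it, and check_css_certificate reports whether the presented certificate is issued to the CSS FQDN and is in date. The CSS host, FQDN and root CA file path are parameters you supply.

```python
import socket
import ssl
import time

CSS_LDAP_PORT, CSS_LDAPS_PORT = 2171, 2172   # ports from the post: ADAM LDAP and LDAP over SSL


def issued_to(cert):
    """Names a getpeercert()-style dict is issued to: subject CN plus any DNS SANs."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def check_css_certificate(cert, css_fqdn, now=None):
    """Checklist items b and c: issued to the CSS FQDN, and in date? Returns a list of problems.
    Item d (private key present) can only be checked in the certificate store on the CSS itself."""
    now = time.time() if now is None else now
    problems = []
    names = issued_to(cert)
    # Matching is case-insensitive, but a certificate issued to 'Isaserver4' still fails the FQDN.
    if css_fqdn.lower() not in (n.lower() for n in names):
        problems.append(f"issued to {names}, not to {css_fqdn}")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"expired on {cert['notAfter']}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"not valid before {cert['notBefore']}")
    return problems


def probe_css(css_host, css_fqdn, root_ca_file, timeout=5):
    """The two ldp tests: TCP connect on 2171, then SSL on 2172 trusting only root_ca_file."""
    results = {}
    try:
        with socket.create_connection((css_host, CSS_LDAP_PORT), timeout=timeout):
            results["2171"] = "ok"
    except OSError as exc:                 # name resolution or connectivity, not certificates
        results["2171"] = f"failed: {exc}"
        return results
    ctx = ssl.create_default_context(cafile=root_ca_file)   # rejects a chain not ending in this root
    ctx.check_hostname = False             # the name is reported by check_css_certificate instead
    try:
        with socket.create_connection((css_host, CSS_LDAPS_PORT), timeout=timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=css_fqdn) as tls:
            results["2172"] = check_css_certificate(tls.getpeercert(), css_fqdn) or "ok"
    except OSError as exc:                 # ssl.SSLError is an OSError; covers an untrusted root CA
        results["2172"] = f"failed: {exc}"
    return results
```

A "failed" result on 2171 points at name resolution or connectivity, a "failed" on 2172 with a verify error at the root CA in the node's trusted store, and a list of problems at the server authentication certificate itself.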
There are variations to this issue depending on which component was missing or not configured as required; I will discuss those either by adding to this post or by creating a new one. Till then,
Take care guys
The scenario is the same as mentioned in the post on installation of ISA Server in a workgroup.
Getting the error "An attempt to establish an SSL channel with the Configuration Storage server computer failed."
Error code=0x8007003a
Error description= The specified server cannot perform the requested operation.
This can happen if you have not installed the root certificate of the issuing authority, i.e. the Certification Authority, in the computer's trusted CA store on the server. So the first thing to check in this scenario is whether the root CA certificate is installed in the trusted CA certificate store. If yes, then check that it is correct and not expired.
If the CA certificate is correct, then we can use a tool called ldp that comes with the Windows Support Tools: install the Windows Support Tools on Isaserver2.contoso.com, then open ldp and connect to Isaserver1.contoso.com (i.e. the CSS server) on port 2172 with SSL.
If the above test fails, repeat the ldp connect steps from the CSS server, i.e. Isaserver1.contoso.com, to itself and see if you can connect using port 2172 with SSL. If yes, then the server authentication certificate is correct and the SSL part is functional; if not, the issue could be related to the certificates. Things you would like to check regarding the certificates on the CSS server are:
I will discuss variations of this scenario in my coming posts.
Regards,
Friends, I am starting a different series on installation issues when ISA Server is part of a domain, although the workgroup part is not over, as that is an ongoing series and I will keep adding to it. I wanted to discuss some interesting issues when you install ISA Server in a domain.
I would welcome your views and comments regarding this...