removal of ISA from AD domain
  • removal of ISA from AD domain

    Hi guys.. I'm not sure if this is the most apropos forum, so if it belongs in another area, accept my sincere apology and move it as needed, mods. Thanks...

    So I have this network at a small school. I had nothing to do with the setup, but I know it currently isn't working out. Being that they have a crappy infrastructure (CAT5, not even e; daisy-chained Netgear switches; mixed-mode devices 10/100 & 10/G servers/clients/routers; etc.), I am trying to make the most of what they have. So while 'go buy new stuff' is a viable answer that would solve the problem, that isn't an option.

    As it stands, they use an old Dell server as an IAS box. It is slow and isn't even equipped with gig ports. So what I would like to do is remove it as an IAS server and replace it with a dedicated UTM device. I have decided on EFW, as I am familiar with it and can implement/manage it.

    So here is the problem.. they have policies that determine the amount of access they have. The IAS is acting as a firewall and content filter for the campus... thing is, I'm not super familiar with IAS.

    Long story long... can I just stop IAS, drop in a new EFW/Smoothwall box and change the DHCP-issued gateway address to reflect the new EFW? I'm just not sure what would happen with the policies if there is all of a sudden no more IAS.

    I'm rambling.. but I think I got my question out there. Lastly, has anyone ever done something like this before? Do you have any tips, experiences, caveats, horror stories or the like you would like to share?

    Thanks for taking the time to read this far, and thanks in advance for any input.

    James
    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...

  • #2
    Re: removal of IAS from AD domain

    Do you mean IAS (Internet Authentication Services), i.e. a RADIUS server, or ISA (Internet Security and Acceleration) Server? The reason I ask is I didn't think IAS could do firewall and content filtering (might be wrong!), but ISA most certainly can.

    I'm pretty sure from the context and your question about gateway devices that it is ISA Server, but wanted to confirm first.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: removal of IAS from AD domain

      Thank you for the correction.. it's important that you get the acronyms correct, otherwise people might think you don't know what you're doing.

      Yes, I meant ISA. My bizzle...

      So now that we have that out of the way and we're all on the same page, does anyone have any prior experience with something of this nature?

      I'm thinking that I just delete the policies that deal with the ISA and internet access/authentication, remove the proxy settings from the logon script and replace the gateway...

      A second question... can I just add the box at a new address (not the old address of the ISA) and manually configure my client IP/network settings to verify the new gateway works with(out) the policies, then switch the box? Does that make sense?

      Thanks for the correction, Cruachan. Props.

      James



      • #4
        Re: removal of IAS from AD domain

        No worries.

        I've done a few similar moves in SBS networks, as SBS 2003 Premium came with ISA 2004 and SBS 2008 and higher removed that option.

        You need to check the client config prior to removing ISA Server. They will be configured either as Firewall Clients (the client software will be installed and will show in the system tray of the client machines) or as Web Proxy clients (using the ISA Server as a proxy in the browser), and will need to be told not to do that anymore.

        Standard config for Web Proxy is either via GPO or via WPAD (Windows Proxy Auto-Discovery), either of which is simple to remove. You mentioned a login script; simply removing this from a test machine should have the same effect. Internet access will work through ISA Server as a SecureNAT client provided that authentication is not turned on.

        No issue with adding the new gateway straight away and testing it; probably a sensible approach, to be honest, if you have stringent security requirements to enforce, which I certainly would in a school.



        • #5
          Re: removal of IAS from AD domain

          Thread title edited
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: removal of IAS from AD domain

            Originally posted by Ossian:
                Thread title edited
            Much obliged. Thank you, sir!

            Cruachan:

            Alright, I see. Yes, the proxy settings are handled via a VBS script. It basically accomplishes the same thing as the client would handle... with the difference being that the servers (that is plural because I refer to all the servers) were incorrectly set up, because if the client is used the proxy doesn't work. You must either manually configure it or allow the logon script to fill in the blanks (for those less IT-savvy than others).

            And I was thinking that a two-gateway change-over would be the thing to do... like if I could get the Smoothwall box up and verify that it functions correctly without a problem via the policy (which I don't think will affect my situation), then I can simply enable DHCP on the red interface and remove the old... thereby having a system that I know will work and minimal downtime on the network.

            Thank you for your input and brainstorming with me. That was a big help!

            James



            • #7
              Re: removal of ISA from AD domain

              I just thought I would give an update and let people know what the deal was and what happened, just in the event that others may benefit...

              I went concurrent with the change-over. I did this by placing a router in between the demarc and the ISA. A DHCP server was enabled on the router, allowing 2 IPs that were NATed for external access.

              Two ports were connected to the RED interfaces (I guess ISA calls it the external connection; Smoothwall and EFW call it a RED interface) on the ISA and the Smoothwall box. This allowed the new Smoothwall box to begin processing traffic (and updating prior to implementation) and also allowed the ISA-configured clients to access the internet till the change was complete.

              Once the policy was defined and the filtering enabled and configured (correctly), I began the change-over...

              Created A records (and associated PTR, default) for the new gateway host name...

              Modified the logon script to correctly reflect the IP of the new proxy..

              Waited till most everyone was gone and then in DHCP > IPv4 > Configure Scope > 003 Router > smoothwall/10.10.2.5 to update the default gateway address issued by DHCP.

              Pushed a reboot command to all the client computers, allowing them to renew their lease and thereby update the proxy information. I had to manually configure the servers, but there are only 3 here, so not difficult...

              The next day I verified that ISA is not processing traffic for anyone anymore. I see that there are no connections to the ISA except 127.0.0.1, so I'm good.

              Stopped ISA, removed services and application.

              Disconnected the connection from the demarc and bypassed the router to directly connect the Smoothwall to the internetz. ifconfig on the Smoothwall to renew the RED interface connection and voilà! No more ISA.

              Hope that helps anyone that inherits an ISA 2004 box with no history or notes.

              Enjoy, and thanks to all that helped!

              J
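As an added example (not James's script or anything posted in the thread), a read-only PowerShell check of the cutover state post #7 describes: the A record for the new gateway, DHCP option 003 for the client scope, the proxy the logon script left in this user's profile, and on the old ISA host whether anything other than loopback still has sessions open. It assumes the DhcpServer and DnsClient modules (Server 2012 or later RSAT); the DHCP server name, scope ID and proxy port are placeholders, and on a Server 2003-era ISA host `netstat -n` gives the same view as the last function.

```powershell
# Added example, not from the thread. Read-only checks for the change-over in post #7.
# Assumes the DhcpServer and DnsClient modules; server/scope/port values are placeholders.
function Test-GatewayCutover {
    [CmdletBinding()]
    param(
        [string]$GatewayName   = 'smoothwall',              # host name used in the thread
        [string]$GatewayIp     = '10.10.2.5',               # address used in the thread
        [string]$DhcpServer    = 'DHCP-SERVER-PLACEHOLDER', # assumption: the AD DHCP server
        [string]$ScopeId       = '10.10.2.0',               # assumption: the client scope
        [string]$ExpectedProxy = '10.10.2.5:8080'           # assumption: what the logon script writes
    )
    $results = @()

    # 1. The A record created for the new gateway must resolve to the new address.
    $a = Resolve-DnsName -Name $GatewayName -Type A -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'DNS A record'; Expected = $GatewayIp
        Actual = ($a.IPAddress -join ','); Pass = ($a.IPAddress -contains $GatewayIp) }

    # 2. DHCP option 003 (Router) must hand out only the new gateway; a stale second
    #    entry would leave some clients defaulting to the old ISA box.
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
           -OptionId 3 -ErrorAction SilentlyContinue
    $routers = @($opt.Value) -join ','
    $results += [pscustomobject]@{ Check = 'DHCP option 003 Router'; Expected = $GatewayIp
        Actual = $routers; Pass = ($routers -eq $GatewayIp) }

    # 3. The proxy the logon script wrote into this profile must point at the new box, and
    #    no PAC/WPAD URL may be left behind to steer browsers back to ISA.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $results += [pscustomobject]@{ Check = 'Client proxy'; Expected = $ExpectedProxy
        Actual = "$($ie.ProxyServer) (ProxyEnable=$($ie.ProxyEnable))"
        Pass = ($ie.ProxyEnable -eq 1 -and $ie.ProxyServer -eq $ExpectedProxy) }
    $results += [pscustomobject]@{ Check = 'No PAC/WPAD URL'; Expected = '(none)'
        Actual = "$($ie.AutoConfigURL)"; Pass = [string]::IsNullOrEmpty($ie.AutoConfigURL) }
    return $results
}

# Run on the old ISA host itself: the check post #7 did by eye. Any established session
# from an address other than loopback means some client is still using the box.
function Get-IsaRemainingClients {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        Group-Object RemoteAddress |
        Select-Object @{ Name = 'RemoteAddress'; Expression = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

Test-GatewayCutover | Format-Table -AutoSize
```

A row with Pass = False names the step of the procedure that did not take; an empty result from Get-IsaRemainingClients is the "nothing but 127.0.0.1" state the post treats as safe to stop ISA.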



              • #8
                Re: removal of ISA from AD domain

                Train Signal have an EXCELLENT Lab in learning ISA 2004 that has been made by David Davis.

                I watched it over a weekend, then installed and configured it on the Monday morning with the boss leaning over my shoulder. Took less than an hour. A GREAT tutorial by David.
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2
