Domain functional level for ISA 2006?


  • Domain functional level for ISA 2006?

    Evening all,

    I have a query regarding ISA 2006 (Standard, although I think this applies to Enterprise too) as a domain member.

    I've been looking into this for a while and until tonight hadn't really found anything particularly helpful. Now I've found two sources of information, which seem to contradict each other...

    Basically, my question is this. ISA 2006 as a domain member requires a domain functional level of 2003. Does that mean the level must be 2003, or must be 2003 or higher?

    This post on the forums at isaserver.org says yes, and since that's coming from a forum moderator, I would assume that means he has at least some experience with ISA. That is also backed up by this article, which says yes, and links to a pair of TechNet articles. Trouble is, they both imply that the answer is no - this one for Standard and this one for Enterprise. Confused.com? Me too. Better go compare the meerkat...

    Can anybody please let me know whether or not ISA 2006 can be installed as a domain member in a Server 08-level domain? There'll be a in it for you

    Since upgrading the functional level can't be undone without restoring from a backup, if possible I would appreciate it if you could provide a link to some documentation supporting your answer if the answer is yes

    We're not running ISA yet, but we are planning to implement it soon. We're currently running at the 2003 level with 2008 DCs, but we would benefit from upgrading due to the requirements of some software we're looking to put in place...

    Let me know if you need any more details

    Thanks
    G
    Last edited by gforceindustries; 10th September 2009, 22:08.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: Domain functional level for ISA 2006?

    Yes, ISA can be a member of a Windows 2008 domain. It doesn't matter which functional level your domain is running.
    As long as ISA 2006 is installed on Windows 2003 32-bit OS.
    If possible, you also might hold the implementation of ISA server and wait for TMG. TMG is currently planned for Q4 this year, and it's the next generation of ISA server.
    TMG will run on Windows 2008 64-bit

    So, the articles you mentioned from Microsoft TechNet are incomplete or aren't updated (bad Microsoft).
    Anyway I haven't seen any issues with it.

    Edit: Note, ISA can't be installed on Windows 2008 or a Windows 2003 64 bit OS. However being a domain member of 2000+ AD environment is no problem at all.
    Also see this blog:
    http://blogs.technet.com/yuridiogene...rver-2008.aspx

    For what functionality are you going to implement ISA server and what clients do you have?
    Last edited by Dumber; 10th September 2009, 22:37.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Domain functional level for ISA 2006?

      I'd be inclined to believe elmajdal, he's also a member here and an edge security MVP. Haven't seen him around in a while though.

      3) Can I join an ISA Server 2006 to a Windows Server 2008 Domain?

      Yes you can. We will update the articles below with that info:

      http://technet.microsoft.com/en-us/l.../bb794821.aspx

      http://technet.microsoft.com/en-us/l.../bb794807.aspx
      That's from the blog you linked and I read that as the Technet links have never been updated since Server 2008 was released.

      We're in the process of migrating ourselves, we've got a physical and a virtual ISA but haven't decommissioned the 2K3 DCs yet. However the virtual ISA is only temporary - it'll be replaced with Forefront TMG when it's RTM'd which should be some time this quarter.

      I've got a virtual ISA at home left over from my exam practices, I can't remember what the test domain DC is though. If it's 2K8 I'll bump the level and let you know what happens.
      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
      Cruachan's Blog



      • #4
        Re: Domain functional level for ISA 2006?

        Well I'm sure it works.
        ISA isn't AD dependent, it doesn't do any schema updates or whatsoever like Exchange does.
        Marcel


        • #5
          Re: Domain functional level for ISA 2006?

          I don't see any reason why it wouldn't, I was in the middle of typing my post when you posted so didn't see it till after.

          Even in the very unlikely event there was a problem you could just make it a workgroup server and use RADIUS for authentication anyway, at least until TMG is out.
          Cruachan's Blog


          • #6
            Re: Domain functional level for ISA 2006?

            Originally posted by Dumber View Post
            Yes, ISA can be a member of a Windows 2008 domain. It doesn't matter which functional level your domain is running.
            As long as ISA 2006 is installed on Windows 2003 32-bit OS.
            Thanks yes, our gateway currently runs 2003 x86.

            Originally posted by Dumber View Post
            If possible, you also might hold the implementation of ISA server and wait for TMG. TMG is currently planned for Q4 this year, and it's the next generation of ISA server.
            TMG will run on Windows 2008 64-bit
            It's most likely that we will - we have Software Assurance on the licences. Plus while the current gateway *works*, the hardware spec really isn't that great, so ISA performance wouldn't be spectacular. It's also probably coming to the end of its serviceable life. It's a Dell PE SC420 that we got from Ebay for 20, that was originally intended to be used just for experimenting. There's a new server in the budget for January which will have 2008 and TMG installed - with the addition of more staff in the factory though we really want to get a proper web filter in place.

            Originally posted by Dumber View Post
            For what functionality are you going to implement ISA server and what clients do you have?
            We mainly want it to filter our users' web browsing - we're using OpenDNS at the moment as there was a need for an immediate solution to a problem (who we fired a few days later). It's _OK_ but it does have its limitations.

            Other than that, we'll use it as the edge firewall and VPN endpoint instead of the current RRaS. And caching is always a bonus too.

            Regarding clients, everyone is on a domain-joined machine. The laptop users connect over VPN when they're offsite, but 99% of the time they're in the office. Out of the office, they use IE to access the web, so we would need laptops to go through the proxy while they're in the office, and not when they're on the road. And we also want to be able to generate reports showing who's accessing what. We'll be looking in more detail later on at what the best implementation scenario is. While I have experimented, various problems have cropped up and I'm too busy for it to be a priority really. Which is a shame, as I'm keen to gain experience in ISA.

            Originally posted by cruachan View Post
            I've got a virtual ISA at home left over from my exam practices, I can't remember what the test domain DC is though. If it's 2K8 I'll bump the level and let you know what happens.
            Thanks, would be interesting to see if you spot any problems. I wouldn't expect any though, since Marcel I believe is pretty experienced with ISA himself

            Originally posted by Dumber View Post
            ISA isn't AD dependent, it doesn't do any schema updates or whatsoever like Exchange does.
            Aye. Always worth checking though my boss has a habit of firing me from time to time (there's a good working atmosphere in this office - where else can you take the piss out of the General Manager )

            Thank you both for your replies - while I always make a point of backing up before changes like this, I am now a lot more confident about going ahead with the upgrade

            Edit:

            Originally posted by cruachan View Post
            Even in the very unlikely event there was a problem you could just make it a workgroup server and use RADIUS for authentication anyway, at least until TMG is out.
            Also true. We're undecided at present whether or not we want it to be a domain member or not. Pros and cons either way.
            Last edited by gforceindustries; 10th September 2009, 23:22.
            Gareth Howells



            • #7
              Re: Domain functional level for ISA 2006?

              I'm personally in favour of ISA being a domain member, this article at isaserver.org is well worth a read.

              I wouldn't expect too many issues regarding the hardware, ISA doesn't need too much in the way of resources. Caching requires a bit more but still not huge amounts compared to most things.

              One thing to note is that web filtering, or at least easy to maintain web filtering, is not built into ISA. You can do things like have URL sets for blocked sites but really you need a third party add-on for effective web filtering.

              Lastly you'll probably want to look at WPAD for the laptop users so they can auto-detect the proxy in the office and not use one out of it. You can configure everyone as SecureNAT, but as you mentioned logging web traffic then having the clients as Web Proxy is much better.
              Cruachan's Blog


              • #8
                Re: Domain functional level for ISA 2006?

                Thanks for the tip. I've printed it and put it on the pile... working probably straight through until 5pm tomorrow to get things done tonight

                Officially I'm leaving the company tomorrow. Unofficially, I still work here until pay day though. Plus as my boss is in Italy for most of next week, I'm covering IT in case there's a problem, plus it gives me more time to finish projects. Which is good, as I'm trying to get them to take me on again next year once I finish at Uni. I think I'll be asked to come back in at various points over the next year for the larger projects though, since none of the candidates we interviewed for my job have any real experience in being the only member of IT staff. Or in some cases, no real experience
                Gareth Howells



                • #9
                  Re: Domain functional level for ISA 2006?

                  The best way is to make sure that the ISA server is domain joined. The link about it was already provided by cruachan so I'm not going to repeat it

                  About the capacity of the machine, well you might be surprised. I don't know the specs of your current machine but you can calculate it. Microsoft has a nice nifty flash site which helps you out calculating it:
                  http://www.microsoft.com/isaserver/capacityplanner.swf

                  Another thing cruachan mentioned is the WPAD implementation. I really really recommend you to use that. The biggest advantage is that when a notebook user wants to start using the Internet from home, they don't need to change their proxy settings. The only thing you need to set in IE (or whatever you use) is the "automatically detect settings" option. The browser will try to look up the WPAD entry in either DNS or DHCP. If he can't find it, he will try a direct connection.

                  Setting the clients as a Web proxy client is nice, but remember, other protocols than HTTP, HTTPS and FTP over HTTP are not supported and will not work.
                  Therefore you can use the Firewall client. If you look at the process when a client wants to connect, he will first try the webproxy client. If not available or not supported he will fall back to the firewall client. If it isn't there or if it isn't possible, he will use the securenat method.

                  The big advantage of the firewall client is that it will allow you almost any traffic and still retain the logging with their usernames. Also you still can block access to certain users with groups or allow certain users for more privilege based on groups.

                  That's why I wanted to know about the clients. For Windows Vista you then need the updated firewall client which you can download from here:
                  http://www.microsoft.com/downloads/d...displaylang=en

                  For webfiltering I can highly recommend Websense which can be a plug-in for ISA server. I'm not sure what TMG will bring when it's been released about this

                  Edit: why does your boss have the habit of firing you on a regular basis?
                  Last edited by Dumber; 11th September 2009, 11:27.
                  Marcel
                  Technical Consultant
                  Netherlands
                  http://www.phetios.com
                  http://blog.nessus.nl

                  MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                  "No matter how secure, there is always the human factor."

                  "Enjoy life today, tomorrow may never come."
                  "If you're going through hell, keep going. ~Winston Churchill"
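
Added example, not part of any post in this thread: a minimal hand-written proxy auto-config script of the kind a browser fetches once WPAD discovery succeeds, sending only HTTP, HTTPS and FTP requests to the web proxy as described in posts #7 and #9. The proxy name, port and DNS suffix are assumptions chosen for illustration.

```javascript
// Constructed sample PAC script (served to browsers as wpad.dat).
// Written in ES3 style because older IE script engines evaluate it.
var PROXY_HOST = "isa.example.local:8080";  // hypothetical ISA web proxy listener
var INTERNAL_SUFFIX = ".example.local";     // hypothetical internal DNS suffix

// True for literal loopback or RFC 1918 addresses, which stay off the proxy.
function isPrivateLiteral(host) {
  return /^(127|10)\.\d+\.\d+\.\d+$/.test(host) ||
         /^192\.168\.\d+\.\d+$/.test(host) ||
         /^172\.(1[6-9]|2\d|3[01])\.\d+\.\d+$/.test(host);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();

  // Single-label names (e.g. "intranet") are internal: go direct.
  if (host.indexOf(".") === -1) return "DIRECT";

  // Hosts inside the internal DNS namespace: go direct.
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";

  // Literal private addresses: go direct.
  if (isPrivateLiteral(host)) return "DIRECT";

  // Only the protocols a Web Proxy client supports go to the proxy, so
  // these requests are logged there. The trailing "DIRECT" lets the
  // browser fall back if the proxy is unreachable; drop it to fail
  // closed, so that no web request can bypass filtering and logging.
  if (scheme === "http" || scheme === "https" || scheme === "ftp") {
    return "PROXY " + PROXY_HOST + "; DIRECT";
  }

  // Anything else is outside the web proxy's scope (Firewall client or
  // SecureNAT territory, per post #9).
  return "DIRECT";
}
```

Off-site, discovery of the WPAD entry fails and the browser never loads this script, which is the direct-connection behaviour post #9 describes.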
