Monday, November 24, 2008

Unlock ISA server from Lockdown mode

Title: NO PING after stopping ISA Firewall Services
Tags: Microsoft, ISA Server, 2006
Zones: MS Forefront-ISA, Windows Networking, Windows Network Security

hi folks

i got a strange problem. i thought i could PING NLB-enabled ISA servers after stopping their FWSRV service, but actually not.

basic system information of the ISA servers:

W2K3R2 Standard in Hyper-V
512MB
4 NICs with 4 dedicated IPs (1 x external facing, 3 x internal facing)
NLB enabled on all NICs on IGMP multicast mode
additional 17 VIPs assigned to the 4 NICs (10 + 1 + 3 + 3)
ISA 2006 Enterprise with SP1 and Supportability Update
Back Firewall template with Block All
outgoing DNS/HTTP/HTTPS/NTP/PING traffic is allowed

NOTE: ISA Integrated NLB is not used as it does not support NLB on all adapters with IGMP multicast, WLBS used instead.

the network connection is OK as i can use ARP -A to see their MAC addresses though i could not PING the IPs

any clues? many thanks for any input.

kind regards,
bbao

Author Comment - Author: bbao Date: 09/09/2008 - 07:13PM EST

just an update:

i just did a test on another stand-alone ISA server and got the same problem. no PING. it seems the stopped ISA server has been locked down.

i also found the following from MS TechNet site:

"2. Put the ISA Server firewall in LOCKDOWN mode, by stopping the Microsoft Firewall service. At a command prompt, type net stop fwsrv."

Troubleshooting networking issues
http://www.microsoft.com/technet/isa/2004/help/CMT_TrblDialup.mspx?mfr=true

the ISA servers are now in LOCKDOWN mode?? if so, how to unlock in turn to allow any incoming and outgoing traffic as before?

regards,
bbao

Assisted Solution - Author: keith_alabaster Date: 09/10/2008 - 08:21AM EST

Its not a problem - it is by design. Stopping the services means exactly that. ISA has a system policy (not firewall policy) that says whether to allow icmp traffic from internal to the localhost (isa box) so if you stop the services you also stop the access. removing ISA would allow the connections OK - stopping the services stops ISA from being operational however the dll's, the configs etc are all expecting ISA to be running.

Keith

Accepted Solution - Author: bbao Date: 09/10/2008 - 10:00AM EST

hi Keith

you are right, it is by design - a very good design.

i have actually already found the way to unlock ISA lockdown mode: NET STOP FWENG /Y.

this command will open the ISA server to all network traffic by stopping the Firewall Engine which runs in kernel mode of W2K3. the engine is a kernel-mode driver (fweng.sys) "which is called whenever network traffic arrives or leaves an ISA server network interface and modifies it if necessary."

this command will automatically stop the upper-layer Firewall Service, so NET STOP FWSRV is not necessary.

i found the above information from a MS white paper "ISA Server 2006 Firewall core", the best MS document i ever read - clear, informative, and accurate.

regards,
bbao

Expert Comment Author: keith_alabaster Date: 09/10/2008 - 12:39PM EST

Nice one :) - I will have a read on that as I don't recall that paper, and I have read quite a few

Regards

Keith :)

Author Comment Author: bbao Date: 09/10/2008 - 05:41PM EST

FYI

ISA Server 2006 Firewall Core
http://www.microsoft.com/isaserver/prodinfo/firewall_corewp.mspx

Expert Comment Author: keith_alabaster Date: 09/10/2008 - 07:53PM EST

Thanks :)

Author Comment Author: bbao Date: 09/10/2008 - 09:08PM EST

hi Keith,

do you mind that i accept my second comment as the answer as i would like to PAQ this question. i believe this would help others who intend to hear the heartbeat after killing the ISA server. :-)

i tried to share points to you by accepting multiple solutions, but EE did not allow me to choose my comment in this way... thanks for your kind help,

regards,
bbao

Expert Comment Author: keith_alabaster Date: 09/11/2008 - 12:26AM EST

No its fine and an accurate reflection anyway. Besides, you likely know my EE email address if you ever want help with ISA Server.

Regards
K :)

4 comments:

jim said...

computersforfutures.org |

gtscomputers.org |

computerisfun.org |

solocomputerservices.org |

computeroutlets.org |

squarefood.org |

ukfoodexports.org |

mnfoodtrucks.org |

ifoodie.org |

foodreformcoalition.org |

nimi parker said...

I like you recommendation. Your recommendation is of well use to people. A great article post, this is something very interesting. I really appreciate your post.
kocohouse.com |

Erin cody said...

I might want to thank you for your elegantly composed substance, its helpful and your written work style helped me to peruse it without any trouble.
www.piedmontreal-estate.org |

Erin cody said...

Always thinking to do the same thing again and again , i am very thankful that i found this one..
www.dollhousesd.com |