Title: NO PING after stopping ISA Firewall Services
Tags: Microsoft, ISA Server, 2006
Zones: MS Forefront-ISA, Windows Networking, Windows Network Security
I've got a strange problem. I thought I could PING NLB-enabled ISA servers after stopping their FWSRV service, but actually I cannot.
Basic system information of the ISA servers:
W2K3R2 Standard in Hyper-V
4 NICs with 4 dedicated IPs (1 x external facing, 3 x internal facing)
NLB enabled on all NICs on IGMP multicast mode
additional 17 VIPs assigned to the 4 NICs (10 + 1 + 3 + 3)
ISA 2006 Enterprise with SP1 and Supportability Update
Back Firewall template with Block All
outgoing DNS/HTTP/HTTPS/NTP/PING traffic is allowed
NOTE: ISA Integrated NLB is not used as it does not support NLB on all adapters with IGMP multicast; WLBS is used instead.
The network connection is OK, as I can use ARP -A to see their MAC addresses, though I could not PING the IPs.
Any clues? Many thanks for any input.
Author Comment - Author: bbao Date: 09/09/2008 - 07:13PM EST
Just an update:
I just did a test on another stand-alone ISA server and got the same problem: no PING. It seems the stopped ISA server has been locked down.
I also found the following on the MS TechNet site:
"2. Put the ISA Server firewall in LOCKDOWN mode, by stopping the Microsoft Firewall service. At a command prompt, type net stop fwsrv."
Troubleshooting networking issues
The ISA servers are now in LOCKDOWN mode?? If so, how do I unlock them in turn to allow any incoming and outgoing traffic as before?
Assisted Solution - Author: keith_alabaster Date: 09/10/2008 - 08:21AM EST
It's not a problem - it is by design. Stopping the services means exactly that. ISA has a system policy (not firewall policy) that says whether to allow ICMP traffic from internal to the localhost (ISA box), so if you stop the services you also stop the access. Removing ISA would allow the connections OK; stopping the services stops ISA from being operational, however the DLLs, the configs etc. are all expecting ISA to be running.
Accepted Solution - Author: bbao Date: 09/10/2008 - 10:00AM EST
You are right, it is by design - a very good design.
I have actually already found the way to unlock ISA lockdown mode: NET STOP FWENG /Y.
This command will open the ISA server to all network traffic by stopping the Firewall Engine, which runs in kernel mode of W2K3. The engine is a kernel-mode driver (fweng.sys) "which is called whenever network traffic arrives or leaves an ISA server network interface and modifies it if necessary."
This command will automatically stop the upper-layer Firewall Service, so NET STOP FWSRV is not necessary.
I found the above information in the MS white paper "ISA Server 2006 Firewall Core", the best MS document I have ever read - clear, informative, and accurate.
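An added example (not part of the thread) that tells the three states apart from a defender's side: the user-mode Firewall service (fwsrv) and the kernel-mode Firewall Engine driver (fweng) are queried via WMI, so a stopped-but-lockdown ISA host is not mistaken for one whose engine has been stopped and is passing all traffic unfiltered. The function name and the -ComputerName parameter are my own; the service and driver names come from the posts above.

```powershell
# Added example: classify an ISA 2006 host's firewall state from the two
# components discussed above. fwsrv is a Win32 service; fweng.sys is a kernel
# driver, so it must be read from Win32_SystemDriver rather than Win32_Service.
# Run locally on the ISA server, or pass a remote name if WMI access is allowed.
param([string]$ComputerName = '.')

function Get-IsaFirewallState {
    param([string]$Computer = '.')
    $svc = Get-WmiObject -ComputerName $Computer -Class Win32_Service `
                         -Filter "Name='fwsrv'"
    $drv = Get-WmiObject -ComputerName $Computer -Class Win32_SystemDriver `
                         -Filter "Name='fweng'"
    if ($null -eq $svc -or $null -eq $drv) {
        return 'ISA firewall components not found on this host'
    }
    # Both running: policy enforced. fwsrv down but fweng up: LOCKDOWN, the
    # driver still filters and drops PING to the box. Both down: engine gone,
    # the host passes all traffic unfiltered (the NET STOP FWENG /Y state).
    switch ("$($svc.State)/$($drv.State)") {
        'Running/Running' { 'Operational: firewall policy enforced' }
        'Stopped/Running' { 'LOCKDOWN: fwsrv stopped, fweng still filtering (no PING to host)' }
        'Stopped/Stopped' { 'OPEN: fweng stopped, host passes all traffic unfiltered' }
        default           { "Transitional: fwsrv=$($svc.State) fweng=$($drv.State)" }
    }
}

Get-IsaFirewallState -Computer $ComputerName
```

The OPEN result is the one to alarm on in monitoring: it means the host is reachable but no longer filtering, which is the condition the accepted solution deliberately creates.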
Expert Comment Author: keith_alabaster Date: 09/10/2008 - 12:39PM EST
Nice one :) - I will have a read of that, as I don't recall that paper, and I have read quite a few.
Author Comment Author: bbao Date: 09/10/2008 - 05:41PM EST
ISA Server 2006 Firewall Core
Expert Comment Author: keith_alabaster Date: 09/10/2008 - 07:53PM EST
Author Comment Author: bbao Date: 09/10/2008 - 09:08PM EST
Do you mind if I accept my second comment as the answer, as I would like to PAQ this question? I believe this would help others who intend to hear the heartbeat after killing the ISA server. :-)
I tried to share points with you by accepting multiple solutions, but EE did not allow me to choose my comment in this way... Thanks for your kind help.
Expert Comment Author: keith_alabaster Date: 09/11/2008 - 12:26AM EST
No, it's fine and an accurate reflection anyway. Besides, you likely know my EE email address if you ever want help with ISA Server.