ISA server - again

Am reusit pana la urma,mersi PreTXT,tacerea ta la urma m-a ambitionat  :coolspeak:

ISA 2004 vine cu vreun log analizer tool ceva? sau trebuie cumparat separat? daca da, care ar fi cel mai complet dintre cele de pe piata?

DeathRipple, on Dec 20 2005, 09:50, said:

ISA poate genera rapoarte sumare cu ....cel mai bine te uiti pe un astfel de raport :)

Edited by muntos, 20 December 2005 - 11:50.

da...pe mine ma intereseaza de ex user-ul x a accesat site-urile a, b, c .... tampenii d-astea. iti foarte multumesc, insa tipul ala de raport nu face chiar ce vreau eu.

Banuiam eu ca nu asta te intereseaza,dar din moment ce n-ai specificat exact ce te intereseaza..:)
In cazul tau arunca un ochi la http://www.isaserver.../ISA/Reporting/
http://www.isaserver...toring-&-Admin/

De aici cel mai bun mi se pare SurfControl (www.surfcontrol.com)(dar este mai mult decat un tool de log analyzer) si WebSpy (www.webspy.com)

surfcontrol nu este un log analyzer .. intra in categoria web filtering. Rapoartele care le ofera includ si site-uri vizitate de un anumit user.

revin cu o noua si frumoasa problema...

in prezent am un calculator pe care ruleaza Win2k server cu ISA 2000 si AD. vreau sa pun pe o alta masina win2003 server, ISA 2004 si sa transfer AD-ul si politicile de la cel vechi. cu alte cuvinte, vreau un upgrade soft si hard, dar care sa se produca cat mai transparent pentru utilizatori. pana acum am dat peste tot felul de probleme, asa ca m-am decis sa sterg cu buretele si s-o iau de la capat.

a mai facut cineva asa ceva? un step-by-step pe undeva pe internet? cine poate sa ma ajute?

multumesc.

DeathRipple, on Apr 27 2006, 10:32, said:

Legat de AD eu as face (de fapt am si facut cu exceptia ca era tot un Win2003) asa cum scrie gaurika in thread-ul de aici
Trecerea de la ISA2000 la ISA2004 o poti face in mai multe feluri.Poti exporta Firewall si System Policies-urile din ISA2000 si importa in ISA2004 (exista ceva tooluri si articole legate de acest proces pe www.isaserver.org).
Atentie la instalare sa bifezi optiunea ca vechile versiuni de Firewall Client sa poata comunica cu ISA2004.Sfatul meu este ca apoi sa migrezi toti clienti de firewall la noua versiune ( o poti face centralizat cu AD).
Bafta

mai jos sunt rezultatele obtinute in urma diagnosticarii win 2003 server....

log-ul de la netdiag:




    Computer Name: NETPLANET
    DNS Host Name: netplanet.WORLDNET
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
    List of installed hotfixes :
        KB890046
        KB893756
        KB896358
        KB896422
        KB896424
        KB896428
        KB899587
        KB899588
        KB899589
        KB899591
        KB900725
        KB901017
        KB901214
        KB902400
        KB904706
        KB904942
        KB905414
        KB905915
        KB908519
        KB908521
        KB908531
        KB910437
        KB911562
        KB911564
        KB911565
        KB911567
        KB911927
        KB912812
        KB912919
        KB913446
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Intern

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : netplanet
        Autoconfiguration IP Address : 172.16.1.200
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 172.16.1.1
                                     172.16.1.200


        AutoConfiguration results. . . . . . : Failed
            [WARNING] AutoConfiguration is in use. DHCP not available.

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Extern

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : netplanet
        IP Address . . . . . . . . : xxx.xxx.xxx.xxx
        Subnet Mask. . . . . . . . : 255.255.xxx.xxx
        Default Gateway. . . . . . : xxx.xxx.xxx.xxx
        NetBIOS over Tcpip . . . . : Disabled
        Dns Servers. . . . . . . . : xxx.xxx.xxx.xxx


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Failed
            No gateway reachable for this adapter.

        NetBT name test. . . . . . : Skipped
            NetBT is disabled on this interface. [Test skipped]

        WINS service test. . . . . : Skipped
            NetBT is disable on this interface. [Test skipped].


Global results:


Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{85B890CE-F304-4274-B67B-1DDD877F67AE}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Failed

    [FATAL] NO GATEWAYS ARE REACHABLE.
    You have no connectivity to other network segments.
    If you configured the IP protocol manually then
    you need to add at least one valid gateway.


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '172.16.1.1' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '172.16.1.200' and other DCs also have some of the names registered.
       [WARNING] The DNS entries for this DC cannot be verified right now on DNS server 193.231.79.1, ERROR_TIMEOUT.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{85B890CE-F304-4274-B67B-1DDD877F67AE}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{85B890CE-F304-4274-B67B-1DDD877F67AE}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to netguardpro.WORLDNET (172.16.1.1). [RPC_S_CALL_FAILED_DNE]


Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'WORLDNET' is broken. [ERROR_NO_LOGON_SERVERS]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'netguardpro.WORLDNET'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

dcdiag...


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
  
   Testing server: Default-First-Site-Name\NETPLANET
      Starting test: Connectivity
         ......................... NETPLANET passed test Connectivity

Doing primary tests
  
   Testing server: Default-First-Site-Name\NETPLANET
      Starting test: Replications
         [NETGUARDPRO] DsBindWithSpnEx() failed with error 1727,
         The remote procedure call failed and did not execute..
         ......................... NETPLANET passed test Replications
      Starting test: NCSecDesc
         ......................... NETPLANET passed test NCSecDesc
      Starting test: NetLogons
         ......................... NETPLANET passed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\netguardpro.WORLDNET, when we were trying to reach NETPLANET.
         Server is not responding or is not considered suitable.
         ......................... NETPLANET failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: NETGUARDPRO is the Schema Owner, but is not responding to DS RPC Bind.
         Warning: NETGUARDPRO is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: NETGUARDPRO is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: NETGUARDPRO is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: NETGUARDPRO is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         ......................... NETPLANET failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NETPLANET failed test RidManager
      Starting test: MachineAccount
         ......................... NETPLANET passed test MachineAccount
      Starting test: Services
         ......................... NETPLANET passed test Services
      Starting test: ObjectsReplicated
         ......................... NETPLANET passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NETPLANET passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... NETPLANET failed test frsevent
      Starting test: kccevent
         ......................... NETPLANET passed test kccevent
      Starting test: systemlog
         ......................... NETPLANET passed test systemlog
      Starting test: VerifyReferences
         ......................... NETPLANET passed test VerifyReferences
  
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
  
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
  
   Running partition tests on : WORLDNET
      Starting test: CrossRefValidation
         ......................... WORLDNET passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... WORLDNET passed test CheckSDRefDom
  
   Running enterprise tests on : WORLDNET
      Starting test: Intersite
         ......................... WORLDNET passed test Intersite
      Starting test: FsmoCheck
         ......................... WORLDNET passed test FsmoCheck

Hmmm...nu arata prea bine output-urile tale.
Parerea mea este ca ar trebui sa-ti rezolvi mai intai problemele de pe DC, altfel risti sa nu-ti iasa replicarea.

pai astea sunt otuput-urile de pe win 2003...cele de pe win 2000, unde e DC-ul original, sunt in regula...

Scuze,n-am fost atent.
Oricum, daca am inteles eu bine, este o idee fff proasta sa rulezi ISA pe un DC.

combinatia isa 2000 win2k srv cu ad merge f bine....si nu de azi, de ieri...

Citeste aici de ce nu.
Nu ca nu se poate ci este o greseala mare de securitate.

pt ca cineva sa ajunga la isa, tre' sa treaca de vreo 2 firewall-uri in prealabil. oricum, este interesant ce scrie acolo, insa daca esti atent si nu faci greseli ar trebui sa nu fie probleme asa mari. oricum este interesant articolul si confirma pasii efectuati de mine fara sa-l citesc :)

Edited by DeathRipple, 02 May 2006 - 09:30.

aaa...alta problema: care este diferenta intre clientii ISA care arata "configured to..." si "connected to..." ? in primul rand nu-mi explic de ce apare.

"Configured to" iti arata ca respectivul client are stabilita o conexiune cu ISA (vede serverul)
"Connected to", adica in momentul in care iti si apare o sagetuta verde pe icon-ul de client, inseamna ca s-a deschis o conexiune pe socket care necesita autentificare prin clientul de ISA.
In principiu daca un client este configurat sa aiba acess la Internet dupa ce se autentifica (Active Directory in mod normal) atunci in afara aplicatiilor care se pot autentifica prin web proxy (Internet Explorer sau alte programe configurate ca sa iasa printr-un proxy web) restul aplicatiilor trebuie sa se autentifice prin intermediul clientului de firewall.In acel moment clientul arata "connected to".