RE: Sercond ISA on SBS Member Server

Dear Rui Kang Lu:
Thank you for posting here.

To answer your first question:
If you are using ISA2004 Standard Edition, you cannot install an additional
ISA on a SBS member server. However, if you are using ISA2004 Enterprise
Edition, it is possible to do so.

Generally speaking, if the ISA server is standard edition, in case that the
server will crash sometime, we should backup the configuration to perform
the recovery. Without a good backup, it's difficult to have the server
restored to the original status. We need to manually create the rules and
configure the ISA settings.

Based on my experience, I detailed the backup/restore process for iSA2k as
below:
Option #1. Simple backup/restore.

Right-click the server/array name in ISA management console, you will find
the option to "Back Up" and "Restore". This will save the configurations to
a single file. Please be advised that this file can only be used on the
computer creates this backup file. Otherwise, it will not work.

- This is often used for ISA server configuration recovery.

Backing up and restoring an array configuration
http://www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/m_s_c_back
uprestore.asp

Option #2. Full backup/restore the system and ISA. It does work, but has
some limitation.
The disadvantage is that: you cannot restore a configuration to another
machine, and if restoring the configuration to the same machine after the
boot partition disk dies can be a bit of a challenge. Microsoft does not
support renaming of the ISA Server computer after ISA Server is installed.
The method will not allow you to restore your configuration to a machine
that has been renamed.

The advantage is that: there are a number of scripts and tools that will
allow you to back up some of your ISA Server settings. But none of them
will back them all up while this method does.

Backup Steps:

a. Log onto the ISA Server computer as a member of the Domain
Administrator''s group.

b. In the ISA Management console, right click on your server name and
click the "Back Up" command.

c. In the "Backup Array" dialog box, type in a name and location for the
backup file in the "Store backup configuration in this location "text box.
Type a description in the "Comment" text box. Click OK.

d. The "Backup Array" dialog box appears and informs you that the backup
succeeded. Click OK.

e. Open a command prompt and type "net stop mspfltex" (without quotation
marks). You will be asked if its OK to stop a number of services. Say yes
and press [ENTER] to stop the services

f. After the services are stopped, type "net stop gksvc" (without
quotation marks) and press [ENTER]. This will stop the H.323 Gatekeeper
service.

g. Click "Start" and click the "Run" command. In the Run dialog box,
type "ntbackup" (without quotation marks) and click OK.

h. In the Backup application, click the Restore tab.

i. Click the "Tools" menu and then click the "Options" command.

j. In the "Options" dialog box, click the "Restore" tab. Select the
"Always replace the file on my computer" option. Click OK.

k. Click the "Backup" tab. In the left pane, select the "Microsoft ISA
Server" folder and the "System State". You can back up other things if you
like, but this is what you''ll need to restore to get your ISA Server
configuration back.
- You can deselect the ISAlogs folder as it is saving the ISA server
logs.

l. Type in a location for the backup file in the "Backup media or file
name" text box. Click the "Start Backup" button.

m. In the "Backup Job Information" dialog box, make the appropriate
changes to the "Backup description". Select the "Replace the data on the
media with this backup" option.

n. Click the "Advanced" button. In the "Advanced Backup Options" dialog
box, select the "Verify data after backup" option. Set the "Backup Type" to
"Copy". Click OK.

o. Click the "Start Backup" button in the "Backup Job Information"
dialog box. The backup process begins and might take quite a while, so be
patient.

p. When the backup is finished, click "Close" in the "Backup Progress"
dialog box and then close the "Backup" application.

Restore Steps:

a. When you''re ready to fix the ISA Server configuration, reboot the
computer in Safe Mode. You can press F8 when booting to enter this mode.

b. Click "Start" and click on the "Run" command. In the "Open" text box,
type "ntbackup" (without quotation marks) and click OK. Click OK in the
"Removable Storage Not Running" dialog box.

c. Click on the "Restore" tab. Click the "Tools" menu and click the
"Catalog a Backup File" command.

d. Type in the file name or use the Browse button to find the backup
file that contains the ISA Server folder hierarchy and the System State.
Click OK.

e. Expand the media file in the left pane that includes your backed up
files. You may find that the Backup File Name dialog box keeps popping up.
Don''t worry about it. Just click OK each time it pops up.

f. Expand the C: drive and the "System State" in the left pane of the
Backup application. Place checkmarks in the "Microsoft ISA Server" folder
checkbox and the "System State" checkbox. There will be blue checkmarks in
the boxes that you check, as seen in the figure below. Make sure you set
the "Restore files to" drop down list box to read "Original location".
Click the "Start Restore" button. Click the OK button in the "Warning" text
box that tells you that the System State will be restored. Click OK in the
"Confirm Restore" dialog box. Click OK in the "Enter Backup File Name" text
box; make sure it lists the right backup file name!

g. After the backup is complete, click the Close button in the "Restore
Progress" dialog box. Click Yes in the "Backup" dialog box to restart the
computer. When you restart the computer you can do it in normal mode. You
do not need to restart in Safe Mode.

h. Log in as a Domain Admin. Click Start and point to "Administrative
Tools". Click on the "Services" command.

i. In the Services console, set the "Startup Type" for the following
services to "Disabled":
Microsoft Firewall
Microsoft H.323 Gatekeeper
Microsoft ISA Server Control
Microsoft Scheduled Cache Content Download
Microsoft Web Proxy

j. Reboot the computer.

k. Reinstall ISA Server using the "Add/Remove Programs" applet in the
Control Panel. Click the "Change" button. This will allow you to reinstall
the ISA Server applications files without losing your settings. This
repairs the basic ISA Server installation. Just click on the "Reinstall"
button as seen below. Restart the computer after you reinstall.

m. This backup restores the configuration as of the time you ran the
"ntbackup" tool to back up the ISA Server directory hierarchy and the
System State. At this point, you should restore your most recent ISA Server
integrated backup file. Just right click your server name in the "ISA
Management" console and click the "Restore" command. Enter your backup file
name or use the "Browse" button, then click OK.

n. The "Restore Array" dialog box appears. Confirm the information and
click OK. After the restoration is complete, click the OK button to confirm
that it worked.

- If you are using Enterprise edition in array, the client side does not
save much configurations. These basic configurations are saved in Active
Directory on the DC. When you reinstall ISA to join the array, the
configuration will be recovered.

You can read the following article for more information on this topic.

Using the NTBACKUP Utility to Restore the ISA Server Configuration
http://www.isaserver.org/tutorials/Using_the_NTBACKUP_Utility_to_Restore_the
_ISA_Server_Configuration__Part_1.html

Option #3, Backup the main configurations of the ISA server. You can
download the ISAEXPORTIMPORT utility from http://isatools.org. You must
read the readme document with this utility for how to use it. It can back
up the following.

a. Site and Content Rules
b. Protocol Rules
c. Web Publishing Rules
d. Server Publishing Rules
e. Routing Rules
f. Listeners
g. Packet Filters

Please notice that this script DOES NOT support Enterprise Policies. It is
used for exporting settings from a standalone ISA server and importing it
back into the same ISA server or in another ISA server.

Option #4. You can use ISAINFO to export all the ISA server settings to a
text file and the use this file to reinstall ISA and reconfigure ISA
manually. In worst scenario (rarely occur), if the above options failed, an
exported ISAINFO report can help you remember what you have configured
previously. You can run it on an existing ISA server to export the settings
when the ISA server is running properly. To download this utility, refer to
http://isatools.org.

Regarding your second question:
I am sorry to say that you cannot have multiple External interfaces with
different default gateways on your ISA server and publish servers on each
of them. We only support one external interface on the ISA Server, you
might need to look at one of the third party add-ons like rainfinity or
some thing at http://www.microsoft.com/isaserver/partners/default.asp.

Multiple external interfaces are only supported in a DMZ configuration
where packet filters allow routing to and from the secondary external
networks. In other words, multiple external interfaces for connecting to
separate internet providers to provide redundancy and/or fault tolerance
for internet bound traffic is not natively supported in ISA. For redundancy
of the internet connection it may be possible to use RIP, IRDP, HSRP, or
some other routing protocol designed to manage the default gateway in a
single external NIC configuration, but the selected protocol would need to
be supported by the routers involved as well. Alternatively there are 3rd
party products that can add the desired functionality to ISA. See the
following link:
http://www.microsoft.com/isaserver/partners/highavailability.asp.

FYI - ISA 2004 Standard/Enterprise does not provide any new ability to
handle multiple external interfaces. It might be a possibility for future
version, but we have no definitive information for the features of
unreleased version of ISA at this time.

As I mentioned above, one option is to use a hardware load balancing in
front of the ISA Server. There are router solutions that allow you to plug
multiple external interfaces into them to create a fault tolerant solution.
You can also use a hardware load balancer, such as F5 networks BigIP. These
solutions work well, but suffer from being somewhat expensive.

In addition, you can use products like Rainfinity to balance across network
connections, this will do the trick:
http://www.rainfinity.com/products/rainconnect_isa.html. The RainConnect
product will first be implemented as a second server that you can put in
front of the ISA Server, and later will be implemented to integrate with
the ISA Server machine itself. This will allow you to connect multiple
external interfaces into the computer, such as a DSL and T1, or multiple
DSL or T1 lines. The RainConnect product will automatically load balance
the connections and provide fault tolerance.

For you information, Here is the network diagram of the router solution:
ISP1===
\\
{Hardware router}===={SBS 2003 server with ISA}===={Internal
workstations}
//
ISP2===

To configure CEICW Wizard, you can refer to following KB article for
detailed information:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

Hope the above information helps.
I appreciate your time and understanding. If you have any questions or
concerns, please feel free to let me know.

Have a nice weekend! :)


Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Rui Kang Lu" <hbtec@xxxxxxxxxxxxx>
| Subject: Sercond ISA on SBS Member Server
| Date: Thu, 11 Aug 2005 16:17:40 -0700
| Lines: 10
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
| X-RFC2646: Format=Flowed; Original
| Message-ID: <e8zcLrsnFHA.860@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: adsl-67-113-80-14.dsl.lsan03.pacbell.net 67.113.80.14
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:143492
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Is it possible to have ISA running on the SBS Server and also on a SBS
| member server for failover or redundacy?
|
| ISA Standard Edition says it "Supports inlimited multiple networks and
| types" I am thinking this should mean we could have two WAN (Static IP
DSL)
| connectioned to the ISA box? Am I interpreting this wrong?
|
| Thanks for your guidance.
|
|
|

.