CEICW fails during firewall config, ISA 2004
ChipW
2005-06-02 15:23:04 UTC
OK, so I took the plunge and installed SBS SP1 last night (in hindsight I
should have waited for weekend), all went well until upgrading from ISA 2000
to ISA 2004, had to turn off IIS Admin. The CEICW wizard failed during the
firewall configuration section. I reread Mariette's et al. guide (Thanks
for all your efforts guys), ah I thought ISA rule 22, deleted it, along with
a couple others I thought I didn't need/want anymore.... firewall config
still fails. I had Inet connection, even with ISA2K Clients. Hmmm. BTW I had
a screenful of firewall policies in ISA. Not leaving well enough alone, I
ran an ISA 2004 repair thinking maybe I deleted a policy I shouldn't have. I
reran CEICW, firewall config still failed, and now only half a screen of
policies. So I try another tack and ran CEICW and turned off firewall (still
fails) then run CEICW again to turn it back on, still fails. A quick look at
ISA now only shows 3 policies. Now I'm thinking I really screwed things up.
I uninstalled ISA 2004 and reinstalled, thinking that would put things back
to default, but no...still only 3 policies and no Inet with ISA 2004 clients
now installed. I had to manually change ISA policy to allow access to Inet.
Any changes in CEICW for publishing services (VPN, OWA, RDP, etc.) don't
change after running wizard. Rerunning CEICW now blocks Inet access until I
manually allow it again. So that's where I'm at, and what I've done (right
or wrong) I just don't know what to try next. I'm just looking for a
default, secure installation of ISA 2004 and have external access to RWW,
OWA, Outlook RPC, etc.

Thanks in advance
ChipW
Mariette Knap [SBS MVP]
2005-06-02 15:48:56 UTC
Can you post the last run of the icwlog.txt? Please, post only the part with
the errors in it.
--
Mariëtte Knap
Microsoft SBS-MVP
One of the Magical M&M's
www.smallbizserver.net
Take part in SBS forum:
http://www.smallbizserver.net/Default.aspx?tabid=53
ChipW
2005-06-02 16:52:08 UTC
Mariette, here are the errors. Looks like the ISA rules just aren't there,
and would work if I can just get them reloaded into ISA.

6/2/2005 2:11 AM
Firewall Rule: SBS DHCP Client
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS HTTP 80 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 20 In CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 20 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS POP3 110 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS NTP 123 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS DnsLookupPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS IcmpPingQueryPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS IdentdPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS TS 3389 In CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS TS 3389 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS PptpReceivePredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS PptpCallPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 21 In CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 21 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS SMTP 25 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS SmtpPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS NNTP 119 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS Remote Web Workplace CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS NTP 123 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business RPC over HTTP Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Business Card Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business CompanyWeb Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business TSWEB Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business RUP Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Monitoring Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business OMA Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business OWA Web Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Web Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server All Users Protocol Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Internet Access Protocol Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Internet Access Protocol Rule 2
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server Internet Access Site and Content Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server Internet Access Site and Content Rule 2
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server All Users Site and Content Rule
Cannot find the firewall rule, ignoring the error

Thanks
Chip
Mariette Knap [SBS MVP]
2005-06-02 17:10:04 UTC
Did you install ISA from the official Premium Upgrade CD?
ChipW
2005-06-02 17:36:49 UTC
Yes, I had what seemed to be all the policies when I started, but then they
gradually went away as I fussed with it more. Initially, I'm sure they were
the ones exported from the ISA 2000 install.

Thanks
Chip
Mariette Knap [SBS MVP]
2005-06-02 17:51:25 UTC
I would uninstall and reinstall ISA from the Premium Upgrade CD. That will
recreate all rules, I hope... This is strange because the CEICW should do at
least part of it.
ChipW
2005-06-02 18:01:18 UTC
That's what I thought too. I did uninstall and reinstall hoping that would
resolve the missing policies. I'll try again though.

Thanks
Chip
Mariette Knap [SBS MVP]
2005-06-02 20:37:04 UTC
How do you launch ISA setup from the CD? What executable do you double
click?
ChipW
2005-06-02 20:58:45 UTC
I just put in the CD, let it autorun and clicked the ISA link. I'm getting
ready to reinstall, 5:00 pm Eastern Time here. Any other thoughts before I
start, or a 2nd option, in case reinstalling still doesn't work?

Thanks
Chip
ChipW
2005-06-02 22:20:18 UTC
Still No Luck.. Uninstalled and reinstalled ISA 2004 again, from SBS SP1
Prem CDs. I only have 3 Firewall policies, 1 SBS Protected Networks Access
Rule, 2 SBS Localhost Dhcp Access Rule, Last Default rule = Deny All.

Is there any way to import the SBS Standard Firewall Policies via an XML
file, does it exist? I looked at the installed XML Templates, but none of
them relate to SBS templates, just the default ISA 2004 templates. I feel
like if I could get the default policies loaded into ISA, the CEICW would
work just fine.

Any help from MS here????

Thanks
Chip
ChipW
2005-06-02 23:07:03 UTC
My only other thought is to uninstall ISA2004, reinstall ISA2000, then
install ISA2004 over top like would be a normal upgrade for SBS SP1. My
only concern would be running CEICW (Post SP1) with ISA2000. Would that be
necessary to configure ISA2000 properly before reinstalling ISA 2004?

Thanks
Chip
ChipW
2005-06-27 20:52:31 UTC
Based on our last conversation, the resolution to your issue as agreed upon
is

CAUSE:

Front Page is used to create custom websites.

It adds the following section to the metabase.xml file:

<Custom
    Name="IPSecurity"
    ID="6019"
    Value=""
    Type="BINARY"
    UserType="IIS_MD_UT_FILE"
    Attributes="INHERIT | REFERENCE"
/>

The format of this section causes the CEICW to fail.

RESOLUTION:

Open the Internet Services Management snap-in.

Open the properties of the custom web site virtual directory and go to the
Directory Security tab. (you may also do this on the default web site if
they have several custom virtual directories underneath the Default Web
Site).

Go to the IP Address and Domain Name Restrictions setting and change the
setting. (Just do the opposite of what is set). If currently set to grant
all, change it to deny all except for the local IP and subnet mask of the
server.

Select all to apply the change to all sub webs.

Select all again to apply the change all the way down.

Running the CEICW now should be successful.

Based on your input, it will reset the IP and domain name restrictions
accordingly.

Confirm that the IP and domain name restrictions are back to where they
should be.
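An added example, not part of the thread or of the quoted resolution: a Python check that scans a copy of metabase.xml for the empty IPSecurity Custom entry shown in the CAUSE section and reports which metabase location carries it, so the right virtual directory can be opened in the snap-in. The sample fragment, its Location paths and its namespace are constructed, and the layout (the Custom element nested under an element with a Location attribute) is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: three virtual directories, one carrying the empty
# IPSecurity Custom entry quoted in the resolution. Paths are made up.
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/custom" AccessFlags="AccessRead">
    <Custom
        Name="IPSecurity"
        ID="6019"
        Value=""
        Type="BINARY"
        UserType="IIS_MD_UT_FILE"
        Attributes="INHERIT | REFERENCE"
    />
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/other">
    <Custom Name="IPSecurity" ID="6019" Value="18000080" Type="BINARY"
            UserType="IIS_MD_UT_FILE" Attributes="INHERIT | REFERENCE"/>
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""


def local_name(tag):
    """Drop an XML namespace prefix of the form '{uri}name'."""
    return tag.rsplit("}", 1)[-1]


def find_empty_ipsecurity(xml_data):
    """Return the Location of every key holding an empty IPSecurity Custom entry.

    Assumption: each metabase key is an element with a Location attribute and
    the Custom entry is its direct child. Accepts str or bytes.
    """
    root = ET.fromstring(xml_data)
    hits = []
    for key in root.iter():
        location = key.get("Location")
        if location is None:
            continue
        for child in key:
            if (local_name(child.tag) == "Custom"
                    and child.get("Name") == "IPSecurity"
                    and child.get("ID") == "6019"
                    and (child.get("Value") or "").strip() == ""):
                hits.append(location)
    return hits


if __name__ == "__main__":
    # With a path argument, scan that copy of metabase.xml; otherwise the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for loc in find_empty_ipsecurity(data):
        print("empty IPSecurity entry at", loc)
```

Run it against a copy of metabase.xml before and after the fix; the same locations are the ones whose IP address and domain name restrictions should be re-checked once CEICW has completed.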