ISA Server 2004 WAN Dropout

Hi,
First I will explain my set up. I have two servers. SRV-001 is running AD, DNS, DHCP, IAS and is the Enterprise CA. SRV-002 is just running ISA 2004. SRV-002 has two NICs: one for the LAN and one for the WAN. I have set up ISA to be an 'Edge Firewall'.

I can browse the internet fine on SRV-002 without ISA installed. When I install ISA, all is good for about 24 hours, and then the WAN drops. It tries to get an IP address on the WAN interface and it cannot. If I uninstall ISA, it can instantly get an IP address, and when I reinstall ISA, it works for about another day, and then drops again. I have tried a different NIC, a different modem, even a different network cable! But I figured it can't be any of them because it works fine without ISA, so it is something ISA is doing.

Can anyone help?

Thanks,
Michael

 

What are the IP addresses of the two NICs in SRV-002?

 

The LAN NIC has a static IP address of 10.160.0.1/255.255.255.0 and the WAN NIC has a dynamicaly assigned address. I noticed it is when I try to renew my IP address on the WAN that I get problems, so I am assuming that the reason it lasts for 24 hours is because my lease with Telstra expires and it tries to renew the IP address.

Very weird.

Thanks.

 

On the contrary. It seems very straight-forward to me. You've diagnosed the problem yourself.

If that isn't the cause of the problem, I'll eat my hat. Changing your external IP is going to have a huge impact on an ISA server. It's going to have to recalculate all its proxy and firewall functions, as all the relative paths will change.

I'd recommend you don't connect the server directly to your internet connection. Instead, use a router to connect to your server to the network. Use NAT across the router so that the server is presented with an static private IP address. The 192.168.0.0 address space would be ideal for the network between your router and the server.

The arrangement will be this:

10.160.0.0==Server==192.168.0.0==router==Internet

As this will mean that the address the server sees doesn't change every 24 hours, it shouldn't be confused every day. The router should be able to handle the changing IP address.

 

Thanks Reggie!

 

Actually, now I have another problem.

I have set up the SRV-002 to require users to authenticate using 'Integrated' authentication before they can access the internet. However on one of the clients, if they click cancel at the username-password prompt, it just lets them through!!!

Im pulling my hair out at this one.

Thanks,
Michael