ISA 2004 Installation Fails Creating Sotrage

ISA in SBS – yes, it’s secure

This response by Mark Stanfill saved me last night. (Thank you Mark) The only additional thing I would add is that this installation method also does not create a share to hold the firewall client for you. So after you have sucessfully installed ISA go into add/remove programs, Choose ISA, select Modify and select the Firewall Client Share item.

Note: The original question came from a person with a HP Server. My problem machine was also an HP.


We’ve seen a few instances of this, usually related to MSDE install errors.
Please try the following:

1. Launch the ISA 2004 MSI package manually and install ISA manually from
CD #6:


2. The installation should be successful but this only installs the
console. The
MSDE instance has not yet been installed. Go ahead and run the Setup.EXE
for ISA
2004 so that all the additional components will install.

3. If the installation of MS_FPC_SERVER.MSI is NOT installed successfully,
then run
it with the following command to create a LOG file of the installation:

msiexec.exe /i D:\ISA2004\FPC\MS_FPC_SERVER.msi /l* c:\isa.txt

4. The log file will be located on C:\isa.txt

The verbose log file will help us in the next step of troubleshooting.

Mark Stanfill, MCSE+I, MCSE 2000, MCDBA, MCSA
Microsoft Corporation

Vista Firewall Client

How to obtain the version of Firewall Client for ISA Server (December 2006) that includes Windows Vista support

This KB article will take you to the page that lists the new features of the client as well as a link on where to download it. According to this KB the correct version is 1.0.

New features

The following features are new in this version of Firewall Client for ISA Server:

• Support for client computers that are running Windows Vista
• Software updates that improve the security and stability of Firewall Client for ISA Server

Protecting Wireless Networks – 3 Ways

Recently there’s been a rash of clients needing to setup open wireless access for visitors. For the record, I hate open wireless. But some clients won’t be convinced. Since this is the real world we do what we can do to protect them. Depending on the circumstances there are 3 options:

1. Install a 3rd NIC into your server. Create a network for this NIC corresponding to your wireless network and assign rules accordingly. Keep in mind, that if this is an SBS server, this is an unsupported option. The reason it is unsupported is that the Connect to the Internet Wizard will choke on the extra NIC. It was written to expect only 2 NICs. To work around this problem you should disable your 3rd NIC and the rules associated with it before running that wizard.

2. Use a different public IP for your wireless router and create an entirely seperate network for wireless. Most of the time an ISP will provide 5 IP addresses to business accounts. Most businesses are only using one of those. Plug the wireless router directly into the router provided by your ISP and assign the wireless router one of your unused IP address. Configure the wireless router as needed.

3. Connect the wireless router to your internal network and give it a static IP address. Set it up to assign DHCP addresses to the wireless guests that are on a seperate network. For example, if your internal network is 192.168.16 then setup the wireless router’s built-in DHCP server to pass out 192.168.17 addresses. Assign rules to keep the wireless router away from everything but the Internet.

Here’s what option 3 looks like in practice:

1. Create a DHCP reservation for your wireless router.
2. In ISA, create an Address Range Object for the wireless router.
3. In ISA, create a new Access Rule. From Wireless Router, To External, Specified Protocols: HTTP, HTTPS. Other protocols your guests might need include FTP, ICA and SMTP but keep the list as short as possible. Place this rule above the SBS Protected Networks Access Rule.
4. In ISA, create a new Acces Rule. From Wireless Router, to LocalHost, Specified Protocols: DNS. This will allow the wireless router to resolve addresses. Place this rule above the one you just created.