Earlier today Susan blogged about upgrade season in her office, and getting ready to migrate from SBS 2003 to 2008. In that post, she talked about uninstalling ISA and mentioned a post that Kevin has on that subject. I thought I’d take a moment to expand a little bit on Kevin’s post and add a few thoughts from my own battle scars with removing ISA.
First and foremost – Kevin mentions removing the ISA firewall client from all of your PCs before you remove ISA from the server. I cannot overstate how crucial this step is. The ISA 2004 firewall client uninstaller wants access to the original installation MSI, which lives in a share on your SBS box. This share is actually the Clients folder in the ISA installation directory. So what happens when you remove ISA from your SBS? You guessed it – the mspclnt share with the firewall client installation files is removed, which means any firewall clients still installed on PCs are not going to be happy when you try to remove them and they can’t find the MSI.
Since the Clients folder under the ISA installation folder is typically only about 5MB, I copy this folder to a safe spot on the server – usually my Tech directory where we keep various utilities and scripts. Here’s why – more and more, customers are backing up their workstations, whether via Acronis, StorageCraft or Windows Home Server. We may find ourselves at a point in the not so distant future after removing ISA where we need to restore a PC from an image taken before ISA was removed, and need to remove the firewall client again. Or we may discover a forgotten PC / laptop that we missed removing the firewall client from. There are all sorts of scenarios – but by keeping the Clients folder intact, we can share that out with the original mspclnt share name at any time and be able to uninstall the firewall client just like ISA was still installed on the server. Without the mspclnt share, you have a very VERY ugly path in front of you, and it is safe to say that you may end up facing the decision of living with the firewall client still on the machines, or wiping & re-installing the OS . . .
Second – Kevin also makes a brief mention about proxy settings. When you uninstall the firewall client from a PC, it will automatically disable proxy settings for the user account that is running the uninstall, but not for any other users on the machine. So if you have a PC that multiple users log in to, or if you are running a terminal server, be prepared for some proxy pain. I actually have a little VBScript that disables proxy settings for the current user by changing the value of the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable value from 1 to 0. I modify my login script to call the VBScript, in effect ensuring proxy gets disabled for each user when they log in to each machine.
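Here is an added example of what such a login-script VBScript can look like; it is not the author’s own DisableProxy.vbs, but it does the same job (flip ProxyEnable to 0 for the user running the script) and also clears the stale ProxyServer value so nothing points at the old ISA box. Run it from the login script with cscript so it stays silent.

```vbscript
' Added example (not the original DisableProxy.vbs): disable the per-user
' WinINET proxy after the ISA firewall client is gone. Runs under the
' logging-in user, so it only touches that user's HKCU hive.
Option Explicit

Const INET_KEY = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"

Dim sh, current
Set sh = CreateObject("WScript.Shell")

' RegRead raises an error when the value does not exist, which on a fresh
' profile means the proxy was never enabled. Treat that as "already off".
On Error Resume Next
current = sh.RegRead(INET_KEY & "ProxyEnable")
If Err.Number <> 0 Then
    current = 0
    Err.Clear
End If
On Error GoTo 0

If CLng(current) = 1 Then
    ' Write it back as REG_DWORD so the value keeps the type IE expects.
    sh.RegWrite INET_KEY & "ProxyEnable", 0, "REG_DWORD"

    ' Assumption: ProxyServer may or may not be present; remove it if it is,
    ' so a later re-enable cannot silently point at the removed ISA server.
    On Error Resume Next
    sh.RegDelete INET_KEY & "ProxyServer"
    Err.Clear
    On Error GoTo 0
End If
```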
The other aspect with proxy settings to keep in mind are your server-side applications. Unless you modified your ISA firewall policy to allow unauthenticated outbound http access from the server itself, you most likely specified proxy information for apps like Trend Micro’s Worry-Free Business Security or even WSUS – so that they can download their updates automatically. After removing ISA, you no longer have a proxy server, which means apps configured to use a proxy aren’t going to be able to get out to the internet. As a result, you stop getting automatic updates for things like A/V. So you will need to manually update the connection settings in these apps to remove the proxy settings previously defined.
So – here’s my quick checklist for removing ISA from your network & installing a hardware firewall:
- Prep your hardware firewall in a lab setting. Enter in all public IP info, disable DHCP, and create all of your inbound rules. It’s best to do this while ISA is still installed & working, so you can refer to the rules in ISA to make sure you don’t miss any necessary inbound rules for your environment.
- Backup your ISA configuration. While we’re moving away from ISA permanently, if we do encounter an issue with the new hardware solution where something isn’t working that was working with ISA, the ISA backup is an XML file that is relatively easy to read to see what rules you had and what they did without having to reinstall & restore ISA on your SBS.
- Open up your outbound access in ISA by creating the proverbial ALL/ALL/ALL rule. In other words, create a new access rule in ISA allowing all outbound traffic via all protocols for all users/computers. Much of the internet access in ISA on SBS is dependent on users being members of the Internet Users security group. The firewall client on the PCs is what actually passes user info to the ISA server so it can check group membership. Once we remove the firewall client from PCs, ISA isn’t going to be getting user info and some stuff that worked before isn’t going to work now. If you only have 5 PCs and are moving from ISA to your hardware firewall on a Sunday when no one is working, you might be able to skip this step. But if you have a larger number of PCs, etc., this helps to ensure you don’t disrupt users’ internet access too much while removing the firewall client . . .
- In my case, I update my domain login script to call my DisableProxy.vbs script at this point.
- Uninstall the firewall client from ALL PCs. Again – see my notes above. Your life will be MUCH simpler if you ensure the firewall client is completely removed from all PCs before removing ISA from your server.
- Copy the contents of the mspclnt share (%programfiles%\Microsoft ISA Server\Clients by default) to a safe location on the server, and plan to keep this folder safe for some time [:)]
- Follow Kevin’s steps 3-9 to remove ISA from the server.
- When you re-run the CEICW, it should automatically update the DHCP scope option on the server to use the internal IP of the new hardware firewall as the default gateway setting. If you have any devices that are using static IP addresses, you will need to manually update those with the new gateway. (HINT: Take a few extra minutes to create DHCP reservations for each device using a static IP, and change those devices to DHCP – so if you have another network reconfiguration in the future, all you have to do is reboot those devices instead of reconfiguring them [:)].) For all of your other DHCP devices, you will want to run an ipconfig /release followed by an ipconfig /renew to update their IP settings so they pull the new gateway, or you can reboot them as well. HINT 2 – PsTools are your friend. Create a batch file with the two ipconfig commands, and use PsExec to push & execute the batch file on all machines in the domain from the server. 5 minutes tops to update the IP config on all domain machines (that are online) instead of sneakernetting . . .
- ALSO – if you followed Jim Harrison’s steps to configure auto-detection of proxy settings on your SBS LAN, you want to remove the wpad A record from your internal AD domain forward lookup zone in DNS – otherwise you may have devices pulling proxy settings via auto-detect that point to your non-existent proxy server.
So that’s my addendum to Kevin’s excellent post.
P.S. . . . and if you haven’t decided on a hardware firewall yet, I highly recommend Calyptix devices. These are the standard devices we are implementing when migrating customers to SBS 2008.