Uninstalling ISA 2004 from SBS 2003

As you may know, SBS 2008 will be released on Nov 12, 2008. Migrating from SBS 2003 to SBS 2008 will require some work and planning. For sites running SBS 2003 Premium with ISA 2004, you have some additional prep work. You will need to uninstall ISA 2004 and disable or remove your 2nd NIC prior to starting your migration from SBS 2003 to SBS 2008. But this is not as daunting a task as you may think. In fact, I just did it this weekend on my own internal SBS 2003 production server.

Blog History:
1.0 Original blog
1.1 Information on uninstalling the Firewall client from workstations has been expanded and moved to Step 2 in the process.
1.2 Add Step 12 to address issues with self-signed cert and remote access (RWW, ActiveSync, etc.)
1.3 Add information in Step 2 on uninstalling ISA Firewall client “quietly”.
1.4 Add information on Trend Micro/other 3rd party software

Some preliminary notes before we begin:

Note 1. With ISA 2004 we use two NIC’s. I refer to the 1st NIC as the External NIC, that is, the one connected to the router. This NIC uses the IP range of the router. Let’s assume that IP range is 192.168.1.x.

Note 2. I refer to the 2nd NIC as the Internal NIC, that is, the one connected to the switch/hub for your internal LAN. A separate IP range is used for this second NIC. I generally use a 10.0.0.x range, while others may use 192.168.16.x or something else.

Note 3. The process I describe will result in using the external 1st NIC as our only NIC and disabling or eventually removing the 2nd NIC. This means that all of our internal workstations, WAP’s and network printers will be assigned IP addresses using the IP range of the first NIC.

Note 4. Finally, after disabling the 2nd NIC, we will need to move around some cables between your server, your switch and your router.

Uninstalling ISA 2004:

1. As always, make sure you have a full backup of your SBS2003 server. An image backup is best (IMHO). After backing up, reboot your server and make sure there are no event errors you need to address before proceeding.

2. While the server is backing up, this would be a good time to go around and uninstall the Microsoft ISA Firewall Client from each workstation.
– If you only have a small number of workstations, you can uninstall the Firewall client via Add/Remove Programs on each workstation.
– However, you can also do this via a command line that you could place in a batch file and run from each workstation. This will uninstall ISA Firewall Client “quietly”. See the Microsoft TechNet article for more information.
– Some people have reported that you may have issues with uninstalling the Firewall Client if you wait until after you uninstall ISA itself.
– Also, it has been reported that if several users log onto the same workstation, uninstalling the Firewall client does not clear the proxy settings in IE for the additional users.

3. Uninstall ISA 2004 from Control Panel > Add/Remove Programs. NOTE: if you are not able to uninstall ISA, see the Troubleshooting remarks at the end.

4. Towards the end of the uninstall process, you will be automatically prompted to run the CEICW wizard. As you step through the CEICW (Connect to Internet Wizard), I suggest using all the default options provided. This will configure your server to still use both NICs, and configure the Microsoft Firewall. You may be wondering why we don’t configure CEICW right away to only use one NIC. Call me old-fashioned, but I like doing one thing at a time. In this case, we will uninstall ISA and make sure the server is working and then proceed to remove the second NIC.

5. After uninstalling ISA 2004 and reconfiguring CEICW you should be prompted to reboot the server. Even if you are not, you should reboot the server, and verify the server is functioning properly.

6. After rebooting the server, rerun CEICW. From the Broadband connection screen, you will want to select the ‘My Server uses a local router’ option instead of the ‘Direct broadband’ option, in order to tell the wizard you want to use only one NIC. Be sure to have your ISP’s DNS IP addresses available to enter when requested. You will get a pop-up box along the way warning you that you are using one NIC, and therefore the SBS firewall cannot be configured. Click to proceed.

7. Once CEICW has been reconfigured, you can disable the 2nd NIC and then reconfigure your network setup. First take the cable that’s currently plugged into your server’s first NIC, and plug it into an available slot on your internal LAN switch. Then move the cable that’s plugged into your server’s 2nd NIC and plug it into the 1st NIC. What we now have is that all of your workstations and server are still plugged into the switch, and the switch is connected to the router.

Alternatively, if your router has an unused additional LAN port, you could leave the cabling on your 1st NIC alone, and simply unplug the cable from the 2nd NIC and plug it into the available port on your router.

8. You are now ready to reboot your server one more time.

9. After the server comes up, be sure to review and change your Network Bindings configuration on your server. Go to My Network Places > View Network Connections, then click Advanced > Advanced Settings. Make sure your 1st NIC is listed first, and that it has the File & Printer Sharing and Client for Microsoft Networks bindings enabled. Remove those bindings for your 2nd NIC, which is now disabled.

10. If you have network devices that were assigned static internal IP addresses (such as network printers or wireless access points), you will need to go in and reconfigure DHCP and adjust your DHCP range accordingly, and then go to each network device and reconfigure their new IP address.

11. Go around and reboot each workstation or network device, and verify that they all communicate back to the server. Check IE settings to ensure that proxy settings have been turned off.

12. Check remote access (RWW, OWA, ActiveSync for cell phones), especially if you are using a self-signed SBS cert. You may need to reload the new cert on laptops and cell phones. If you are still having issues connecting remotely, check IIS on your server. It may have generated a new (second) ‘Default Web Site’. Stopping the new one, and starting up the old one will restart remote access.

13. Review and reconfigure any 3rd party software on your server to not use a proxy server. For example, with TrendMicro, you would go to Preferences > Global Settings to turn off proxy server.
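
For the proxy check in Step 11, and the Step 2 caveat that additional users on a shared workstation can keep their IE proxy settings, the following read-only report lists the per-user proxy values for every profile on a workstation. It is an added example, not part of the original procedure; it assumes PowerShell 2.0 or later is installed on the workstation and that it is run as an administrator, and the temporary key name ProxyAudit_<SID> is made up for this script.

```powershell
# Added example: report per-user IE proxy settings on one workstation (read-only).
# Assumptions: PowerShell 2.0+, run as administrator (needed to load other users' hives).
$settings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem $profiles | Where-Object { $_.PSChildName -match '^S-1-5-21-' } | ForEach-Object {
    $sid    = $_.PSChildName
    $path   = (Get-ItemProperty $_.PSPath).ProfileImagePath
    $mount  = $sid
    $loaded = Test-Path "Registry::HKEY_USERS\$sid"

    if (-not $loaded) {
        # User is not logged on: mount their NTUSER.DAT under a temporary key.
        $mount = "ProxyAudit_$sid"   # hypothetical name, removed again below
        & reg.exe load "HKU\$mount" (Join-Path $path 'NTUSER.DAT') 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $path"; return }
    }

    $p = Get-ItemProperty "Registry::HKEY_USERS\$mount\$settings" -ErrorAction SilentlyContinue

    # One row per profile; NeedsCleanup flags a proxy or script that is still configured.
    New-Object PSObject -Property @{
        Profile       = $path
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        NeedsCleanup  = [bool]($p.ProxyEnable -eq 1 -or $p.AutoConfigURL)
    }

    if (-not $loaded) {
        # Release registry handles first, otherwise reg unload is refused.
        $p = $null; [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" 2>&1 | Out-Null
    }
} | Format-Table Profile, ProxyEnable, ProxyServer, AutoConfigURL, NeedsCleanup -AutoSize
```

Any profile with NeedsCleanup set to True still points at a proxy or configuration script and should have its IE connection settings cleared for that user.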

ISA 2004 Uninstall Troubleshooting:

If you run into problems when uninstalling ISA Server 2004, don’t fear. Kevin Royalty offers the following steps:

1. Install and run Microsoft’s Windows Installer Cleanup Utility on your SBS server and then reboot your server
2. Reinstall ISA 2004 from the SBS 2003 Premium CD.
3. Note: if you used to have ISA 2000 on this server, you may get an error. You can click OK, and then NO to continue to install ISA 2004 from the SBS SP1 disk 3.
4. Reboot
5. Uninstall ISA 2004
6. You may now return to Step 3 and continue with my instructions.

Hope this helps!
