This may already be available on Usenet, but it wasn’t as of a few weeks ago when I first tried this. If you are running an ISA 2004 Enterprise Array in workgroup mode, and your Configuration Storage Server (CSS) is in a domain (you’re using SSL for the LDAP config traffic), then the SP2 install on the firewall array members themselves does not allow you to enter domain authentication credentials for talking back to the CSS (like starting the ISA management console does). If you don’t do the below, the Service Pack 2 install will fail during the ‘register modules’ portion, and then fail to roll back, leaving your firewall broken (hopefully only in your test lab). So, you need to do three things before running the ISA 2004 Enterprise SP2 install on the workgroup array:
- Install SP2 on the CSS (nothing special required here)
- Ensure there is a LOCAL account on the CSS that has the same username/password as the account you are logging onto the FW array members with (you’ll likely have to create a new local account on the CSS to match your existing admin account for the array boxes)
- Add the new CSS local account to the CSS ADAM permissions so that the new account has permissions to administer the CSS store. Do this by opening ‘ADAM adsiedit’ (localhost:2171), drilling down to CN=Configuration, CN=Roles, and opening the properties on CN=Administrators. Scroll down to ‘member’, edit it, and add the new CSS local account to the list
- Now install SP2 on the array members.
Oh, and if you find this out the hard way, by installing SP2 the wrong way and having it fail, then just do a detect and repair from Add/Remove Programs for ISA, rather than a full uninstall/reinstall.