Archive for the 'Networking and Security' Category

ISA 2004 Enterprise SP2 install in AD/Workgroup Mode

This may already be available on Usenet, but it wasn’t as of a few weeks ago when I first tried this. If you are running an ISA 2004 Enterprise array in workgroup mode, and your Configuration Storage Server (CSS) is in a domain (so you’re using SSL for the LDAP configuration traffic), then the SP2 install on the firewall array members themselves does not let you enter domain credentials for talking back to the CSS (the way starting the ISA management console does). If you don’t do the following, the Service Pack 2 install will fail during the ‘register modules’ portion and then fail to roll back, leaving your firewall broken (hopefully only in your test lab). So you need to do three things (steps 1 to 3 below) before running ISA 2004 Enterprise SP2 on the workgroup array:

  1. Install SP2 on the CSS (nothing special required here).
  2. Ensure there is a LOCAL account on the CSS with the same username and password as the account you are logging onto the FW array members with (you’ll likely have to create a new local account on the CSS to match your existing admin account for the array boxes).
  3. Add the new CSS local account to the CSS ADAM permissions so that it has permission to administer the CSS store. Do this by opening ‘ADAM adsiedit’ (localhost:2171), drilling down to CN=Configuration, CN=Roles, and opening the properties on CN=Administrators. Scroll down to ‘member’, edit it, and add the new CSS local account to the list.
  4. Now install SP2 on the array members.
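The CSS-side preparation (steps 2 and 3 above) can be scripted and, more importantly, verified before SP2 is run on the array. The script below is an added example, not code from the original post: it creates (or re-syncs) the mirrored local account, adds it to the ADAM Administrators role, and then binds to that role as the new account to prove the permission actually took. It assumes the account name shown (hypothetical; use the name of your array admin account) and that the CSS ADAM instance listens on port 2171 as the post describes. Run it locally on the CSS as a CSS administrator.

```powershell
# Added example, not from the original post: script steps 2 and 3 on the CSS and
# verify the result before SP2 is run on the array members.
# Assumed: the account name below (hypothetical) and the ADAM port 2171 from the post.

$AccountName = 'isaarrayadmin'   # hypothetical; must match the admin account used on the array boxes
$AdamPort    = 2171
$Css         = $env:COMPUTERNAME

$secure = Read-Host -AsSecureString "Password for $AccountName (must match the array admin password)"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Step 2: create the mirrored LOCAL account on the CSS, or re-sync its password if it exists.
$computer = [ADSI]"WinNT://$Css,computer"
$user = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $AccountName }
if (-not $user) {
    $user = $computer.Create('user', $AccountName)
}
$user.SetPassword($plain)
$user.SetInfo()

# ADAM refers to a Windows principal by SID, so resolve the new account's SID.
$nt  = New-Object System.Security.Principal.NTAccount("$Css\$AccountName")
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 3: locate CN=Administrators,CN=Roles under the configuration partition.
# The partition name is instance-specific, so read it from RootDSE rather than hard-coding it.
$rootDse  = [ADSI]"LDAP://localhost:$AdamPort/RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$roleDn   = "CN=Administrators,CN=Roles,$configNc"
$role     = [ADSI]"LDAP://localhost:$AdamPort/$roleDn"

# ADAM stores a Windows principal as a foreignSecurityPrincipal whose CN is the SID,
# so test for the SID rather than for the exact string we are about to add.
$already = $role.Properties['member'] | Where-Object { $_ -like "*$sid*" }
if (-not $already) {
    $role.Properties['member'].Add("<SID=$sid>") | Out-Null   # ADAM syntax for adding a Windows principal
    $role.CommitChanges()
}

# Verification: bind to the role as the new local account (the same credentials the array
# members will present) and read it. A failure here means SP2 on the array would fail too.
$check = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${Css}:$AdamPort/$roleDn", "$Css\$AccountName", $plain,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
try {
    $check.RefreshCache()
    "OK: $Css\$AccountName can read $roleDn as a member of the Administrators role."
} catch {
    throw "Bind or read failed as $Css\$AccountName; fix the account or role before running SP2: $_"
}
```

Two notes on using this. The mirrored CSS account is a second copy of your array administrator's password and a member of the role that can rewrite the whole array configuration, so disable it (or rotate both passwords together) once SP2 is on all array members. And the verification above binds locally; to be sure the array side works, repeat the same bind from an array member against the SSL port your CSS publishes, since that is the path the SP2 installer will actually use.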

Oh, and if you find this out the hard way, by installing SP2 wrong and having it fail, then just do a detect and repair from Add/Remove Programs for ISA, rather than a full uninstall/reinstall.

Personal Information Security

Got PIS?  There are lots of subjects that would fit this title, but lately several events have led me to this post about personal financial awareness.

  • One was getting duped by a fraudulent web site into buying an electronic item before doing research to ensure the site was trustworthy.
  • The second was deciding to get a credit monitoring service, which has already been worth the $100 a year.
  • Third was finally getting MS Money to sync with my bank accounts automatically every day, and still pay bills through the bank’s bill pay service inside of Money’s interface… which got me thinking about the sheer number of transactions a family has in a single week… Realizing that if a fraudulent charge went through the typical person’s account, it could easily be days or weeks before they notice it (if ever) due to the volume of bank transactions in a month and the complexity of keeping aware of everything that is coming in and out.
  • And lastly, this news on more fallout from the Citibank PIN scandal.

These events led me to think I’ve been way too relaxed about my financial awareness.  When you live in a metro area (make a lot, spend a lot) and have a dual-income account with your partner (more coming in and out every day), you’ve got to start using every service available to you for monitoring your credit history, your accounts, and your credit cards.  I’m thinking it’s no longer sufficient just to have ‘online access’ to your bank accounts and once-a-year credit reports.

Have we solved the 802.11 security issue?

Until a year or so ago, I was heavy into the wireless provider (2.4GHz space), wireless network, and enterprise wireless security arena. I have taken a break since, yet still paid attention enough to see that WPA and WPA2 are basically everywhere.

I’m sure my employer (which currently has stayed away from wireless for client access on campus) will need to deploy it at some point, and in my initial research it seems that a modern Broadcom or Intel 11b/g card with WPA2 abilities, Windows XP SP2 w/ the WPA2 patch, and an enterprise Cisco WAP would be as secure as any… No special software or PC Cards on the client, no additional VPN requirement after WPA2 authentication…. just seamless roaming-enabled wireless LAN connectivity without all the fuss. Is this still the stance of those with their head in the sand?

Secure your Exchange incoming SMTP

Here’s a year-old paper I submitted to SANS for the GIAC GCWN Certification. It is focused on using Exchange 2003, Windows 2003, and ISA 2004 to enable email gateway security features which in the past were only available on open source solutions.

Creating a Hardened Internet SMTP Gateway on Exchange 2003

ISA Enterprise for Client VPNs

You need a new or better VPN for your Windows clients. You want it to be the industry-standard IPSec. You want it to be seamless to your Windows XP clients, and easy to roll out and administer. ISA 2004 Enterprise is the answer. Having just finished a project on this, I found some steps that seem to be missed in all the current documentation at technet.com and isaserver.org.

More details soon…