One of the greatest mysteries facing mankind in the 21st century is ISA firewall policy storage.
Yes, we knew Standard Edition policy was stored only in the local Registry and Enterprise Edition stored policy in the CSS and copied it to the local Registry -- but that was about all we knew. Sure, we could play around with some scripts and "make things happen", but did we really know what was going on "under the hood"? No.
Jim Harrison has come out with an article on some of the basics of ISA firewall policy storage. Jim and the team come up with some interesting and useful conclusions:
- ISA Standard Edition has only one policy storage, so if policy storage updates or initial load fails, it cannot function.
- ISA Enterprise Edition can still perform as a firewall/proxy using the last known good policy in the registry even if CSS is not available. Only if this system-local copy fails to initialize properly will the firewall service enter lockdown for policy load failure
- You cannot reverse-engineer the registry-based Enterprise Edition policies to CSS-format storage
- In a disaster recovery situation, you cannot export the registry keys and import in a new system as an attempt to recreate the firewall policies.
- If you deploy a single CSS for your Enterprise firewall solution, you’re risking a complete Enterprise rebuild when (not if) that CSS fails. (bold highlight mine)
- If you use any method besides ISA Export / Import for disaster recovery, you risk losing data
For the details, check out:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)