Remember to Use the ISA Firewall Best Practices Analyzer and Data Packager When Troubleshooting
All ISA Firewall admins will run into problems with their ISA firewalls sooner or later. There are even times when the most experienced ISA firewall admins just can't seem to pin down the problem with a particular implementation. In cases like that, you're going to need to call PSS. While most of us see it as a badge of honor to not have to call PSS, there are times when PSS knows things about the ISA firewall's internals that outsiders just don't have access to.
But when calling PSS about your ISA firewall issues, you need to make sure that you're talking to someone who knows about the ISA firewall. If you don't, you could end up in more trouble than you started out having in the first place.
Before calling PSS, you should run the ISA firewall Best Practices Analyzer on the ISA firewall. If you have installed the ISA firewall Supportability Update (http://www.microsoft.com/downloads/details.aspx?FamilyId=6F629EAC-D8C6-4437-9D20-B47B02DB413A&displaylang=en), you'll see a link in the Troubleshooting node for Use the ISA Server Best Practice Analyzer. Click that link to download and install the BPA. Better yet, don't ever click any links on the ISA firewall itself: download the BPA to a management machine, scan it, and then copy it to the ISA firewall. Download the Best Practices Analyzer at http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en
After installing the BPA, run a general purpose scan of your ISA Firewall. Then run some of the other scans available. Many times just running the ISA Firewall BPA will be enough for you to solve the problem yourself.
However, if you don't have success in solving your problem using the ISA firewall BPA, then the next step is to run the ISA Server Data Packager tool, which is the IsaDataPackager.exe application in the C:\Program Files\Microsoft IsaBPA folder.
The Data Packager allows you to collect static information and package that, and it also allows you to collect information for common scenarios, such as VPN, firewall policy, Web Publishing and others. The Data Packager will collect configuration information and then do a packet trace as you try to reproduce the problem. After you reproduce the problem you can stop the Data Packager and it will then create a .cab file that you can send to PSS.
When you call PSS, explain the problem and then tell them that you have repro'd the problem and have the .cab file to send to them. If the PSS engineer doesn't know about the .cab file, ask him to connect you to someone who knows about the ISA firewall, because all PSS staff trained in the ISA firewall are also trained in basic and advanced configuration and interpretation of the information in the Data Packager .cab file. You don't want to waste hours on the phone or worse, be told to remove the ISA firewall and "see what happens".
Thomas W Shinder, M.D.
MVP — Microsoft Firewalls (ISA)