

ISA Server and Windows Server 2003 Service Pack 2

Microsoft recently released Service Pack (SP) 2 for Windows Server 2003 (http://www.microsoft.com/technet/windowsserver/sp2.mspx). We tested ISA Server with the Windows service pack quite extensively. Unfortunately, after the release of the Windows service pack we discovered several issues that can adversely affect ISA Server. This post summarizes the currently known issues and suggests how to mitigate them.

1. If you run ISA Server 2004 Enterprise Edition, with or without ISA Server SP2, you must install ADAM SP1 on the ISA Server Configuration Storage Server before installing Windows Server 2003 SP2. ADAM SP1 can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en.
If you install Windows Server 2003 SP2 without first installing ADAM SP1, ISA Server will not start after the installation, and you will have to uninstall Windows Server 2003 SP2. Further information is available in the Windows Server 2003 SP2 release notes, at http://technet2.microsoft.com/WindowsServer/en/library/ed5382af-e819-4d33-ace0-225d31b7ab751033.mspx?mfr=true.

2. If you run ISA Server 2000, 2004 or 2006 Standard or Enterprise editions on a multi-core / multi-processor 32-bit computer, and the CPU is heavily utilized, you might experience performance degradation in certain deployment scenarios after installing Windows Server 2003 SP2. The issue stems from a change in interrupt handling introduced in SP2.
To correct the issue you must download and run the Interrupt Affinity Tool (intfiltr), available in the Windows Server 2003 Resource Kit (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en).
You can read about installing and using intfiltr.exe at http://support.microsoft.com/kb/252867.

3. If your network adaptors (NICs) support receive-side scaling (RSS), then in certain NAT scenarios ISA Server 2000, 2004 or 2006 Standard or Enterprise editions might not transfer packets from one NIC to the other after installation of Windows Server 2003 SP2.
To correct the issue you must disable RSS support; follow the instructions in http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695.

 

Neta Amit

Program manager

ISA Server Sustained Engineering Team

Comments

  • Anonymous
    January 01, 2003
    ISA Server 2004 Rather inconspicuously, and in defiance of Labour Day, Microsoft has released

  • Anonymous
    January 01, 2003
    Has this been resolved with Windows 2003 SP2 and ISA 2006?  I’m still putting off installing SP2 after hearing about this.

  • Anonymous
    January 01, 2003
    Hi, Any Update on this issue? Thanks, Jake

  • Anonymous
    January 01, 2003
    Many have wondered about where I've been and what I've been doing not keeping up on this blog. Well,...

  • Anonymous
    January 01, 2003
    ISA Server 2006, Windows 2003 R2 w/ SP2. I disabled RSS Support via the registry and through the NIC settings.  Pretty much everything is back to normal, except I noticed that I'm still unable to RDP to the ISA externally.  It's a lab network so it's not really a big deal, but I'd like it to work.  RDP is published using a non-default port, and my machine is allowed... Thanks for any guidance

  • Anonymous
    January 01, 2003
    Anybody know why the ISA 2006 FW policy screen is blank in Vista using the MMC?

  • Anonymous
    January 01, 2003
    1. Run ISA Server 2004 Enterprise Edition on Windows 2003 RTM/SP1? Make sure to install ADAM SP1 on the ISA Server Configuration Storage Server before installing Windows 2003 SP2. 2. If you run ISA Server on a multi-core / multi-processor 32-b

  • Anonymous
    January 01, 2003
    Thanks for the info, little bit disappointed/angry, but I don't mind doing such steps. However, I am having difficulties in uninstalling the W2K3 SP2 on my ISA 2004, saying "The system cannot find file specified"  "SP2 was not uninstalled." Any help Thanks

  • Anonymous
    January 01, 2003
    Windows Server 2003 SP2 has now been available for a few days. In the meantime, a number of problems have also been

  • Anonymous
    January 01, 2003
    If you are having specific issues with Service Pack 2, or trouble with any other ISA Server configuration issues, you may want to post to the ISA Server (Forefront Edge) forums at http://forums.microsoft.com/ForeFront/default.aspx?ForumGroupID=384&SiteID=41. These forums are monitored by other ISA Server users and by the ISA Server Development Team.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Longhorn Beta3 review As is the good custom at SuperSite, the Longhorn review was not long in coming and is quite extensive. I recommend reading Paul Thurrott's SuperSite for Windows- Wind ...

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    I think this blog entry misses the most important point, and that is that this is not a secure configuration because the partitioning of the VMs from each other, and the host OS, is not secure. Firewalls should never be put on VMs except for testing and "honeypot" deployments. videoconverter.org

  • Anonymous
    March 28, 2007
    Why cannot I generate a report any more? ISA 2006 Standard on a fresh R2 server. It seems it's related to IE7, isn't it?

  • Anonymous
    March 30, 2007
    The comment has been removed

  • Anonymous
    March 30, 2007
    I am also unable to generate a report any more in ISA 2006 Standard with a fresh R2 server...

  • Anonymous
    April 01, 2007
    Like Phillip Windell, I made a clean install of 2003 (not R2) with SP2 and then installed ISA2006. I have a lot of problems with the HTML authentication form for OWA, or other published websites, and also much trouble with RPC over HTTPS. It doesn't run anywhere. After I uninstalled ISA2006 and SP2 and reinstalled ISA2006, all publishing items are running fine. Is it a bug?

  • Anonymous
    April 03, 2007
    On a Dell PowerEdge 1950 server with Windows 2003 R2 and ISA 2006 Standard, I installed the Windows 2003 SP2. All computers in my network were using secure NAT to connect to internet through ISA. Now it is impossible, I can only connect using proxy client (I did not test the firewall client). The NIC on this server is a BroadCom NetExtreme  II with the latest driver. I disabled the RSS but still having problem with secure NAT connections. Any idea about this?

  • Anonymous
    April 06, 2007
    Somewhat better but will be tested more to make a hard decision.

  • Anonymous
    April 09, 2007
    Are there any fixes for these problems yet?  I planned on implementing ISA 2004 for a client.  The machine was already prepared with Windows 2003 R2 and SP2.  Should I re-install without SP2 before installing ISA?

  • Anonymous
    April 13, 2007
    The comment has been removed

  • Anonymous
    April 16, 2007
    I posted on the Forefront Edge forums a question about ISA 2004 and WSUS.

  • Anonymous
    April 18, 2007
    The comment has been removed

  • Anonymous
    April 20, 2007
    The comment has been removed

  • Anonymous
    April 20, 2007
    I guess I would be one who is at least a little upset. But I am not upset because it messed up anything of mine, it has not. But it is preventing me from upgrading to ISA2006 because I am moving to new hardware at the same time and wish to do a clean install without having to follow up with over 100 patches for Server 2003 SP1.  Regardless of who is upset or why they are upset, the problems need to be nailed down, verified, and fixed so that those of us who are waiting can get on with the projects that are being held up by these problems. At this point I have not really even seen a real acknowledgement of any ISA-Std problems, which is what I ran into. All I see is talk of ISA-Ent right now. I would at least feel like we were moving forward if someone just simply said,  "Yes, there are problems with SP2 and ISA-std also,...here is what they are, <blah, blah>,..and we are working on it."  At that point I would happily, quietly, and patiently wait for news of what needed to be done to solve it.

  • Anonymous
    April 24, 2007
    The comment has been removed

  • Anonymous
    May 05, 2007
    Thanks for the links to the bug fixes and the good info on this website.  

  • Anonymous
    May 10, 2007
    The comment has been removed

  • Anonymous
    May 11, 2007
    Microsoft should be testing service packs at least in the basic of environments. Like a fresh install of an operating system with every different microsoft application to make sure it works.  Not everyone has the money or time (or space in some cases) to spend on lengthy test lab projects.  On a fresh install of Windows 2003 server R2 with all updates, and after installing ISA Server 2006 with default template for edge network and unlimited internet access, SecureNAT does not work. This is on a multi-core multi-processor server.

  • Anonymous
    May 25, 2007
    So, what about a Windows 2003 installation like this below: Imagine this scenario, you have: Windows 2003 R2 SP1 + ISA 2004 STD SP2. At first, installing ISA 2004 SP3: Win2003 R2sp1 + ISA2004SP3. Next, install WIN2003 SP2. Finally, we will have: WIN2003 R2 SP2 + ISA2004 SP3. Does anyone try to install like this? Thanks, Angelo

  • Anonymous
    May 31, 2007
    The comment has been removed

  • Anonymous
    May 31, 2007
    The comment has been removed

  • Anonymous
    June 05, 2007
    The comment has been removed

  • Anonymous
    June 07, 2007
    By the way, I use an extended subnet of 10.0.0.0/23. Try setting up the servers on the 10.0.0 portion of the subnet, and the workstations on the 10.0.1 portion. The servers will be able to securenat, but not the workstations.

  • Anonymous
    June 18, 2007
    The comment has been removed

  • Anonymous
    June 25, 2007
    Why isn't there a SP for ISA2006 available yet......ran into a lot of problems with SP2 which was slipstreamed in a MS distributed release ......after hours of googling we found this site.....amazing......get up to date MS!!!!!

  • Anonymous
    July 02, 2007
    So, is there going to be a fix!!!???

  • Anonymous
    July 06, 2007
    After installation of Windows Server 2003 Service Pack 2, connection to Outlook is not working. No solution found on the Internet

  • Anonymous
    July 06, 2007
    The comment has been removed

  • Anonymous
    July 10, 2007
    I had a huge problem yesterday when ISA 2004 SP3 failed to install properly on a Windows Server 2003 Standard server running Windows SP2, it didn't roll back properly and wouldn't allow any users to log in to the network or have internet access. If you're a reseller, open a business critical support incident with Microsoft and get an ISA engineer. I had to do the fix in the registry with the RSS stuff on the NICs and then re-register a DLL or two. Here are the steps the engineer gave to me after completing the RSS fixes listed above:

    A. Start | Run
    B. Type "cmd" <Enter>
    C. Run the following commands:

      1. cd /d "%programfiles%\Microsoft ISA Server" (use the quotes)
      2. regsvr32 wspadmin.dll
      3. md VPNNetsh
      4. net start fwsrv

    This worked for me.

  • Anonymous
    July 14, 2007
    I made the fatal mistake of allowing auto updates to install Win2k3 SP2 on my home server running as a domain controller with ISA 2004 SP3 using Realtek 8139 network cards and I have no access to any of my network shares. I followed all the instructions for disabling the offloading and RSS entries in the registry and ran the MS RSS fix update, updated my adapter drivers with what I could find on Realtek's site, installed the ADAM patch after uninstalling Win2k3 SP2, rechecked all the registry entries and still no joy. Now even if I uninstall SP2 I still have no access to my shares. Lucky this is just my home network. I have come to the end of options and still I cannot restore my network to the functionality I had before. I agree with posts earlier about frustration about how a SP can be released as an auto-update to systems that may not comply with the requirements to not suddenly break normal client access to common resources. If I had allowed this at work I would be in a power of trouble right now because I would have an organization that couldn't access what it needed to function normally and I would have no answer to resolve it. Now what do I do?

  • Anonymous
    July 15, 2007
    OMG it worked! I uninstalled SP2, made sure the latest drivers from Realtek were installed,  installed ADAM SP1 update, reinstalled Win2k3 SP2, ran the RSS patch and changed the registry entries as per a number of the instructions from MS and other blogs, restarted Win2k3 a number of times through the process and I now have network access to my shared folders again. Wiped the brow and let out a sigh of relief! Seems the essential part is installing ADAM SP1 before installing win2k3 SP2 then all the registry changes seem to work where they didn't before.

  • Anonymous
    July 28, 2007
    The comment has been removed

  • Anonymous
    July 30, 2007
    The comment has been removed

  • Anonymous
    August 04, 2007
    Hello. I found that problems related to Windows 2003 SP2 and ISA 2004 are related to RPC and web proxy filters. Check these links. They are not pointing to Windows 2003 Server SP2, but following the recommendations about RPC and Web Proxy got my server back to functioning again. I hope this helps.
    http://www.microsoft.com/technet/isa/2004/plan/ts_proxy_traffic.mspx#localhost
    http://support.microsoft.com/kb/887222

  • Anonymous
    August 15, 2007
    Is it (still) recommended not to install SP2 on a Windows 2003 std Server if you are going to have it as an ISA 2006 server?

  • Anonymous
    August 17, 2007
    Hi, I have the same problem. I just got a new DELL PowerEdge 1950 and I installed Windows 2003 R2 SP2 and ISA Server 2006, and I am not able to establish a VPN using L2TP using the ISA as a VPN server, and also every so often the outside interface (internet) loses connectivity. I installed the latest drivers and disabled the RSS and TCPA in regedit, but it still does not work. Any idea? Peter

  • Anonymous
    August 27, 2007
    When I publish rules of protocols, type 443, 21, 3389 non-Web server. So that it always appears to me he himself error, [enterprise] default rule. and with SP1 if it works

  • Anonymous
    August 28, 2007
    uninstalling ISA and its resources

  • Anonymous
    September 09, 2007
    I have ISA server 2006 in windows server 2003. My user on the network cannot use outlook, but my server can. they have access to the web through proxy settings.

  • Anonymous
    September 18, 2007
    Windows SP2 and ISA 2004 SP3. Access from clients (firewall client installed) to FTP sites (login required) was working fine before the application of Windows 2003 SP2 and now it is not working even after application of above RSS patch. Any more ideas?  Did you test this? FTP access from the server is fine and FTP "read-only" is unticked for all.

  • Anonymous
    October 04, 2007
    What an article!! Thank you so much for this...I have been literally tearing my hair out over adding a second ISA server to an existing array for the last two days. Being the good boy I am, it seems that TCPChimney among other things was preventing the second ISA server joining the array. Changed the 3 keys from 1 to zero, reboot and the second array member joins without a hitch! NT4 used to be a swine with even number service packs.....

  • Anonymous
    November 04, 2007
    My ISA 2006 was running OK, but the report on my ISA cannot generate a graph. It still generates the report, but nothing... just blank without a chart. My ISA 2006 is running on Windows Server 2003 R2 SP 1

  • Anonymous
    April 04, 2011
    Where can I download ISA 2003 from?