The Firewall Madness
This week I worked on an issue where ISA Server 2006 stopped answering requests and NLB on ISA Server constantly appeared with the status “Unavailable”. The odd thing about this scenario was that every time the firewall admin changed a rule on one node and forced a synchronization, the NLB status changed to “Unavailable”. I have to admit that I had seen this a couple of other times, but I didn’t want to jump to conclusions without gathering data and analyzing the results. The issue was inconsistent: sometimes it happened when performing the same operation, and sometimes it didn’t. Since I already had a feeling about what was going on, I went to the NIC properties of the ISA Server and found that there was a third-party firewall bound to the interface.
This is not good... not good at all. ISA Server is already a firewall, and FWENG is the filter driver that runs in kernel mode, intercepting the traffic and inspecting it. If you add another firewall (that also runs in kernel mode) on the same box, you should expect inconsistent results like this, because both will compete for the incoming traffic in order to analyze and inspect it.
Anyway... remember the built-in Windows Firewall that comes with Windows Server 2003? Here is what Microsoft says about it in a scenario with multiple host firewalls on the same box:
“Microsoft recommends that you disable Windows Firewall if you are already using a third-party host firewall product.”
The logic is quite simple now: this means that in the ISA Server scenario, if you install a third-party host firewall product, you probably don’t want to disable the ISA Server firewall and leave the third-party one enabled, right? :)
In this particular situation the firewall admin didn’t even know that the product he had installed was a firewall; he thought it was only an antivirus. This raises another flag: if you are going to install an antivirus on ISA, first follow the recommendations from http://technet.microsoft.com/en-us/library/cc707727.aspx and second, make sure that the product doesn’t install a firewall module on top of that; otherwise you might experience this kind of weird behavior.
To fix this specific issue we uninstalled the third-party firewall and left only the AV installed by this product.
BTW, have a great Windows 7 day!!