Bump>CEICW fails during firewall config, ISA 2004

 
 
ChipW
Guest
Posts: n/a

 
      06-03-2005
Still No Luck! Uninstalled and reinstalled ISA 2004 again, from SBS SP1
Prem CD's. I only have 3 Firewall policies, 1 SBS Protected Networks Access
Rule, 2 SBS Localhost Dhcp Access Rule, Last Default rule = Deny All.

Is there any way to import the SBS Standard Firewall Policies via an XML
file, does a file exist? It seems like this wouldn't be hard to generate.
I looked at the installed XML Templates, but none of them relate to SBS
templates, just the default ISA 2004 templates. I can't understand why MS
wouldn't include an SBS specific template on disc 3. I feel like if I could
get the default policies loaded into ISA, the CEICW would work just fine.

My only other thought is to uninstall ISA2004, reinstall ISA2000, then
install ISA2004 over top like would be a normal upgrade for SBS SP1. My
only concern would be running CEICW (Post SP1) with ISA2000. Would that be
necessary to configure ISA2000 properly before reinstalling ISA 2004?

I need to get this going by Sunday as I will be going out of town for a week
and need access to the server from the road.

Any help from MS Tech's here????

Thanks
Chip

Below from previous thread...

Mariette, here are the errors, Looks like the ISA rules just aren't there,
and would work if I can just get them reloaded into ISA.

6/2/2005 2:11 AM
Firewall Rule: SBS DHCP Client
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS HTTP 80 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 20 In CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 20 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS POP3 110 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS NTP 123 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS DnsLookupPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS IcmpPingQueryPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS IdentdPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS TS 3389 In CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS TS 3389 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS PptpReceivePredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS PptpCallPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 21 In CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS FTP 21 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS SMTP 25 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS SmtpPredefinedType
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS NNTP 119 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS Remote Web Workplace CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: SBS NTP 123 Out CustomFilter
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business RPC over HTTP Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Business Card Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business CompanyWeb Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business TSWEB Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business RUP Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Monitoring Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business OMA Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business OWA Web Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Web Publishing Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server All Users Protocol Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Internet Access Protocol Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Internet Access Protocol Rule 2
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server Internet Access Site and Content Rule
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server Internet Access Site and Content Rule 2
Cannot find the firewall rule, ignoring the error
Firewall Rule: Small Business Server All Users Site and Content Rule
Cannot find the firewall rule, ignoring the error

Thanks
Chip

"Mariette Knap [SBS MVP]" <> wrote in message
news:%...
> In news:%,
> ChipW <> wrote:
>
>> OK, so I took the plunge and installed SBS SP1 last night (in
>> hindsight I should have waited for weekend), all went well until
>> upgrading from ISA 2000 to ISA 2004, had to turn off IIS Admin. The
>> CEICW wizard failed during the firewall configuration section. I
>> reread Mariette's et. al. guide (Thanks for all your efforts guys),
>> ah I thought ISA rule 22, deleted it, along with a couple others I
>> thought I didn't need/want anymore.... firewall config still fails. I
>> had Inet connection, even with ISA2K Clients. Hmmm. BTW I had a
>> screenful of firewall policies in ISA. Not leaving well enough alone,
>> I ran an ISA 2004 repair thinking maybe I deleted a policy I shouldn't
>> have. I reran CEICW, firewall config still failed, and now only half
>> a screen of policies. So I try another tack and ran CEICW and turned
>> off firewall (still fails) then run CEICW again to turn it back on,
>> still fails. A quick look at ISA now only shows 3 policies. Now I'm
>> thinking I really screwed things up. I uninstalled ISA 2004 and
>> reinstalled, thinking that would put things back to default, but
>> no...still only 3 policies and no Inet with ISA 2004 clients now
>> installed. I had to manually change ISA policy to allow access to
>> Inet. Any changes in CEICW for publishing services (VPN, OWA, RDP,
>> etc.) don't change after running wizard. Rerunning CEICW now blocks
>> Inet access until I manually allow it again. So that's where I'm at,
>> and what I've done (right or wrong) I just don't know what to try
>> next. I'm just looking for a default, secure installation of ISA 2004
>> and have external access to RWW, OWA, Outlook RPC, etc.

>
> Can you post the last run of the icwlog.txt? Please, post only the part
> with the errors in it.
>
> --
> Mariėtte Knap
> Microsoft SBS-MVP
> One of the Magical M&M's
> www.smallbizserver.net
> Take part in SBS forum:
> http://www.smallbizserver.net/Default.aspx?tabid=53



 
 
 
 
 
Mariette Knap [SBS MVP]
Guest
Posts: n/a

 
      06-04-2005
In news:,
ChipW <> wrote:

> Mariette, here are the errors, Looks like the ISA rules just aren't
> there, and would work if I can just get them reloaded into ISA.


Contact Microsoft PSS. I don't have an answer to this and have never seen
this before. You do have both Nics enabled in your server, do you?

--
Mariėtte Knap
Microsoft SBS-MVP
One of the Magical M&M's
www.smallbizserver.net
Take part in SBS forum:
http://www.smallbizserver.net/Default.aspx?tabid=53


 
 
ChipW
Guest
Posts: n/a

 
      06-04-2005
Sure do, and CEICW & ISA sees them both. I also found what I perceive as a
bug in CD3. I tried importing an ISA2004 template, but it fails saying the
template is for the ISA Enterprise Edition and can't be imported into the
Standard Edition.

Thanks for your efforts
Chip

"Mariette Knap [SBS MVP]" <> wrote in message
news:%...
> In news:,
> ChipW <> wrote:
>
>> Mariette, here are the errors, Looks like the ISA rules just aren't
>> there, and would work if I can just get them reloaded into ISA.

>
> Contact Microsoft PSS. I don't have an answer to this and have never seen
> this before. You do have both Nics enabled in your server, do you?
>
> --
> Mariėtte Knap
> Microsoft SBS-MVP
> One of the Magical M&M's
> www.smallbizserver.net
> Take part in SBS forum:
> http://www.smallbizserver.net/Default.aspx?tabid=53
>



 
 
Susan Bradley
Guest
Posts: n/a

 
      06-04-2005
We only have ISA standard, so if a template is for Enterprise, it indeed
won't work.

Just run the wizard and don't import a template.

ChipW wrote:
> Sure do, and CEICW & ISA sees them both. I also found what I perceive as a
> bug in CD3. I tried importing an ISA2004 template, but it fails saying the
> template is for the ISA Enterprise Edition and can't be imported into the
> Standard Edition.
>
> Thanks for your efforts
> Chip
>
> "Mariette Knap [SBS MVP]" <> wrote in message
> news:%...
>
>>In news:,
>>ChipW <> wrote:
>>
>>
>>>Mariette, here are the errors, Looks like the ISA rules just aren't
>>>there, and would work if I can just get them reloaded into ISA.

>>
>>Contact Microsoft PSS. I don't have an answer to this and have never seen
>>this before. You do have both Nics enabled in your server, do you?
>>
>>--
>>Mariėtte Knap
>>Microsoft SBS-MVP
>>One of the Magical M&M's
>>www.smallbizserver.net
>>Take part in SBS forum:
>>http://www.smallbizserver.net/Default.aspx?tabid=53
>>

>
>
>

 
 
ChipW
Guest
Posts: n/a

 
      06-04-2005
Susan, I know we only have standard, that's why I think there is a problem
with the CD, the templates provided on, at least my CD3, seem to be for EE
and are obviously of no value to an SBSer with ISA 2004 Standard. Could
someone confirm that their CD3 has the EE templates, just start the import
wizard, I think mine failed on the second screen, click details on error
window, mine says the template is for Enterprise Edition and can't be
imported. If anyone has a default set of SBS policies that they could
export and send to me I would be most grateful!!! Short of that I think
I'll be on the phone with PSS all day going over this whole episode all over
again.

I have run and run the CEICW and it fails during the firewall configuration,
reading the error log it fails because ISA is missing the SBS specific
policies, that's how I got started looking into importing. Wouldn't it have
made sense to include an SBS Specific template on CD3 for a problem scenario
like I seem to be experiencing? I have uninstalled and reinstalled ISA 2004
several times hoping to get default policies, with zero luck.

Thanks
Chip

"Susan Bradley" <> wrote in message
news:...
> We only have ISA standard, so if a template is for Enterprise, it indeed
> won't work.
>
> Just run the wizard and don't import a template.
>
> ChipW wrote:
>> Sure do, and CEICW & ISA sees them both. I also found what I perceive as
>> a bug in CD3. I tried importing an ISA2004 template, but it fails saying
>> the template is for the ISA Enterprise Edition and can't be imported into
>> the Standard Edition.
>>
>> Thanks for your efforts
>> Chip
>>
>> "Mariette Knap [SBS MVP]" <> wrote in
>> message news:%...
>>
>>>In news:,
>>>ChipW <> wrote:
>>>
>>>
>>>>Mariette, here are the errors, Looks like the ISA rules just aren't
>>>>there, and would work if I can just get them reloaded into ISA.
>>>
>>>Contact Microsoft PSS. I don't have an answer to this and have never seen
>>>this before. You do have both Nics enabled in your server, do you?
>>>
>>>--
>>>Mariėtte Knap
>>>Microsoft SBS-MVP
>>>One of the Magical M&M's
>>>www.smallbizserver.net
>>>Take part in SBS forum:
>>>http://www.smallbizserver.net/Default.aspx?tabid=53
>>>

>>
>>


 
 
ChipW
Guest
Posts: n/a

 
      06-27-2005
Based on our last conversation, the resolution to your issue as agreed upon
is

CAUSE:

Front Page is used to create custom websites.

It adds the following section to the metabase.xml file:

<Custom
    Name="IPSecurity"
    ID="6019"
    Value=""
    Type="BINARY"
    UserType="IIS_MD_UT_FILE"
    Attributes="INHERIT | REFERENCE"
/>

The format of this section causes the CEICW to fail.

RESOLUTION:

Open the Internet Services Management snap-in.

Open the properties of the custom web site virtual directory and go to the
Directory Security tab. (you may also do this on the default web site if
they have several custom virtual directories underneath the Default Web
Site).

Go to the IP Address and Domain Name Restrictions setting and change the
setting. (Just do the opposite of what is set). If currently set to grant
all, change it to deny all except for the local IP and subnet mask of the
server.

Select all to apply the change to all sub webs.

Select all again to apply the change all the way down.

Running the CEICW now should be successful.

Based on your input, it will reset the IP and domain name restrictions
accordingly.

Confirm that the IP and domain name restrictions are back to where they
should be
 
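Added example, not part of any post in this thread and not a Microsoft tool: the Python below scans a copy of metabase.xml for the <Custom Name="IPSecurity" ID="6019"> entry quoted in the resolution above and reports the Location of the key that holds it, so you know which sites and virtual directories to open on the Directory Security tab and can compare copies taken before and after the CEICW run. The wrapper elements, the Location attribute, the namespace and the sample paths are assumptions about the file layout, and the sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the <Custom .../> element comes from the thread; the
# namespace, wrapper elements and Location paths are assumptions for illustration.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:example:constructed-namespace">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/custom">
    <Custom
        Name="IPSecurity"
        ID="6019"
        Value=""
        Type="BINARY"
        UserType="IIS_MD_UT_FILE"
        Attributes="INHERIT | REFERENCE"
    />
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/other">
    <Custom Name="SomethingElse" ID="9999" Value="x" Type="STRING"/>
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""


def local_name(tag):
    """Strip an XML namespace prefix such as '{urn:...}Custom' -> 'Custom'."""
    return tag.rsplit("}", 1)[-1]


def find_ipsecurity_entries(xml_text):
    """Return one dict per <Custom> entry named IPSecurity or carrying ID 6019."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for elem in root.iter():
        if local_name(elem.tag) != "Custom":
            continue
        if elem.get("Name") != "IPSecurity" and elem.get("ID") != "6019":
            continue
        parent = parent_of.get(elem)
        flags = [f.strip() for f in elem.get("Attributes", "").split("|")]
        hits.append({
            "location": parent.get("Location", "<no Location>") if parent is not None else "<root>",
            "type": elem.get("Type"),
            "attributes": [f for f in flags if f],
            "value_empty": elem.get("Value", "") == "",
        })
    return hits


def compare_runs(before_xml, after_xml):
    """Compare two copies of the file, e.g. taken before and after running the CEICW."""
    before = {h["location"] for h in find_ipsecurity_entries(before_xml)}
    after = {h["location"] for h in find_ipsecurity_entries(after_xml)}
    return {
        "cleared": sorted(before - after),
        "still_present": sorted(before & after),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    for hit in find_ipsecurity_entries(SAMPLE_METABASE):
        print(hit)
```

Run it against a copy of the file rather than the live metabase, and treat the output only as a list of places to check in the IIS snap-in.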