SEP on ISA servers?

Created: 27 Jun 2009 • Updated: 21 May 2010 | 10 comments
JRV
This issue has been solved. See solution.

ISA guru Thomas Shinder advises not to run ANY SOFTWARE (including Antivirus) on an ISA firewall that wasn't specifically designed to run with ISA or you risk compromising the firewall. Makes sense. One example:

http://blogs.isaserver.org/shinder/2007/03/19/do-not-install-a-host-av-program-on-the-isa-firewall/

I'm aware that Symantec says not to use the SEP firewall component on an ISA computer (also makes sense!) and that PTP is not supported on ANY server version. So that pretty much leaves AV/AS.

Is there anything "official" (in writing) that says SEP AV/AS is specifically designed to run on an ISA firewall? In our case, our ISA firewalls are also RRAS VPN endpoints/servers, if that changes the answer.

Beppe

Hi,

in this document you can find some best practices to install SEP on an ISA Server:

www.symantec.com/business/support/endpointsecurity...

A copy of this file should be in the CD1/documentation folder as well.

Cheers,

Regards,

Giuseppe

JRV

Interesting angle; didn't think to check the SEP docs for SBS 2003.

But this ISN'T SBS 2003, with all SBS's compromises. It's a company whose needs exceeded SBS years ago, that uses ISA 2004 & 2006 on WS2003 R2 SP2. A no-compromise, dedicated firewall paid for by a company that believes it needs a no-compromise, dedicated firewall. And there's nothing in that document that specifically says SEP on ISA is a great idea.

So if this is as close as Symantec comes to endorsing SEP on ISA, my take is that it means, "Of course, one MUST have file system AV protection on a file server, and SBS is, among other things, a file server. Unfortunately, SBS 2003 Premium may also happen to have ISA on it. And if it does, then we guess it's OK to use SEP. But only because you have to use some kind of AV, and ISA's running on the same hardware, and SBS users are not likely to put their ISA firewalls on separate hardware just because they want to use SEP."

But that's not the same thing as saying, "Symantec recommends that you install SEP on your standalone ISA firewalls. We have tested SEP on ISA, and we certify full compatibility. No compromises, no exceptions...it's tested, recommended and supported."

Is there anything in any other document that says that? (Substantially, if not word-for-word.) Because if not, I'm inclined to stay with Shinder's recommendation and keep SEP off of ISA computers.

Abhishek Pradhan

@ Jeff

Since you mentioned that the ISA server also serves as your RRAS VPN servers, I'd recommend NOT TO INSTALL SEP on them for the very simple reason that I've seen SEP take down the RRAS config once it's installed.

This happens very rarely, but it does happen and I've been on the receiving end of such an incident, albeit in a test environment. Thank god I had made a backup before I installed SEP, else I'd be hung high and dry.

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Beppe

Do you remember if you installed only the AV/AS component or the NTP as well? Your answer could be useful for further investigations.

Regards,

Giuseppe

JRV

Thanks Abhishek. Losing RRAS would be a disaster, esp. since 2 of the branch offices are in distant cities with no local IT.

Abhishek Pradhan

@ Giuseppe

I'd tried first only with AV/AS and then with the NTP component as well.

I'd also handled a couple of escalations reg. this issue back in my support days, and this is a known issue with EP since MR1. The install changes the registry entries for the RRAS-required DLL files, viz. RASMAN, with Symantec entries, and that screws up everything. So our recommendation back then and even now would be to keep SAV as it is till a proper fix comes out.

I believe there is an internal KB also for this issue should it crop up. You may want to search in the KB with the following query - Kedar Mohile and RASMAN to find the relevant KB.

This is a KB with a tool to fix the issue should it crop up. Though the KB title is different, the tool works.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008010718082848

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Abhishek Pradhan

Ok. Found the previously internal KB. Looks like it's been made Public :D

Unable to start Routing and Remote Access Server (RRAS) (Event IDs: 7023, 20070, 20151, 20063) after uninstalling Symantec Antivirus/Symantec Endpoint Protection

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008020203163548

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Beppe

I duplicated a post, sorry...

Regards,

Giuseppe

Beppe

Hi,

thank you for the details. I read that you tested SEP on ISA servers with only the AV/AS component and with the AV/AS component plus the firewall.
Did you face the issue with only the AV/AS component? The KBs you cited seem related to some issues with the removal of our firewall, but installing Network Threat Protection on an ISA server is clearly advised against, as is written in the document I posted above.
Now we have to focus only on the AV/AS component.
I did not find a public document where it is written that SEP on ISA is 100,00% supported and I am not finding any document where issues between the AV component alone and the ISA server are pointed out.
This document should be useful:
Considerations when using antivirus software on ISA Server
http://technet.microsoft.com/en-us/library/cc70772...

Cheers,

Regards,

Giuseppe

SOLUTION
JRV

OK, Giuseppe, that clinches it: No SEP on ISA for this site! Glad to see MS has finally documented this. Thanks.