ISA CSS and Arrays in a Nutshell

There still seems to be some confusion about what an ISA array is; I still see very basic questions about ISA arrays and the CSS. First, ISA arrays have been around since ISA Server 2000 Enterprise Edition (where the array configuration was stored in Active Directory itself), but the CSS was new with ISA Server 2004 Enterprise Edition.

The Configuration Storage Server (CSS) is where the configuration for the enterprise is stored, in an Active Directory Application Mode (ADAM) database instance. One CSS can support multiple arrays. There should be only one authoritative CSS, although it can have many replica CSS systems; every array member should point at the same CSS so that changes made on systems pointing at separate CSS systems cannot overwrite one another. The CSS has no real function other than storing the configuration (rules, network objects, rule objects, etc.) in the ADAM instance. That data can be viewed with ADAM ADSI Edit or LDP.EXE by connecting to the naming context over TCP port 2171 (TCP 2172 when the connection uses SSL), and updates and changes to the CSS are made using LDAP over that same port, so treat reachability of those ports and membership in the enterprise and array administrator roles as security-relevant. Whenever you make a change on the ISA server, it is written to the CSS; each node in the array then synchronizes and applies the updated configuration. The downloaded configuration is stored in the local system's registry, and a mismatch between the local registry settings and the CSS is what triggers a synchronization.
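To see what the CSS actually exposes over that port, here is an added PowerShell example (not code from the original post or from Microsoft): it checks TCP reachability of the CSS, binds to the ADAM instance with Windows authentication, reads rootDSE to discover the naming contexts, and lists the top-level containers of each partition other than ADAM's own schema and configuration partitions. The host name css01.corp.example, the use of 2171 for LDAP and 2172 for LDAP over SSL, and the assumption that the account running the script has read access to the ADAM instance are placeholders and assumptions.

```powershell
# Added example, not part of the original post. Inspects an ISA CSS (ADAM instance)
# over LDAP the same way ADAM ADSI Edit or LDP.EXE would.
# Assumptions: $CssServer is a placeholder host name; the caller's Windows account
# can read the ADAM instance; TCP 2171 is plain LDAP and TCP 2172 is LDAP over SSL.
param(
    [string]$CssServer = "css01.corp.example",
    [int]$Port = 2171,
    [switch]$UseSsl          # pair with -Port 2172
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-TcpPort {
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}

function Connect-Css {
    param([string]$Server, [int]$Port, [bool]$Ssl)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $Ssl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # Kerberos/NTLM
    $conn.Bind()   # binds as the current Windows account
    return $conn
}

function Get-NamingContexts {
    param($Connection)
    # A base-scope search on the empty DN returns rootDSE; namingContexts lists every
    # partition the instance hosts, which is where ISA keeps the enterprise configuration.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $null
    $req.Filter = "(objectClass=*)"
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$req.Attributes.Add("namingContexts")
    $resp = $Connection.SendRequest($req)
    return $resp.Entries[0].Attributes["namingContexts"].GetValues([string])
}

function Get-TopLevelContainers {
    param($Connection, [string]$Context)
    # One-level search directly under the partition root: a small result set, so no paging.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $Context
    $req.Filter = "(objectClass=*)"
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
    [void]$req.Attributes.Add("objectClass")
    $resp = $Connection.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        New-Object PSObject -Property @{
            DN          = $entry.DistinguishedName
            ObjectClass = ($entry.Attributes["objectClass"].GetValues([string]) -join ",")
        }
    }
}

if (-not (Test-TcpPort -Server $CssServer -Port $Port)) {
    throw "Cannot reach $CssServer on TCP $Port; check the firewall/system policy rules between this host and the CSS."
}

$conn = Connect-Css -Server $CssServer -Port $Port -Ssl $UseSsl.IsPresent
try {
    foreach ($nc in Get-NamingContexts -Connection $conn) {
        # Skip ADAM's own schema and configuration partitions; the remaining ones hold ISA data.
        if ($nc -like "CN=Schema,*" -or $nc -like "CN=Configuration,*") { continue }
        Write-Host "Naming context: $nc"
        Get-TopLevelContainers -Connection $conn -Context $nc | Format-Table DN, ObjectClass -AutoSize
    }
}
finally {
    $conn.Dispose()
}
```

If the bind succeeds from a host that is not an array member or management station, that is itself a finding: anyone who can reach TCP 2171/2172 and hold a role on the CSS can read, and with the right role change, the whole enterprise policy.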

An array can be as small as a single ISA server but usually contains two or more. You cannot mix different versions of ISA under one enterprise CSS: a CSS can only hold arrays of its own version, so a single CSS cannot serve ISA 2004 EE, ISA 2006 EE and Threat Management Gateway (TMG) arrays together. Each version must use its own CSS version. That does not mean these versions cannot coexist in the corporate enterprise: you can have an ISA 2004 CSS supporting multiple ISA 2004 arrays for one function alongside an ISA 2006 CSS supporting one or more ISA 2006 arrays for other functions, and the same applies to TMG arrays. This scenario is quite common during migrations and rare for functional reasons, though there are exceptions, so don't blast me with every situation where you have both running in parallel.

Another gotcha is that members (or nodes) within the same array must be at the same patch level, and it is also strongly recommended (hint…hint) that the CSS be at the same patch level. For example, if an ISA 2006 array has three nodes, each node has to be at the same service pack level and have the same ISA hotfixes installed. It is not acceptable to install a hotfix for testing on one array member and leave the other two unpatched; doing so can lead to array nodes not syncing properly with the CSS and to erratic functionality. You can, however, apply a patch to one array (all members of that array) while leaving other arrays unpatched for testing purposes.
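As an added example (not from the original post), the following PowerShell script checks the patch-level rule above across an array: for each member it reads the file version of the Microsoft Firewall service binary (wspsrv.exe) over the admin share and collects the ISA entries from the Windows Uninstall registry key via remote registry, then flags any member whose combination differs from the others. The member names, the default install path under C$, and the assumption that ISA updates register in the Uninstall key with "ISA Server" in their DisplayName are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original post. Reports array members whose ISA build
# or installed ISA updates differ from the other members.
# Assumptions (placeholders): the member names; wspsrv.exe under the default install
# folder; the account running this can read C$ and the remote registry on each member;
# ISA updates appear under the Windows Uninstall key with "ISA Server" in DisplayName.
param(
    [string[]]$Members = @("isa01", "isa02", "isa03"),
    [string]$BinaryRelativePath = 'C$\Program Files\Microsoft ISA Server\wspsrv.exe'
)

function Get-IsaPatchState {
    param([string]$Computer)
    $binary = "\\$Computer\$BinaryRelativePath"
    if (-not (Test-Path $binary)) {
        throw "$binary not found; adjust -BinaryRelativePath or check share access to $Computer."
    }
    # Service packs and hotfixes bump the binary's file version, so it is a cheap build indicator.
    $version = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($binary).FileVersion

    $hive      = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $uninstall = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
    $updates   = @()
    foreach ($name in $uninstall.GetSubKeyNames()) {
        $sub     = $uninstall.OpenSubKey($name)
        $display = [string]$sub.GetValue('DisplayName')
        if ($display -like '*ISA Server*') { $updates += $display }
        $sub.Close()
    }
    $uninstall.Close(); $hive.Close()

    $sorted = @($updates | Sort-Object)
    New-Object PSObject -Property @{
        Computer    = $Computer
        FileVersion = $version
        Updates     = $sorted
        # One string per member; members with the same build and update set match exactly.
        Fingerprint = ($version + '|' + ($sorted -join ';'))
    }
}

function Compare-ArrayPatchLevel {
    param([string[]]$Computers)
    $states = @(foreach ($c in $Computers) { Get-IsaPatchState -Computer $c })
    $groups = @($states | Group-Object -Property Fingerprint)
    if ($groups.Count -eq 1) {
        Write-Host "All $($states.Count) members share build $($states[0].FileVersion) and the same ISA updates."
    } else {
        Write-Warning "Patch drift: $($groups.Count) distinct patch states in the array."
        $states | Format-Table Computer, FileVersion, @{n='Updates'; e={ $_.Updates -join '; ' }} -AutoSize
    }
    return $states
}

Compare-ArrayPatchLevel -Computers $Members | Out-Null
```

Run it before and after every hotfix rollout; a member that shows up in its own group is the one that will stop syncing cleanly with the CSS. The same check can be pointed at the CSS host when it also runs the Firewall service.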

Author

Brennan Crowe

Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team