
Thursday, July 21, 2005

ISAserver.org - July 2005 Newsletter

ISAserver.org Newsletter of July 2005
Sponsored by: Rainfinity
------------------------------------------------------------------------------
In this issue:
ISA Firewall Branch Office Updates on Tap for End of Year
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Post of the Month
ISA Firewall Links of the Month
Ask Dr. Tom

Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Download RainWall High Availability for ISA: Optimize Firewall, Internet and Content Security
Rainfinity delivers High Availability and Dynamic Load Balancing for Microsoft ISA 2004. Rainfinity's next generation high availability platform extends beyond the firewall to protect and optimize all of your network resources, including your ISP connections and content security. This is the only integrated solution for firewall and Internet connectivity that takes advantage of all nodes with load balancing and advanced failure detection. Download RainWall and RainConnect for ISA today! (http://www.rainfinity.com/products/downloads.html)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. ISA Firewall Branch Office Updates on Tap for End of Year
By Thomas W Shinder MD, MVP

Lost in the hoopla of this year's TechEd were some very cool announcements from the ISA Server 2004 product group. Given the increasing adoption of ISA firewalls in branch office deployments, the ISA firewall team has put together a collection of updates and enhancements that will make the ISA firewall an even more compelling option for branch offices that need to be connected to the main office 24x7x365.

What are the big changes ahead for the ISA firewall? Check these out:

- Support for Microsoft Update Caching
- Compression Update
- Support for Quality of Service

New Support for Microsoft Update Caching

ISA firewalls updated with the Microsoft Update caching add-on will be able to use BITS and cache updates from:

- The Microsoft Windows Update site
- The Microsoft Update site
- WSUS sites

This update to the ISA firewall will significantly reduce the bandwidth load related to updating branch office clients and servers. If you use the Microsoft Windows Update site or the Microsoft Update site, the updates requested by users or systems will be cached right on the ISA firewall. When subsequent users or systems request the same updates, they will be delivered from the ISA firewall's Web proxy filter cache, not from the Microsoft update sites themselves. This frees up tons of bandwidth that would otherwise be consumed when each user visited the Microsoft update sites to get these files.

Even more important for branch office deployments is support for caching updates from the main office WSUS servers. Right now, if you want to centralize your management of updates using WSUS, each host at the branch office has to request the updates from the WSUS server. This taxes both the branch office's site-to-site VPN connection and the main office connections servicing the site-to-site VPN.

With WSUS update caching, the branch office clients' updates are cached on the branch office ISA firewall. The site-to-site link only needs to be used to download the updates once from the main office WSUS server. After that, all updates are delivered to the branch office clients from the ISA firewall itself.

Compression Update

I'm not entirely sure what this feature will do, but here is what appears in the announcement:

=====================

Get the ability to compress content at a remote office before going over the wide area network (WAN) to improve Web page load times for users in remote offices.

- Your IT administrator will be able to specify which content will be compressed
- Specific rules for compression can be defined by network

=====================

This sounds like compression support for Web Publishing Rules at the branch office. But since most branch offices aren't going to be publishing Web sites, it's not likely that this is what they have in mind. We'll have to wait for more info to find out exactly what the deal is here.

Support for Quality of Service

While I can't say I'm sad to see ISA Server 2000 fade away into the sunset, one of the things we all miss the most about ISA Server 2000 is the bandwidth control feature. Well, almost one of the things we miss the most. The bandwidth control feature was really nice when it worked, but I never saw an ISA Server 2000 firewall installation where the bandwidth rules kept working for more than a couple of months. What we were really looking forward to was a fixed version of the ISA bandwidth control feature in the new ISA firewall.

It didn't happen, but that doesn't mean that people don't ask about bandwidth control support every day. The good news is that branch office updates due out later this year will add some bandwidth control to ISA firewalls.

The new bandwidth control support will allow you to:

- Specify URLs that should have the highest priority. You can identify high-priority sites and give those sites preferential bandwidth over other sites being accessed through the ISA firewall. This will work for both HTTP and HTTPS (SSL)
- Bandwidth priorities can be applied to published Web servers (this is how I interpret the current announcement)

I'm really looking forward to this feature, because it'll give us some bandwidth control again. While it appears that bandwidth control support is only for Web proxy filter-mediated traffic (I'm guessing this because it only applies to HTTP and HTTPS traffic), it's better than what we have now.

Something I'm really curious about is how the bandwidth controls placed on Web connections will interact with non-Web connections. Maybe they will implement a Web proxy filter bandwidth pool and non-Web proxy filter pool, and then you allocate Web proxy filter connections a percentage or priority of the bandwidth dedicated to the Web proxy pool. Or perhaps they will have a Web proxy filter and non-Web proxy filter prioritization, and then within the pool allocated to the Web proxy filter will be a second prioritization process for the Web proxy mediated connections.

Time will tell! -Tom Shinder

=======================

Quote of the Month - "When you see a fork in the road, take it" -- Jim Harrison

=======================

------------------------------------------------------------------------------

2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder now present their next ISA Server book, Configuring ISA Server 2004. This book leverages the more than two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and share the Good, the Great, the Bad and the Ugly of ISA Server 2004 in their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today: http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

Troubleshooting IPSec Tunnel Mode Scenarios
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html

Redirecting OWA Users to the Correct Directories and Protocols (Part 1) v.1.1
http://www.isaserver.org/tutorials/Redirecting-OWA-Users-Part1.html

How to Record URL and User Information in ISA 2004 Firewall Logs and Reports
http://www.isaserver.org/tutorials/2004recorduserinfo.html

ISA Firewall Best Practices, Tips and Tricks (Part 1)
http://www.isaserver.org/tutorials/2004bestpractices-p1.html

Enabling DHCP Relay for DMZ Segments
http://www.isaserver.org/tutorials/2004dhcprelaydmz.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

You experience problems when you access the Windows Update Version 5 or Version 6 Web site through a server that is running ISA Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;885819

You experience slow Web browsing performance on internal client computers that use Internet Security and Acceleration Server to manage Web requests
http://support.microsoft.com/default.aspx?scid=kb;en-us;839510

The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;838364

How to create a detailed firewall policy report for any firewall policy in Internet Security and Acceleration Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;841663

RPC data may be blocked, and Outlook may not start in Windows Server 2003 with SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;897716

Programs and services on a Firewall Client computer may not be able to access remote resources in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;888642

FIX: You cannot use a different SSL certificate for each array member in an ISA Server 2004, Enterprise Edition-based array
http://support.microsoft.com/default.aspx?scid=kb;en-us;898066

You receive a "Setup failed while registering Wspadmin.dll" error message when you try to install ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;884494

------------------------------------------------------------------------------
5. Post of the Month

ISAServer.org member Number51 shares a method he's used to allow inbound NetMeeting connections through an ISA firewall:

Been reading lots of articles and such on how to achieve this. The actual, simple details are very difficult to find. Here is what I had to do to get it working, step by step. Take note, some of the things I list here may not impact my goal, but I did it and the inbound NetMeeting works!
Pc.1, my ISA Server 2004 Internet gateway/firewall, DHCP server, DNS forwarder
internal IP=192.168.1.2

Pc.2, secondary server with ISA Server 2000 H.323 gatekeeper and manager ONLY, no other ISA 2000 components.
internal IP=192.168.1.10

DNS Manager on Pc.1

Added a "New Other Record" to my "Forward Lookup Zone".
- Resource record: SRV
- Service: Q931
- Protocol: _tcp
- Priority: 0
- Weight: 0
- Port Number: 1720
- Host offering this service: 192.168.1.10
- Delete this record when it becomes stale: No
- Time to live: 0:1:0:0

ISA Server 2004 Manager on Pc.1

Configuration, Add-ins, H.323 Filter.
- Enable this filter: Yes
- Use this gatekeeper: 192.168.1.10 (Pc.2)
- Use DNS gatekeeper lookup and LRQs for alias resolution: Yes
- Allow audio: No
- Allow video: No
- Allow T120 and application sharing: Yes
- Networks: External, Internal

New "Protocol"
- Name: H.225
- Protocol Type: UDP, Direction: Send Receive, Port range From: 1718, Port range To: 1719

New "Protocol"
- Name: H.323
- Protocol Type: TCP, Direction: Inbound, Port range From: 1503, Port range To: 1503
- Protocol Type: TCP, Direction: Inbound, Port range From: 1720, Port range To: 1720
- Protocol Type: TCP, Direction: Inbound, Port range From: 389, Port range To: 389
- Application Filters: H.323 Filter

New "Access Rule"
- Name: H.225
- Enabled: Yes
- Action to take: Allow
- Protocol: H.225
- From: Local Host
- To: 192.168.1.10 (Pc.2)
- Users: All Users
- Schedule: Always
- Content Types: All Content Types

New "Server Publishing Rule"
- Name: H.323
- Enabled: Yes
- Action to take: Allow
- Protocol: H.323
- From: Anywhere
- To: 192.168.1.10 (Pc.2)
- Requests appear to come from the ISA Server computer: Yes
- Networks: External (with the external interface specified)
- Schedule: Always

H.323 Gatekeeper Manager on Pc.2

Properties of local Gatekeeper:
- Network: 192.168.1.10 (the only one anyways)
- Registration Expiration time: 360
- Active Call Expiration Time: 35
- Security: Everyone

New "Destination"
- Address: 192.168.1.10
- Destination Type: Gatekeeper
- Enabled: Yes

New "Destination"
- Address: 192.168.1.2
- Destination Type: Gateway or proxy server
- Enabled: Yes

Site Server ILS Service disabled on both computers.

My internal NetMeeting clients now set up NetMeeting using a Gatekeeper at 192.168.1.10, logging in with the phone number, which we fill with any arbitrary number. For example, my registered phone number is 22. Now clients outside access a simple Web page with calling links in the format:

CallTo:"22+type=phone+Gateway=xxx.xxx.xxx.xxx+secure=false+av=false+h323=false"

replacing the xxx.xxx.xxx.xxx with the external interface of the ISA Server 2004 computer.

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=19;t=000898#000001

Thanks Number51! -Tom.
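The publishing rule above is "From: Anywhere", so before applying a configuration like this it is worth seeing exactly which internal listeners end up reachable from the Internet. The following is an added example written for this page, not code from Number51's post or from ISA Server: it encodes the posted protocol definitions and rules as data (constructed to mirror the post) and joins them to list every protocol/port/host tuple that an external source can reach. The port annotations in the comments are the well-known assignments for those ports (1503 T.120, 1720 H.225/Q.931 call signaling, 389 LDAP); the check itself works on any rule set shaped the same way.

```javascript
// Added example: rule-set review of the posted NetMeeting configuration.
// Not from the post or from ISA Server; data below is constructed to mirror
// what Number51 listed.

// Protocol definitions as posted: name -> list of port ranges.
const protocols = {
  "H.225": [{ proto: "UDP", direction: "Send Receive", from: 1718, to: 1719 }],
  "H.323": [
    { proto: "TCP", direction: "Inbound", from: 1503, to: 1503 }, // T.120 data / app sharing
    { proto: "TCP", direction: "Inbound", from: 1720, to: 1720 }, // H.225 call signaling (Q.931)
    { proto: "TCP", direction: "Inbound", from: 389, to: 389 },   // LDAP
  ],
};

// The two rules as posted. "from" is the source network, "to" the destination host.
const rules = [
  { name: "H.225", kind: "Access Rule", action: "Allow", protocol: "H.225",
    from: "Local Host", to: "192.168.1.10" },
  { name: "H.323", kind: "Server Publishing Rule", action: "Allow", protocol: "H.323",
    from: "Anywhere", to: "192.168.1.10" },
];

// Source networks that include the Internet side of the firewall.
const UNTRUSTED_SOURCES = new Set(["Anywhere", "External"]);

// Join every allow rule whose source includes the Internet with its protocol
// definition and expand the port ranges. Returns the (protocol, port, internal
// host) tuples reachable from outside, sorted by port for stable output.
function internetExposure(ruleList, protocolDefs) {
  const exposed = [];
  for (const rule of ruleList) {
    if (rule.action !== "Allow" || !UNTRUSTED_SOURCES.has(rule.from)) continue;
    for (const range of protocolDefs[rule.protocol] || []) {
      for (let port = range.from; port <= range.to; port++) {
        exposed.push({ rule: rule.name, proto: range.proto, port, target: rule.to });
      }
    }
  }
  return exposed.sort((a, b) => a.port - b.port || a.proto.localeCompare(b.proto));
}

// One line per exposed listener, in a form you can paste into a change ticket.
function exposureReport(ruleList, protocolDefs) {
  return internetExposure(ruleList, protocolDefs)
    .map((e) => `${e.proto}/${e.port} -> ${e.target} (rule "${e.rule}")`);
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(exposureReport(rules, protocols).join("\n"));
}
```

Run it with node and it lists TCP 389, 1503 and 1720 on 192.168.1.10; the H.225 access rule does not appear because its source is Local Host, so the UDP 1718-1719 traffic stays between the firewall and the gatekeeper. Everything that does appear is reachable from the Internet, so confirm that nothing other than the gatekeeper's own services is listening on those ports on Pc.2, TCP 389 (LDAP) in particular.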

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

ISA Server 2004 Security Hardening Guide

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx

Export, Import, and Backup Functionality in ISA Server 2004

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exportimportsettings.mspx

ISA firewall Webcast clearinghouse:

http://www.microsoft.com/events/series/isaserversecurity.mspx

ISA firewall interactive training

http://www.isa2004training.com/

Detailed Comparison chart for hardware ISA firewalls

http://www.microsoft.com/isaserver/hardware/vendorcomparison.mspx

Jim Harrison's ISA firewall tools, scripts, tips and more!

http://www.isatools.org

------------------------------------------------------------------------------

7. Ask Dr. Tom

QUESTION: Ever since installing the ISA firewall as my edge firewall, it seems like Web requests are much slower than they were when we were using a simple packet filter firewall. What can I do to speed things up? Thanks! -Bob.

ANSWER: There are several things you can do to speed up Web performance through the ISA firewall:

- Configuring the clients as Web proxy clients
- Configuring the Web browsers to use HTTP 1.1 through proxy connections
- Avoiding the use of the SecureNAT client configuration
- Configuring the DNS settings on the ISA firewall properly

Just making these few changes will make a big difference in your ISA firewall's Web performance. If you're not sure how to properly configure the ISA firewall's DNS settings, check out Jim Harrison's article on this subject over at http://isaserver.org/tutorials/DNS_for_ISA_Server.html
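The first and third points above, making the machines Web proxy clients and keeping them from falling back to SecureNAT, come down to what the browser is told about the proxy. One way to do that is a proxy auto-configuration (PAC) script, shown here as an added example written for this page rather than anything from the newsletter or from ISA Server. The proxy name isa.corp.example, the internal domain corp.example and the RFC 1918 ranges are assumptions for illustration; 8080 is the ISA Server 2004 default Web proxy listener port. Browsers supply the PAC helper functions (isPlainHostName, dnsDomainIs, isInNet); minimal equivalents are defined in the script so it also runs under Node for testing.

```javascript
// Added example: PAC script making browsers Web proxy clients of the ISA
// firewall. Not from the newsletter; isa.corp.example and corp.example are
// assumed names, 8080 is the ISA Server 2004 default Web proxy port.
var ISA_WEB_PROXY = "PROXY isa.corp.example:8080";
var INTERNAL_DOMAIN = ".corp.example";

// Minimal stand-ins for the PAC helpers a browser provides, so the file runs
// under Node. The browser's isInNet() may resolve a hostname over DNS; this
// version only accepts dotted-quad literals, and FindProxyForURL never hands
// it a hostname.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length > domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(host, network, mask) {
  if (!isIpLiteral(host)) return false;
  return ((ipToInt(host) & ipToInt(mask)) >>> 0) ===
         ((ipToInt(network) & ipToInt(mask)) >>> 0);
}

function FindProxyForURL(url, host) {
  // Internal names go direct so the firewall is not a hop for LAN traffic.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Literal private addresses also go direct. Testing isIpLiteral first keeps
  // the PAC from triggering a DNS lookup for every external hostname.
  if (isIpLiteral(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes through the ISA Web proxy listener. Deliberately no
  // "; DIRECT" fallback: if the proxy were unreachable the browser would
  // otherwise degrade to a SecureNAT client, the configuration the answer
  // above says to avoid.
  return ISA_WEB_PROXY;
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("http://www.isaserver.org/", "www.isaserver.org"));
}
```

Point the browsers at it through Internet Options, Connections, LAN Settings, "Use automatic configuration script" (or publish it through WPAD), and on the Advanced tab tick "Use HTTP 1.1 through proxy connections", which is the ProxyHttp1.1 value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. ISA Server 2004 can also hand its own generated script to Web proxy clients; a hand-written one like this is for when you want to control the direct-versus-proxy split yourself.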

Got a question for Dr. Tom? Send it to tshinder@isaserver.org

------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2005. All rights reserved.
