ISAserver.org Newsletter of September 2005
Sponsored by: Rainfinity
------------------------------------------------------------------------------
In this issue:
What are the Most Important Features Missing from ISA 2004 Firewalls?
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Post of the Month
ISA Firewall Links of the Month
Ask Dr. Tom
Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Download RainWall High Availability for ISA: Optimize Firewall, Internet and Content Security
Rainfinity delivers High Availability and Dynamic Load Balancing for Microsoft ISA 2004. Rainfinity's next generation high availability platform extends beyond the firewall to protect and optimize all of your network resources, including your ISP connections and content security. This is the only integrated solution for firewall and Internet connectivity that takes advantage of all nodes with load balancing and advanced failure detection. Download RainWall and RainConnect for ISA today! (http://www.rainfinity.com/products/downloads.html)
------------------------------------------------------------------------------
------------------------------------------------------------------------------
1. What are the Most Important Features Missing from ISA 2004 Firewalls?
By Thomas W Shinder MD, MVP
As a Microsoft MVP in ISA firewalls, I'm going to have the unique opportunity of spending a few days with the ISA firewall product team this week. During the few days when the ISA firewall MVPs will have the product team's ears, one of the things I expect we'll talk about is which features the majority of ISA firewall admins using the product today consider to be missing.
I realize we always want more. In a perfect world of unlimited resources and personnel, the ISA firewall could have all the features that every other firewall in the world has and only cost $9.95US. Since we don't live in that world, we have to figure out what are the most important features.
What are the most important features? From a business point of view (and Microsoft is a business, so that's their point of view), the most important features are those that prevent you from buying the product and those that prevent you from repurchasing (upgrading) because of dissatisfaction with the current product.
Here's my list of features that I consider important and should be included with the next version of the ISA firewall in order to increase customer satisfaction (I'm a customer too, so these will also increase my satisfaction):
- Support for at least two Internet connections for failover and failback
- Ability to map an internal machine to an external IP address on the ISA firewall to support SMTP servers and reverse DNS lookups
- Bandwidth control that allows user/group control over application access to the Internet
- A straightforward approach to populating Domain and URL Sets so that block lists can be easily created
- Support for Web proxy protocols such as WCCP and ICAP.
- Support for popular SIP implementations for VoIP
- A "starter" version of the ISA firewall product, that limits the number of outbound connections to something like 10 and VPN connections to something like 5, and charge only $395.00 for it (including the Windows OS on which the ISA firewall runs)
That's my short list. There's plenty more I can put there, but these are the "biggies".
What features are on your list? Send me a note at tshinder@isaserver.org and let me know what you think are critical features that need to be included in the next version of the ISA firewall and I'll share your thoughts with the ISA firewall product group. Here's your chance to get heard by the people who make the decisions, so let me know!
=======================
Quote of the Month - "Nothing is easy, and nothing is fast" - Tom Shinder speaking of all things computer
=======================
------------------------------------------------------------------------------
2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
Click here to Order your copy today: http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver/
------------------------------------------------------------------------------
3. ISAserver.org Learning Zone Articles of Interest
Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients - Part 1
http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-OWA-Connections-Internal-External-Clients-Part1.html
Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - Part 4: E-mail Domain Name Page to Completion of the CEICW
http://isaserver.org/articles/2004sbsinstallpart4.html
Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - Part 3: The CEICW from the Network Connection Page to the E-mail Retrieval Method Page
http://isaserver.org/articles/2004sbsinstallpart3.html
Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - Part 2: The CEICW from the Welcome Page to the Router Connection Page
http://isaserver.org/articles/2004sbsinstallpart2.html
Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - The Totally Unofficial and Non-Authoritative Guide on ISA Firewall Installation on SBS 2003 SP1 (Part 1)
http://isaserver.org/articles/200sbsinstallpart1.html
Using the ISA Firewall to Configure Granular Access Controls for VPN Clients (Part 2)
http://isaserver.org/tutorials/ISA-Firewall-Configure-Granular-Access-Controls-VPN-Part2.html
http://isaserver.org/tutorials/Windows-Server-2003-Security-Configuration-Wizard-Harden-ISA-Firewall.html
------------------------------------------------------------------------------
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
Active mode FTP client programs cannot access an FTP server from behind Internet Security and Acceleration Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;884580
Routing and Remote Access stops responding in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;888090
Lockdown mode of operation in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;838711
When you configure the No Connectivity alert to send an e-mail notification to an SMTP server, only every second e-mail notification may reach the recipient in Internet Security and Acceleration Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;894458
The ISA Server RPC filter blocks RPC traffic after Windows Server 2003 Service Pack 1 is installed on a computer that is running ISA Server 2004 or ISA Server 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;887222
An "Event ID ( 19011 ) in Source ( MSSQL$MSFW ) cannot be found" message may be logged in the event log after you install ISA Server 2004 on a computer that is part of a workgroup
http://support.microsoft.com/default.aspx?scid=kb;en-us;840473
You cannot specify a path statement that ends in a wildcard character when you create a Web publishing rule in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;900919
ISA Server 2004 stops forwarding traffic between networks and the Internet
http://support.microsoft.com/default.aspx?scid=kb;en-us;905180
------------------------------------------------------------------------------
5. Post of the Month
Direct Access, Direct Access, Direct Access!
Just about every day for the last two years I've answered a question with the answer being Direct Access.
What is Direct Access? Direct Access is an ISA firewall and client configuration where the client system bypasses the Web proxy client and/or the Firewall client configuration to reach the destination server.
Web proxy client bypass is often required to connect to sites that are poorly written, in that the Web developers "forgot" about Web proxy servers in the request/response path. When you encounter these Web sites, you need to configure the ISA firewall to support Direct Access to the site. Once the site is configured for Direct Access, the client system does not forward the connection to the ISA firewall's Web proxy filter. Instead, the client uses either its Firewall client or SecureNAT configuration to connect to the site.
Another situation where Direct Access is used is when the client needs to connect to a server located on the same ISA firewall Network. For example, if both the client and the server are located on the default Internal Network, then the client should not connect to the destination through the ISA firewall. Instead, the client should connect directly to the destination server, bypassing the ISA firewall completely.
For more information on Direct Access, check out these articles:
Configuring Sites for Direct Access: Part 1 - Configuring Direct Access for Web Proxy Connections http://isaserver.org/articles/2004directaccessp1.html
Configuring Sites for Direct Access: Part 2 - Configuring Direct Access for Firewall Clients and Publishing Scenarios http://isaserver.org/articles/2004directaccessp2.html
HTH -Tom.
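The Direct Access decision described in the post above, sketched as a proxy auto-configuration (PAC) style function. This is an added example, not code from the newsletter or from ISA Server; the proxy address, the Internal Network range, the Direct Access site list and all function names are constructed assumptions.

```javascript
// Added illustration: every address, name and list entry here is constructed.
const PROXY = "PROXY isa.example.internal:8080";            // hypothetical Web proxy listener
const INTERNAL_NET = { base: "10.0.0.0", mask: "255.255.255.0" }; // assumed Internal Network
const DIRECT_ACCESS_SITES = ["*.legacyapp.example.com"];    // assumed Direct Access list

// Convert dotted-quad IPv4 text to a number, or null if it is not valid.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside net (base address plus subnet mask).
function inNet(ip, net) {
  const a = ipToInt(ip), b = ipToInt(net.base), m = ipToInt(net.mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// "*.domain" matches subdomains only. Keeping the leading dot in the suffix
// stops "notlegacyapp.example.com" from matching "*.legacyapp.example.com".
function hostMatches(host, pattern) {
  const h = host.toLowerCase(), p = pattern.toLowerCase();
  return p.startsWith("*.") ? h.endsWith(p.slice(1)) : h === p;
}

// Plays the role of PAC's FindProxyForURL. The resolved address is passed in
// (instead of a DNS lookup) so the example runs offline.
function findProxyFor(host, resolvedIp) {
  // Client and server on the same ISA firewall Network: connect directly.
  if (resolvedIp && inNet(resolvedIp, INTERNAL_NET)) return "DIRECT";
  // Site on the Direct Access list: skip the Web proxy filter. The connection
  // then leaves via the Firewall client or SecureNAT path, so Access Rules
  // on the firewall still apply to it.
  if (DIRECT_ACCESS_SITES.some((p) => hostMatches(host, p))) return "DIRECT";
  // Everything else goes to the Web proxy.
  return PROXY;
}
```

Keep the Direct Access list narrow: every entry is a destination that the Web proxy filter no longer sees.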
------------------------------------------------------------------------------
6. ISA Firewall Links of the Month
A bunch of ISA Firewall Webcasts
http://www.microsoft.com/events/series/isaserversecurity.mspx
Reasons why a Hardware ISA Firewall might be best for you
http://www.microsoft.com/isaserver/hardware/default.mspx
ISA Firewall Performance Best Practices
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx
Upgrading from ISA Server 2000 Enterprise Edition to ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/isa2kexport.mspx
Exceptionally good document on configuring the ISA firewall to protect Exchange Servers
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx
Microsoft Releases a TON of new ISA Firewall Troubleshooting Guides
http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx
ISA Firewall Coding Corner
http://www.microsoft.com/isaserver/techinfo/Guidance/2004/coding.mspx
------------------------------------------------------------------------------
7. Ask Dr. Tom
QUESTION: I can receive incoming mail from my SMTP Server Publishing Rule but outbound mail isn't going out. How can I fix this? Thanks! Bob.
ANSWER: The incoming mail from Internet SMTP servers to your corporate SMTP servers is controlled by the Server Publishing Rule allowing the mail through the ISA firewall to the SMTP server on your network. The external DNS also was configured to resolve your MX names to the IP address on the external interface of the ISA firewall. For outbound SMTP connections, you'll need to make sure the SMTP server is able to resolve the names for the SMTP servers responsible for mail in each Internet domain. You'll need to configure the ISA firewall with Access Rules allowing outbound SMTP from the SMTP server to the Internet. Also, you need to make sure that the SMTP server is configured with a DNS server that has access to a DNS Access Rule.
QUESTION: I'm getting a 500 Internal Server Error when I try to access my OWA Web site. What's up with that? Ricky.
ANSWER: The problem is that the common name on the Web site certificate bound to the published Web server is not the same as the name on the To tab in the Web Publishing Rule. Change the name or IP address you have listed in the To tab so that it's the same as the common name on the Web site certificate. Also, make sure that the ISA firewall is able to resolve that name to the actual IP address of the Web site (the exception being if the Web site is separated from the ISA firewall by a NAT device, in which case the name should resolve to the IP address of the interface on that device performing reverse NAT).
Got a question for Dr. Tom? Send it to tshinder@isaserver.org
------------------------------------------------------------------------------
Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2005. All rights reserved.