
Wednesday, November 28, 2007

ISAserver.org - November 2007 Newsletter

ISAserver.org Newsletter of November 2007
Sponsored by: Redline Software
------------------------------------------------------------------------------
In this issue:
Registry Entries for Your New ISA Firewall
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Tip of the Month
ISA Firewall Links of the Month
Blog Posts
Ask Dr. Tom


Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Internet Access Monitor for ISA Server: Monitoring Employees' Internet Activity
IAM allows you to easily find out which employees use up the most bandwidth, exactly what and when they download, and how much time they spend online. IAM generates various reports and diagrams quickly, is easy to use, and can create and send reports via email!

Find out more about IAM(http://www.redline-software.com/eng/products/iam/?r1=isaserverorg&r2=newslet)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. Registry Entries for Your New ISA Firewall
By Thomas W Shinder MD, MVP

A sad thing happened to me last week - my primary ISA Firewall died. This was a very nice little Scorpio-based Celestix box that was originally designed for ISA 2000. In the five years I had this ultra-reliable Celestix box, I upgraded it to ISA 2004 and then to ISA 2006. Even though that little ISA Firewall only had 256 MB of RAM and a 1.2 GHz Pentium III processor, it performed like a champ for my small office.

The good news was that I had another Celestix firewall sitting in a box in my office, so I deployed the new Celestix ISA Firewall to take over duties from the previous one. I considered importing my old configuration to the new ISA Firewall, but over the years the old rule set had become very ungainly, with many proof-of-concept configurations and extraneous rules and other litter that tends to gather over the years. So, instead of taking the easy way out, I decided to create an entirely new ISA Firewall. Of course, I later realized that I couldn't have imported my old ISA 2006 rules into the new box, as I was running ISA 2006 Standard Edition and the new Celestix ISA Firewall was running ISA 2006 Enterprise Edition.

I'll do a review later on the Celestix Firewall setup and configuration in detail, but at this time I wanted to focus on something that a lot of us tend to forget when setting up a new ISA Firewall: Registry settings. While most of us are pretty good at saving our firewall configuration after making a change, one thing that most of us forget to do is document any Registry changes we've made on the system over time. If you're one of those guys with a change control spreadsheet for each of your servers, then my hat's off to you! I need to do the same thing.

There aren't too many must-have Registry changes, but there are three that I consider mandatory for almost all ISA Firewall admins:

- Enable Path MTU Discovery on the ISA Firewall
- Enable Black Hole Router Detection on the ISA Firewall
- Disable spurious authentication prompts due to Autodiscovery

To enable Path MTU Discovery on the ISA Firewall, follow the instructions at Microsoft KB Article 902347(http://support.microsoft.com/kb/902347). This article also describes the Access Rule you need to create to allow Path MTU Discovery to work.

To enable Black Hole Router Detection, follow Microsoft KB Article 314825, How to Troubleshoot Black Hole Router Issues (http://support.microsoft.com/kb/314825).

To disable spurious authentication prompts due to Autodiscovery, check out the Microsoft KB article "Users are prompted for authentication credentials when Internet Explorer is configured for automatic discovery in ISA Server 2004".

There are a couple of other things you might want to do that many ISA Firewall admins forget. First, make sure that the Web Proxy listener is enabled on the Local Host network; this will help with downloading your automatic updates. Also, consider enabling the System Policy Rule that allows the ISA Firewall to download CRLs. This will also help you reach the System Policy allowed sites if you want to use your browser to reach them (actually, any Microsoft site is safe in this regard, IMO).

There's still a lot of configuring to do, but my firewall policy is a lot cleaner than it was before. And since this was an outbound only firewall, I don't have to worry about certificates for Web Listeners. The machine is a lot faster and performance shows notable improvements.

Do you have any "must have" settings on your ISA Firewalls that aren't evident to the new ISA Firewall admin? If so, let me know! Send them to me at tshinder@isaserver.org and I'll share them with everyone in the next newsletter.

Thanks!

Tom

=======================

Quote of the Month - "Encephalopathy is better than no 'lopathy at all."

-- Anonymous medical student

=======================

------------------------------------------------------------------------------

2. ISA Server 2006 Migration Guide - Order Today!
By Thomas W Shinder

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did. Order it here: http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

Creating a DNS Infrastructure to Support Exchange Server 2003
http://isaserver.org/tutorials/Creating-DNS-Infrastructure-Support-Exchange-Server-2003.html

Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 1)
http://isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part1.html

Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 2)
http://isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html

Creating an ISA Reports Web Server
http://isaserver.org/tutorials/Creating-ISA-Reports-Web-Server.html

Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 3)
http://isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part3.html

Creating a Custom VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 1)
http://isaserver.org/tutorials/Creating-Custom-VPN-Client-Access-Policy-Connect-Outlook-MAPI-Clients-Microsoft-Exchange-Part1.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

HTTP compression support in ISA Server 2006
http://support.microsoft.com/kb/838365/en-us

Clients may receive an "Error Code 500 Internal Server Error" error message when they try to visit a Web site that you publish by using ISA Server 2006 or ISA Server 2004
http://support.microsoft.com/kb/841664/en-us

ISA Server 2004 and ISA Server 2006 do not support traffic redirection
http://support.microsoft.com/kb/888042/en-us

The RADIUS authentication process in ISA Server 2006 and ISA Server 2004
http://support.microsoft.com/kb/884492/en-us

How to enable ICMP traffic from protected SecureNet clients to external hosts in ISA Server 2006 and ISA Server 2004
http://support.microsoft.com/kb/838251/en-us

The external network adapter on your ISA Server 2006 or ISA Server 2004 computer cannot obtain an IP address from a DHCP server
http://support.microsoft.com/kb/841141/en-us

How to bypass the Web Proxy service in ISA Server 2006 or in ISA Server 2004
http://support.microsoft.com/kb/838708/en-us

------------------------------------------------------------------------------
5. Tips of the Month

I've seen a number of posts recently on how to get the Forefront Client Security client and System Center agents to work with the ISA Firewall. Here's a thread on the ISAserver.org Web boards that might help you steer in the right direction: http://forums.isaserver.org/m_2002056073/mpage_1/key_/tm.htm#2002056814

Looking for some methods for blocking file transfers over the IM channel using the ISA Firewall? Then check out this thread on the Web boards: http://forums.isaserver.org/m_2002056448/mpage_1/key_/tm.htm#2002056448

Recent information coming in to me indicates that setting up certificates to support Exchange 2007 publishing might not be nearly as complex as we thought it might be. The Exchange 2007 documentation team has done a bang-up job at confusing us, making us believe that SAN certificates are required. However, this might not be the case, and we might be able to do things the exact way we used to with the easy-to-configure Exchange 2003. If so, I'll follow up on this finding in the next newsletter. This will certainly be good news, especially for those of us who have no interest in the Unified Communications feature included in Exchange 2007.

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

Questionable Users?
https://blogs.technet.com/isablog/archive/2007/10/03/questionable-users.aspx

Trusted Web Proxy Servers Appear to be Launching DoS Attacks!
https://blogs.technet.com/isablog/archive/2007/06/28/trusted-proxy-servers-can-appear-to-be-launching-flood-or-dos-attacks.aspx

Assigning a Static IP address to VPN Users
http://elmajdal.net/ISAServer/Assigning_the_Same_Static_IP_for_a_VPN_Client.aspx

------------------------------------------------------------------------------
7. Blog Posts

Multiple L2TP/IPsec VPN clients behind a NAT device
http://blogs.isaserver.org/pouseele/2007/11/24/multiple-l2tpipsec-vpn-clients-behind-a-nat-device/

Fixing Windows Media Player Authentication Prompts
http://blogs.isaserver.org/shinder/2007/11/22/fixing-windows-media-player-authentication-prompts/

Windows Essential Business Server Suite Announced
http://blogs.isaserver.org/shinder/2007/11/12/windows-essential-business-server-suite-announced/

Clearing the Cached WPAD Script
http://blogs.isaserver.org/pouseele/2007/11/09/clearing-the-cached-wpad-script/

Two XSS on Blue Coat ProxySG Management Console
http://blogs.isaserver.org/shinder/2007/11/02/two-xss-on-blue-coat-proxysg-management-console/

------------------------------------------------------------------------------

8. Ask Dr. Tom

QUESTION: Hi Thomas,

We'd like to join the ISA 2008 TAP program. I'm not sure in what state the program is right now, but is there still a chance of joining? If so, we'd also like you to become our TAP assistant. -Lourens van Dyk

ANSWER: I've had a number of people ask me about this in the last couple of months. From my understanding, the TAP program is now closed, so they won't be entering any new companies into the program. If I hear any information about them re-opening the TAP program, I'll be sure to let everyone know about it.

QUESTION: I would appreciate it if you could help with the current situation I'm having. I've been using ISA 2000 without any issues for years. I decided recently to configure an ISA 2006 server to replace the 2000 box and afford functionality for SharePoint that was not available in 2000.

My problem is this. I have 5 subnets:

10.100.10.0/22 - Local to head office
10.100.20.0/22 - Namibia
10.100.30.0/22 - Durban
10.100.40.0/22 - Port Elizabeth
10.100.50.0/22 - Cape Town

10.100.10.0/22 works fine and clients can connect without a problem, but all the other subnets cannot. They have all been added to the routing table and to the Internal Network config.

Pinging from the subnets works, but any other protocol is dropped as spoofed. When I examine the logs it would seem that ISA is seeing the serial interface of the router (i.e. 192.168.100.2 - Namibia) and dropping the packet.

I have created access and subnets for these locations but without any luck. I've been battling for 3 weeks and am unable to find any help on the subject.

Could you give me some advice on what to try next? Your response will be greatly appreciated.

Kind regards, Jeremy

ANSWER: It looks like you've come up with the answer here yourself! I assume that all of these subnets are behind the same ISA Firewall interface. Since all subnets behind the same ISA Firewall interface must be part of the same ISA Firewall Network, you need to include all of the IP addresses in each of those subnets in the definition of the ISA Firewall Network for which that interface is the "root". In addition, if you have devices that are performing some kind of NAT behind the ISA Firewall, the IP addresses that the NAT devices present to the ISA Firewall must also be included in the ISA Firewall Network that will be seeing these source IP addresses. In the example you provided, it appears that one of your routers is performing some kind of NAT and presenting a source IP address of 192.168.100.2. You need to include that IP address as part of the ISA Firewall Network. Finally, make sure your routers are pointing to the nearest ISA Firewall interface as their default gateway if you're depending on a SecureNET configuration for any hosts on your network.

QUESTION: Hi Tom,

I have just upgraded based on the feature that allows the ISA Firewall to fall back to Basic authentication when the ISA Firewall detects a non-browser client. This is still not working for me. I have a Listener set up for FBA and OWA and it works fine. However, my Blackberry devices still get denied. I have a rule configured as Basic and this works if I move it up the list. This of course changes OWA to Basic. I am only using the Blackberry Internet Service, not BES, so in theory I thought they would hit my OWA FBA rule and then revert to Basic. Any ideas? I have got a workaround in that I can publish FBA from Exchange, but I didn't need an upgrade to do that. -Lee Burley

ANSWER: The problem you have here is that the user-agent sent by the Blackberry service must not be included in the list of non-browser user-agents the ISA Firewall uses for its fallback mechanism. What you need to do is check your ISA Firewall's log files to determine the user-agent connecting via the Blackberry service. Once you have that, you might be able to add that user-agent to the list the ISA Firewall uses for the fallback to Basic mechanism.
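An added example (not from the newsletter or from ISA Server) of the log check Dr. Tom describes: it reads W3C-format Web proxy log lines, finds the columns through the #Fields directive, and tallies the user-agents behind denied requests so the non-browser ones can be compared against the listener's fallback list. The log lines are constructed, and the field names c-agent, sc-status and cs-uri are my assumptions about ISA's Web proxy log format.

```python
"""Tally user-agents behind denied requests in a W3C-format Web proxy log.

Added example, not ISA code. Columns are found through the #Fields line,
so no fixed column order is assumed; the names c-agent, sc-status and
cs-uri are assumptions about ISA's Web proxy log format.
"""
from collections import Counter

# Constructed sample, not a real ISA log. The 403/407 rows stand in for
# non-browser clients refused by a forms-based (FBA) listener. As in
# IIS-style W3C logs, spaces inside a field are written as '+'.
SAMPLE_LOG = """\
#Version: 2.0
#Fields: c-ip cs-username c-agent date time sc-status cs-uri
203.0.113.7 anonymous BlackBerry8800/4.2.1+Profile/MIDP-2.0 2007-11-20 08:01:12 403 https://mail.example.com/owa/
203.0.113.7 anonymous BlackBerry8800/4.2.1+Profile/MIDP-2.0 2007-11-20 08:01:40 403 https://mail.example.com/owa/
198.51.100.9 CONTOSO\\jdoe Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 2007-11-20 08:02:05 200 https://mail.example.com/owa/
198.51.100.12 anonymous MSRPC 2007-11-20 08:03:11 407 https://mail.example.com/rpc/rpcproxy.dll
203.0.113.7 anonymous BlackBerry8800/4.2.1+Profile/MIDP-2.0 2007-11-20 08:04:00 403 https://mail.example.com/owa/
"""

# HTTP statuses that mean the listener refused the request.
DENIED_STATUSES = {"401", "403", "407"}


def parse_w3c(text):
    """Yield one dict per data record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Version, #Date) carry no data
        if fields is None:
            raise ValueError("data record found before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch in record: %r" % line)
        yield dict(zip(fields, (v.replace("+", " ") for v in values)))


def denied_agents(text, denied_statuses=DENIED_STATUSES):
    """Return {user-agent: count} over records whose sc-status is a denial."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["sc-status"] in denied_statuses:
            counts[rec["c-agent"]] += 1
    return dict(counts)


def unmatched_agents(text, non_browser_prefixes):
    """Denied user-agents that none of the configured non-browser prefixes match.

    non_browser_prefixes stands in for the listener's non-browser user-agent
    list; prefix matching is an assumption about how ISA applies that list.
    """
    return {agent: n for agent, n in denied_agents(text).items()
            if not any(agent.startswith(p) for p in non_browser_prefixes)}
```

On a real firewall, feed the exported Web proxy log text to unmatched_agents together with the listener's current non-browser list; whatever it returns is the set of agents still being refused without a fallback.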

QUESTION: Hi Tom,

I want to set up a wireless system:

1. For the company's employees, with laptops to have access to the internal network and Internet.
2. For guests or clients, only Internet.

Can you suggest to me any book that you or somebody else has written to help me with this?

Thanks

ANSWER: There is a very popular configuration and it's easy to set up. What you need are three NICs in your ISA Firewall: one external interface with the default gateway configured on it, an internal interface that faces the default Internal Network, and a DMZ interface. You'll need to create an ISA Firewall Network definition for the DMZ Network, and make sure that you define Network Rules for the DMZ that define the Route relationship between the DMZ and the default Internal Network and between the DMZ and the Internet. If you find that you have connectivity issues between the DMZ Network and anywhere else, check the ISA Firewall's log files. If you find that the connection is denied and no rule is listed as the one that denied the connection, then the reason for the failure was a missing Network Rule. For the complete details on how to create the wireless DMZ Network, check out the following article here on ISAserver.org: Configuring an Untrusted Wireless DMZ on the ISA Firewall (http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html)

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
------------------------------------------------------------------------------

ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2007. All rights reserved.
