
Thursday, June 23, 2005

ISAserver.org - June 2005 Newsletter

ISAserver.org Newsletter of June 2005
Sponsored by: GFI Software Ltd
------------------------------------------------------------------------------
In this issue:
What Makes the ISA Firewall *THE* Firewall for Microsoft Exchange Servers
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Post of the Month
ISA Firewall Links of the Month
Ask Dr. Tom

Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
GFI WebMonitor for ISA Server 3 out now in BETA - Includes content filtering & virus scanning features!
The latest version of GFI WebMonitor for ISA Server, a utility for ISA server that allows for real time monitoring of web sites being browsed by network users and the files they are downloading, is now available in BETA! Version 3, BETA now includes a real-time online adult content filter, virus scanning and file type blocking capabilities and byte transfer stats per user/per site.

Click here (http://www.gfi.com/inj/) to download the new and improved BETA version!
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. What Makes the ISA Firewall *THE* Firewall for Microsoft Exchange Servers
By Thomas W Shinder MD, MVP

There are a lot of reasons to deploy an ISA firewall, but probably the most compelling reason for deploying ISA firewalls on your network is to provide strong protection for your Microsoft Exchange Server. It doesn't matter what version of Microsoft Exchange users are accessing. The ISA firewall can provide a very high level of security and accountability for all remote access connections to Exchange Servers and services.

What does the ISA firewall bring to the table to provide this unique level of security for remote access connections to Exchange Server?

- SSL to SSL bridging. The ISA firewall's SSL to SSL bridging feature enables it to look inside encrypted SSL tunnels. Unlike typical "hardware" firewalls, which pass exploits straight through to the Exchange server, the ISA firewall performs stateful application layer inspection on the contents of the SSL session, and only when the contents of the session are deemed safe and secure does the ISA firewall allow the connection to the Exchange OWA, OMA, RPC/HTTP(S) and ActiveSync sites.

- The HTTP Security Filter. The ISA firewall uses the HTTP Security Filter to perform stateful application layer inspection on the OWA, OMA, RPC/HTTP(S) and ActiveSync connections. The filter checks virtually all aspects of the HTTP communications and allows only those required to the Exchange Web services. If an attacker tries to use an unapproved and illegitimate command or insert malicious data, the attacker's connection is stopped in its tracks.

- OWA forms-based authentication (FBA). The OWA FBA feature enables the ISA firewall to generate the logon form for all versions of OWA, including 5.5, 2000 and 2003. The ISA firewall accepts the user's credentials, authenticates the user, and only after the user is authenticated and authorized to reach the OWA site is the connection forwarded to the Exchange Server. Attackers can no longer leverage anonymous connections to attack your OWA site!

- RADIUS support for OWA forms-based authentication. The OWA FBA can be used together with the ISA firewall's integrated RADIUS support. RADIUS enables you to put the ISA firewall in a workgroup, such as when you're forced to put the ISA firewall between two stateful packet inspection-only firewalls. Since the stateful packet inspection-only firewalls can't provide the high level of security you require for your Exchange Servers, you can use RADIUS to shore up your level of security.

- Pre-authentication of OWA, OMA, RPC/HTTP(S) and Exchange ActiveSync. All connection attempts to Exchange Web services can be pre-authenticated and pre-authorized by the ISA firewall. First, the ISA firewall authenticates the user. If the user successfully authenticates, the next step the ISA firewall performs is authorization. If the user is successfully authenticated, but is not allowed access to the OWA, OMA, RPC/HTTP(S) or ActiveSync site, then the connection is dropped.

- Delegation of basic authentication. Delegation of basic authentication enables the ISA firewall to accept credentials from the OMA, RPC/HTTP(S) and ActiveSync client (and OWA too, if you want, but FBA takes care of this) and forward those credentials to the Exchange sites. This enables the ISA firewall to authenticate and authorize the user, and also prevents multiple authentication prompts when the credentials are sent to the Exchange sites.

- Secure Exchange RPC publishing. The Secure Exchange RPC Publishing feature enables users of all versions of Outlook to connect from anywhere in the world to your Exchange Servers using the full Outlook MAPI client. Secure Exchange RPC Publishing enables you to use all the features of Outlook without requiring you to upgrade to Outlook 2003 for RPC over HTTP support. Secure Exchange RPC publishing makes the "Outlook just works" scenario a reality for all users in your organization. And it does it in an exceptionally secure fashion by allowing only legitimate RPC connections to the Exchange Server.

- Forced encryption on secure Exchange RPC connections. An added feature of the Secure Exchange RPC filter is its ability to force encrypted communications between the Outlook host and the published Exchange site. This prevents data "leakage" due to unencrypted sessions between the remote Outlook host and the Exchange Server.
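The allowlist-style inspection the HTTP Security Filter bullet describes, sketched as an added Python example (mine, not ISA Server code): each request line is checked for length, high-bit characters, double encoding and a per-site method allowlist before it would be forwarded to the published Exchange site. The virtual directory names, the method sets and the URL length limit are illustrative assumptions, not the filter's shipped configuration.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Assumed limit, standing in for the filter's maximum URL length setting.
MAX_URL_LENGTH = 2048

# Assumed per-site method allowlist, keyed by lower-cased virtual directory.
# Anything not listed here is denied, which is the allowlist stance the filter takes.
ALLOWED_METHODS = {
    "/exchange": {"GET", "POST", "HEAD", "PROPFIND", "SEARCH"},
    "/exchweb": {"GET", "HEAD"},
    "/oma": {"GET", "POST"},
    "/rpc": {"RPC_IN_DATA", "RPC_OUT_DATA"},
    "/microsoft-server-activesync": {"POST", "OPTIONS"},
}

REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) HTTP/1\.[01]$")


def inspect_request_line(line: str) -> Tuple[bool, str]:
    """Decide whether one HTTP request line may be forwarded to the published site.

    Returns (allowed, reason); the checks run in the order a filter would apply them.
    """
    m = REQUEST_LINE.match(line)
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if len(target) > MAX_URL_LENGTH:
        return False, "URL too long"
    if any(ord(ch) > 127 for ch in target):
        return False, "high-bit character in URL"
    path = target.split("?", 1)[0]
    decoded = unquote(path)
    # Normalization check: decoding again must not change the path; if it does,
    # the client double-encoded it to slip past simple string matching.
    if unquote(decoded) != decoded:
        return False, "URL not normalized (double encoding)"
    if "/.." in decoded or "\\" in decoded:
        return False, "path traversal sequence"
    lowered = decoded.lower()
    for prefix, methods in ALLOWED_METHODS.items():
        if lowered == prefix or lowered.startswith(prefix + "/"):
            if method in methods:
                return True, "allowed"
            return False, f"method {method} not allowed on {prefix}"
    return False, "path not published"


if __name__ == "__main__":
    # Constructed request lines: normal Exchange traffic plus a few things to stop.
    for sample in (
        "GET /exchange/jdoe/Inbox HTTP/1.1",
        "RPC_IN_DATA /rpc/rpcproxy.dll?mail:6001 HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1",
        "DELETE /exchange/jdoe/Inbox HTTP/1.1",
        "GET /exchange/%2541dmin HTTP/1.1",
    ):
        print(sample, "->", inspect_request_line(sample))
```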

There's tons more the ISA firewall does to protect your Exchange organization, but this list gives you a taste of just how much protection the ISA firewall provides for your Exchange Servers and services. If you want to learn more about securing your Exchange Servers using the ISA firewall, a great place to start is by going through the ISA/Exchange Deployment Kit. Check it out at http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/isa2004se_exchangekit-rev%201%2005.doc

------------------------------------------------------------------------------

2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder now present their next ISA Server book, Configuring ISA Server 2004. This book leverages the more than two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004, and they share the Good, the Great, the Bad and the Ugly of ISA Server 2004 in their no-holds-barred coverage of Microsoft's new, one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today: http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

Configuring the ISA Firewall to Support TZO Dynamic DNS Services
http://isaserver.org/tutorials/2004TZO.html

Understanding the Web Proxy and Firewall Client Automatic Configuration
http://isaserver.org/articles/ISA2004_ClientAutoConfig.html

Getting Started Right with ISA Firewalls (v1.01)
http://isaserver.org/tutorials/2004rightstart.html

Publishing Secure FTP Servers behind ISA Firewalls
http://isaserver.org/tutorials/Publishing-Secure-FTP-Servers.html

Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS!
http://isaserver.org/tutorials/2004illegaltldsplitdns.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server-related KB articles posted by Microsoft in the last month:

When you try to re-authenticate the OWA client on the forms-based authentication page, you may receive an "Unknown Request" error message in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;900249

ISA Server 2004 continuously prompts you for credentials when you try to access a Web listener that uses RSA SecurID authentication in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;902194

RPC data may be blocked, and Outlook may not start in Windows Server 2003 with SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;897716

Internet Security and Acceleration Server 2004 stops responding or performs slowly after you configure a Web listener to use OWA forms-based authentication
http://support.microsoft.com/default.aspx?scid=kb;en-us;897717

You may receive a "Setup failed while creating the services configuration" error when you try to install ISA Server 2004 on a Windows Server 2003-based domain controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;898720

Users who are connected to the Internet experience a delay when you create a new access rule or when you apply changes to an existing access rule in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;898623

Credentials that are provided to ISA Server are sent in an unprotected form
http://support.microsoft.com/default.aspx?scid=kb;en-us;899807

Session state management may not work as expected when ISA Server 2004 accesses a Web site that uses the round robin feature of DNS to achieve load balancing
http://support.microsoft.com/default.aspx?scid=kb;en-us;897075

------------------------------------------------------------------------------
5. Post of the Month

We've posted an article on www.isaserver.org on how to use a script to import entries in a text file into URL and Domain Name Sets for the Standard Edition ISA firewall. But what about Enterprise Edition? Ben steps up to the plate and offers a solution for Enterprise Edition ISA firewall admins:

So <deep breath>, I have my HTTP/HTTPS outbound access in my enterprise access policies. I can't use an array access policy to deny access to certain (porn) web sites because the enterprise rules take effect first, allowing access to all HTTP outbound.

Now this is the reason for my problem. There is a script widely available to take a text file with a bunch of domains (hundreds) and add it to an array level domain name set, but those domain name sets aren't available to use in Enterprise policies, nor could I export the array domain name set and import into enterprise. ISA said "no way" :)

So without further ado, here are two scripts to import domain name sets into either array level or enterprise level. The text file containing the domain name list should be called domains.txt, and I think you need to create the domain name set ahead of time called "Domains".

'Array level
Set Isa = CreateObject("FPC.Root")
Set CurArray = Isa.GetContainingArray                 ' the array this ISA firewall belongs to
Set RuleElements = CurArray.RuleElements
Set DomainNameSets = RuleElements.DomainNameSets
Set DomainNameSet = DomainNameSets.Item("Domains")    ' create the empty set "Domains" in the console first
Set FileSys = CreateObject("Scripting.FileSystemObject")
Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)   ' 1 = ForReading
' Empty the set first so the text file is the single source of truth
For i = 1 To DomainNameSet.Count
    DomainNameSet.Remove 1
Next
' Add one entry per non-blank line
Do While DomainsFile.AtEndOfStream <> True
    Entry = Trim(DomainsFile.ReadLine)
    If Len(Entry) > 0 Then DomainNameSet.Add Entry
Loop
DomainsFile.Close
WScript.Echo "Saving..."
CurArray.Save
WScript.Echo "Done"

'Enterprise level - set the 4 connection parameters below before running
configservername = "CSS_SERVER_NAME"   ' placeholder: your Configuration Storage server
username = "USER_NAME"                 ' placeholder: account allowed to edit enterprise policy
domain = "DOMAIN_NAME"                 ' placeholder
password = "PASSWORD"                  ' placeholder: avoid leaving a real password in the script file
Set root = CreateObject("FPC.Root")
root.ConnectToConfigurationStorageServer configservername, username, domain, password
Set entRuleElement = root.Enterprise.RuleElements     ' enterprise-level rule elements, not the array's
Set DomainNameSets = entRuleElement.DomainNameSets
Set DomainNameSet = DomainNameSets.Item("Domains")    ' create the enterprise set "Domains" ahead of time
Set FileSys = CreateObject("Scripting.FileSystemObject")
Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)   ' 1 = ForReading
' Empty the set first so the text file is the single source of truth
For i = 1 To DomainNameSet.Count
    DomainNameSet.Remove 1
Next
' Add one entry per non-blank line
Do While DomainsFile.AtEndOfStream <> True
    Entry = Trim(DomainsFile.ReadLine)
    If Len(Entry) > 0 Then DomainNameSet.Add Entry
Loop
DomainsFile.Close
WScript.Echo "Saving..."
entRuleElement.Save
root.DisconnectFromConfigurationStorageServer()
WScript.Echo "Done"

Close ISA Server Manager and reopen it, and you should see the domain name set "Domains" populated with the domain names you had in domains.txt.

I provide this because I spent hours finding this info and then using trial and error. I couldn't find much info at all on Enterprise scripts. I ended up using a sample I found in the ISA 2004 SDK to help me out. I spent damn near as much time searching Google/isaserver.org as I did making this work. I'm not sure my enterprise script is totally correct, but it worked for me without any errors or messing up my ISA2004 EE server. HTH anyone!! - Ben

Thanks Ben! That took a lot of work and all the members of the ISAServer.org community salute your persistence and willingness to share your solution! Also, if you write to me with your last name and company, I'll be sure to include that in the next newsletter. Thanks! -Tom.
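A pre-processing step for domains.txt, added here as a Python example (mine, not Ben's script): the import scripts above add each line of the file as-is, so this cleans the list first, keeping only well-formed host names or *.suffix wildcards (the entry forms a domain name set accepts), stripping pasted URLs, trailing dots, blanks, comments and duplicates, and dropping names already covered by a wildcard. The sample file content is constructed.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample domains.txt, with the kinds of noise a pasted list picks up.
SAMPLE_DOMAINS_TXT = """# constructed sample domains.txt
www.badsite.example
BADSITE.EXAMPLE

http://tracker.badsite.example/ads/pixel.gif
*.casino.example
promo.casino.example
not a domain
mail.casino.example.
"""

# One DNS label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_entry(raw: str) -> Optional[str]:
    """Turn one line of domains.txt into a set entry (host or *.suffix), or None if unusable."""
    entry = raw.strip().lower()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:                        # a pasted URL: keep only the host part
        entry = urlsplit(entry).hostname or ""
    entry = entry.split("/", 1)[0].rstrip(".")    # drop any path and a trailing dot
    wildcard = entry.startswith("*.")
    host = entry[2:] if wildcard else entry
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return ("*." if wildcard else "") + host


def covered_by_wildcard(entry: str, wildcard_suffixes: Set[str]) -> bool:
    """True when a *.suffix entry already in the list matches this entry."""
    host = entry[2:] if entry.startswith("*.") else entry
    parts = host.split(".")
    return any(".".join(parts[i:]) in wildcard_suffixes for i in range(1, len(parts)))


def build_domain_list(text: str) -> Tuple[List[str], List[str]]:
    """Return (clean entries in file order, lines that could not be used)."""
    seen, clean, rejected = set(), [], []
    for raw in text.splitlines():
        entry = normalize_entry(raw)
        if entry is None:
            if raw.strip() and not raw.strip().startswith("#"):
                rejected.append(raw)          # report it rather than silently dropping it
            continue
        if entry not in seen:                 # de-duplicate, keeping the first occurrence
            seen.add(entry)
            clean.append(entry)
    suffixes = {e[2:] for e in clean if e.startswith("*.")}
    clean = [e for e in clean if not covered_by_wildcard(e, suffixes)]
    return clean, rejected


if __name__ == "__main__":
    entries, bad = build_domain_list(SAMPLE_DOMAINS_TXT)
    print("\n".join(entries))                 # this is what a cleaned domains.txt would contain
    print(f"{len(entries)} entries kept; rejected lines: {bad}")
```

Write the printed entries to domains.txt before running either import script, and review the rejected lines by hand.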

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

Ever wonder how to get the best performance from your ISA firewall? Me too. Check out this Best Practices for Performance in ISA Server 2004 doc at

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx

Believe it or not, some people are still using H.323 for voice/video communications over the Internet. The problem is that ISA 2004 firewall admins no longer have access to the H.323 Gatekeeper to help them get H.323 communications through their ISA firewall. ISAServer.org member Number51 has done the footwork for you and provides a possible solution to this problem. Check it out at

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=19;t=000898#000001

OK, so you're not a SQL database pro; neither am I. But that doesn't mean you can't take advantage of SQL logging for the ISA firewall. Check out How to configure ISA Server 2004 to log data to an SQL Server database at

http://support.microsoft.com/default.aspx?scid=kb;en-us;838710

ISA 2004 Enterprise Edition uses a Configuration Storage server (CSS) as storage for the enterprise layout and array configuration. The CSS is actually an instance of ADAM (Active Directory Application Mode). An ISA Enterprise Edition firewall array can use certificates to authenticate communications between array members and the CSS; certificates are typically used when array members are in workgroup mode. When certificates are used, array members access the Configuration Storage server with an ADAM account over LDAP over SSL (LDAPS). ADAM accounts are internal and are not exposed in the ISA Enterprise Edition firewall console. An update is available that changes the ADAM account settings so that the accounts won't expire. If the accounts have already expired and array members can no longer connect to the Configuration Storage server, installing the update refreshes the account settings and restores the connection. Get the update at

http://www.microsoft.com/downloads/details.aspx?FamilyID=1CBAC3E5-ACAC-4613-9860-E1B760B9434F&displaylang=en

Got a hankerin' to code solutions for the ISA firewall? If so, you definitely need to check out the Microsoft ISA Coding Corner at

http://www.microsoft.com/isaserver/techinfo/guidance/2004/coding.mspx

Finally, make sure you check out the latest ISA firewall downloads. Find them at

http://www.microsoft.com/isaserver/downloads/2004/default.mspx

------------------------------------------------------------------------------

7. Ask Dr. Tom

QUESTION: I'm having a heck of a time getting Hotmail and MSN access through the ISA firewall. My clients are configured as Firewall and Web proxy clients, just like you said they should be. All Access Rules are configured to require authentication (except those from servers), so I think I have everything set up right. What do I need to do to get access to Hotmail and MSN working?

ANSWER: This is a very common problem. The issue isn't so much with the ISA firewall as with the sites you're connecting to. What you need to do is configure these sites for Direct Access. When you configure a site for Direct Access, the clients bypass the Web proxy configuration for that site and use another method, such as the Firewall client, to connect to the destination. Since you're using best practices and have deployed the Firewall client, you'll still be able to force authentication before the users connect to the Hotmail and MSN sites. Check out my article series on Direct Access at http://www.isaserver.org/articles/2004directaccessp1.html and http://www.isaserver.org/articles/2004directaccessp2.html

QUESTION: Thanks for your very interesting article. We have one of the problems you mentioned. Our local domain is Plenium.local and the official domain is plenium.de. We are not able to connect with our PDA via GPRS to our fixed official IP address. When we create a user, it always gets the email address user.name@plenium.local and not user.name@plenium.de. After starting ActiveSync on my PDA, it tries to synchronize but then fails. We don't have much experience with Outlook/Exchange because we have supported Tobit David UMS software for the last 8 years. I would be really happy to get some information from you to solve the problem. thanx and bye! --Alexander

ANSWER: Split DNS is critical for making OWA, OMA and Exchange ActiveSync work correctly. However, you don't need to change your internal domain name to make this work. You can add an additional zone to your internal DNS that matches the zone on your external DNS, which gives you the split DNS infrastructure. Check out http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html for details. There is also some additional configuration you might want to perform in order to support accounts using the alternate domain name. Check out Paul Baldwin's excellent article on this subject at http://www.msexchange.org/tutorials/Configuring-Exchange2003-HTTP-Remote-Access.html

Got a question for Dr. Tom? Send it to tshinder@isaserver.org

------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2005. All rights reserved.
