Wednesday, August 31, 2005

ISAserver.org - August 2005 Newsletter

ISAserver.org Newsletter of August 2005
Sponsored by: GFI Software Ltd
------------------------------------------------------------------------------
In this issue:
How to Communicate Your Problems with the ISA Firewall
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Tip of the Month
ISA Firewall Links of the Month
Ask Dr. Tom

Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
GFI WebMonitor for ISA Server 3 out now in BETA - Includes content filtering & virus scanning features!
The latest version of GFI WebMonitor for ISA Server, a utility for ISA server that allows for real time monitoring of web sites being browsed by network users and the files they are downloading, is now available in BETA! Version 3, BETA now includes a real-time online adult content filter, virus scanning and file type blocking capabilities and byte transfer stats per user/per site.

Click here (http://www.gfi.com/inj/) to download the new and improved BETA version!
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. How to Communicate Your Problems with the ISA Firewall
By Thomas W Shinder MD, MVP

We try to answer as many questions as possible on the ISAServer.org messages boards and mailing list. Sometimes there are some very interesting and potentially solvable questions, but there's not enough information provided to answer the question. Here are some things you can do to help all of us be more effective in answering your questions:

- Let us know what you have done to prove that it's an ISA firewall issue. From my experience, over 95% of connectivity issues are falsely attributed to the ISA firewall where the problem actually lies with some other network service or network infrastructure device
- Provide IP addressing information, including DNS settings, for your ISA firewall's NICs
- Provide information on what Access Rules are created on the ISA firewall and in what order they appear
- Tell us exactly what you want to accomplish. Don't give vague examples; tell us exactly what it is you're trying to do
- Tell us exactly what you have done to try to make it happen. Don't provide vague descriptions; tell us exactly what you did
- Provide exact descriptions of error messages seen on the client side, and also what appears in the ISA firewall's log files. Also, provide any information related to ISA firewall errors in the Windows Event Viewer
- If asked for an exact configuration of an Access Rule or Web Publishing Rule, give exact information. That means you put in real FQDNs, IP addresses, etc. If you use www.example.com, that doesn't help and it will likely end the discussion

If you follow these simple guidelines, the chances that your question will be answered quickly and correctly will be increased significantly. It will also show you've performed appropriate due diligence to solve the problem yourself and keep everyone's interest in making sure you get to your desired result.

=======================

Quote of the Month - "I'd rather be lucky than good. It's even better to be both" -Tom Shinder speaking of his post-undergraduate days as a semiprofessional gambler

=======================

------------------------------------------------------------------------------

2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
By Thomas W Shinder

Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today: http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

Publishing an OWA Site in a Back to Back ISA Firewall Configuration (Part 2)
http://isaserver.org/tutorials/Publishing-OWA-Site-Back-to-Back-ISA-Firewall-Part2.html

Publishing an OWA Site in a Back to Back ISA Firewall Configuration (Part 1)
http://isaserver.org/tutorials/Publishing-OWA-Site-Back-to-Back-ISA-Firewall-Part1.html

Product Review: HP ProLiant DL320
http://isaserver.org/articles/HP-ProLiant-DL320-ISA-Hardware-Firewall.html

Redirecting OWA Users to the Correct Directories and Protocols (Part 2)
http://isaserver.org/tutorials/Redirecting-OWA-Users-Part2.html

Redirecting OWA Users to the Correct Directories and Protocols (Part 1) v.1.1
http://isaserver.org/tutorials/Redirecting-OWA-Users-Part1.html

Troubleshooting IPSec Tunnel Mode Scenarios
http://isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html

How to Record URL and User Information in ISA 2004 Firewall Logs and Reports
http://isaserver.org/tutorials/2004recorduserinfo.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

You cannot use Netstat to verify holes in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;838127

FIX: The "Maximum number of VPN clients allowed" value is reset when you install ISA Server 2004 Enterprise Edition and join the server to an existing array
http://support.microsoft.com/default.aspx?scid=kb;en-us;898717

The Firewall service may not start in Internet Security and Acceleration (ISA) Server 2004 after you select a certificate for an SSL listener
http://support.microsoft.com/default.aspx?scid=kb;en-us;896495

How to create a detailed firewall policy report for any firewall policy in Internet Security and Acceleration Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;841663

RPC data may be blocked, and Outlook may not start in Windows Server 2003 with SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;897716

Programs and services on a Firewall Client computer may not be able to access remote resources in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;888642

FIX: You cannot use a different SSL certificate for each array member in an ISA Server 2004, Enterprise Edition-based array
http://support.microsoft.com/default.aspx?scid=kb;en-us;898066

You receive a "Setup failed while registering Wspadmin.dll" error message when you try to install ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;884494

------------------------------------------------------------------------------
5. Tip of the Month

You've created a very slick, very secure, and exquisitely functional split DNS infrastructure. Users never need to reconfigure any application regardless of their location. The user just opens his laptop, opens the Web browser, e-mail client, or other network application, and it just works. You know it works because you've deployed a split DNS infrastructure.

However, you've been having problems with your VPN clients. They're not resolving internal names correctly when connected to the ISA firewall's remote access VPN server. The problem is a bug in Windows 2000 and Windows XP that prevents the RAS adapter from being automatically placed on the top of the adapter list. The KB article Cannot Change the Binding Order for Remote Access Connections at http://support.microsoft.com/default.aspx?scid=kb;en-us;311218&Product=winxp provides a workaround for this bug. HTH -Tom

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

Compare Offerings from ISA Hardware Firewall Vendors

http://www.microsoft.com/isaserver/hardware/vendorcomparison.mspx

Reasons why a Hardware ISA Firewall might be best for you

http://www.microsoft.com/isaserver/hardware/default.mspx

ISA Firewall Webinars on the NS Hardware ISA Firewall

http://www.networkengines.com/sol/Webinars.aspx

Collection of New ISA Firewall Tools for FREE

http://www.microsoft.com/isaserver/downloads/2004/default.mspx

Check out this new ISA Firewall Scripts site

http://www.isascripts.org/

Microsoft Releases a TON of new ISA Firewall Troubleshooting Guides

http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx

SSL Capacity Planning for ISA Firewalls

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ssl_performance.mspx

------------------------------------------------------------------------------

7. Ask Dr. Tom

QUESTION: The guy that came in before me set up the ISA firewall with a single NIC configuration and has configured the clients to be Firewall and Web proxy clients of the ISA firewall. I'm concerned that this isn't a secure configuration, since the clients are also configured to use a simple stateful packet inspection "hardware" firewall as their default gateway. What's the best way to correct the security issues with this firewall infrastructure?

ANSWER: There are two major problems with this deployment:

- The single NIC ISA firewall configuration supports only a tiny subset of the ISA firewall's full firewall functionality
- A single NIC ISA firewall cannot perform reliable access control

A single NIC ISA firewall is a hamstrung ISA firewall that is at the mercy of any other firewall you have on the network. If your main network firewall is a simple stateful packet inspection firewall, you're in for some serious trouble. The following ISA firewall features are not available in a single NIC ISA firewall configuration:

- Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer itself.
- Application layer inspection. Application level filtering is not functional, except for the Web Proxy filter (for HTTP, HTTPS, and FTP over HTTP).
- Server publishing. Server publishing is not supported. There is no separation of Internal and External networks, so ISA Server cannot provide the network address translation (NAT) functionality required in a server publishing scenario.
- Firewall clients. The Firewall Client application handles requests from Winsock applications that use the Firewall service. This service is not available in a single network adapter environment.
- SecureNAT clients. SecureNAT clients use ISA Server as a router to the Internet, and SecureNAT client requests are handled by the Firewall service. Because the Firewall service is not available in a single network adapter configuration, such requests are not supported.
- Virtual private networking. Site-to-site virtual private networks (VPNs) and remote access VPNs are not supported in a single network adapter scenario.

A single NIC ISA firewall also cannot perform reliable access control. The reason for this is that the ISA firewall must be in the request/response path in order to prevent users, both internal and external, from compromising your network. It's a relatively simple affair to bypass a single NIC ISA firewall to access resources that would otherwise have been protected if the ISA firewall had been set up correctly.

For these reasons, and many more, we at ISAServer.org consider the unihomed, single-NIC ISA firewall to be a legacy configuration that is deprecated and should be eschewed by all serious network and firewall administrators.

You can correct the current configuration by putting a second NIC in the ISA firewall and reconfiguring it in a back to back firewall configuration, with the simple stateful packet inspection firewall in front of the ISA firewall. Configure the ISA firewall's external interface to use the LAN interface of the simple stateful packet inspection firewall as its default gateway.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org

------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2005. All rights reserved.
