Wednesday, September 28, 2005

ISAserver.org - September 2005 Newsletter

ISAserver.org Newsletter of September 2005
Sponsored by: Rainfinity
------------------------------------------------------------------------------
In this issue:
What are the Most Important Features Missing from ISA 2004 Firewalls?
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Post of the Month
ISA Firewall Links of the Month
Ask Dr. Tom

Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Download RainWall High Availability for ISA: Optimize Firewall, Internet and Content Security

Rainfinity delivers High Availability and Dynamic Load Balancing for Microsoft ISA 2004. Rainfinity's next generation high availability platform extends beyond the firewall to protect and optimize all of your network resources, including your ISP connections and content security. This is the only integrated solution for firewall and Internet connectivity that takes advantage of all nodes with load balancing and advanced failure detection. Download RainWall and RainConnect for ISA today! (http://www.rainfinity.com/products/downloads.html)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. What are the Most Important Features Missing from ISA 2004 Firewalls?
By Thomas W Shinder MD, MVP

As a Microsoft MVP in ISA firewalls, I'm going to have the unique opportunity of spending a few days with the ISA firewall product team this week. During the few days where the ISA firewall MVPs will have the product team's ears, one of the things I expect we'll talk about are features that the majority of ISA firewall admins using the product today consider to be missing.

I realize we always want more. In a perfect world of unlimited resources and personnel, the ISA firewall could have all the features that every other firewall in the world has and only cost $9.95US. Since we don't live in that world, we have to figure out what are the most important features.

What are the most important features? From a business point of view (and Microsoft is a business, so that's their point of view), the most important features are those that prevent you from buying the product and those that prevent you from repurchasing (upgrading) because of dissatisfaction with the current product.

Here's my list of features that I consider important and should be included with the next version of the ISA firewall in order to increase customer satisfaction (I'm a customer too, so these will also increase my satisfaction):

- Support for at least two Internet connections for failover and failback
- Ability to map an internal machine to an external IP address on the ISA firewall to support SMTP servers and reverse DNS lookups
- Bandwidth control that allows user/group control over application access to the Internet
- A straightforward approach to populating Domain and URL Sets so that block lists can be easily created
- Support for Web proxy protocols such as WCCP and ICAP.
- Support for popular SIP implementations for VoIP
- A "starter" version of the ISA firewall product, that limits the number of outbound connections to something like 10 and VPN connections to something like 5, and charge only $395.00 for it (including the Windows OS on which the ISA firewall runs)

That's my short list. There's plenty more I can put there, but these are the "biggies".

What features are on your list? Send me a note at tshinder@isaserver.org and let me know what you think are critical features that need to be included in the next version of the ISA firewall and I'll share your thoughts with the ISA firewall product group. Here's your chance to get heard by the people who make the decisions, so let me know!

=======================

Quote of the Month - "Nothing is easy, and nothing is fast" - Tom Shinder speaking of all things computer

=======================

------------------------------------------------------------------------------

2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
By Thomas W Shinder

Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today: http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients - Part 1
http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-OWA-Connections-Internal-External-Clients-Part1.html

Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - Part 4: E-mail Domain Name Page to Completion of the CEICW
http://isaserver.org/articles/2004sbsinstallpart4.html

Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - Part 3: The CEICW from the Network Connection Page to the E-mail Retrieval Method Page
http://isaserver.org/articles/2004sbsinstallpart3.html

Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - Part 2: The CEICW from the Welcome Page to the Router Connection Page
http://isaserver.org/articles/2004sbsinstallpart2.html

Tom Shinder's Trek through Small Business Server 2003 Service Pack 1 - The Totally Unofficial and Non-Authoritative Guide on ISA Firewall Installation on SBS 2003 SP1 (Part 1)
http://isaserver.org/articles/200sbsinstallpart1.html

Using the ISA Firewall to Configure Granular Access Controls for VPN Clients (Part 2)
http://isaserver.org/tutorials/ISA-Firewall-Configure-Granular-Access-Controls-VPN-Part2.html

http://isaserver.org/tutorials/Windows-Server-2003-Security-Configuration-Wizard-Harden-ISA-Firewall.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

Active mode FTP client programs cannot access an FTP server from behind Internet Security and Acceleration Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;884580

Routing and Remote Access stops responding in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;888090

Lockdown mode of operation in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;838711

When you configure the No Connectivity alert to send an e-mail notification to an SMTP server, only every second e-mail notification may reach the recipient in Internet Security and Acceleration Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;894458

The ISA Server RPC filter blocks RPC traffic after Windows Server 2003 Service Pack 1 is installed on a computer that is running ISA Server 2004 or ISA Server 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;887222

An "Event ID ( 19011 ) in Source ( MSSQL$MSFW ) cannot be found" message may be logged in the event log after you install ISA Server 2004 on a computer that is part of a workgroup
http://support.microsoft.com/default.aspx?scid=kb;en-us;840473

You cannot specify a path statement that ends in a wildcard character when you create a Web publishing rule in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;900919

ISA Server 2004 stops forwarding traffic between networks and the Internet
http://support.microsoft.com/default.aspx?scid=kb;en-us;905180

------------------------------------------------------------------------------
5. Post of the Month

Direct Access, Direct Access, Direct Access!

Just about every day for the last two years I've answered a question with the answer being Direct Access.

What is Direct Access? Direct Access is an ISA firewall and client configuration where the client system bypasses the Web proxy client and/or the Firewall client configuration to reach the destination server.

Web proxy client bypass is often required to connect to sites that are poorly written, in that the Web developers "forgot" about Web proxy servers in the request/response path. When you encounter these Web sites, you need to configure the ISA firewall to support Direct Access to the site. Once the site is configured for Direct Access, the client system does not forward the connection to the ISA firewall's Web proxy filter. Instead, the client uses either its Firewall client or SecureNAT configuration to connect to the site.

Another situation where Direct Access is used is when the client needs to connect to a server located on the same ISA firewall Network. For example, if both the client and the server are located on the default Internal Network, then the client should not connect to the destination through the ISA firewall. Instead, the client should connect directly to the destination server, bypassing the ISA firewall completely.

For more information on Direct Access, check out these articles:

Configuring Sites for Direct Access: Part 1 - Configuring Direct Access for Web Proxy Connections http://isaserver.org/articles/2004directaccessp1.html

Configuring Sites for Direct Access: Part 2 - Configuring Direct Access for Firewall Clients and Publishing Scenarios http://isaserver.org/articles/2004directaccessp2.html

HTH -Tom.
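
The Web proxy bypass decision described in this post, written as a proxy auto-config (PAC) style function. This is an added example, not part of the original newsletter and not the ISA firewall's own script; the proxy name, the Direct Access domain list and the Internal Network range are assumed values.

```javascript
// Added example: PAC-style routing decision for Direct Access.
// All names and addresses below are constructed for illustration.
const PROXY = "PROXY isa.example.local:8080"; // hypothetical Web proxy listener
const DIRECT_DOMAINS = ["legacyapp.example.com", "partner.example.net"]; // sites that break via the proxy
const INTERNAL_NETS = [["10.0.0.0", "255.0.0.0"]]; // hypothetical Internal Network range

// Convert a dotted-quad IPv4 string to an unsigned integer; null if not IPv4.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Subnet test for literal IPv4 hosts (host names are not resolved here).
function inNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Match on a label boundary so "evil-legacyapp.example.com" does not
// inherit the bypass granted to "legacyapp.example.com".
function domainMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

function FindProxyForURL(url, host) {
  // Destination on the client's own Internal Network: connect directly.
  if (INTERNAL_NETS.some(([net, mask]) => inNet(host, net, mask))) return "DIRECT";
  // Site configured for Direct Access: skip the Web proxy filter, so the
  // client falls back to its Firewall client or SecureNAT configuration.
  if (DIRECT_DOMAINS.some((d) => domainMatches(host, d))) return "DIRECT";
  // Everything else goes to the Web proxy for inspection.
  return PROXY;
}
```

Every entry in the Direct Access list is traffic the Web proxy filter no longer sees, so the list is kept to the specific sites that need it and matched on whole domain labels.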

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

A bunch of ISA Firewall Webcasts

http://www.microsoft.com/events/series/isaserversecurity.mspx

Reasons why a Hardware ISA Firewall might be best for you

http://www.microsoft.com/isaserver/hardware/default.mspx

ISA Firewall Performance Best Practices

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx

Upgrading from ISA Server 2000 Enterprise Edition to ISA Server 2004 Enterprise Edition

http://www.microsoft.com/technet/prodtechnol/isa/2004/isa2kexport.mspx

Exceptionally good document on configuring the ISA firewall to protect Exchange Servers

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx

Microsoft Releases a TON of new ISA Firewall Troubleshooting Guides

http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx

ISA Firewall Coding Corner

http://www.microsoft.com/isaserver/techinfo/Guidance/2004/coding.mspx

------------------------------------------------------------------------------

7. Ask Dr. Tom

QUESTION: I can receive incoming mail from my SMTP Server Publishing Rule but outbound mail isn't going out. How can I fix this? Thanks! Bob.

ANSWER: The incoming mail from Internet SMTP servers to your corporate SMTP servers is controlled by the Server Publishing Rule allowing the mail through the ISA firewall to the SMTP server on your network. The external DNS also was configured to resolve your MX names to the IP address on the external interface of the ISA firewall. For outbound SMTP connections, you'll need to make sure the SMTP server is able to resolve the names for the SMTP servers responsible for mail in each Internet domain. You'll need to configure the ISA firewall with Access Rules allowing outbound SMTP from the SMTP server to the Internet. Also, you need to make sure that the SMTP server is configured with a DNS server that has access to a DNS Access Rule.

QUESTION: I'm getting a 500 Internal Server Error when I try to access my OWA Web site. What's up with that? Ricky.

ANSWER: The problem is that the common name on the Web site certificate bound to the published Web server is not the same as the name on the To tab in the Web Publishing Rule. Change the name or IP address you have listed in the To tab so that it's the same as the common name on the Web site certificate. Also, make sure that the ISA firewall is able to resolve that name to the actual IP address of the Web site (the exception being if the Web site is separated from the ISA firewall by a NAT device, in which case the name should resolve to the IP address of the interface on that device performing reverse NAT).

Got a question for Dr. Tom? Send it to tshinder@isaserver.org

------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2005. All rights reserved.