Wednesday, June 27, 2007

ISAserver.org - June 2007 Newsletter

ISAserver.org Newsletter of June 2007
Sponsored by: Burstek
------------------------------------------------------------------------------
In this issue:
Web Proxy Filter Tricks and Traps
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Tip of the Month
ISA Firewall Links of the Month
Blog Posts
Ask Dr. Tom


Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Why Do IT Departments Choose Burstek's Security Software? Get a Free Trial of Burstek for ISA and See.
http://www.burstek.com/ISApromo/

Burstek was built from the ground up for Microsoft and ISA environments. Burstek is The ISA Advantage: easy installation, ease of use and administration, no additional consoles, hardware, software or plug-ins are required to manage the entire enterprise, and no agents or additional software are required for automatic replication across multiple servers or locations.

Burstek's Web Filtering & Reporting software helps organizations with ISA environments protect their information, networks and employees better and with more ease.
Get a 15-day free Burstek trial now and see for yourself!

Evaluate a Free Trial of Burstek for ISA today and get a free t-shirt! (http://www.burstek.com/ISApromo/)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. Web Proxy Filter Tricks and Traps
By Thomas W Shinder MD, MVP

A friend recently had a problem with the Web proxy filter. He noticed that when he unbound the Web Proxy Filter from the HTTP protocol, the ability to configure the HTTP Security Filter went away. That is to say, the configuration interface was no longer accessible because the "Configure HTTP" setting was gone from the right click menu on the Access Rule or Web Publishing Rule.

My friend also noticed another thing - when the Web Proxy Filter was bound to the HTTPS protocol, outbound connections to SSL Web sites were not possible.

This all seemed very strange to him since he wanted to publish a secure Web server and assumed that the Web Proxy Filter would be required for the HTTPS in order to allow the HTTP Security Filter to do its security work.

Are these problems normal, or did my friend do something wrong with his ISA Firewall? Let us look at these problems and then try to come to a conclusion.

It is true that when you unbind the Web Proxy Filter from the HTTP protocol, the configuration interface will no longer be available. This bug existed before ISA 2004 was released and is still present in ISA 2006. However, just because you cannot see the configuration interface for the Web Proxy Filter does not mean that the settings in the HTTP Security Filter have stopped working.

How is that? Let us look at the two HTTP/S related scenarios:

- Secure Web Publishing Rules
- Outbound Access to HTTP

Web Publishing Rules always use the Web Proxy filter, regardless of whether the Web Proxy Filter is bound to the HTTP protocol. That is because the Web listener is intimately connected to the Web Proxy Filter. You cannot break the connection between a Web listener and the Web Proxy Filter, not even by removing the Web Proxy Filter from the HTTP protocol.

Outbound access is another story. When clients are configured as Web Proxy clients for outbound access, they will be exposed to the Web Proxy Filter and the configuration settings in the HTTP Security Filter. Why? Because Web Proxy clients communicate directly with the Web Proxy Filter. And because they communicate directly with the Web Proxy Filter, they still benefit from the settings in the HTTP Security Filter, even though the configuration interface has disappeared because the Web Proxy Filter was unbound from the HTTP protocol.

In contrast, SecureNET and Firewall clients will no longer benefit from the Web Proxy Filter if you unbind the Web Proxy Filter from the HTTP protocol. This means that SecureNET and Firewall clients will not benefit from the security settings in the HTTP Security Filter and will not be able to leverage the ISA Firewall's Web cache. Remember, SecureNET and Firewall clients do not communicate directly with the Web Proxy Filter as Web Proxy clients do; they need to "hook in" to the Web Proxy Filter, and that hook is provided by binding the Web Proxy Filter to the HTTP protocol.

Why would you want to unbind the Web Proxy filter from the HTTP protocol? One reason for unbinding the Web Proxy Filter from the HTTP protocol is so that you can get true Direct Access to sites that do not play nice with Web proxies. You put the site in question in your Direct Access list, and the Web Proxy client will bypass its Web Proxy configuration when accessing that site and leverage either its SecureNET or Firewall client configuration. And because the Web Proxy filter is unbound from the HTTP protocol, the SecureNET or Firewall client request will not be funneled up to the Web Proxy filter for access to that site.

Now to answer the second question: Why does binding the Web Proxy Filter to the HTTPS protocol stop all connections to secure SSL sites?

The reason for this is that for outbound connections, the SSL termination point is at the destination Web server, not the ISA Firewall. The ISA Firewall is secure by default, and fails closed. Since the Web Proxy Filter cannot evaluate what is going on inside an SSL tunnel, it will deny the connection since it cannot determine if the connection meets ISA Firewall security requirements.

Note that this is not the case for inbound SSL connections to securely published Web sites. Why? Because in the inbound scenarios the SSL connection is terminated at the ISA Firewall. That means that the ISA Firewall decrypts the SSL protected content, which enables it to use the Web Proxy filter and HTTP Security Filter to examine the unencrypted HTTP content. In most cases, a second SSL connection is established to the published secure server, but traffic is allowed over this connection only when it has passed security inspection by the ISA Firewall when in its unencrypted state.

Want to Learn More ISA Firewall Secrets?

The ISA Firewall and Microsoft Network Security Troika - Tim Mullen (thor), Jim Harrison and myself will be teaching a Microsoft Security Ninja class at this year's Black Hat in Las Vegas. As an ISAserver.org member, you qualify for a $200 discount for this class! If you are interested in signing up and getting the discount, send me a note at tshinder@isaserver.org and we will get you fixed up. For more information about the class, check out http://blogs.isaserver.org/shinder/2007/06/02/microsoft-ninjitsu-black-belt-edition/

BTW - we will be covering more than just the ISA Firewall and will expand into related areas pivotal to Microsoft network security.

Thanks!

Tom

tshinder@isaserver.org

=======================

Quote of the Month - "It's nice to be nice to the nice"

-- Frank Burns (MASH)

=======================

------------------------------------------------------------------------------

2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they share the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today: http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver1-20/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 2
http://isaserver.org/tutorials/Definitive-Guide-ISA-Firewall-Outbound-DNS-Scenarios-Part2.html

The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 1: DNS Resolvers, DNS Forwarders, DNS Caching and Recursion
http://isaserver.org/tutorials/Definitive-Guide-ISA-Firewall-Outbound-DNS-Scenarios-Part1.html

DNS Publishing Scenarios (Part 1)
http://isaserver.org/tutorials/DNS-Publishing-Scenarios-Part1.html

Overview of ISA 2004 SP3
http://isaserver.org/tutorials/Overview-ISA-2004-SP3.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

When you try to re-authenticate the OWA client on the forms-based authentication page, you may receive an "Unknown Request" error message in ISA Server 2004
http://support.microsoft.com/kb/900249/en-us

Users receive an "Error Code 502: Proxy error. The parameter is incorrect. (87)" error when they visit certain URLs after you configure HTTP content filtering based on signatures or on extensions in ISA Server 2004
http://support.microsoft.com/kb/894483/en-us

Error message when ISA Server 2004 Web Proxy client users try to access an external FTP site by using passive FTP functionality: "Error Code: 502 Proxy Error"
http://support.microsoft.com/kb/900256/en-us

ISA Server 2004 blocks UDP traffic between two networks
http://support.microsoft.com/kb/915461/en-us

Session state management may not work as expected when ISA Server 2004 accesses a Web site that uses the round robin feature of DNS to achieve load balancing
http://support.microsoft.com/kb/897075/en-us

The ReturnAuthRequiredIfAuthUserDenied property setting does not work if the access rules include a Content Type rule in ISA Server 2004
http://support.microsoft.com/kb/905767/en-us

Authentication fails when client computers use Internet Explorer 7 to authenticate with an upstream ISA Server computer through a downstream ISA Server computer that does not require authentication
http://support.microsoft.com/kb/927265/en-us

Users may receive slow responses when you enable the Cache Array Routing Protocol in ISA Server 2004, Enterprise Edition
http://support.microsoft.com/kb/928273/en-us

------------------------------------------------------------------------------
5. Tip of the Month

Lots of folks have problems troubleshooting RPC/HTTP connections through the ISA Firewall. Here is a great thread on the ISAserver.org message boards that will help you solve some of your RPC/HTTP troubleshooting issues:

http://forums.isaserver.org/m_2002023851/mpage_2/key_/tm.htm#2002045787

Having problems with your Domain Controllers computer set? Maybe you have the wrong entries in there because the domain controllers have changed addresses or the ISA Firewall was moved. What is the best thing to do? Some people want to monkey around with the Registry or edit the ADAM database, but it is better to create a new domain controllers computer set, then go into Group Policy, remove the old set and put in your custom DC set. This tip is courtesy of Tim Mullen, lead instructor of the Microsoft Security Ninja training class.

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

Kerberos Constrained Delegation in ISA Server 2006

http://www.microsoft.com/technet/isa/2006/kcd.mspx

ISA Server Operations Guide

http://www.microsoft.com/technet/isa/2006/operations_guide.mspx

ISA Server 2006 Events Help

http://www.microsoft.com/technet/isa/2006/downloads/events.mspx

ISA Server Team Blog

http://blogs.technet.com/isablog/

------------------------------------------------------------------------------
7. Blog Posts

Multiple PPTP VPN clients behind a NAT device

http://blogs.isaserver.org/pouseele/2007/06/17/multiple-pptp-vpn-clients-behind-a-nat-device/

OT: OWA versus Full Outlook Client Comparison

http://blogs.isaserver.org/shinder/2007/06/11/ot-owa-versus-full-outlook-client-comparison/

OT: Installation of Office 2007 Applications Break Outlook 2003 Junk Email Filter

http://blogs.isaserver.org/shinder/2007/06/07/ot-installation-of-office-2007-applications-break-outlook-2003-junk-email-filter/

Fun Facts About the Session Tab in 2006 ISA Firewall Monitoring

http://blogs.isaserver.org/shinder/2007/06/04/fun-facts-about-the-session-tab-in-2006-isa-firewall-monitoring/

Some Fun Facts About MSDE Logging that I Bet You Didn't Know About

http://blogs.isaserver.org/shinder/2007/06/04/some-fun-facts-about-msde-logging-that-i-bet-you-didnt-know-about/

Microsoft set to release new build of upcoming mid-market "Centro" product

http://blogs.isaserver.org/shinder/2007/06/21/microsoft-set-to-release-new-build-of-upcoming-mid-market-centro-product/

------------------------------------------------------------------------------

8. Ask Dr. Tom

QUESTION: Hi,

I have ISA Server 2004 Standard Edition on Windows 2003. I cannot NAT one client to one valid IP other than the external interface IP on the ISA Firewall. I have 32 valid IP addresses and each client must NAT to 1 valid IP address. I cannot create this rule because each Access Rule's NAT source address is the primary IP address on the external interface of the ISA Firewall.

In Linux or Netscreen you can create a rule for this purpose; for example, in Netscreen you can create a DIP on the external interface and source NAT 1 client to 1 valid IP.
Please help me. Thanks

ANSWER: Yes, all outbound traffic through the ISA Firewall will show the source IP address to be the primary IP address on the interface of the ISA Firewall that the traffic is leaving. This is not a configurable option.

QUESTION: Hi Tom,

To configure ASA 5500 and ISA 2006 as front-end and back-end firewalls, is it recommended for any specific reasons or is it wasting resources??

Best Regards, Hafiz Mapkar

ANSWER: More security is always better than less security. If you already have an ASA device, there is no reason why you cannot put it in production with the ISA Firewall. If you are interested in a back to back Firewall configuration, put the ISA Firewall behind the ASA, since you want your strongest security closest to the assets requiring protection. Then configure the ASA to allow inbound connections only to the ports used by the ISA Firewall's Web and Server Publishing Rules. On the ASA, allow all outbound traffic from the IP address(es) on the external interface of the ISA Firewall. That is all there is to it!

QUESTION: Dear Sir,

I want to block .EXE file downloads using ISA Server 2006. Can you tell me how to configure this?

Zeeshan Saeed

ANSWER: This is a very easy task! What you need to do is configure the HTTP Security Filter on the rule on which you want to block .exe file downloads. If you have multiple rules that allow HTTP downloads of .exe files, then you need to configure the filter for each rule. Right click on the rule and click "Configure HTTP". Then on the General tab, put a checkmark in the "Block responses containing Windows executable content" checkbox. Click OK and then click Apply to save the changes to ISA Firewall policy.
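To show why a content-based setting like the one above is stronger than blocking on file extension alone, here is an added example in Python. It is not ISA Server code and does not claim to reproduce ISA's implementation; it assumes, as a model of what such a filter does, that Windows executable content is recognised by the DOS "MZ" header at the start of the response body and, where present, the PE signature that the header points to. The HTTP responses it inspects are constructed for the example.

```python
"""Content-based detection of Windows executable downloads (added example).

Assumptions (not taken from ISA Server): a response body is treated as
Windows executable content when it starts with the DOS 'MZ' header; the PE
signature at e_lfanew (offset 0x3C) is reported as extra detail. Encoded
bodies that cannot be inspected are refused (fail closed). All sample
responses below are constructed.
"""
import struct


def windows_executable_kind(body: bytes):
    """Return 'pe' for an MZ+PE image, 'mz' for a bare MZ header, None otherwise."""
    if len(body) < 2 or body[:2] != b"MZ":
        return None
    if len(body) >= 0x40:
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if e_lfanew + 4 <= len(body) and body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "mz"


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return lines[0].decode("ascii", "replace"), headers, body


def filter_decision(raw: bytes, url_path: str) -> dict:
    """Decide whether a response should be blocked as executable content.

    url_path is the request path the response belongs to; it is only used to
    show how an extension check would have fared, it does not drive the block.
    """
    status, headers, body = split_http_response(raw)
    encoding = headers.get("content-encoding", "identity").lower()
    extension_match = url_path.lower().endswith((".exe", ".dll", ".scr", ".com"))
    if encoding not in ("identity", ""):
        # Cannot see the real body, so do not pass it through uninspected.
        return {"block": True, "reason": "uninspectable content-encoding: " + encoding,
                "extension_match": extension_match, "content_kind": None}
    kind = windows_executable_kind(body)
    return {"block": kind is not None,
            "reason": "executable content (%s)" % kind if kind else "no executable content",
            "extension_match": extension_match, "content_kind": kind,
            "content_type": headers.get("content-type")}


def build_fake_pe() -> bytes:
    """Constructed MZ/PE stub: not a runnable program, just the two signatures."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to offset 0x3C
    stub += struct.pack("<I", 0x40)             # e_lfanew -> PE signature at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20        # PE signature plus padding
    return bytes(stub)


# Constructed sample responses.
RESP_EXE_RENAMED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                    b"Content-Length: 88\r\n\r\n" + build_fake_pe())
RESP_REAL_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b"\r\n%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n")
RESP_GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Encoding: gzip\r\n\r\n\x1f\x8b\x08\x00opaque-bytes")

if __name__ == "__main__":
    # An executable renamed to .pdf is caught by content, missed by extension.
    print(filter_decision(RESP_EXE_RENAMED, "/downloads/report.pdf"))
    # A genuine PDF served as setup.exe would be blocked only by an extension rule.
    print(filter_decision(RESP_REAL_PDF, "/files/setup.exe"))
    print(filter_decision(RESP_GZIPPED, "/files/update.bin"))
```

The renamed-executable case is the one the checkbox is for: the extension and the Content-Type header both say "document", and only the body reveals the MZ header. Extension-based blocking (the Extensions tab in the same dialog) is a separate control, which is why the function reports both results instead of folding them into one.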

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2007. All rights reserved.
