ISA Server 2004 Standard Edition
Service Pack 1 Released (ver 1.1)
By Thomas W Shinder MD, MVP
Got Questions? Go to:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=24;t=000506 and ask!
ISA Server 2004 Service Pack 1 was released this week and you can get it by following the link to it at www.microsoft.com/isaserver.
I always look forward to service packs, not only because they fix known issues with the software, but also because they often come with little improvements that aren’t so obvious. I’m sure it was difficult for the ISA team to come up with things to fix with this service pack, because there seems to be little that doesn’t work with the RTM release of the ISA Server 2004 firewall software.
However, just because something’s good doesn’t mean you can’t make it better. ISA Server 2004 Service Pack 1 provides you two things:
First, let’s talk about the fixes.
Article 884569: The ISACTRL and WSPSRV services do not start when you install ISA Server 2004 on a multiprocessor computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;884569
ISA Server 2004 SP1 fixes a problem where the ISA firewall services wouldn’t start if you installed the firewall software onto a multiprocessor computer with a certain configuration. This issue also appeared if you had hyperthreading enabled on a Pentium 4 processor. This problem occurred because ISA Server 2004 incorrectly determines the number of processors that are installed in a computer when Hyper-Threading Technology is enabled. ISA Server 2004, Standard Edition supports up to four processors. No problem anymore.
Article 884560: You cannot use RADIUS when you use the Outlook Web Access (OWA) Forms-Based Authentication on a Web publishing rule http://support.microsoft.com/default.aspx?scid=kb;en-us;884560
There are times when you don’t need to join your ISA firewall to the domain, like when you have a front-end / back-end ISA firewall configuration. There may also be times when you have to deal with "security experts" who insist that there’s uncanny evil inherent in making the ISA firewall a domain member.
For whatever technical, political or supernatural reasons, you can still benefit from ISA firewall’s pre-authentication features by using RADIUS auth for Web Publishing Rules if the ISA firewall is not a member of the domain.
The problem was that many organizations wanted to use the ISA firewall’s extremely cool forms-based authentication mechanism and use RADIUS authentication at the same time. The RTM version of the ISA firewall required that you chose between FBA and RADIUS authentication. ISA Server 2004 SP1 fixes this problem and you can now use RADIUS authentication with the ISA firewall’s FBA feature. Cool!
Article 884580: Active mode FTP client programs cannot access an FTP server behind Internet Security and Acceleration Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;884580
A day doesn’t go by when I don’t hear someone complain about FTP not working correctly from behind an ISA firewall. The was somewhat arcane and depended on a certain configuration to be in place in order to show itself. Bottom line: no more problems with Active (PORT) mode FTP from behind the ISA firewall.
Article 888422: CookieAuthFilter fails to logon credentials that include an Umlaute
Can’t tell you much about this one as the KB article does not appear on the Microsoft Web site. But the title should tell it all.
Article 891510: CRL check on Web Publishing fails when ROOT certificate has no CDP extension
Same goes with this one, a mysterious KB article. I’m sure these will show up in the near future. Probably by the time you read this article.
Article 891719: Request fails when CRL verification is enabled on ISA Server
This one makes it a trifecta 
Article 885683: "401 Unauthorized" error message when you use the Internet Security and Acceleration Server 2004 Firewall client to access a Web page.
Got the superfecta now!
Article 893171: Issues with ISA Server 2004 Firewall Client running on Windows 98
Five and a row!
I’ll make sure to update this article as soon as the relevant KB articles are up, because I wasn’t aware of these problems either, although now that they’re fixed, I guess they’re never going to be problems.
Installing Service Pack 1
I installed ISA Server 2004 SP1 while connected to the firewall from a remote workstation via a 128bit encrypted RDP link. I downloaded the Service Pack to the workstation, because we all know that you should never run client applications on a firewall. I scanned the file for viruses and copied it to a USB key. Scanned the USB key just to be safe, and then copied the Service Pack from the USB key to the ISA firewall’s hard disk.
Double click the install file and everything went smoothly. However, you never know when things aren’t going to go smoothly, so it would be nice to be able to back out of the Service Pack just in case things went haywire. If you want to be able to remove ISA Server 2004 Service Pack 1 after installing it, make sure you have Windows Installer 3.0 on the System. Same goes for uninstalling the new Firewall client software too. You can get it at http://go.microsoft.com/fwlink/?LinkID=40389
You will need to restart after the install. When the ISA firewall came back up, all was well. No problems at all. I logged in again over secure RDP and found that the ISA console was noticeably faster and more responsive. Client-side performance seemed better, but given the nature of Internet communications, it could have been a coincidence.
I let the machine run for a few hours before installing the updated Firewall client. I didn’t notice any problems using the previous version of the Firewall client during the interim, so if you need some time to figure out how you’ll deploy the new Firewall client, then you have plenty of time.
If you installed the Firewall client via Group Policy, you can use Group Policy’s software management features to update to the new client. Several people have reported there’s no problems upgrading the Firewall client using this method.
You can also use the update.bat file that comes with the service pack. The details are included in the ISA Server 2004 Service Pack 1 release notes which I highly recommend you read before installing the service pack. Not that anything terrible will happen to you if you don’t, but there are several tidbits of interesting and valuable information in there that might prove valuable.
One thing to be aware of is that the current Firewall client tool (that you can download from the Microsoft ISA download site) will not work with the updated version of the Firewall client. BTW, the updated version of the Firewall client is version 4.0.3440.81
Overall I found updating my ISA firewalls to ISA Server 2004 Service Pack 1 a uniformly painless experience. If you are not running any third party software on your ISA firewall, then install it knowing that you’ll very likely have the same excellent upgrade experience. If you have third party software of any kind installed on the ISA firewall, I highly recommend that you test the service pack on a staging sever first. At the very least, make sure that the Windows Installer version 3.0 is installed on the ISA firewall before installing the service pack so that it’ll be easier to back out.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=24;t=000506 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update' by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.
