Sponsored by: GFI Software Ltd
ISAserver.org Newsletter
April 2005
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
GFI WebMonitor for ISA Server FREEWARE - Monitor & block web browsing in real time
GFI's WebMonitor for ISA Server is a freeware utility for ISA server that allows you to monitor the web sites being browsed by network users and the files they are downloading - in REAL TIME. It also allows administrators to block current web connections as needed.
Click here to download the fully functional freeware version.
1. Get Off to the Right Start with ISA Server 2004
By Thomas W Shinder MD, MVP
Working with new software can be a frustrating experience. Often people well-heeled in a particular software package will forget what it's like to be a newbie with that piece of software. I was in this position the other day when testing Small Business Server Service Pack 1. I thought I knew what I was doing, since I've set up Windows Servers in enterprise environments since Windows NT 4.0 hit the streets. However, just because I thought I knew what I was doing didn't mean I did. Like most newbs, I didn't read the manual and made some critical mistakes which gave me the false impression that SBS SP1 wasn't worth the bits it was printed on.
I see the same thing happen with the ISA firewall. There are a handful of issues that, if you take care of them in advance, will bypass frustrating and perplexing problems with your initial ISA firewall setup and get you off to a good start. If you take into account these ISA firewall best practices, your life with the ISA firewall will go more smoothly, you'll end up less frustrated and disappointed, and you'll have a good impression of the ISA firewall instead of a negative one.
Key issues with ISA firewall configuration that will help you have a great install and configuration experience include the following:
- Set up supporting network services before standing up the ISA firewall
- Install at least two NICs on the ISA firewall
- Put a router in front of the ISA firewall if you don't have a dedicated IP address
- Configure the ISA firewall to use an internal DNS server and configure the internal interface of the ISA firewall to use this DNS server
Set up supporting network services before standing up the ISA firewall
The fact is the ISA firewall is a key part of network gear. While it might use Windows Server as its base operating system, the ISA firewall is a piece of the network infrastructure, it's not a server on the network. For this reason, you need to plan ahead in the same way you would plan when introducing any other piece of network infrastructure.
The ISA firewall works together with a number of other network infrastructure components; these include but aren't limited to:
- DHCP servers
- DNS servers
- WINS servers
- Certificate servers
- IAS (RADIUS) servers
- Active Directory domain controllers
- Network routers and switches
- Existing firewalls
Make sure you have all these supporting network services in place and working correctly before deploying the ISA firewall. While the ISA firewall doesn't require all of these services in every scenario, having them in place in advance and working correctly will greatly simplify your deployment options for the ISA firewall and will reduce the amount of "just in time" work you might have to do in the future.
Install at least two NICs on the ISA firewall
The ISA firewall is a firewall. In spite of the ISA firewall's family history that included Proxy Server 1.0, the fact is that the Web proxy gene in the ISA firewall's DNA is only a small remnant of the ISA firewall's past. Now the Web proxy component is but a mere application filter and is an extension of the ISA firewall's firewall service. There is no more Web proxy service, as the ISA firewall's firewall service statefully examines all traffic moving through the firewall.
This means the ISA firewall is always a firewall. You can't "un-firewall" the ISA firewall. This is a good thing, as the entire point of having a firewall is to ensure strong access control and network security for all traffic moving to and through the firewall. In order to deploy the ISA firewall so that it provides full firewall protection, you need to install two or more network interfaces: one or more interfaces on the internal network and one or more interfaces on non-internal networks.
Put a router in front of the ISA firewall if you don't have a dedicated IP address
The problem with DHCP is that in order to obtain an address from a DHCP server, the host issuing the DHCP request needs to broadcast the initial request and then accept the first lease offer given to it. This means people with less than good intentions could potentially take advantage of your ISA firewall by putting up a rogue DHCP server and assigning your ISA firewall IP addressing information that better serves the intruder's needs than yours.
In order to mitigate some of these issues, the ISA firewall sports a DHCP spoof detection mechanism. However, because of how some cable and other networks work, you might find that your ISA firewall's external interface won't be able to obtain an IP address from the ISP's DHCP server. This has caused a legion of ISA firewall admins more pain than they really needed to experience.
You can easily solve this problem by putting a router in front of the ISA firewall. If you have a PPPoE based DSL connection, a cable connection, or some other type of connection that depends on DHCP address assignment for the public interface, then put a router in front of the ISA firewall. This completely eliminates the DHCP issue and also will obviate DSL-related MTU problems.
Configure the ISA firewall to use an internal DNS server and configure the internal interface of the ISA firewall to use this DNS server
This is one of the most important issues related to ISA firewall performance. I can't tell you the number of times someone said to me that after introducing the ISA firewall into the network, everything was much slower. The problem was invariably related to DNS and adapter configuration.
First, you need a DNS server on the corporate network that is able to resolve Internet host names. Second, you need to configure the internal interface on the ISA firewall to use this internal DNS server as its primary DNS server, and last, you need to configure the internal interface as the top listed interface in the Advanced Properties of the Advanced Configuration dialog box in the Network Connections window.
The DNS server address or addresses on the internal interface should be the ONLY DNS servers configured on the ISA firewall's interfaces. You should NEVER configure the ISA firewall to use an external DNS server if you have a domain-based network environment.
Last but not least, you need to create an Access Rule allowing the DNS server on the internal network outbound access to the DNS protocol.
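As an added check for the DNS rules above (this script is not from the newsletter), the following Python parses a constructed "ipconfig /all" excerpt from a two-NIC ISA firewall and flags any DNS server listed on the external adapter, a missing DNS server on the internal adapter, or a DNS server that lies outside the corporate address space. The adapter names, the sample addresses and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt; names and addresses are sample values.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . : corp.example.com
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.2
                                       10.0.0.3

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 192.0.2.10
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
"""

# Assumption: the corporate address space, used to decide whether a DNS server is internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")       # "Ethernet adapter Internal:"
SETTING_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")     # "   DNS Servers . . . : 10.0.0.2"


def parse_ipconfig(text):
    """Return {adapter name: {"gateway": str or None, "dns": [server, ...]}}."""
    adapters, current, key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {"gateway": None, "dns": []})
            key = None
            continue
        if current is None:
            continue
        m = SETTING_RE.match(line)
        if m and m.group(1).strip():
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Default Gateway":
                current["gateway"] = value or None
            elif key == "DNS Servers" and value:
                current["dns"].append(value)
        elif key == "DNS Servers" and line.strip():
            current["dns"].append(line.strip())   # continuation line: a further server
    return adapters


def check_dns_layout(adapters):
    """Apply the newsletter's DNS rules; an empty list means the layout is compliant."""
    findings = []
    for name, cfg in adapters.items():
        external = cfg["gateway"] is not None   # the adapter carrying the default gateway
        if external and cfg["dns"]:
            findings.append(f"{name}: external adapter lists DNS servers {cfg['dns']}; remove them")
        if not external and not cfg["dns"]:
            findings.append(f"{name}: internal adapter has no DNS server configured")
        for server in cfg["dns"]:
            if not any(ipaddress.ip_address(server) in net for net in INTERNAL_NETS):
                findings.append(f"{name}: DNS server {server} is not on the internal network")
    return findings


if __name__ == "__main__":
    for finding in check_dns_layout(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(finding)
```

On a live firewall, pipe the real "ipconfig /all" output into parse_ipconfig instead of the sample; the binding-order rule has to be verified separately in the Network Connections window.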
Summary
If you set up your supporting network services, put a router in front of ISA firewalls that use dynamic addressing for the external interface, put two or more NICs in the ISA firewall and configure a DNS server on the internal interface and never use external DNS servers on the ISA firewall's interfaces, your setup will go much more smoothly and you'll have a great experience with your ISA firewall.
Got questions about preparing for an ISA firewall rollout? Send them along to tshinder@isaserver.org and I'll answer them in the next newsletter. Thanks! -Tom.
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
5. Post of the Month
Last month I did a short feature on the scripts included on the ISA firewall CD and offered to publish the scripts of any readers who had a cool management script they wanted to share. Bill Stewart bellied up to the bar with a great script and the rationale behind it:
Hi Tom,
I just wanted to let you know that I wrote a script that several ISA admins have found useful. You can read about it in this thread:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000383
The script is RequestAuth.vbs. It configures the ReturnAuthRequiredIfAuthUserDenied setting on a Network's web listener's properties.
The default value for this setting is disabled: That is, if an authenticated user is denied access via rules, the user will not be given the opportunity to authenticate again; the request will simply be denied. If you enable this setting, authenticated users that are denied access via rules will be given the opportunity to authenticate themselves. (This was the default behavior in ISA 2000.)
To give a real-world example, suppose only the group WWW Users has permission to use HTTP, and only integrated authentication is enabled on the web listener. If a user logs onto a machine using a local (non-domain) account and attempts to use a browser, the request will be denied immediately, because although the web listener considers the user to be authenticated (e.g., logged on, albeit with a non-domain account), the local account is not a member of the group that has permission.
If you enable the ReturnAuthRequiredIfAuthUserDenied setting on the web listener for the Internal network, then the user will get an authentication dialog. The command-line syntax for the script is as follows:
RequestAuth.vbs /NETWORK:<name> [/ENABLE | /DISABLE]
The /NETWORK option specifies the ISA Network object on which you want to modify the web listener (e.g., Internal). To enable the setting, type /ENABLE; to disable it, use /DISABLE. For example:
RequestAuth.vbs /network:Internal /enable
This command would enable the ReturnAuthRequiredIfAuthUserDenied setting on the Internal Network object's web listener.
In my opinion, this option really should be exposed in the GUI, especially since the default behavior is the exact opposite of ISA 2000.
Thanks! Bill.
Thanks Bill! A great script and an impressive explanation for the rationale behind it.
6. ISA Firewall Links of the Month
If you haven't downloaded and installed ISA Server 2004 Service Pack 1 yet, then it's time you did. It'll be painless and you'll feel the performance enhancements:
http://www.microsoft.com/downloads/details.aspx?FamilyID=69c5d85c-5c80-473c-9cb4-60dda75d568d&displaylang=en
Download the free ISA firewall trial software and test it out on some virtual machines before shelling out your cash:
http://www.microsoft.com/isaserver/evaluation/trial/default.asp
The only thing more secure than an ISA firewall you build yourself is a dedicated, hardware-based ISA firewall appliance. Check out this list of ISA-based hardware firewall vendors:
http://www.microsoft.com/isaserver/partners/hardwarepartners.asp
Get the inside information on how the ISA firewall works and dozens of never-published tips and tricks on how to configure the ISA firewall by watching this bevy of Webcasts:
http://www.microsoft.com/events/series/isaserversecurity.mspx
Learn how to configure the ISA firewall to publish Exchange Server services, allow remote access VPNs and strong outbound access policies and firewall rules in the comfort of your easy chair by using your laptop to take these ISA firewall online lab practicals. Microsoft provides the virtual machine environment and lab manuals for free:
http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx
SBS users unfortunately get short shrift in the ISAserver.org mailing lists, Web boards and articles. ISAserver.org is fully dedicated to high-security computing, and we try to promote security best practices to the greatest extent possible. ISAserver.org members know that the new ISA firewall is on par with any other high-end, sophisticated stateful packet inspection and stateful application layer inspection firewall, and they try to stay within the bounds of network security best practices recognized throughout the industry. So, co-locating a network-centric firewall on a domain controller, Exchange Server, SharePoint Server and SQL Server sends shivers down the spine of a security purist. However, like all other things in life, you try to get the best you can afford. SBS presents this type of compromise. If you're an SBS user who's interested in using the ISA firewall as a transmogrified host-based firewall, then check out Amy Babinchak's ISA in SBS Web log at:
http://isainsbs.blogspot.com/
OK, I've posted these links the last several months and this is the last time for a while, but I really want to point out again the great information in the ISA deployment kits. There are kits for rolling out the ISA firewall in the branch office, using the ISA firewall to protect Exchange Servers, using the ISA firewall as a cutting-edge IPSec and SSL VPN server and site-to-site VPN gateway, and more. Check out the kits listed below for more info:
ISA 2004 Branch Office Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_branchoffice-Rev%201%2003.doc
ISA 2004 Exchange Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_exchangekit-Rev%201%2005.doc
ISA 2004 Quick Start Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc
ISA 2004 Configuration Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc
ISA 2004 VPN Deployment Kit
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_vpnkit-Rev%201%2004.doc
7. Ask Dr. Tom
QUESTION: I have two Internet connections: one is an ADSL connection and the other is a T1. I would like to use both of these connections and route some traffic to the ADSL connection and other traffic to the T1. I also want to aggregate the bandwidth from both links to increase overall throughput. I hear that ISA Server 2004 has multinetworking so this should work. How do I get this to work? Thanks! -Jarrod.
ANSWER: Multinetworking, from the standpoint of the ISA firewall, has to do with the ability to define ISA firewall Networks and then "connect" these networks by assigning route relationships between connected Networks. You can define a NAT or Route relationship between any two ISA firewall Networks.
For example, you can define a NAT relationship between the Default Internal Network and the Default External Network and a Route relationship between the Default Internal Network and a network services segment Network. The key to understanding ISA firewall Networks is to understand that all IP addresses directly reachable from an interface installed on the ISA firewall are considered part of the same ISA firewall Network. If you have multiple network IDs behind a single NIC, all of the IP addresses on those networks are part of the same ISA firewall Network.
What multinetworking does not mean is that you can assign multiple default gateways on the ISA firewall. You cannot implement policy-based routing (for example, sending a particular protocol to one gateway and another protocol to another gateway) and you can't configure the ISA firewall to use multiple ISPs, since you can have only a single default gateway. If you want to support multiple ISPs, aggregate bandwidth and route protocols to a particular ISP, then check out RainConnect. RainConnect is a powerful multi-ISP, bandwidth aggregation and protocol routing add-on to the ISA firewall that also supports ISP failover, so that your Server Publishing Rules and Web Publishing Rules continue to work even when one of your ISP links goes down.
QUESTION: I am looking to find a fix for my relay server problem. I really liked your article and the solution that you provided. My current setup is almost like your article. I have a relay server in my DMZ and the mail server in my internal network. My problem is how do you take care of reverse DNS solutions. I am having problems getting my relay server to relay mail from my internal network. I try to send email to my relay server in the DMZ, but it just won't send the mail. I can't seem to find any log to troubleshoot what is happening. I am using Windows 2000 Pro IIS SMTP service.
Do I need to set up a relay server inside the network? My relay server in the DMZ is running a spam filter. I wanted to have my users relay their mail through the same relay server.
Could you comment on this? Thanks, Vincent
ANSWER: You can use your DMZ SMTP server as an outbound SMTP relay. However, you need to be very careful about the configuration, as you need to make the outbound SMTP relay an "open" relay to a certain extent, since it must be able to forward mail to any domain, instead of just the remote domains you configure for inbound mail relay.
In order to do this, you can configure the SMTP relay in the DMZ to allow relay for authenticated users, and then configure the Exchange Server on the internal network to authenticate with the SMTP relay in the DMZ. There is a risk to doing this, as spammers are running brute-force attacks against SMTP relays in an attempt to use them as open relays to all Internet mail domains. If you choose to do this, use a very complex password of at least 24 characters for the account the Exchange Server will use to authenticate with the DMZ SMTP relay. Another thing you can do is configure the SMTP filter to block the AUTH command by removing it from the list of commands in the SMTP filter properties.
You also need to create a rule that allows the SMTP relay in the DMZ to use DNS from the DMZ to the Default External Network. This is required because the SMTP relay in the DMZ must be able to query Internet DNS servers to discover the IP address of the SMTP server responsible for mail delivery for each domain. An alternative is to configure the SMTP relay in the DMZ to use an internal network DNS resolver to resolve mail domain names.
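The brute-force risk on the authenticated relay can be watched for in the relay's own logs. As an added example that is not part of the newsletter, the Python below reads a constructed W3C extended log excerpt in the shape the IIS SMTP service writes, using its "#Fields:" header to map columns, and flags any client that piles up failed AUTH attempts (535 replies) inside a short window, as well as any client other than the internal Exchange Server that authenticates successfully (235). The log lines, the 10.0.0.5 Exchange address, the five-failure threshold and the two-minute window are assumptions.

```python
import datetime as dt
from collections import defaultdict, deque

# Constructed log excerpt; the parser is driven by the "#Fields:" header, not by
# hard-coded column positions, so it also copes with a different field order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2005-04-12 10:00:01 10.0.0.5 exchrelay SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 235
2005-04-12 10:00:02 10.0.0.5 exchrelay SMTPSVC1 DMZRELAY 172.16.1.2 25 MAIL - +FROM:<user@example.com> 250
2005-04-12 10:05:00 203.0.113.7 - SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 535
2005-04-12 10:05:03 203.0.113.7 - SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 535
2005-04-12 10:05:05 203.0.113.7 - SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 535
2005-04-12 10:05:08 203.0.113.7 - SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 535
2005-04-12 10:05:10 203.0.113.7 - SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 535
2005-04-12 10:09:00 198.51.100.9 - SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 535
2005-04-12 10:30:00 198.51.100.9 exchrelay SMTPSVC1 DMZRELAY 172.16.1.2 25 AUTH - LOGIN 235
"""

# Assumptions (not from the newsletter): only the internal Exchange Server at 10.0.0.5
# should ever authenticate, and five failures from one client within two minutes is
# treated as a brute-force attempt.
TRUSTED_RELAY_CLIENTS = {"10.0.0.5"}
FAIL_THRESHOLD = 5
WINDOW = dt.timedelta(minutes=2)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def analyze_auth(text):
    """Return (brute_force_ips, unexpected_auth_ips) for the AUTH events in text."""
    failures = defaultdict(deque)      # c-ip -> timestamps of recent 535 replies
    brute_force, unexpected = set(), set()
    for rec in parse_w3c(text):
        if rec["cs-method"] != "AUTH":
            continue
        ip = rec["c-ip"]
        when = dt.datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if rec["sc-status"] == "535":             # authentication failed
            q = failures[ip]
            q.append(when)
            while q and when - q[0] > WINDOW:     # forget failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                brute_force.add(ip)
        elif rec["sc-status"] == "235" and ip not in TRUSTED_RELAY_CLIENTS:
            unexpected.add(ip)                    # someone other than Exchange got relay rights
    return sorted(brute_force), sorted(unexpected)


if __name__ == "__main__":
    bf, unexp = analyze_auth(SAMPLE_LOG)
    print("brute-force sources:", bf)
    print("unexpected authenticated relay clients:", unexp)
```

The second finding is the one that matters most: a successful AUTH from an unknown address means the relay account has already been guessed and the relay is effectively open.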
Got a question for Dr. Tom? Send it to tshinder@isaserver.org