The #1 ISA Server resource site

ISAserver.org Newsletter of April 2006

Sponsored by: GFI Software Ltd

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Monitoring, anti-virus & access control for ISA Server made easy!

Control user activity in real time on ISA Server with GFI WebMonitor! GFI WebMonitor also enables you to monitor user web access and FTP downloading, block access to adult and other restricted web-sites, check downloads for viruses, run live reports and much more.

ISA Server internet access control made easy and affordable with GFI WebMonitor! Download your free 30 day trial version today!



1. Branch Office Deployment Options for ISA Firewalls

By Thomas W Shinder MD, MVP

Since the release of ISA Server 2004, Microsoft has made the point that ISA firewalls are ideal for branch office deployments. Microsoft (and I) have demonstrated the security and ease of use of site to site VPN connections that join the main and branch offices. If you have ISA firewalls at both the main and branch offices, you can choose PPTP or L2TP/IPSec for the site to site VPN connection. If you have an ISA firewall at only one end and a third party firewall/VPN gateway at the other, you can use the ISA firewall's built-in support for IPSec tunnel mode.

Note that when you have ISA firewalls at both ends, you should not use IPSec tunnel mode: it does not support header compression, so you cut your VPN throughput in half.

While site to site VPNs are a nice solution for offices that don't have dedicated WAN links, most enterprise environments have long established WAN links connecting the main and branch offices and they're not interested in removing these links. In this scenario, the ISA firewall's site to site VPN feature set doesn't really add much value for the main office/branch office configuration.

The problem is that there isn't a lot of guidance out there (on ISAserver.org or on the Microsoft.com Web site) on how to leverage your ISA firewall investment at the branch office when a site to site VPN isn't required. I think this is something we really need to fix, as many of the updates in ISA Server 2004 Service Pack 2 were targeted at accelerating the branch office experience.

There are several options available to you when deploying the ISA firewall at the branch office, with or without a dedicated WAN link. These include:

  • Branch office firewall/branch office "services" segment
  • Branch office forward proxy
  • Branch office reverse proxy
  • Branch office Internet edge firewall

When you have an existing WAN link, you can deploy the ISA firewall as a branch office firewall. In this scenario, the branch office network is segmented away from the main office by the ISA firewall: all traffic between the branch office and the main office must traverse the ISA firewall and is subject to ISA firewall policy. Since these branch offices likely contain domain members, the ISA firewall can be joined to the domain and provide strong user/group based authentication for all protocols. You also have the option of a Route or NAT relationship between the main and branch office networks, depending on your requirements. Another major benefit in this scenario is that you can take advantage of the ISA firewall's worm and flood mitigation, which has been significantly beefed up in ISA Server 2006.

Another role that the ISA firewall can play when the branch office is connected to the main office via a WAN link is branch office forward proxy. In this scenario, the ISA firewall is not an inline device and can be placed anywhere on the branch office network. Browsers at the branch office are configured as Web proxy clients. The branch office forward proxy ISA firewall then either forwards Web connections directly to main office and Internet Web servers, or it can be chained to an ISA Enterprise Edition firewall array, which then forwards the connections to the main office or Internet Web servers.

A variation of the forward proxy deployment is the branch office reverse proxy deployment. Like the forward proxy deployment, the reverse proxy branch office ISA firewall can be installed on a single-NIC machine on the branch office network and does not need to be an inline device (although you can deploy this scenario on a multi-NIC device as well). The main reason for this type of deployment is to obtain application layer inspection for SSL connections to main office Web servers. The ISA firewall cannot inspect the HTTP inside SSL connections that pass through it as a forward proxy, because only the client and the destination server hold the session keys; when you publish the main office secure Web servers with Web Publishing Rules, the branch office ISA firewall terminates the SSL session itself, so the HTTP security filter can inspect the requests before they are forwarded (re-encrypted, with SSL bridging) to the published server. In this case, you create Web Publishing Rules that publish the secure Web servers at the main office.

Note that this deployment scenario is limited to publishing main office secure Web servers, because the branch office reverse proxy ISA firewall must hold certificates whose names match the names of the published servers, and branch office clients must resolve those names to the branch office ISA firewall rather than to the main office servers themselves.
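A check for that certificate caveat, added here as an example (it is not code from the article or from Microsoft): given a certificate in the dict form Python's ssl.getpeercert() returns, it reports whether the name branch office users type is actually covered, using the matching rules clients apply (dNSName entries first, subject CN only when there are none, a wildcard only as the whole left-most label). The hostnames such as owa.corp.example and the sample certificates are constructed assumptions; fetch_cert() pulls a live listener's certificate when you have network access and the bundle of the CA that issued it.

```python
"""Check that a certificate actually covers the name it is published under.

Added example; not code from the ISAserver.org article or from Microsoft.
It applies the name-matching rules clients use (exact dNSName match, a
wildcard only as the whole left-most label covering exactly one label, and
the subject CN only when the certificate has no dNSName entries) to the dict
shape returned by ssl.SSLSocket.getpeercert(). The sample certificates and
hostnames such as owa.corp.example are constructed for illustration.
"""
import socket
import ssl
from typing import Dict, List, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818/6125-style match: case-insensitive; '*' is accepted only as
    the whole left-most label, covers exactly one label, and needs at least
    two labels after it (so '*.example' is rejected)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "*" in p[1:]:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as 'ow*' are not accepted
    return p == h


def cert_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: dNSName SANs when present,
    otherwise the subject commonName (legacy fallback only)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def cert_covers(cert: Dict, hostname: str) -> bool:
    """True when a client connecting to `hostname` accepts this certificate's name."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def fetch_cert(hostname: str, port: int = 443, cafile: Optional[str] = None) -> Dict:
    """Pull a live listener's certificate (network access needed). The chain
    is validated against `cafile` (e.g. the internal CA that issued the
    published servers' certificates); the name is checked separately by
    cert_covers() so a mismatch can be reported instead of raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()  # populated only because the chain validated


# Constructed sample certificates in getpeercert() dict form; not real certs.
CERT_OWA = {
    "subject": ((("commonName", "owa.corp.example"),),),
    "subjectAltName": (("DNS", "owa.corp.example"), ("DNS", "mail.corp.example")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.corp.example"),),),
    "subjectAltName": (("DNS", "*.corp.example"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "intranet.corp.example"),),)}
# CN names the OWA host but the SAN list does not: clients ignore the CN here.
CERT_CN_IGNORED = {
    "subject": ((("commonName", "owa.corp.example"),),),
    "subjectAltName": (("DNS", "mail.corp.example"),),
}

if __name__ == "__main__":
    checks = [
        (CERT_OWA, "owa.corp.example"),
        (CERT_WILDCARD, "owa.corp.example"),
        (CERT_WILDCARD, "owa.branch.corp.example"),
        (CERT_CN_ONLY, "intranet.corp.example"),
        (CERT_CN_IGNORED, "owa.corp.example"),
    ]
    for cert, host in checks:
        print(f"{host:28} covered={cert_covers(cert, host)} names={cert_names(cert)}")
```

The last sample is the case worth remembering: a certificate whose CN names the OWA host but whose SAN list does not is rejected by clients that follow RFC 2818, so the SAN entries, not the CN, must carry every name branch office users connect to.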

The last scenario enables branch office communications with the main office without requiring a site to site VPN or dedicated WAN links. In this case, the branch office is connected to the Internet with an inexpensive DSL or cable connection. Users at the branch offices connect to resources at the main office via Web and server publishing rules configured on the main office's ISA firewall. This deployment allows branch office users to connect to commonly used services such as:

  • OWA
  • Outlook Exchange connections via RPC/HTTP
  • Outlook Exchange connections via secure Exchange RPC
  • SMTP/SMTPS
  • POP3/POP3S
  • NNTP/NNTPS
  • RDP
  • CIFS (unencrypted)
  • Potentially all protocols via firewall chaining

In this scenario you have many of the features of a network level VPN connection without requiring a VPN link. The primary limitations are that not all protocols are supported when using Web and Server Publishing Rules, not all traffic can be encrypted (there is no CIFS/TLS yet), and if you want to use complex protocols, firewall chaining can introduce networking and cost overhead that might be excessive for some shops. However, for the core services protocols, this is a great solution in that you avoid the administrative overhead of a site to site VPN and the costs of a dedicated WAN link.

You can look forward to a whole slew of articles on how to deploy these various branch office ISA configurations in the near future here at ISAserver.org!

Do you have ideas for branch office deployments of the ISA firewall that I haven't thought of? If so, send your ideas to me at tshinder@isaserver.org and I'll cover them in the next newsletter and include them in my comprehensive branch office deployment series here on ISAserver.org.

Thanks! -Tom.

=======================

Quote of the Month - "Natural ability without education has more often attained glory and virtue than education without natural ability." - Cicero (106 BC - 43 BC).

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 today. You'll be glad you did.






3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

5. Tip of the Month

Tony Gauderman came up with a great tip last month on how to block the ActiveSync clients from downloading attachments:

"I also figured out that if you use URLScan, and don't allow the X-Microsoft-ENUMATTS verb, it won't let the ActiveSync client download any attachments."

If this is true, you should be able to find the same result using the ISA firewall's HTTP security filter. I haven't tested it yet, but when I do I'll let you know the results.




6. ISA Firewall Links of the Month

ISA Server 2006 Beta FAQ

http://www.microsoft.com/isaserver/2006/prodinfo/faq.mspx

Microsoft ISA Server 2006 Beta: Enterprise Edition Installation Guide

http://www.microsoft.com/technet/prodtechnol/isa/2006/deploy/ee_install_guide.mspx

Microsoft ISA Server 2006 Beta: Standard Edition Installation Guide

http://www.microsoft.com/technet/prodtechnol/isa/2006/deploy/se_install_guide.mspx

Upgrading ISA Server 2004 to ISA Server 2006

http://www.microsoft.com/technet/prodtechnol/isa/2006/deploy/upgrade.mspx

7. Ask Dr. Tom

QUESTION: I'm thinking about bringing a MOM server online and I'm wondering if MOM can work with ISA Server. I know that MOM works well with Exchange and other servers, but I'm not sure about ISA because ISA firewall policy might interfere with the MOM Agent. Thanks! -Tim.

ANSWER: Great idea to bring a MOM server into your company! I recently started working with MOM myself and I don't know how I lived without it. MOM allows you to monitor hardware status, service status, alert conditions, and a lot more. In order to monitor a server, you need a MOM pack. Microsoft has created MOM packs for almost all of their server operating systems and server services.

There is a MOM pack for ISA Server 2000, ISA Server 2004, and ISA Server 2006. The MOM pack measures over 140 key hardware and software components. On the ISA firewall side, the MOM pack checks each key firewall service and component, such as the Web proxy filter, the Firewall service, the remote access VPN server, and the site to site VPN gateway. Whenever there is a significant issue with any of these services or components, the MOM agent reports that status to the MOM server, and the MOM server can be configured to alert you via e-mail or pager about the problem.

You don't need to worry about the MOM agent. You'll need to create two custom Protocol Definitions to support MOM agent communications outbound from the Local Host network to the MOM server (for MOM 2005 the agent talks to the management server on TCP port 1270 and UDP port 1270, hence one definition for each). The MOM server doesn't need to initiate any connections from itself to the ISA firewall's Local Host Network. This makes for a secure arrangement, because a core firewall security tenet is that you keep communications to the ISA firewall's Local Host Network to an absolute minimum.

The only issue I've seen with MOM and ISA firewall policy is when installing the MOM agent. If you want to do a push installation of the MOM agent, you'll need to disable the RPC filter and then create rules that allow all traffic in both directions between the ISA firewall's Local Host Network and the MOM server; if you take this route, remove those rules and re-enable the RPC filter as soon as the installation completes, since the agent needs none of that afterwards. If you find this to be too much of a security risk (because you don't trust the security status of your MOM server), then you can do a manual installation of the MOM agent on the ISA firewall without making any changes to the RPC filter. The RPC filter will not interfere with the MOM agent's communications with the MOM server.
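The Local Host tenet in that answer turned into a log review, as an added example (not code from the newsletter or from Microsoft): it reads firewall log records in a constructed comma-separated layout (not ISA Server's own log schema), assumes a MOM 2005 management server at 10.0.0.50 whose agent channel is TCP and UDP port 1270, and flags any allowed traffic that either leaves Local Host for that server on another port or is initiated by that server towards Local Host, the latter being the signature of a push-install rule that was never removed. The rule names in the sample are assumptions as well.

```python
"""Audit firewall log records for traffic touching the ISA firewall's Local
Host network and flag anything beyond the MOM agent channel.

Added example; not code from the newsletter or from Microsoft. The log
layout below is a constructed comma-separated format carrying only the
fields the check needs, not ISA Server's own W3C log schema. The MOM server
address 10.0.0.50 and the rule names are assumptions. TCP and UDP port 1270
are the MOM 2005 agent-to-management-server channel.
"""
import csv
import io
from typing import Dict, List

LOCAL_HOST = "Local Host"
MOM_SERVERS = {"10.0.0.50"}                       # assumption: the MOM management server
AGENT_CHANNEL = {("TCP", 1270), ("UDP", 1270)}    # MOM 2005 agent -> management server
PUSH_INSTALL_PORTS = {135, 139, 445}              # RPC endpoint mapper and SMB: push install only

# Constructed sample records, including a push-install rule left behind.
SAMPLE_LOG = """\
date,time,src_ip,src_net,dst_ip,dst_net,dst_port,protocol,action,rule
2006-04-12,09:15:01,192.168.1.1,Local Host,10.0.0.50,Internal,1270,TCP,Allowed,MOM Agent TCP
2006-04-12,09:15:02,192.168.1.1,Local Host,10.0.0.50,Internal,1270,UDP,Allowed,MOM Agent UDP
2006-04-12,09:16:10,10.0.0.50,Internal,192.168.1.1,Local Host,135,TCP,Allowed,MOM Push Install
2006-04-12,09:16:11,10.0.0.50,Internal,192.168.1.1,Local Host,445,TCP,Allowed,MOM Push Install
2006-04-12,09:17:00,192.168.1.1,Local Host,10.0.0.50,Internal,1433,TCP,Allowed,MOM Push Install
2006-04-12,09:18:00,10.0.0.50,Internal,192.168.1.1,Local Host,135,TCP,Denied,Default rule
2006-04-12,09:19:00,192.168.1.1,Local Host,10.0.0.9,Internal,53,UDP,Allowed,DNS from Local Host
"""


def audit_local_host(log_text: str) -> List[Dict]:
    """Return one finding per allowed record that either (a) leaves Local
    Host for a MOM server on something other than the agent channel, or
    (b) is initiated by a MOM server towards Local Host, which the agent
    never needs once installed. Denied records are the policy working."""
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["action"] != "Allowed":
            continue
        port = int(rec["dst_port"])
        channel = (rec["protocol"].upper(), port)
        from_isa_to_mom = rec["src_net"] == LOCAL_HOST and rec["dst_ip"] in MOM_SERVERS
        from_mom_to_isa = rec["src_ip"] in MOM_SERVERS and rec["dst_net"] == LOCAL_HOST
        if from_isa_to_mom and channel not in AGENT_CHANNEL:
            kind = "unexpected-outbound-from-local-host"
        elif from_mom_to_isa:
            kind = "inbound-to-local-host"
        else:
            continue
        findings.append({
            "kind": kind,
            "time": f'{rec["date"]} {rec["time"]}',
            "channel": f"{channel[0]}/{port}",
            "rule": rec["rule"],
            # RPC/SMB towards Local Host means an install-time rule is still enabled.
            "push_install_artifact": from_mom_to_isa and port in PUSH_INSTALL_PORTS,
        })
    return findings


def rules_to_review(findings: List[Dict]) -> List[str]:
    """Distinct rule names that let the flagged traffic through."""
    return sorted({f["rule"] for f in findings})


if __name__ == "__main__":
    found = audit_local_host(SAMPLE_LOG)
    for f in found:
        print(f'{f["time"]}  {f["kind"]:38} {f["channel"]:9} rule="{f["rule"]}"'
              + ("  <- push-install leftover" if f["push_install_artifact"] else ""))
    print("rules to tighten or delete:", rules_to_review(found))
```

Run against the sample, the two agent records and the DNS lookup pass silently, the denied RPC attempt is ignored as the default rule doing its job, and the three records that ride the leftover "MOM Push Install" rule come back as findings, two of them marked as push-install artifacts.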
