The #1 unofficial ISA Server resource site

ISAserver.org Newsletter of August 2004

Sponsored by: GFI Software Ltd.

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

GFI WebMonitor for ISA Server FREEWARE - Monitor & block web browsing in real time

GFI's WebMonitor for ISA Server is a freeware utility for ISA server that allows you to monitor the web sites being browsed by network users and the files they are downloading - in REAL TIME. It also allows administrators to block current web connections as needed.

Click here to download the fully functional freeware version.



1. Reasons for Upgrading to the ISA 2004 Firewall

By Dr. Thomas W Shinder, MD, MVP

You've been running an ISA Server 2000 firewall and it's doing what you want it to do. Now Microsoft comes out with a brand new and improved firewall, ISA 2004 (ISA firewall). You might be thinking "My ISA Server 2000 firewall is doing just fine for me. Why should I go through the hassle of upgrading, which is going to include exporting and importing my old rules, learning how the new things work, and dealing with all the things that you have to deal with when a new Microsoft product comes out?"

Good question! I'm the same way. Why should I go through the stress and strain of upgrading my firewall when it's doing exactly what I want it to do? There had better be some very good reasons for upgrading, or else I'm going to keep things exactly as they are.

The good news is that there are a great number of reasons for upgrading. To support this premise, I've cherry-picked a list of features that battle-hardened ISA Server 2000 firewall veterans will appreciate the most, and that provide the most compelling reasons to upgrade:
  • One of a kind VPN Server
  • IPSec tunnel mode support for site to site VPN
  • Preserve the source IP address for Web Publishing Rules
  • Publish a PPTP VPN Server
  • HTTP filtering on a per rule basis, including Windows executable blocking, for inbound and outbound connections
  • Create Protocol Definitions with multiple Primary Connections
  • Firewall Groups
  • RADIUS Authentication for Web Proxy connections
  • Access Policy is an ordered list
  • Forms-based authentication with the ISA firewall generating the form
  • Port redirection for both Web and Server Publishing Rules (FTP too!)
  • NAT and Route relationships between networks
  • Real time firewall log monitor
  • Automatically save reports as HTML files
  • Real Firewall backup and restore
  • Real DMZ networking with multi-adapter ISA firewalls
  • Real Time Log Monitoring and Filtering
Looks good? Let's take a closer look at each of these and see if any one or more of them might give you the urge to upgrade.

One of a Kind VPN Server


The VPN server included with the new ISA firewall is nothing like you've ever seen before. Unlike most VPN servers and gateways (including the ISA Server 2000 VPN server and gateway), the new ISA firewall's VPN capabilities allow very granular user/group-, protocol- and site-based access control. The ISA firewall applies both stateful filtering and stateful application layer inspection to all communications moving over the VPN link.

For example, suppose your users want to use the full Outlook MAPI client to access the corporate Exchange Server from remote locations. You could use secure Exchange RPC publishing, but there are a lot of dull-bulb ISPs who are blocking the RPC endpoint mapper (TCP 135), so your users might be blocked from using the very cool secure Exchange RPC publishing rule to connect Outlook to your corporate Exchange Server.

Your other option is to use VPN. Just about all hotels, convention centers and airports allow outbound PPTP, since even the most elementary stateful filtering hardware firewall includes a PPTP NAT editor. The problem with VPN is that once the user VPNs into the network, they can potentially hit any server or workstation on that network.

Sure, you could create RRAS packet filters and limit users to specific servers, but like a hardware firewall, those packet filters apply to everyone. Not everyone needs access to the Exchange Server when they VPN into the network. Rudimentary stateful filtering doesn't provide the level of access control you require to provide the highest level of protection for your networks.

The new ISA firewall allows you to create a Firewall group, and then create a rule that allows members of this Firewall group access to the Exchange Server only. And when users in this group get to the Exchange Server, they can only use the protocols they require to access it via the full Outlook MAPI client.

If members of that group try to access the Exchange Server using any other protocol, they will be denied. If members of that group try to access any other server on the network, they will be denied. If you set a schedule and they try to access the server at a time outside of the scheduled times where connections are allowed, they will be denied. Best of all, the user's name will be included in the firewall logs, along with the protocols and servers they tried to use and access.

This is just the tip of the iceberg for the new ISA firewall's VPN server and VPN gateway. If you're using the ISA Server 2000 VPN features, then you'll want to check out the new ISA firewall's VPN capabilities; I know you'll be impressed.

IPSec Tunnel Mode Support for Site to Site VPN


One major barrier to adoption for the ISA Server 2000 firewall was its inability to establish an IPSec tunnel mode connection with a third party VPN gateway. Many organizations had to hamstring their ISA Server 2000 firewalls and relegate them to the role of a common Web Proxy server at the branch office, all because the ISA Server 2000 firewall could not establish an IPSec tunnel mode VPN connection to the main office VPN gateway.

The new ISA firewall can connect to third party VPN gateways using IPSec tunnel mode site to site links. Now you can drop in an ISA firewall in your branch offices, and use the complete ISA firewall feature set! No more pain from putting a simple stateful filtering "hardware" firewall in front of a Web Proxy only ISA Server 2000 firewall - the 2004 firewall can be your branch office's complete VPN, Web caching and firewall solution right out of the box.

Preserve the Source IP address for Web Publishing Rules


One thing that drove ISA Server 2000 firewall admins nuts was the inability to preserve the source IP address of a remote client when it was connecting to a Web server via a Web Publishing Rule.

ISA Server 2000 firewall admins wanted to use Web Publishing Rules instead of Server Publishing Rules because the Web Publishing Rules provided the deep stateful application layer inspection they needed to secure their published Web servers. But the inability to preserve the source IP address of the remote host made it impossible to use the Web server logs for site analysis - all source IP addresses appeared as the IP address of the ISA Server 2000 firewall's internal interface.

The new ISA firewall allows you to choose between using the IP address on the internal interface of the ISA firewall or the original remote host's IP address. If you don't want to make the Web server a SecureNAT client, then use the internal address as the remote host's IP address that the Web server sees; if you want to keep the original source address for log analysis purposes, then you can configure the Web Publishing Rule to preserve the address. Cool!

Publish a PPTP VPN Server


Many ISA Server 2000 firewall administrators used a back to back ISA Server 2000 firewall configuration. This allowed them to put Internet-facing servers on the DMZ between the ISA firewalls.

While the back to back ISA Server 2000 firewall configuration served them well, inbound VPN connections to the Internal network were a bit problematic. You could use the "tunnel within a tunnel" method, with the users establishing a VPN link to the external ISA Server 2000 firewall and then creating a second VPN tunnel inside that tunnel to reach the back-end ISA Server 2000 firewall.

When you upgrade, the new ISA firewall will allow you to publish the back-end VPN server. The updated PPTP filter now supports outbound and inbound PPTP connections. Your users can create the VPN connection to the front-end ISA firewall and the Server Publishing Rule will forward the PPTP VPN connections to the back-end ISA firewall. No more "tunnel within a tunnel" requirement. Great!

HTTP Filtering on a Per Rule Basis (including Windows Executable Blocking) for Inbound and Outbound Connections


The ISA Server 2000 firewall performed a very thorough, deep stateful application layer inspection on published Web servers when you used URLScan and Web Publishing Rules.

However, if you wanted more detailed inspection for inbound connections, you needed to get a third party application to plug into the ISA firewall. The same was true for outbound Web connections; you got some basic stateful application layer inspection, but not the kind of granular HTTP communications-control you really want and need to prevent 21st century attacks from internal and external attackers.

The new ISA firewall has a very sophisticated HTTP Security Filter that can be enabled and configured on a per rule basis. For example, suppose you want to create a rule preventing a group from accessing Windows executable files. No problem. It's a matter of putting a checkmark in a checkbox. And it doesn't even matter what the file extension is; the ISA firewall will be able to determine if the file is a Windows executable, even if the file extension is .mom ;-)

The ISA firewall's HTTP Security Filter can inspect just about every aspect of an HTTP communication and block the connection based on the parameters you set, and do this on a per rule basis. Want to block Kazaa using an Access Rule? It's a no-brainer. If you limit the users to Web connections, it's as simple as putting the Kazaa host header information in the HTTP Security Filter. Wow!
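As an added example written for this article (not ISA firewall code), here is a model of the two content-based checks the HTTP Security Filter passage describes: recognising a Windows executable by its bytes rather than its extension, and blocking a request by its Host header. The MZ/PE check is my assumption about how such a filter recognises executables, and `kazaa.example` is a constructed placeholder for the Kazaa host header information the text mentions.

```python
"""Content-based checks of the kind a per-rule HTTP filter performs (added example
written for this article, not ISA firewall code).

Assumptions, labelled here: a response body is treated as a Windows executable when
it carries the MZ header and PE signature, whatever the URL or extension says; the
blocked host list is a constructed placeholder.
"""
import struct


def is_windows_executable(data: bytes) -> bool:
    """True when data begins with an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Guard against a truncated body or a header pointing outside the buffer.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed placeholder for the "Kazaa host header information" named in the text.
BLOCKED_HOSTS = ("kazaa.example",)


def host_blocked(headers: dict) -> bool:
    """True when the request's Host header is a blocked name or a subdomain of one."""
    host = headers.get("Host", "").split(":")[0].strip().lower()
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def filter_download(url: str, body: bytes, block_executables: bool = True):
    """Per-rule decision: (allowed, reason). The file extension is deliberately ignored."""
    if block_executables and is_windows_executable(body):
        return False, f"blocked Windows executable content from {url}"
    return True, "allowed"


def make_sample_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: an MZ stub plus PE signature only, not a runnable program."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    # A renamed executable is still caught; a PDF body passes; a blocked host is flagged.
    print(filter_download("http://files.example/setup.mom", make_sample_pe()))
    print(filter_download("http://files.example/report.pdf", b"%PDF-1.4 " + b"\0" * 100))
    print(host_blocked({"Host": "www.kazaa.example:80"}))
```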

Create Protocol Definitions with Multiple Primary Connections


It was virtually impossible with the ISA Server 2000 firewall to create a Protocol Definition that included a large number of primary connection ports. You had to create one Protocol Definition at a time and include all of them in your Protocol Rule.

The new ISA firewall solves this problem by allowing you to create a range of Primary connections when defining a Protocol Definition. No more long nights entering 500 primary connection ports one at a time. Fantastic!

Firewall Groups


The ISA Server 2000 firewall allowed you to control outbound and inbound access on a user/group basis by using local and domain global groups and users. If you wanted to create a custom group for outbound or inbound access control, you needed to create this group at the level of the Active Directory (or in the local SAM of the ISA Server 2000 firewall). This meant you had to be a domain admin to create these global groups, or worse, you had to beg a domain admin to create the groups for you.

The ISA firewall now allows you to create custom Firewall Groups that you can use in Access Rules. Instead of using domain global groups to control inbound and outbound access through the ISA firewall, all you need is the ability to read the group information in the domain. You can now create custom groups on the firewall, such as Web Only, Exchange MAPI Group and RDP and Web Only and then populate these groups you created on the firewall with users and groups that are already in the Active Directory.

No more begging the domain admins to create your groups. Wh00t!

RADIUS Authentication for Web Proxy Connections


A lot of organizations wanted to take advantage of the advanced logging and reporting included with ISA Server 2000 firewall so that they could have a list of sites users on the internal network visited over a period of time. The problem was that the ISA Server 2000 firewall needed to be a member of the domain in order to authenticate users making outbound requests.

These organizations may only have a single firewall, and so the ISA Server 2000 firewall was located at the Internet edge. They were uncomfortable placing a domain member at the Internet edge and so they couldn't avail themselves of the ISA Server 2000 ability to record user names and the sites these users visited. (This is in contrast to when there is another ISA Server 2000 firewall in front of the ISA Server 2000 firewall, where it would be perfectly acceptable to allow the back-end ISA Server 2000 firewall to be a domain member.)

The new ISA firewall solves this problem for organizations who wish to put the ISA firewall at the Internet edge by allowing RADIUS authentication for outbound and inbound Web Proxy connections. The ISA firewall can be configured to send credentials to a RADIUS server to authenticate users. This removes the requirement that the ISA firewall be a member of the domain for authenticating outgoing Web Proxy connections.
Note: It is a very common misconception that the ISA firewall needs to be a member of the domain to publish resources requiring authentication. All versions of the ISA firewall support delegation of basic authentication, where the ISA firewall freezes the connection while it forwards the user credentials to the Web site. The Web site then forwards the credentials to an authentication server (Active Directory DC) and then returns the result to the ISA firewall. If the user successfully authenticates, then the connection is passed to the published Web server. The ISA firewall, be it 2000 or 2004, does not need to be a member of the domain to support delegation of basic authentication!

Access Policy is an Ordered List


I would venture to say that the majority of ISA Server 2000 firewall admins were never really sure when a specific rule would be activated. They sort of knew that unauthenticated rules would usually be evaluated first, then authenticated ones, and then there was some stuff that had to do with whether it was a Web Proxy connection or a Firewall client or SecureNAT connection.

At that point things got muddy and they hoped for the best by creating Deny rules, which they were fairly confident were evaluated before allow rules.

The new ISA firewall changes the entire Access Policy model. Now the ISA firewall uses a simple, unified and ordered list of rules. The rules are evaluated from the top down. The first rule to match the connection request is the one applied. It doesn't matter if it's a Web Proxy, Firewall or SecureNAT client and it doesn't matter if it's allow or deny. The first rule on the list that matches the connection parameters is applied. Easy!
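As an added example written for this article (not ISA firewall code), here is a small model of the ordered, first-match policy just described, populated with the Firewall group, Exchange Server and schedule from the VPN example earlier in the article. The rule names, the group names and the server name `EXCH1` are constructed; the point it shows is that the first matching rule decides, so the same Deny rule either fires or never fires depending only on where it sits in the list.

```python
"""Top-down, first-match access policy model (added example for this article,
not ISA firewall code).

Every rule carries the groups, protocols, destinations and hours it applies to.
The first rule whose conditions all match decides the connection; whether that
rule is Allow or Deny plays no part in the ordering, so a Deny placed below an
overlapping Allow never fires for requests the Allow already matched.
"""
from dataclasses import dataclass

ANY = frozenset({"*"})   # wildcard: the rule does not filter on this attribute


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # Firewall groups the user belongs to
    protocol: str            # e.g. "Exchange RPC", "HTTP"
    destination: str         # server name the client is connecting to
    hour: int                # local hour of the connection attempt, 0-23


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    groups: frozenset = ANY
    protocols: frozenset = ANY
    destinations: frozenset = ANY
    hours: range = range(0, 24)   # schedule; the default is always

    def matches(self, req):
        def hit(wanted, value):
            return "*" in wanted or value in wanted
        return (
            ("*" in self.groups or bool(self.groups & req.groups))
            and hit(self.protocols, req.protocol)
            and hit(self.destinations, req.destination)
            and req.hour in self.hours
        )


DEFAULT_RULE = Rule("Default rule", "deny")   # implicit last rule: deny everything


def evaluate(policy, req):
    """Return (action, rule name, log line) from the first matching rule."""
    rule = next((r for r in policy if r.matches(req)), DEFAULT_RULE)
    log = (f"{rule.action.upper():5} user={req.user} proto={req.protocol} "
           f"dst={req.destination} hour={req.hour:02d} rule={rule.name!r}")
    return rule.action, rule.name, log


def decide(req, policy=None):
    """Just the action for a request, against POLICY unless another list is given."""
    return evaluate(POLICY if policy is None else policy, req)[0]


# Constructed policy mirroring the VPN example: members of the "Exchange MAPI Group"
# firewall group may reach only EXCH1, only with the protocol the full Outlook
# client needs, and only during scheduled hours. Everything else hits the default deny.
POLICY = [
    Rule("Deny contractors to Exchange", "deny",
         groups=frozenset({"Contractors"}), destinations=frozenset({"EXCH1"})),
    Rule("VPN users to Exchange", "allow",
         groups=frozenset({"Exchange MAPI Group"}), protocols=frozenset({"Exchange RPC"}),
         destinations=frozenset({"EXCH1"}), hours=range(7, 19)),
    Rule("Web Only", "allow",
         groups=frozenset({"Web Only"}), protocols=frozenset({"HTTP", "HTTPS"})),
]


if __name__ == "__main__":
    alice = Request("alice", frozenset({"Exchange MAPI Group"}), "Exchange RPC", "EXCH1", 10)
    carol = Request("carol", frozenset({"Contractors", "Exchange MAPI Group"}),
                    "Exchange RPC", "EXCH1", 10)
    for req in (alice, carol):
        print(evaluate(POLICY, req)[2])
    # Same rules with the Deny moved below the overlapping Allow: carol is now allowed.
    print(evaluate([POLICY[1], POLICY[0], POLICY[2]], carol)[2])
```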

Forms-based Authentication with the ISA Firewall Generating the Form


If you've ever used Outlook Web Access and turned on forms-based authentication on the Exchange 2003 Server, you've seen the form that allows you to log on to the OWA Web site. The problem with letting the OWA Web site generate the form is that in order to access the form, an unauthenticated connection is allowed directly to the OWA Web site. I don't know about you, but I wouldn't take too kindly to allowing unauthenticated connections anywhere near my OWA Web server!

Well, the ISA firewall team understood that unauthenticated connections to an OWA server were a very bad thing; allowing unauthenticated connections to the OWA Web site can provide a powerful portal of attack for the bad guys. That's why they included with the new ISA firewall the ISA Forms-based Authentication (FBA) protocol.

When you publish an OWA Web site using the ISA FBA, the form is generated by the ISA firewall. The user enters his credentials in the form and sends them to the ISA firewall. The ISA firewall forwards the credentials to the OWA site and the OWA site validates them by sending them to a DC. The OWA site informs the ISA firewall of the authentication results. If the credentials are valid, then the connection is allowed to the OWA site; if they're not good, then the connection is dropped.

In addition, the ISA firewall generates the form for all versions of OWA. Without the ISA firewall protecting the OWA site, you only have forms-based authentication with Exchange 2003. With the ISA firewall firmly in place protecting your network, you have FBA for all versions of OWA, including OWA 5.5 and OWA 2000. The ISA FBA not only generates the form to prevent unauthenticated connections to the OWA site, it also allows you to block attachments and automatically log off OWA users after a predefined period of time or if they leave the OWA site.

If you need remote access to OWA sites, then upgrading to the new ISA firewall is the best thing you can do for that OWA site's health!

But Wait, There's More...


We've covered a lot of ground here, but we're not done! I'll finish up this list of compelling reasons to upgrade to the new and improved ISA firewall next month. See you then!

Send me a note if you have questions or comments on any of the improvements I discussed in this article. Send it to tshinder@isaserver.org and I'll get right back to you. -Tom.

2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Pre-order Today!


Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder are preparing for you their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they'll be sharing the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is going to be even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Pre-order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.






3. ISAserver.org Learning Zone articles of Interest


We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month


Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

5. Post of the Month


A lot of ISA firewall admins want to help users who have problems entering the correct URL when accessing published OWA sites. This month, Andrew Toon helps us out with this advice:
"The way I've done this is to use an .asp page to do a redirect from http://owaserver.com to https://owaserver.com/exchange.

First create the redirect .asp file and virtual directory, and set up the redirect to happen when you get an error 403.4

See - http://support.microsoft.com/default.aspx?scid=kb;en-us;555126&Product=exch2003 for info on how to do this.

Once you've set up the redirect you need to create a web publishing rule for the exchange server and HTTP only. This rule will redirect any requests for HTTP to the redirect .asp. An example rule is shown below.

Rule Name : OWA Redirect
Action : Allow
From : Anywhere
To : Internal name of Exchange Server
Traffic : HTTP
Listener : Standard HTTP
Public Name : External name of Exchange Server
Paths :
External = "/*",
Internal = "//"
Bridging : Redirect requests to HTTP (note don't tick the HTTPS box)
Users : All Users"
Thanks Andrew!




6. ISA Server Links of the Month


Now that the new ISA firewall has hit the streets, there's a ton of great ISA firewall documentation up on the Microsoft Web site. Just check out some of these tasty tomes:

Want to read the ISA 2004 firewall's Help file without having to download the entire eval version? Get it here:

http://www.microsoft.com/isaserver/techinfo/productdoc/2004.asp

There are some key ISA firewall tools that didn't make it onto the CD. You can download the Firewall Client Tool, the Firewall Kernel Mode Tool, and the Remote Access Quarantine Tool here:

http://www.microsoft.com/isaserver/downloads/2004.asp

One of the key technologies included with the ISA firewall is the HTTP Security Filter. You can block sites, P2P programs, IMers and a lot more using the HTTP Security Filter. Here's a great article that shows you how:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx

Is the ISA firewall's VPN Quarantine feature driving you nuts? Maybe this article is what you need:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/vpnroamingquarantine.mspx

As always, there's a lot more, but you'll have to wait for next month ;)

7. Ask Dr. Tom


QUESTION: Hi Tom, I'm trying to publish a Windows Media Server using an ISA firewall, 2004 version. I created a Server Publishing Rule that allowed inbound MMS, but it's still not working. Is there anything I need to do? Thanks! --Marcus.

ANSWER: I can't say that I'm the Windows Media Server expert, but I was able to get it installed and create a folder from which to serve .wmv files. I used the default .wmv files that were placed in the folder for my testing. After publishing the server using the built-in Windows Media Protocol Definition (MMS Server), I found that indeed it did not work. Checking the ISA firewall's real time log viewer showed a number of failed RTSP connection attempts. I added an RTSP Server Publishing Rule and bingo! That worked. Note that because the ISA firewall has application layer filters, you do not need to create any access rules to support outbound connections from the Media Server.

QUESTION: I've created a site to site VPN using an ISA firewall [2004] on each side. The connection works, but the only thing I can do is ping the other ISA firewall. The clients on the networks can't ping clients on the other networks. Why are the ISA firewalls able to connect but then not allow connections between the networks? Thanks! --Victor

ANSWER: The most likely reason is that you've created a remote access VPN client connection from one ISA firewall to the other. You can confirm this by looking in the RRAS console. If you see a user name listed in the Remote Access Clients node, then you know that you have a remote access VPN client connection and not a VPN gateway connection. This indicates the calling VPN gateway isn't authenticating using a user account with the same name as the demand-dial interface on the answering VPN gateway. Make sure that you create an account on the answering VPN gateway that has the same name as the demand-dial interface that it uses to answer the calling VPN gateway's call. Then, configure the calling VPN gateway to authenticate with the username and password you configured on the answering VPN gateway.
