Sponsored by: Acunetix
ISAserver.org Newsletter
August 2006
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Is your website hackable? Check with Acunetix Web Vulnerability Scanner
Acunetix WVS automatically scans your web applications / website (shopping carts, forms, dynamic content, etc.) for vulnerabilities to SQL injection, Cross site scripting, Google hacking & other web attacks. Scan your web site today and find vulnerabilities before hackers do.
Apply for a free website security audit today!
1. ISA 2006 Web Farm Load Balancing
By Thomas W Shinder MD, MVP
ISA 2006 Web Farm Load Balancing enables the ISA firewall administrator to publish a farm of Web servers that host the same content or perform similar roles. The ISA firewall provides both load balancing and failover and failback for the published Web farm and does not require NLB to be enabled on the ISA firewall array or on the Web farm. You benefit from this feature because you do not need to enable NLB on the Web farm (which would require that the farm members be SecureNET clients) and the customer does not need to purchase an expensive external load balancer, such as F5.
For example, suppose you have a front-end/back-end Exchange Server configuration. You can make sure that you have very high uptime for your remote access solution to Exchange Web services, such as OWA, OMA, Exchange ActiveSync, and RPC/HTTP. One way to do this is to put together an NLB array of front-end Exchange Servers. In this way, if one of the FE Exchange Servers goes down, one of the other FE Exchange Servers will transparently take over for the downed server.
While this provides an acceptable high availability solution for the FE Exchange Servers, you will lose session state and users may need to reconnect. In addition, in order to benefit from NLB enabled on the FE Exchange NLB array, you need to make the FE Exchange array a SecureNET client of the ISA firewall and you must configure the ISA firewall to preserve the source IP address of the external client. Many companies do not want to configure a default gateway on the FE Exchange Servers because, for security reasons, the FE Exchange Servers should not have direct access to the Internet.
Web Farm load balancing solves this problem by managing the connections. The ISA firewall will manage the load balancing and real-time failover and failback. In addition, since the ISA firewall is managing the sessions, the users will not need to log on again if one of the servers goes down. When the downed server comes back online, the ISA firewall will once again load balance the connections to the FE Exchange server that comes back online.
Notice that NLB is not required on either the ISA firewall or the FE Exchange Servers. However, you do have the option of enabling NLB on the ISA firewall array to further increase high availability. NLB on the ISA firewall array will provide real-time failover and failback in the event that one of the ISA firewalls goes down or is taken offline for maintenance. By combining NLB and Web farm load balancing, you'll find that getting five nines of uptime is easy and it doesn't involve the prohibitive costs of an external load balancer!
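To make the behaviour described above concrete, here is a small Python model of a session-aware Web farm with health-based failover and failback. It is an added example, not ISA Server code: the member names, the health flags and the session-id-to-member affinity table are all constructed for illustration, and it assumes that a session already pinned to a member stays there once that member is healthy, while new sessions are spread round-robin over every member that is up.

```python
"""Toy model of Web farm load balancing with failover/failback and session affinity.

Added example (not ISA firewall code). Assumed/constructed: farm member names,
a health flag per member standing in for the firewall's connectivity check,
and an affinity table keyed by session id standing in for the cookie/session
the firewall uses to keep a user on the same server.
"""


class WebFarm:
    def __init__(self, members):
        self.members = list(members)
        self.healthy = {m: True for m in self.members}  # simulated health check results
        self.affinity = {}                               # session id -> farm member
        self._rr = 0                                     # round-robin cursor

    def set_health(self, member, up):
        """Record the result of a (simulated) connectivity verifier for one member."""
        self.healthy[member] = up

    def _next_healthy(self):
        """Round-robin over members that are up; None if every member is down."""
        for _ in range(len(self.members)):
            m = self.members[self._rr % len(self.members)]
            self._rr += 1
            if self.healthy[m]:
                return m
        return None

    def route(self, session_id):
        """Choose a farm member for a request, keeping the session on its member while it is up."""
        pinned = self.affinity.get(session_id)
        if pinned is not None and self.healthy[pinned]:
            return pinned                       # sticky: same server as last time
        target = self._next_healthy()           # new session, or failover of a pinned one
        if target is None:
            raise RuntimeError("no healthy farm member available")
        self.affinity[session_id] = target      # session survives at the firewall, no re-logon
        return target


def demo():
    """Walk through spread, failover and failback; returns the observed routing decisions."""
    farm = WebFarm(["FE1", "FE2", "FE3"])
    spread = [farm.route(s) for s in ("alice", "bob", "carol")]  # one session per member
    farm.set_health("FE1", False)                                  # FE1 goes down
    failover = farm.route("alice")                                 # alice is moved off FE1
    farm.set_health("FE1", True)                                   # FE1 comes back
    failback = [farm.route(s) for s in ("dave", "erin")]           # FE1 is back in rotation
    return {"spread": spread, "failover": failover, "failback": failback,
            "alice_after": farm.route("alice")}                   # alice stays where she landed
```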
When you get a chance, check out the ISA firewall's Web farm load balancing solution. After trying it out, let me know what you think about it. If you need help figuring out how it works, check out my article series on the subject.
Thanks!
Tom tshinder@isaserver.org
=======================
Quote of the Month - "I absolutely hate 'the customer can stand on his left foot, hold one hand over their head and chant "booga-wonka-whee!" while pressing CTRL-ALT-WIN-PrtScn-SrlLk twice in rapid succession three times' answers to technical issues...." - Jim Harrison
=======================
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:
5. Tip of the Month
A lot of people have been asking me about problems they're having with VLAN trunking with their ISA firewalls when NLB is enabled on the NICs associated with the 802.1q tagging. What? You didn't know that the ISA firewall supported VLAN tagging? Of course it does. Remember, the ISA firewall starts at layer 3, so the ISA firewall works with what you're doing at layer 2. The ISA firewall supports as many VLANs as the NIC driver supports. We have a couple of boxes supporting 64 VLANs just for fun, and one that can support more than 250! And unlike some of the "hardware" firewall vendors, we don't have to pay extra for more VLANs. Pretty nice, eh?
But back to the problem. Jim Harrison helped us out with the answer. You can get your VLAN tagging working with the ISA firewall but you need a fix. Check out the fix in the Microsoft KB article "The Firewall service may not start when you enable 802.1Q VLAN tagging and integrated NLB in ISA Server 2004, Enterprise Edition with Service Pack 2".
6. ISA Firewall Links of the Month
Not sure if you configured your ISA firewall correctly? If so, download the ISA firewall BPA at
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
Want to know what's in the ISA firewall's Web proxy Web cache? Then check out the CacheDir.exe tool at
http://www.microsoft.com/downloads/details.aspx?FamilyId=88117626-D72C-4CC8-A15F-C1FBDBCFF688&displaylang=en
Convert your MSDE logs to text files using the MSDEtoText tool. Download it at
http://www.microsoft.com/downloads/details.aspx?FamilyId=A60A09A0-E4AD-47C7-9961-5E22E65CA986&displaylang=en
Tired of clueless "hardware" firewall admins telling you the world is flat and that the ISA firewall can't be secure because it runs on Windows? Throw the ISA Firewall Core white paper in their faces and you'll be able to bask in the light of truth and they'll shut their pie-holes too :-) Get the white paper at
http://www.microsoft.com/isaserver/2006/prodinfo/Firewall_Corewp.mspx
With the new ISA firewall/Citrix branch office hardware firewall solution not far away, you might want to check out what you can get in a hardware ISA firewall right now. To find out more, check out
http://www.microsoft.com/isaserver/hardware/default.mspx
7. Ask Dr. Tom
QUESTION: Hey Tom, I hear that the new ISA firewall provides more options for User Certificate authentication. I was thinking of setting up my new ISA 2006 firewall (when it becomes available) to use OWA FBA and also require a user certificate. In that way, I figure I could have something almost as strong as two-factor authentication but without having to pay for smart cards or RSA stuff. What do you think of this?
ANSWER: It's true! The new ISA 2006 firewall includes a ton of new authentication options and one of those options is more ways you can use User Certificate authentication to increase security for your remote access connection to Exchange Web services. One of the big improvements is Kerberos Constrained Delegation (KCD). When Kerberos Constrained Delegation is enabled, an external user can present a user certificate to authenticate with the ISA firewall, and the ISA firewall will forward that user's credentials as Kerberos credentials to the published Web server. If this sounds like magic, I agree.
However, there's no magic involved at all and it uses established technologies included in the Windows OS. For more information about Kerberos Constrained Delegation, check out this link.
The new ISA 2006 firewall will support the scenario you're thinking of deploying. You can configure the Web Publishing Rule to require a valid user certificate before the form is presented to the user. If the user can't present a valid User Certificate, then the connection to the ISA firewall-generated form will be denied. This isn't really two-factor authentication, because the user doesn't "have" the certificate; the machine "has" the certificate. What I mean by this is that if the machine is stolen, the thief has the certificate because it's installed on the machine.
In contrast, with true two-factor authentication the user "has" both the certificate (on a smart card, for example) and the user name and password. However, your design will confirm that only corporate-managed machines can connect to the OWA Web site and will prevent the nightmare scenario of users connecting to OWA from airport kiosks and other unmanaged machines that might have keyloggers and other exploits installed on them.
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.