ISAserver.org Newsletter of August 2007

ISAserver.org Monthly Newsletter of August 2007 Sponsored by: Burstek

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Why ISA Users Choose Burstek Internet Security Software

Burstek makes serious Internet security easy for ISA users. Because it was created specifically for Microsoft and ISA environments, Burstek is easy to install & administer, and delivers feature-rich Web filtering & reporting for your entire enterprise without additional consoles, hardware, software or plug-ins. Get the Burstek ISA Advantage: Try Burstek free for 15 days to see how you can protect your network and employees better and with more ease, and we'll give you a free "No Worries" Burstek T-Shirt.

Evaluate a Free Trial of Burstek for ISA today and Get a free T-Shirt!

1. Summer Break

Well, it is that time of year when many of us are taking vacations. While I will not be taking a "real" vacation (that is to say, I am not going anywhere), I will be trying to reduce my load for a couple of weeks. The good news is that one of the things I will not have to worry about is my ISA Firewall during this time. Why? Because of all the machines in my computing environment, the machines that give me the fewest problems are my ISA Firewalls.

I have five production ISA Firewalls in my office:

  • One ISA Firewall handles inbound communications, such as Web and Server Publishing for Exchange
  • One ISA Firewall handles inbound communications for Web publishing for public Web sites and inbound SMTP messages
  • One ISA Firewall handles all outbound communications and outbound access control
  • One ISA Firewall handles my network services segment, to make sure that core infrastructure servers are protected from production workstations
  • The last ISA Firewall is used to create a multihomed wireless DMZ. One segment on the ISA Firewall manages unmanaged wireless hosts and the other supports managed hosts

While this is definitely overkill for an office of my size, it does provide a strong proof of concept of the power of perimeterization and the value of network security segmentation. We have not experienced any security-related events in the last five years since implementing strong security segment access control, and I do not expect that we will ever again, given the strong security measures we have in place. The security gives me peace of mind that allows me to enjoy my downtime.

In addition, my ISA Firewalls are rock-solid stable. I rarely have to touch them and only work on them for further proof of concept studies or when I want to check on reports. They never "stop working" and they never fall down, in spite of continuous attack from Internet worms. It is a real testament to the power, security and stability of the ISA Firewall.

How is your ISA Firewall deployment? Is it a "set it and forget it" affair or do you have continuous problems with your ISA Firewall? Let me know! For those of you with problems, maybe those of us who have no problems will help you solve them.

Thanks!

Tom

tshinder@isaserver.org

=======================

Quote of the Month - "More often than not, it's not"

-- Thomas W Shinder MD commenting on how often network problems are due to the ISA Firewall

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.



3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

5. Tip of the Month

Lots of ISA Firewall admins would like to have an automatic backup of ISA Firewall policies. If you are interested in doing this, check out the tips and tricks in this thread on the ISAserver.org message boards at: Automate Backup to XML

Need to install the Firewall client but looking for a "true" silent installation? Then check out this thread on the ISAserver.org message boards at True silent install of client

Are you fighting your own personal war with Exchange 2007? You know that I am! Currently there is little help for setting up Outlook Autodiscovery on the www.microsoft.com site, but here is a great link to an article that might get you there: How to set up Autodiscovery for Outlook 2007

Problems with using Vista as a VPN and Firewall client? Then check out this thread Vista - VPN yellow triangle - Limited Connection


6. ISA Firewall Links of the Month

Tarek Majdalani is a new ISA Firewall MVP! Tarek has been a great help on the ISAserver.org message boards and his posts are always filled with helpful information and dedication to solving ISAserver.org member problems, in the true spirit of a Microsoft MVP. But did you know that Tarek (who goes by Elmajdal [http://forums.isaserver.org/showProfile.aspx?memid=24217] on the Web boards) has his own site with lots of great articles on the ISA Firewall? Check it out at

http://www.elmajdal.net/isaserver

Another great site for ISA Firewall information is Steve Moffat's Web site. Check it out!

http://www.isaserver.bm/

Of course, the place to go for ISA Firewall tools and scripts is Jim Harrison's site:

http://www.isatools.org

Not to be outdone, Jason Fossen, another ISA Firewall MVP, has his own ISA Firewall scripts site. Jason also teaches classes about the ISA Firewall, so you might want to check those out too.

http://www.isascripts.org

7. Blog Posts

8. Ask Dr. Tom

QUESTION: Hey Tom

I'd like to configure my ISA Firewall so that when users connect to an internal Web server from internal machines, their original source IP address is preserved. I haven't figured out how to do this in a forward Web proxy filter environment.

Thanks!
Rich

ANSWER: You can do this, but you'll need to use a Web Publishing Rule with the Web Listener listening on the internal interface. Then you'll need to configure DNS to resolve the name of the destination Web server to be the IP address that the Web listener is using. Then configure the Web Publishing Rule to preserve the source IP address.

QUESTION: I have installed W2K3 SP2 on my server and rebooted it. After that, the ISA 2000 services (Proxy) stopped working. I have removed it and now the proxy has started, but the MMC console is not able to open the ISA management window. Kindly help.

Regards,
Akhtar

ANSWER: I haven't seen the ISA 2000 firewall for a few years, but you might have been bitten by the Windows Server 2003 RSS (Receive Side Scaling) bug. For more information on how to possibly fix this problem, check out Windows Server 2003 SP2 RSS Bug Biting All Over

QUESTION: Dear Dr. Shinder

I have a question. If the ISA Firewall is a domain member and the clients are workgroup members, can I use Yahoo Messenger from a client with the Firewall client program? Please give me a solution.

Best regards
Pantea Afzali

ANSWER: If your clients are workgroup members, you will need to mirror the local user accounts on the ISA Firewall. For each workgroup member, create an account on the ISA Firewall that uses the same username and password that the user logs in with. To reduce your administrative overhead, you should join the client systems to the same domain to which the ISA Firewall belongs.

QUESTION: I am trying to run some applications on a server running ISA 2006. I need to allow access from the outside to the external IP address of the ISA 2006 server on ports 8000 and 8081.

In ISA 2000 you could do this by creating IP packet filters under the access policy node. I have not been able to find a way of doing this in ISA 2006. Any help that you give in resolving this problem will be greatly appreciated.

Bosco Fernande

ANSWER: No no no no no no no!!! Do not run extraneous services on the ISA Firewall. The only exception to this rule is if you want to install the DNS service on the ISA Firewall to make it a caching only DNS server or when you want to use the ISA Firewall as a filtering SMTP relay. It sounds like you want to run some type of Web server on the ISA Firewall, which completely breaks the ISA Firewall's security model. This increases the ISA Firewall's attack surface to unacceptable levels. Put the Web servers behind the ISA Firewall and then use Web Publishing Rules to publish those Web servers.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
