ISAserver.org Newsletter of April 2008

ISAserver.org Monthly Newsletter of August 2008 Sponsored by: Winfrasoft

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

The only comprehensive disaster recovery solution for Microsoft ISA Server

A solid backup strategy has long been understood as the last line of protection for your network, thus not having such a strategy is either naive or negligent. Ironically, the world's premier commercial firewall and web proxy server designed to protect your network, Microsoft ISA Server, cannot be properly backed up. Winfrasoft Backup for ISA Server provides a full backup solution of Firewall, Web Proxy, VPN and Websense configuration including log data.

Read more and download a free trial

1. Why the Forefront TMG is the Cornerstone of Essential Business Server Network Security

If you have not had a chance to check out the Microsoft Essential Business Server (EBS) product, you should carve out some time from your busy schedule to take a look at it. Take a look at the public preview software for EBS.

EBS is a three server solution designed for small or mid-sized businesses with up to 300 PCs. The EBS solution includes three servers, which can be run as physical or virtual machines. There is the Management Server, which is a domain controller and file server that also runs System Center Essentials. There is the Messaging Server, which is also a domain controller, and runs Exchange 2007. And finally there is the Security Server, which runs the Threat Management Gateway (TMG) Medium Business Edition. TMG is the next version of the ISA firewall. In addition to running TMG, the Security Server also runs Exchange Edge Server for anti-spam protection.

From what I have heard, there are a number of people who want the EBS solution, but would like to deploy it without the Security Server. The reason most of these people give for not wanting the Security Server is that they already have a "firewall" and therefore do not think they need the TMG component, or that the TMG firewall adds too much complexity to what is considered an otherwise "simple" network security configuration.

At first blush you might think "sure, that is a valid request. If the customer already has a firewall, why introduce a second firewall into the mix?" The problem with this thinking is that the EBS team put a great deal of work into thinking about the EBS threat models and how to make sure that all components of the solution have adequate defenses against the enumerated threats.

The TMG in the EBS solution allows remote access to a number of services on the EBS network. Some examples of the services to which users can gain remote access include OWA, RPC/HTTP, Exchange ActiveSync, Terminal Services and Terminal Services Gateway, and SMTP. And these are the default settings. In a production network, you'll likely see the TMG allow inbound access to POP3S, IMAP4S, DNS and other protocols.

Given all the remote access traffic that the EBS solution supports, you need to be assured that the connections from the external clients can be trusted. The problem the EBS team has, and you as a potential EBS customer have, is this: how can you define the threat model, and the response to the established EBS threat model, if you can't control the nature of the defenses against those threats?

The type of "firewall" that small and midsized businesses might already have in place can vary widely. In most cases, the "firewall" they are currently using is little more than a NAT device that also provides some NAT editors and the ability to perform reverse NAT or "port forwarding" for UDP and TCP ports. Some of them might even include a rudimentary remote access VPN server or even support site to site VPN connections. Other "firewalls" the customer might have in place might include some degree of content filtering or even anti-malware capabilities.

The thing is, the EBS team does not know what kind of "firewall" you already have in place. But they do know what security features and capabilities the TMG has. The TMG provides an exceptionally high level of security for remote access connections by providing pre-authentication for inbound connections to Web servers, a firewall generated log on page, protections against anonymous attacks, an HTTP Security Filter to ensure HTTP protocol stream compliance and security, an SMTP filter to block SMTP exploits, an Exchange Edge Server that prevents spam and its attendant malware and phishing attacks from entering the network over the SMTP protocol channel, strong outbound access control on a per user, per group, per protocol, per site basis, network flood protection, stateful packet and application layer inspection for all communications through and to the TMG firewall (including remote access VPN connections), and many more security capabilities.

Thus, the threat and response model for the EBS solution is based on a relatively sophisticated set of network security tools that are available with the TMG. Yes, it is possible that a small or midsized business has paid thousands of dollars for another firewall solution that can provide some of the features included in the TMG feature set, but it is unlikely that a non-TMG firewall could provide all the features that are used to provide the strong inbound and outbound access controls and connection scrubbing that the TMG firewall can provide.

So, rather than thinking of the TMG as a potential burden to your network, think of it as a unique opportunity to increase your network's security posture to a level that your network has not seen before. This is not to say that you need to get rid of your current network firewall. Two heads are better than one, and two firewalls are better than one. The EBS team has done a great job at making it easy to drop in the TMG firewall behind your existing firewall. After the TMG firewall is installed, all you need to do on your existing firewall is configure some port forwarding rules for HTTP, HTTPS, SMTP, RDP and other protocols, so that they are redirected to the external IP address on the TMG firewall.

While at first glance it might seem that the TMG adds needless complexity to the EBS network configuration, the fact is that the EBS installer does most of the heavy lifting for you, so you do not really need to understand the internals of the TMG installation and configuration during the initial setup. The only thing you need to do is configure your old firewall with port forwarding rules. You do not even need to renumber your network or change the default gateway settings on the machines on your network.

The bottom line is that the TMG firewall allows you to roll out a secure EBS networking solution using a known, standard security model that is common to all EBS network scenarios. Sure, you can go in and break the EBS TMG security model by creating unsecure rules, but out of the box, the settings ensure a well-defined baseline for network security, something you can't say if you stayed with the old "firewall" or NAT device and had not introduced the TMG firewall into the design.

I would like to hear what you think about the TMG as part of the EBS solution. Send me a note at tshinder@isaserver.org and I'll discuss your opinions in the next newsletter.

Tom

Before I close this month, I wanted to let all of my ISAserver.org friends and readers know that I have taken a new position with Prowess Consulting as Microsoft Network Security Consultant and Technical Writer. Prowess is a vibrant and growing consultancy with special expertise in virtualization, integration and documentation. If you or your company are interested in ISA or TMG or IAG consulting, then my team is ready to help. Just send me a note at shinder@prowessconsulting.com and we will put things in motion to make your ISA/TMG/IAG rollout go smoothly and efficiently. Thanks! - Tom 

=====================
Quote of the Month - "The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in New York, and it meows in Los Angeles. The wireless is the same, only without the cat." - Albert Einstein
=======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000s of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

5. Tip of the Month

Tips and tricks came in great numbers during Tim Mullen's Microsoft Security Ninjitsu class at Black Hat this year. One of the tricks Tim shared really opened my eyes regarding how the ISA Firewall performs authentication. I always thought that authentication had to be enforced on the rule if you did not force authentication at the Web Listener. For example, if I create a Web Listener that supports Basic or Integrated authentication and do not force authentication at the Web Listener, and if I do not use that Web Listener in a Web Publishing Rule that requires authentication, then no authentication takes place. It has always worked like this and I took it for granted that this is how authentication works with Web Publishing Rules and Web Listeners.

However, Tim demonstrated in class that he had configured his Web Listener to support client certificate authentication. The Web Listener was configured to not require authentication. Then Tim created a Web Publishing Rule that also did not require authentication. What would you expect to happen? What I expected to happen was that no authentication would be required and that no prompt for a client certificate would appear. Wrong! The client certificate request window opened on the client computer, Tim selected the appropriate certificate, and then the connection was established.

Needless to say, there was a lot of discussion around this issue, but at the time we were focused on how the ISA firewall validates the user certificate. What I was not thinking about at the time was why the prompt for the user certificate even came up. I still do not know why client certificate authentication seems to be an exception to the rule that if you do not force authentication at the Web Listener or the Web Publishing Rule, then you will not be required to authenticate. I will let you know when I find out.


6. ISA Firewall Links of the Month

ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org

7. Blog Posts

8. Ask Dr. Tom

QUESTION:

Hi Thomas,

I have gone through your articles on the RPC over HTTP protocol. I configured both Outlook and the Exchange server (single server) to use the RPC over HTTP protocol and tested it on the LAN, but it did not work for me because Outlook was using TCP instead of HTTP to connect to the Exchange server. When I blocked the other ports except ports 80 and 443 at the server, Outlook was not even able to connect to the server. Might be because our Exchange server does not have an external FQDN. So now my question is: "Is it possible to test this scenario on the LAN with an Exchange server accessible only on the LAN and not on the Internet (i.e. it doesn't have an external FQDN)?"

I am using MS Exchange server SP1 on Windows Server 2003 SP1 Enterprise edition and MS Outlook 2007. Also for web site certificates I used the Windows Certificate Services.

Thanks in advance. Regards, Ashish

ANSWER:

From what I understand, you have your ISA firewall configured to publish RPC over HTTP and it works for external clients. But what you want to do is test the RPC/HTTP configuration while the Outlook clients are on the internal network.

If so, yes, this is possible. What you need to do is configure your internal DNS servers so that the name of the RPC over HTTP proxy resolves to the name of the Exchange Server on the internal network. The best way to implement this is to use a split DNS. When you use a split DNS, you use the same name to connect to the RPC/HTTP proxy regardless of the client's location - the same name is used for both internal and external clients.

One other thing you need to do is configure the Outlook client to use RPC/HTTP instead of "TCP", even when the client is connected to a "fast" network. This is done in the Properties dialog box for the Outlook profile that the Outlook client is using to connect to the RPC/HTTP server.

Finally, if your ISA firewall is working correctly for your RPC/HTTP publishing scenario, you can configure your split DNS to resolve the name of the RPC/HTTP proxy for internal clients to the internal interface of the ISA firewall. Then you configure the Web Listener used for the RPC/HTTP Web Publishing Rule to listen on the Internal network as well as the external Network.
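The split DNS arrangement described in this answer, as an added example that is not part of the newsletter: the same name resolves to the public address for Internet clients and to the ISA firewall's internal interface for LAN clients. The zone contents, the example.com names and the 192.0.2.0/24 and 10.0.0.0/24 addresses are constructed (documentation ranges), and the classification of a client by its source network is a simplified model of which DNS server, internal or external, would answer the query. The second function checks for the classic split DNS mistake: a public name with no counterpart in the internal zone, which internal clients then cannot resolve at all.

```python
"""Split DNS for the RPC/HTTP proxy name: one name, two answers.

Added example, not from the newsletter. Zone data and addresses are
constructed; INTERNAL_NET stands in for 'the query arrived at the
internal DNS server'.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed LAN range

# Public zone, answered to Internet clients (constructed).
EXTERNAL_ZONE = {
    "mail.example.com": "192.0.2.10",          # ISA external interface
    "www.example.com": "192.0.2.10",
    "autodiscover.example.com": "192.0.2.10",
}

# Internal copy of the same zone, answered only on the LAN (constructed).
# mail.example.com points at the ISA internal interface, so the Web
# Listener for the RPC/HTTP rule is reachable from inside under the same
# name that external clients use.
INTERNAL_ZONE = {
    "mail.example.com": "10.0.0.1",            # ISA internal interface
    "www.example.com": "10.0.0.1",
    # autodiscover.example.com deliberately missing: see split_dns_gaps()
}


def resolve(name, client_ip):
    """Answer a query the way a split DNS would: internal clients get the
    internal zone, everyone else gets the public zone. Returns None for
    a name the selected zone does not carry (NXDOMAIN)."""
    name = name.rstrip(".").lower()
    internal = ipaddress.ip_address(client_ip) in INTERNAL_NET
    zone = INTERNAL_ZONE if internal else EXTERNAL_ZONE
    return zone.get(name)


def split_dns_gaps(external_zone, internal_zone):
    """Names the public zone answers but the internal zone does not.
    Each one is a name that works from the Internet and fails on the LAN."""
    return sorted(set(external_zone) - set(internal_zone))


if __name__ == "__main__":
    for client in ("10.0.0.50", "198.51.100.7"):
        print(client, "->", resolve("mail.example.com", client))
    print("internal zone is missing:", split_dns_gaps(EXTERNAL_ZONE, INTERNAL_ZONE))
```

The gap check is worth running whenever a record is added to the public zone; with split DNS every public name that internal clients might use has to be duplicated in the internal zone by hand.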

QUESTION:

Hi Tom,

I've been having problems connecting to some HTTPS sites via ISA 2004 using the web proxy client. The errors I get are:

"Status: 995 The I/O operation has been aborted because of either a thread exit or an application request"
" 407 Proxy authentication required"

The "Required Authentication" is disabled for web proxy. ISA keeps prompting for username & password even though they're supplied. By-passing the proxy, I then can connect to the website.
Any clues? Thank you. Regards, Naro.

ANSWER:

Without the details of your ISA firewall configuration, it is hard to come up with a hard and fast answer. The first thing I would look at is the ISA firewall's log files. Check what rule is triggering the request for authentication. This will appear in the log files. Check the configuration of the rule that is requesting authentication. Are you limiting the MIME types that are allowed by SSL sites that you're trying to connect to? Are you trying to limit access to the path that the client is trying to connect to? Are you having other authentication problems for your Web Proxy clients? Is the ISA firewall a member of the same domain that the clients belong to? Are there any hints in the Event Viewer indicating authentication problems?

Another thing you should do is download the ISA Firewall Best Practices Analyzer. Whenever you run into a problem with the ISA Firewall, this is one of the first things you should do. Download the ISA Firewall BPA.
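The first step in the answer above, finding which rule is sending the 407 challenges, is a log question, so here is an added example of that triage, not from the newsletter or from Microsoft. It reads a W3C extended format log with a #Fields header (ISA can write its Web Proxy log in that format) and reports, per rule, how many 407 responses were returned and to which clients, then lists clients that keep being challenged without ever getting an authenticated response, which is the "keeps prompting even though the password is supplied" symptom the reader describes. The field set, the rule names and every log line below are constructed for illustration, not captured from a real ISA firewall.

```python
"""Triage ISA Web Proxy log entries for HTTP 407 (Proxy Authentication
Required): which rule challenges clients, and which clients are stuck.

Added example, not from the newsletter. Log format is W3C extended with
a #Fields line; the field list and all entries are constructed.
"""
from collections import Counter, defaultdict

FIELDS = ["c-ip", "cs-username", "date", "time", "cs-method",
          "cs-uri", "sc-status", "rule"]

# Constructed entries. ISA rule names routinely contain spaces, so data
# lines are tab-separated; a whitespace split would break the rule field.
ROWS = [
    ["10.0.0.15", "anonymous", "2008-08-12", "09:14:01", "CONNECT",
     "secure.example.com:443", "407", "Allow SSL sites"],
    ["10.0.0.15", "EXAMPLE\\naro", "2008-08-12", "09:14:02", "CONNECT",
     "secure.example.com:443", "200", "Allow SSL sites"],
    ["10.0.0.22", "anonymous", "2008-08-12", "09:15:10", "GET",
     "http://www.example.com/", "407", "Allow Web authenticated users"],
    ["10.0.0.22", "anonymous", "2008-08-12", "09:15:11", "GET",
     "http://www.example.com/", "407", "Allow Web authenticated users"],
    ["10.0.0.31", "EXAMPLE\\alice", "2008-08-12", "09:16:00", "GET",
     "http://www.example.com/", "200", "Allow Web authenticated users"],
]

SAMPLE_LOG = "\n".join(
    ["#Software: constructed sample, not a real ISA log",
     "#Version: 1.0",
     "#Fields: " + " ".join(FIELDS)]
    + ["\t".join(row) for row in ROWS]) + "\n"


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def challenges_by_rule(text):
    """Map each rule that returned 407 to (count, sorted client IPs)."""
    counts = Counter()
    clients = defaultdict(set)
    for entry in parse_w3c(text):
        if entry["sc-status"] == "407":
            counts[entry["rule"]] += 1
            clients[entry["rule"]].add(entry["c-ip"])
    return {rule: (n, sorted(clients[rule])) for rule, n in counts.items()}


def clients_stuck_on_auth(text, min_challenges=2):
    """Clients challenged at least min_challenges times that never received
    a non-407 response carrying a real (non-anonymous) user name."""
    challenged = Counter()
    succeeded = set()
    for entry in parse_w3c(text):
        ip = entry["c-ip"]
        if entry["sc-status"] == "407":
            challenged[ip] += 1
        elif entry["cs-username"].lower() != "anonymous":
            succeeded.add(ip)
    return sorted(ip for ip, n in challenged.items()
                  if n >= min_challenges and ip not in succeeded)


if __name__ == "__main__":
    for rule, (n, ips) in challenges_by_rule(SAMPLE_LOG).items():
        print("%-30s %d x 407 from %s" % (rule, n, ", ".join(ips)))
    print("stuck clients:", clients_stuck_on_auth(SAMPLE_LOG))
```

A single 407 followed by an authenticated 200 from the same client (10.0.0.15 above) is normal proxy negotiation; a client that only ever receives 407 from one rule is the one whose rule configuration, domain membership and Event Viewer entries are worth checking, as the answer suggests.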

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
