Sponsored by: GFI Software Ltd
ISAserver.org Newsletter
December 2005
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
GFI WebMonitor for ISA Server 3 out now in BETA - Includes content filtering & virus scanning features!
The latest version of GFI WebMonitor for ISA Server, a utility for ISA server that allows for real time monitoring of web sites being browsed by network users and the files they are downloading, is now available in BETA! Version 3, BETA now includes a real-time online adult content filter, virus scanning and file type blocking capabilities and byte transfer stats per user/per site.
Click here to download the new and improved BETA version!
1. Holiday Gifts for your ISA Firewalls
By Thomas W Shinder MD, MVP
Since the holiday season is a time for gift giving, I thought I'd point out a number of tools from Microsoft and others that you can use for free to help manage, monitor and configure your ISA firewall. Here's a list of my favorites:
Cachedir.exe: This handy little tool allows you to view the contents in the ISA firewall's Web cache. Not only can you view the content, you can also remove content from the cache. Download cachedir.exe at http://www.microsoft.com/downloads/details.aspx?FamilyId=88117626-D72C-4CC8-A15F-C1FBDBCFF688&displaylang=en
MSDEtoText.vbs: This tool allows you to export your MSDE log files to text files that can be viewed by any text reader. It's especially useful if you need to have text logs that can be imported into your favorite log reporting application. Download msdetotext.vbs at http://www.microsoft.com/downloads/details.aspx?FamilyId=A60A09A0-E4AD-47C7-9961-5E22E65CA986&displaylang=en
Firewall Client Tool: The Firewall client tool allows you to use the command line to specify what settings the Firewall client should use, set autodiscovery settings for the Firewall client and Web browser and diagnose problems with the Firewall client. This is a very useful tool that no ISA firewall admin should be without and you can download it from http://www.microsoft.com/downloads/details.aspx?familyid=f20f6267-273d-4870-b1e8-799b261b4786&displaylang=en
Firewall Kernel Mode Tool: This tool allows you to analyze and troubleshoot ISA firewall connectivity issues. It's also the only way you can determine what ports the ISA firewall is listening on, as you cannot use the netstat tool to view these ports like you could with ISA Server 2000. Download the Firewall Kernel Mode Tool at http://www.microsoft.com/downloads/details.aspx?familyid=f3306399-d4f9-4989-865e-c61f8293c330&displaylang=en
ISA 2004 Best Practice Analyzer: The ISA Server 2004 BPA analyzes your ISA firewall configuration and reports problems with configuration and setup. While I don't agree with some of the assessments made by this tool, I find it an invaluable tool for checking out problems with certificate related issues. This is a must-have for your ISA firewall toolkit and you can download it at http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en
GFI WebMonitor: This freeware tool from GFI allows you to monitor sites your users are accessing in real time and view what they're downloading. You can immediately disconnect large downloads as well. Download GFI WebMonitor 3.0 at http://www.gfi.com/downloads/downloads.aspx?pid=webmon&lid=EN
ISAtools.org: This isn't just a tool, it's Jim Harrison's collection of programs, scripts and docs that enable you to take the ISA firewall to the next level. Be warned, you need to understand how the ISA firewall works, have a little skill with scripting, and be able to figure a lot of things out for yourself to get the most out of Jim's jackpot. Check it out at www.isatools.org
Hope you all had a great 2005 with your ISA firewalls and I'm looking forward to another great year in 2006. We'll likely see a new version of the ISA firewall in 2006, and we have a lot of new content and services planned for you here on ISAserver.org. You can look forward to seeing one of these coming in January, when I unveil a new feature called "ISA Firewall Quick Tips". See you in 2006! Thanks! -Tom.
[Have questions, comments or suggestions? Write to me at tshinder@isaserver.org and let me know.]
=======================
Quote of the Month - "A genius is somebody a computer cannot program" - Taban Lo Liyong
=======================
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
5. Post of the Month
An ISAserver.org Web boards member reminded me about MSDE logging and the need to install SQL updates. In fact, immediately after installing the ISA firewall (which you should do when the ISA firewall machine is not connected to the Internet) you should do the following:
- Get Updates from the MSDE and Office Web Components
- Get the ISA firewall application updates
- Analyze the ISA firewall's security configuration using the Microsoft Baseline Security Analyzer
- Harden the ISA firewall using the ISA Server Security Hardening Guide
- Put a recurring appointment in your Outlook Calendar to repeat these steps once a month
For more information and links, check out the ISA Firewall Security Update Center at: http://www.microsoft.com/isaserver/techinfo/2004se-p2w-postinstall%28en%29.mspx
6. ISA Firewall Links of the Month
Microsoft has recently released a slew of exceptionally useful documents on all sorts of ISA firewall topics. Many of them are dedicated to ISA firewall troubleshooting. Check out this collection of ISA firewall Christmas presents from Microsoft:
Troubleshooting Firewall Clients in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/troubleshooting_fwc.mspx
Troubleshooting Virtual Private Networking
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/troubleshooting-vpn.mspx
Configuring ISA Server 2004 on a Computer with a Single Network Adapter
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_client_rules.mspx
Troubleshooting Network Load Balancing in ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_nlb_ee.mspx
Troubleshooting: Setup
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_setup.mspx
Troubleshooting Web Proxy Traffic in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
Troubleshooting Network Configuration in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_networks.mspx
Best Practices Firewall Policy for ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall_policy.mspx
Best Practices: Logging
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/logging-best-practices.mspx
Best Practices for Configuring Networks in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bp_networks.mspx
7. Ask Dr. Tom
QUESTION: I have a single NIC ISA firewall and have run the Single NIC Network Template on it. I've created Access Rules that allow communications from Internal to External but the Access Rules do not work. What's the problem here?
ANSWER: The problem is that when you run the Single NIC Network Template on the ISA firewall, the definition of the Internal Network changes so that it includes all addresses in the IPv4 range (with the exception of the loopback network ID). All Access Rules created on a unihomed ISA firewall on which the Single NIC Network Template is run should include the source and destination networks as Internal, or you can use other Network Objects to represent the source and destinations.
QUESTION: I need to connect to an SSL Web site using TCP port 8081 but my Web Proxy client will not connect. What can I do to connect to the SSL Web site using an alternate port?
ANSWER: Check out Jim Harrison's www.isatools.org Web site. Jim has an excellent tool there that extends the SSL tunnel port range to any ports you desire. The name of the file is isa2k4_ssl_tpr.zip
Got a question for Dr. Tom? Send it to tshinder@isaserver.org