Sponsored by: Acunetix
ISAserver.org Newsletter
December 2006
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Is your website secure from Hackers? 95% are not!
 Find out if your business is at risk with a $395 Acunetix Web SiteAudit.
Acunetix SiteAudit is the new on-demand web security audit service that provides you with an immediate and comprehensive security audit of all off-the-shelf and bespoke web applications.
Order your website audit today for only $395!
1. Follow Up on ISA Firewall Deployment Blockers
By Thomas W Shinder MD, MVP
Last month I wrote about how the ISA Firewall can be deployed in a great number of firewall configurations and provided a somewhat comprehensive list of the deployment options. I also mentioned at that time that I was confounded by the number of people who didn't understand that the ISA Firewall was a firewall first, second and last and that its firewall security feature set (not its routing feature set) was on par with Check Point and superior to PIX firewalls.
If you missed last month's newsletter, check it out at:
http://www.isaserver.org/pages/newsletters/november2006.asp
I received a number of excellent responses to that editorial. I found it very interesting that there was a common thread among ISA Firewall fans regarding reasons for not fully deploying the ISA Firewall. These included:
- Lack of NAT options. Most of these readers mentioned that the lack of static NAT was a deployment blocker because they needed to support multiple MX domains. Other people mentioned that they needed static NAT for other reasons, such as IP address based access control on external server access.
- No SSL VPN. Almost all modern firewalls support some sort of SSL VPN. While ISA Web Publishing Rules for OWA/OMA/ActiveSync and RPC/HTTP provide SSL VPN-like functionality, the SSL VPN market has matured to the extent that a true enterprise class firewall needs to support SSL VPN portals, and provide network layer or network layer-like connections to the corporate network.
- Desultory change management tracking. Several readers mentioned that they really wanted to deploy the ISA Firewall as their edge firewalls, but ran into problems with firewall policy change management. It appears that many compliance auditors require that companies provide comprehensive information regarding firewall policy changes, when the changes were made, who made the changes, and ideally, some notation on why the changes were made. The ISA Firewall doesn't provide any meaningful change management controls.
- Out of date encryption protocol support for VPN. The ISA Firewall supports triple DES for remote access and site to site VPN connections. The current standard is AES encryption and this was the case before the 2006 ISA Firewall was released. Why AES encryption support was not added to the latest release of the product is hard to understand.
- No "real" firewall client. Several readers mentioned the absence of a "real" firewall client. What they meant was that a real firewall client would provide end-point security and health checking before allowing outbound access to the Internet. In addition, other people mentioned that the firewall client should be able to control which applications can be used for specific protocols. The Firewall client should be able to white list applications, not just black list them. This would enable you to force users to use Internet Explorer 7 only when reaching HTTP/HTTPS sites, and only Outlook when accessing POP3/SMTP sites. Application signatures would be used, not just the application name. An example of how this is currently implemented can be seen in the Microsoft IAG product, which allows you to limit what applications are used when connecting to the corporate network using a specific protocol.
- Key reporting features missing in action. The ISA Firewall provides, out of the box, a slew of reports based on the information contained in the ISA Firewall's firewall and Web proxy logs. However, the report that everybody wants is a report that allows the ISA Firewall administrator to determine a specific user's activity over a specific period of time. This is probably one of the most important forensic activities you can do with the ISA Firewall, but you have to jump through a lot of hoops to get this information.
- Lack of routing protocol integration. Large networks that depend on routing protocols such as RIP or OSPF need the ISA Firewall to be able to dynamically respond to changes on the corporate network. In many cases there is no problem, as the ISA Firewall does support these routing protocols to dynamically update its routing tables. However this support is limited because of a lack of integration. If a new network goes online behind the ISA Firewall and includes IP addresses that are not part of that ISA Firewall's Network Definition for that Network, then connections to that new Network will fail, because the ISA Firewall will not dynamically update the definition of that ISA Firewall Network.
One reader mentioned that he had problems with the "security team". The "team" said that the ISA Firewall wasn't "well known" (hey guys, if you're really security guys, you should see the benefit from "security through obscurity"). Another reader mentioned that his network guys blocked the ISA Firewall because "it runs on Windows" (thus showing how clueless they were about the ISA Firewall's security model and their intellectual sloth that leads to using that old canard).
A few people mentioned the usual stuff, like the network guys were "on the take" with the "hardware" reps, that the network guys were too weak in the noggin to understand the ISA Firewall, and that the network or security guys needed to keep Microsoft out of the network infrastructure because of job security issues, such as having to explain to the comptroller why they spent 10-20 times more on network security solutions than they needed to.
=======================
This is the last newsletter of the year and I wish everyone Merry Christmas and happy holidays! I hope over the past year you were able to get some useful information from this newsletter and that it helped you manage your ISA Firewall better and increase the overall level of security the ISA Firewall could provide for your company.
In 2007, look forward to more coverage of the Microsoft Internet Application Gateway (IAG), which is based on the ISA Firewall. The Microsoft IAG provides the ISA Firewall with SSL VPN features and I guarantee that you are going to LOVE the product. The IAG should be available sometime in the first quarter of 2007, and if I can get permission, I'll provide you some preview information on the product so that you can be first in line to get it!
HTH,
Thanks!
Tom tshinder@isaserver.org
=======================
Quote of the Month - "Aren't we forgetting the true meaning of Christmas? You know, the birth of Santa."
Matt Groening (1954 - ), The Simpsons
=======================
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:
5. Tip of the Month
Calvin was having problems related to Firefox and how the ISA Firewall forwarded HTTP requests. Here was the problem:
"I am publishing a web farm and everything is working except for one annoying little thing. I am forwarding all port 80 traffic to https in the publishing rule, but when it forwards http://www.foo.com/page.htm, it forwards to https://www.foo.com:0/page.htm. I'm not sure why that ":0" gets in there. It works fine in IE, but a Firefox user that tries to go to http gets an "Unable to connect" error and has to manually remove the ":0" to get to the page.
Looking in the logs I see the client connecting to ISA but not getting redirected to a web server in the farm. ISA sees them trying on port 80, says there was a failed connection attempt, and gives me an http status code of 12241. I can't find the definition of that status code anywhere."
After some research, Calvin found this answer:
"I finally got this fixed. Turns out it is related to a bug in the Link Translation module. I'm not 100% sure how that plays in since I am actually using the redirection option but it must use something from link translation to redirect the user. There is a hotfix #927265 that fixes the problem. If anyone else is seeing this though, that hotfix is not released publicly yet so you have to contact Microsoft support to get the download.
Thanks for the help...hopefully this helps someone else."
Many thanks to Calvin for doing the footwork to come up with this solution!
For the complete thread, check out: http://forums.isaserver.org/ISA_Appends_port_%3a0_when_redirecting_to_https_-_breaks_in_firefox/m_2002030622/tm.htm
6. ISA Firewall Links of the Month
Are you an ISA 2004 firewall admin? Then you should check out the new ISA 2006 firewall. Get the ISA 2006 Firewall trial software at: http://www.microsoft.com/isaserver/prodinfo/trial-software.mspx
The new ISA Firewall based Microsoft Internet Application Gateway (IAG) adds SSL VPN capabilities to the ISA Firewall. Forrester recently identified the Microsoft ISA Firewall based IAG as a market leader! Check it out at: http://www.microsoft.com/presspass/press/2006/dec06/12-13MSGrowingSSLPR.mspx
We've been waiting for a Vista compatible Firewall client for a long time. The wait is over! Download the new Firewall client over at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=05c2c932-b15a-4990-b525-66380743da89
Need to squeeze the most out of your ISA Firewall? Then check out the Best Practices for Performance in the ISA 2006 Firewall at http://www.microsoft.com/technet/isa/2006/perf_bp.mspx
SSL accelerators help you get the best performance in your secure Web application publishing environment using the ISA Firewall. Here's a great paper on how to configure your ISA Firewall to work with SSL accelerators, both on-box and off-box: http://www.microsoft.com/technet/isa/2006/deployment/ssl_accelerator.mspx
7. Blog Posts
Getting out of the Hardware Appliance Racket
http://blogs.isaserver.org/shinder/2006/12/01/getting-out-of-the-hardware-appliance-racket/
Windows XP Web Proxy Clients Fail to Connect to Windows and Microsoft Update Sites through the ISA Firewall
http://blogs.isaserver.org/shinder/2006/11/29/windows-xp-web-proxy-clients-fail-to-connect-to-windows-and-microsoft-update-sites-through-the-isa-firewall/
Route Relationships, Server Publishing Rules, and Port Stealing
http://blogs.isaserver.org/shinder/2006/11/29/route-relationships-server-publishing-rules-and-port-stealing/
Another Possible Solution for Connection Problems to SSL Sites
http://blogs.isaserver.org/shinder/2006/11/27/another-possible-solution-for-connection-problems-to-ssl-sites/
ISA Firewall Flood Mitigation Settings
http://blogs.isaserver.org/shinder/2006/11/18/isa-firewall-flood-mitigation-settings/
8. Ask Dr. Tom
QUESTION: Hi Tom,
I'd like to know how to block FTP upload and download.
ANSWER: In order to prevent FTP download, don't create any rules that allow that user access to the FTP protocol. If you want to allow users access to FTP download, but not FTP upload, then you can configure the FTP protocol policy for the rule that applies to that user. Right click on the Firewall Policy rule that allows the user access to the FTP protocol and click FTP Policy. Configure the policy to deny FTP upload, which is the default setting.
QUESTION: Hi Tom,
I was wondering if you could tell me if ISA 2006 supports the use of Wildcard SSL certs without having to use a cert with the proper common name on the internal web server (like you have to do in ISA 2000/2004).
ANSWER: The 2006 ISA Firewall now supports wildcard certificates on both the front end and the back end. This is a change from the ISA 2004 Firewall, which only supported wildcard certificates on the front end.
In the front end wildcard certificate scenario, you can publish multiple SSL Web sites using a single certificate. The only requirement is that the SSL sites are all hosts under a single second-level domain name. For example, in this scenario you can use the public names owa.msfirewall.org, mobile.msfirewall.org and rpchttp.msfirewall.org with the same certificate.
HTH,
Tom
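To make the "single second-level domain" requirement concrete, here is an added example (not from the newsletter or from ISA Server's own code) that checks which public names a wildcard certificate such as *.msfirewall.org actually covers under the usual browser matching rule: the wildcard must be the whole leftmost label and matches exactly one DNS label, so the bare domain and deeper sub-subdomains are not covered and would need their own certificate.

```python
"""Check which published public names a single wildcard certificate covers.

Added example, not from the newsletter or from ISA Server's own code. It applies
the common wildcard rule (RFC 2818/6125 style): '*' may only be the entire
leftmost label and matches exactly one DNS label, so '*.msfirewall.org' covers
'owa.msfirewall.org' but neither 'msfirewall.org' nor 'mail.corp.msfirewall.org'.
"""


def wildcard_cert_covers(cert_name: str, public_name: str) -> bool:
    """Return True if a certificate issued for cert_name is valid for public_name."""
    cert = cert_name.lower().rstrip(".")
    host = public_name.lower().rstrip(".")
    if "*" not in cert:
        return cert == host  # plain certificate: exact (case-insensitive) match only
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    # The wildcard must be the whole leftmost label (no 'ow*.example' forms),
    # must be the only wildcard, and must sit below at least a second-level domain.
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert_labels[1:]:
        return False
    # '*' matches exactly one label, so the label counts must agree and the
    # remaining labels must match exactly.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def uncovered_public_names(cert_name: str, public_names: list[str]) -> list[str]:
    """Public names that would still need their own certificate."""
    return [n for n in public_names if not wildcard_cert_covers(cert_name, n)]


# Constructed sample: the three public names from the newsletter's scenario plus
# two names that a *.msfirewall.org certificate does NOT cover.
PUBLIC_NAMES = [
    "owa.msfirewall.org",
    "mobile.msfirewall.org",
    "rpchttp.msfirewall.org",
    "msfirewall.org",
    "mail.corp.msfirewall.org",
]

if __name__ == "__main__":
    for name in PUBLIC_NAMES:
        status = "covered" if wildcard_cert_covers("*.msfirewall.org", name) else "NOT covered"
        print(f"{name:28} {status}")
```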
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.