ISAserver.org Monthly Newsletter of December 2007 Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Is 2008 the Year of "Re-perimeterization"?

Ever since the release of the ISA 2004 firewall, I made it a point in many of my articles to discuss the importance of categorizing your computing assets and assigning them to security zones that are physically or logically isolated from one another. My main motivation for pushing this security philosophy is that the ISA 2004 and ISA 2006 firewalls are the ideal solution for providing for this kind of segregation of computing assets based on security zones.

It's been a hard struggle to get this message across. At the same time that I've been pushing for strong access control based on security zones and ISA firewall segregation of those security zones, another camp has been pushing the concept of "death of the DMZ" and "there are no more perimeters" - giving readers the impression that there is no need for security zones and segmentation based on those zones.

While I haven't given up fighting the good fight of "least privilege" for network communications, it has seemed that the uphill battle was getting steeper and steeper. People who I would otherwise consider strong advocates of least privilege were saying to me "the solutions are so complex that the relative security advantages might be lost in the complexity and increased risk of firewall misconfiguration". This is especially frustrating, because these kinds of comments come from people who understand the ISA Firewall and security zoning very well, but believe that perimeterization just isn't worth the effort.

Given all this, you can imagine my surprise when I had a discussion with someone within Microsoft about the future of "re-perimeterization"! While I had never heard of the term "re-perimeterization", I found out that what they meant by that term was security zone-based network segmentation! I've been blowing the horn for this for years and getting pushback even from those within Microsoft. But now, it seems someone on the inside appreciates the security value provided by security zone based network segmentation.

Their idea of "re-perimeterization" is that core network infrastructure services should be placed behind a network security device in order to protect them from other hosts and workstations on the network. For example, the Exchange Server, the SQL Server, the SharePoint Server, the domain controllers and the Web servers should be segregated from the users by putting them on a network services segment. Yes! Someone finally heard that security zones and perimeterization is not only not dead, but a key requirement for secure network design and regulatory compliance.

What do you think? Could 2008 be the year of "re-perimeterization?" Are you ready to redesign your networks so that you segregate your core infrastructure assets from the workstations? Do you think there is any value to have strong access control, monitoring and reporting of all connections made to these assets? Do you think there are better ways of doing this, such as NAP or IPSec server and domain isolation? Let me know! I'll include your opinions and observations in the next newsletter. Just send me a note at tshinder@isaserver.org

Finally, this is the last ISAserver.org newsletter for the year. I hope that 2007 was a good year for all of you and that all your wishes for a happy holiday season for you and yours comes true. I'm looking forward to some good things happening on the ISA Firewall and IAG 2007 front in 2008, and I'll be sharing that information with you each month in the newsletter and the ISAserver.org Web site.

Thanks!

Tom

=======================

Quote of the Month - "Why did they break the Microsoft advanced KB search?"

Thousands of Admins trying to find the latest KB articles for the products they manage

=======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• More on Exporting ISA objects to and from 2000, 2004, 2006
• Creating a Custom VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 1)
• Creating a Customer VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 2)
• Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 1)
• Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 2)

4. KB Articles of the Month

Each month for the last several years we've included the most recent KB articles regarding the ISA Firewall. In order to provide this service, I used the advanced search feature on the Microsoft Web site, located at http://support.microsoft.com In the past, you could filter your search for the last 3 days, or the last 7 days, or the last month, or the last six months, etc. Now when you go to the search site at http://support.microsoft.com, you're presented with a very simple interface that doesn't allow you to filter your searches at all. All you can do is enter a search term, that's it. No way to list the results by date, no way to limit your search to MSDN, or any of the other options we used to have. This breakage of the search site started about two weeks ago and we're still hoping that they'll fix it soon. Until then, we'll have to suspend the KB articles of the month feature because there's no way to figure out what KB's came out in the last month!

5. Tips of the Month

Richard Hicks wrote in last month with a great tip on how to automate routing table entries on a new ISA Firewall. Check this out:

"I am writing in response to a request you made in your latest newsletter (November 2007) for any "must have" settings on ISA firewalls. What I have to offer isn't so much a setting, but more of a way to automate a critical setting required when configuring an ISA firewall - the routing table.

For deployments such as ours, with a massive internal network that spans the globe, getting the routing table configured correctly is vital to the proper operation of an ISA firewall. With numerous registered networks that are internally reachable, manually typing in a bunch of "route add -p blah blah blah..." at the command line can be tedious, time consuming, and of course prone to error. My solution was to create a quick VBScript that automates this. My script prompts you for the gateway you wish to use, then reads a text file that contains the network address and subnet mask for each of our internal networks and populates the registry with that information. The code is as follows:

###

Option Explicit

On Error Resume Next

Dim Shell, Gateway, FSO, File, Line

Const ForReading = 1

Gateway = Trim(InputBox("Enter the Default Gateway for this Network: "))

If Gateway = "" Then
WScript.Quit
End If

Set FSO = CreateObject("Scripting.FileSystemObject")
Set File = FSO.OpenTextFile("routes.txt", ForReading)

Set Shell = CreateObject("WScript.Shell")

Do Until File.AtEndOfStream

Line = File.ReadLine
Shell.RegWrite
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\PersistentRoutes\" & Line & "," & Gateway & ",1", "", "REG_SZ"

Loop

Set Shell = Nothing
Set File = Nothing
Set FSO = Nothing

MsgBox "Static Routes Added Successfully!", vbInformation, "Update Complete"

###

I'm sure this code could be cleaned up a bit, with additional bounds checking and error handling, but it works for me. I would be very interested in hearing what you think of this tip."

Great tip, Richard! Thanks!

6. ISA Firewall Links of the Month

• ISA 2006 EAL 4+ Common Criteria Evaluation
• A fine collection of ISA Firewall Webcasts
• An update enables multicast operations for ISA Server integrated NLB
• ISA Firewall Quick Tip : How to Disable Caching of Specific Website
• ISA Firewall Virtual Labs!

7. Blog Posts

• A lesson learned by debugging Silverlight through ISA Server
• Multiple L2TP/IPsec VPN clients behind a NAT device
• Fixing Windows Media Player Authentication Prompts
• Client requests to access a published Web site are blocked when you configure ISA Server 2006 to allow direct authentication to access a published Web server

8. Ask Dr. Tom

QUESTION: I am getting access denied HTTP 502 proxy error when I log on to any FTP site. I have read al articles and references to how to fix this but nothing works. What can I do. Any help is appreciated. For testing purposes, I even opened all ports internal to external and it still gets blocked. Thanks! - Carlos.

ANSWER: FTP problems are common for all firewalls. You mention that you're getting a proxy error, which indicates that you're using HTTP tunnel FTP connections to the ISA Firewall, which also means that you're using the Web browser to access the FTP site. There are many issues that can lead to FTP problems, so there's no "magic bullet" to fix your problem. Check out the articles at Using Active PORT Mode FTP Programs from Behind the ISA Firewall and there's a good chance you'll find a solution there.

QUESTION: Dear Dr Shinder,

We are experiencing the following error message when accessing OWA from internally and externally.

• Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
• IP Address: 192.168.96.22
• Date: 07/12/07 12:43:06 PM
• Server: ecdc-eln-isa01.ecdc.int
• Source: proxy

ANSWER: You don't mention from where you're trying to connect to the OWA site through the ISA Firewall. I will assume that you're testing the configuration from an external client. The most likely reason for the error you're seeing is that the name on the Public Name tab of the Web Publishing Rule that publishes the OWA site. Remember, the name on the Public Name tab must be the same as the common/subject name on the Web site certificate you're using on the Web listener. So, if you reach the site using https://owa.company.com/exchange , the name on the certificate must be owa.company.com. In addition, you need to configure your external DNS entries so that owa.company.com resolves to the IP address on the external interface of the ISA Firewall, or of the NAT device in front of the ISA Firewall that forwards the connections to the ISA Firewall's external interface.

QUESTION: Hi Tom,

I would appreciate it if you could help with the current situation I'm having. I've been using ISA 2000 without any issues for years, I decided recently to configure a ISA 2006 server to replace the 2000 box and afford functionality for Sharepoint that was not available in 2000.

My problem is this. I have 5 subnets
10.100.10.0/22 - Local to head office
10.100.20.0/22 - Namibia
10.100.30.0/22 - Durban
10.100.40.0/22 - Port Elizabeth
10.100.50.0/22 - Cape Town
10.100.10.0/22 works fine and clients can connect without a problem but all the other subnets cannot. They have all been added to the routing table and to the Internal Network config.

Pinging from the subnets works, but any other protocol is dropped as spoofed. When I examine the logs it would seem that ISA is seeing the Serial interface of the router (i.e. 192.168.100.2 - Namibia) and dropping the packet.

I have created access and subnets for these locations but without any luck. Been battling for 3 weeks and am unable to find any help on the subject.

Could you give me some advice on what to try next. You response will be greatly appreciated.

Kind regards, Jeremy

ANSWER: If the ISA Firewall is seeing a NATed address from the other networks, then you need to include that NATed address in the definition of the ISA Firewall Network that the connection is being received from on the ISA Firewall. From what I can tell, you have a single default Internal ISA Firewall Network. In that case, you need to add the addresses being presented to the ISA Firewall, in this case, at least the address 192.168.100.2. However, this is problematic, since this is an off-subnet address, and therefore there needs to be a router between the ISA Firewall's internal interface and the NAT device that's presenting the 192.168.100.x addresses to the ISA Firewall. However, you might be trying to use the internal interface as a router, which worked with ISA 2000, but does not work with ISA 2006, because ISA 2000 did not perform stateful packet inspection on the internal interface, and ISA 2006 does perform stateful packet inspection on all interfaces.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.