Sponsored by: GFI Software Ltd
ISAserver.org Newsletter
February 2005
Share Your Thoughts with Us through the ISAserver.org Site Survey
Take part in the ISAserver.org Site Survey to help improve the site, to help us learn more about our visitors, and to win a signed copy of Tom & Deb Shinder's Configuring ISA Server 2004.
Click here to participate.
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
GFI WebMonitor for ISA Server FREEWARE - Monitor & block web browsing in real time
GFI's WebMonitor for ISA Server is a freeware utility for ISA server that allows you to monitor the web sites being browsed by network users and the files they are downloading - in REAL TIME. It also allows administrators to block current web connections as needed.
Click here to download the fully functional freeware version.
1. Introducing ISA Server 2004 Enterprise Edition
By Thomas W Shinder MD, MVP
Big news! ISA Server 2004 Enterprise Edition has officially been released to manufacturing (RTM) and we'll have it in our hot little hands in just a few weeks. We're really excited about the release of Enterprise Edition. In contrast to the ISA Server 2000 Enterprise Edition, which added relatively little to the ISA Server 2000 Standard Edition offering, the ISA Server 2004 Enterprise Edition adds some significant bells and whistles to the already powerful ISA Server 2004 Standard Edition firewall.
Like Standard Edition (SE), the ISA Server 2004 Enterprise Edition firewall is a stateful packet and application layer inspection firewall. Like ISA Server 2004 SE, the ISA Server 2004 Enterprise Edition firewall provides stateful packet inspection and stateful application layer filtering for all connections made to and through the ISA Server 2004 Enterprise Edition firewall device.
In addition to being an exquisitely secure stateful firewall, the ISA Server 2004 Enterprise Edition firewall can be configured as a Web caching proxy array, remote access VPN server, and a site to site VPN gateway.
ISA Server 2004 Enterprise Edition includes all the features and functionality found in ISA Server 2004 Standard Edition. In addition, ISA Server 2004 Enterprise Edition includes:
- Support for Web caching arrays using the Cache Array Routing Protocol (CARP). Web caching arrays significantly improve ISA Server Web proxy and caching performance via its intelligent CARP algorithm. Web performance enhancements provided by CARP lead to increased end-user satisfaction and productivity, and have the potential for significantly reducing internet bandwidth costs.
- Integrated support for the Windows Network Load Balancing (NLB) service. NLB allows you to deploy an array of ISA Server 2004 Enterprise Edition firewalls in a high availability network environment. NLB provides both failover and load balancing for all connections made through an ISA Server 2004 Enterprise Edition NLB array. If one array member should go offline, the remaining array members take over for the downed server. The load balancing feature of NLB increases array performance, as it prevents any single server in the array from being overwhelmed by connection requests.
- Array configuration is now stored in an Active Directory Application Mode database (AD/AM or ADAM) instead of in the Active Directory. Firewall policy for the array is stored in an ADAM database, and the ADAM instance can be placed on an array member firewall, on a configuration storage server on the corporate network, or on a domain controller. Multiple configuration storage servers can be created to provide array configuration fault tolerance. Configuration storage servers can also be placed at multiple locations, such as main and branch offices, to ensure the firewall configuration is always available to firewall array members.
- An enhanced management console allows you to manage all arrays in the organization. You can manage hundreds of array member servers contained in dozens of arrays located at disparate locations around the globe from a single ISA Server 2004 Enterprise Edition management console. The ISA Server 2004 Enterprise Edition management console allows you to configure firewall policy at a single location and automatically update globally distributed array member servers.
- Support for Enterprise and Array Policy. You can create enterprise policies that are applied to multiple arrays. Enterprise policies allow you to create standardized firewall access policy and have it applied to globally distributed arrays. Array administrators can be allowed to customize array policy by creating firewall policies that apply only to a specific array and integrate array policy with enterprise policy. Combining enterprise and array firewall policies provides both the required level of centralized firewall control for an entire organization and enables array administrators to customize firewall policy to meet specific requirements of their particular enterprise array.
ISA Server 2004 Enterprise Edition provides centralized control over network security policy and high availability required by globally distributed enterprise environments. I've been highly impressed with the stability and performance of ISA Server 2004 Enterprise Edition arrays, and this new product truly launches the ISA firewall brand as a best of breed, second generation stateful packet inspection and stateful application layer inspection firewall.
Get the ISA Server 2004 Enterprise Edition CD and kit at http://www.microsoft.com/isaserver/evaluation/trial/default.asp
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
Click here to order your copy today.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
5. Post of the Month
Unlike your old "open a port" packet filter firewall, the ISA firewall provides advanced protection for inbound and outbound connections. But with this advanced protection comes a price, you need to know how to configure the ISA firewall's Access Rules and put them in the correct order. If you don't order your rules correctly, you might not get the protection you desire. Jim Harrison has you covered in this post he had on the ISAserver.org Web board:
Ever wonder what the "best practice" is for configuring the rules? It's actually very simple. ISA 2004 processes the rules list in this order:
1. System rules
2. Array rules
In both cases, the rules are processed in the order they're listed.
You should ALWAYS group your rules thus:
Anonymous rules - Deny rules - Allow rules
Authenticated rules - Deny rules - Allow rules
"What's the logic behind this method?" came wafting up from the back of the class.
Here 'tis:
- Deny rules are created to protect your ISA, clients and servers - let's give ISA a fighting chance by allowing those to fire first.
- Authentication is relatively expensive for the policy engine; if we can simplify the task by allowing an unauthenticated rule to fire first, we won't waste time trying to authenticate when we don't care who the user is.
"Yeh" came the call from the front row, "but how do you define the relationship between the rules for best performance?"
Good question says I - and here's the crux of the biscuit:
- If your ISA is primarily used for outbound access (internal folks using ISA for surfing), then place your access rules first, using the grouping above.
- If your ISA is used primarily to publish sites, then place your publishing rules first.
- In either case, always use the groupings I listed above and your ISA will sing and dance for you.
Thanks Jim!
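To make Jim's ordering advice concrete, here is an added example (not from his post or from ISA Server itself): a toy first-match policy engine with a constructed three-rule policy, an `order_violations` check that flags rules listed ahead of the recommended grouping (anonymous deny, anonymous allow, authenticated deny, authenticated allow), and an `evaluate` function that reports both the decision and whether the engine had to attempt authentication. All rule names, users and protocols are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                      # "deny" or "allow"
    authenticated: bool              # True = applies to named users, needs authentication
    protocols: frozenset             # protocol names; "*" means all protocols
    users: frozenset = frozenset()   # named users; only meaningful if authenticated

def group_key(rule):
    """Rank by the post's grouping: anon deny < anon allow < auth deny < auth allow."""
    return (rule.authenticated, rule.action == "allow")

def order_violations(rules):
    """Names of rules listed ahead of a rule that belongs to an earlier group."""
    return [r.name for i, r in enumerate(rules)
            if any(group_key(later) < group_key(r) for later in rules[i + 1:])]

def evaluate(rules, protocol, user=None):
    """First-match evaluation; returns (decision, authentication_attempted).
    user=None models an anonymous request (no credentials available)."""
    auth_attempted = False
    for r in rules:
        if "*" not in r.protocols and protocol not in r.protocols:
            continue
        if r.authenticated:
            auth_attempted = True        # the engine must identify the user here
            if user is None or user not in r.users:
                continue
        return r.action, auth_attempted
    return "deny", auth_attempted        # implicit default deny at the end of the list

# Constructed sample policy (hypothetical rules, not from the post)
DENY_IRC = Rule("Deny IRC", "deny", False, frozenset({"irc"}))
ALLOW_WEB_ANON = Rule("Allow Web (anonymous)", "allow", False, frozenset({"http", "dns"}))
ALLOW_ALL_ALICE = Rule("Allow all (alice)", "allow", True, frozenset({"*"}), frozenset({"alice"}))

# Jim's grouping: anonymous deny, anonymous allow, then authenticated allow
RECOMMENDED = [DENY_IRC, ALLOW_WEB_ANON, ALLOW_ALL_ALICE]
# Same three rules in the wrong order: authenticated allow-all listed first
MISORDERED = [ALLOW_ALL_ALICE, ALLOW_WEB_ANON, DENY_IRC]

if __name__ == "__main__":
    print("violations:", order_violations(MISORDERED))
    for policy in (RECOMMENDED, MISORDERED):
        print(evaluate(policy, "irc", "alice"), evaluate(policy, "http"))
```

With the misordered list, alice's authenticated allow-all rule matches IRC before the deny rule can fire, and every anonymous Web request costs an authentication attempt first.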
6. ISA Firewall Links of the Month
We've got a bunch of great links for you this month. Check out the tasty ISA firewall morsels below for the goodies.
Order the ISA Server 2004 Enterprise Edition CD and trial kit:
http://www.microsoft.com/isaserver/evaluation/trial/default.asp
Very cool hands-on interactive training for ISA firewalls:
http://www.isa2004training.com
Rolling out ISA Server 2004 isn't for the faint of heart, but there is some excellent guidance on how to get things up and running in a branch office scenario with the least amount of heartache:
Introduction to Branch Deployment of ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/intro_to_branch_deployment_ee.mspx
One way to install the ISA Server 2004 Enterprise Edition firewall is in a "workgroup", where none of the array members are part of an Active Directory domain. While we don't recommend this configuration here at ISAServer.org (because you lose the security advantages of domain membership), a lot of you have to deal with security "specialists" who prevent you from deploying the best configuration. So, for your reading enjoyment check out ISA Server 2004 Enterprise Edition in a Workgroup
http://www.microsoft.com//technet/prodtechnol/isa/2004/plan/workgroup_ee.mspx
Capacity planning for ISA firewall provisioning is always a great topic of discussion. Here's a cool article on SSL issues when sizing your ISA firewalls:
SSL Capacity Planning
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ssl_performance.mspx
Like I do every month, I want to point out again the great information in the ISA deployment kits. From my experiences on the ISAServer.org Web boards and mailing list, as well as the Microsoft newsgroups, I would say that 90+% of the questions on how to do things with the ISA firewall are answered in these kit docs. They are so packed with information it's impossible to describe in words just how useful and comprehensive they are!
There are kits for rolling out the ISA firewall in the branch office, using the ISA firewall to protect Exchange Servers, using the ISA firewall as a cutting edge VPN server and VPN site to site VPN gateway, and more. Check out the kits listed below for more info:
ISA 2004 Branch Office Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_branchoffice-Rev%201%2003.doc
ISA 2004 Exchange Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_exchangekit-Rev%201%2005.doc
ISA 2004 Quick Start Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc
ISA 2004 Configuration Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc
ISA 2004 VPN Deployment Kit
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_vpnkit-Rev%201%2004.doc
Finally, if you want to get some hands-on experience with the ISA firewall software and don't want to incur the overhead of installing the software on a test network, check out the free hands-on labs provided by Microsoft. The hands-on labs are really popular and for good reason: they work well and provide you your own lab environment to test the ISA firewall without incurring the overhead of building a lab yourself!
http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx
7. Ask Dr. Tom
QUESTION: Is there a document on the configuration on the "back to back" solution? I am new to ISA. I have created a lab with both servers up and running. It seems like I can not get the back firewall to talk to the front. When trying to get to the Internet the internal NIC of the back end firewall keeps getting denied access. Any help would be greatly appreciated. FYI: Love the book!! Thanks! Brian.
ANSWER: Hey Brian, thanks for getting the book!
The back to back configuration is a good one that works well with front-end and back-end ISA firewalls. There was a time when the recommendation was that you use different firewalls for the front-end and back-end, but now we know firewall related security issues are tied much more closely to firewall misconfiguration, not to some attacker leveraging his knowledge of the front-end firewall to attack the back-end firewall.
There are many approaches you can take for this configuration. The easiest method is to just make the back-end ISA firewall a SecureNAT client of the front-end. However, making the back-end ISA firewall only a SecureNAT client has the potential of limiting protocol access for the back-end ISA firewall, since the SecureNAT client requires application filters to support complex protocols.
What I typically do is configure the back-end ISA firewall to be a Firewall client and a SecureNAT client of the front-end ISA firewall. You do this by chaining the back-end ISA firewall to the front-end. Then create a user account on the front-end ISA firewall that the back-end ISA firewall can use to authenticate with the front-end ISA firewall. Create an Access Rule that allows the back-end ISA firewall's user account access to all protocols and all sites. Then create another Access Rule on the front-end ISA firewall that allows the primary IP address on the external interface of the back-end ISA firewall to the ICMP protocols required for PING and other network management communications.
You can also use a cool feature in the ISA Server 2004 Enterprise Edition to prevent the back-end ISA firewall from remoting connections for all applications to a set of pre-defined ports that are well-known as worm ports. While port blocking isn't rocket science, it still has a place, and the Firewall chaining configuration allows you to take full advantage of both the Firewall client's stateful application layer inspection smarts and improve overall performance.
You might also consider making the back-end ISA firewall a Web proxy client of the front-end ISA firewall. Create a Web proxy chaining rule to forward all Web requests to the front-end ISA firewall. You can use a second user account for the Web proxy chaining configuration, so that you have one user account on the front-end ISA firewall for the Firewall chaining setup and another for the Web proxy chaining setup.
This information should get you started in the right direction. I'll get to work on an article series on how to do this! Thanks! -Tom.