The No.1 ISA Server 2006 / 2004 / 2000 resource site

ISAserver.org Newsletter of February 2007

Sponsored by: Burstek

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

What's Getting By Your Expensive Security Software? Get a Free Trial of Burstek for ISA and See.

Stop paying inflated big brand prices for Internet security software! Designed specifically for ISA Server technology, Burstek's bt-Enterprise offers ISA, Exchange & Small Business server customers the most powerful & flexible solutions for Web filtering, blocking & reporting - at a fraction of the cost! Features include true Active Directory integration, security risk analysis reports, real time monitoring and no hidden costs or requirements. Try our 15-day free trial.

Download and Evaluate Burstek for ISA today and get a free USB laptop light



1. Should You Get an ISA Firewall or the IAG 2007?

By Thomas W Shinder MD, MVP

I had the opportunity to attend the RSA conference a couple of weeks ago and spent a good deal of time hanging out at the ISA and IAG booths. I really enjoyed the experience as I got to talk with people about their production deployments of the ISA Firewall. So many issues come up when talking to people at the conferences that I never hear about when working with people online on the Web boards or over e-mail. The most popular question at the RSA conference was how to decide whether to get an ISA Firewall or an IAG.

It's a good question because there is a lot of overlap between the ISA Firewall and the IAG. Both products include the ISA Firewall product, which makes them similar. However, the IAG also includes the upgraded Whale SSL VPN components.

The decision on whether to get an ISA Firewall versus an IAG is not always a straightforward one, but I think the decision isn't as hard as it might seem. Here are some key considerations:

  • The IAG is designed as an inbound access gateway for SSL VPN, PPTP VPN and IPSec VPN. It can also be used as a site to site VPN gateway. The IAG is not designed for outbound access control.
  • The ISA Firewall is designed to be a network stateful packet and application layer inspection firewall, VPN server and site to site VPN gateway, Web proxy and caching server, and secure application publishing server. The ISA Firewall is designed to perform strong user/group access controls for both inbound and outbound access.
  • Both the ISA Firewall and the IAG can be configured to provide strong inbound access control via Publishing Rules. For Web Publishing Rules, the IAG is orders of magnitude more sophisticated and more secure than the ISA Firewall. The IAG does not support Server Publishing Rules, so an ISA Firewall would be preferred in this scenario, as it performs application layer inspection on these connections.
  • For Web Publishing scenarios, the IAG supports granular policy controls, so that user access is customized based on what type of device is connecting; application functionality can also be controlled based on the security state of the connecting machine, as the IAG has a very powerful endpoint checking feature (probably the best endpoint checking feature in the SSL VPN industry). The ISA Firewall does not perform any type of endpoint checks for Web Publishing scenarios; endpoint checking is only supported for VPN connections using Remote Access Quarantine Control, which is absurdly complex to configure and typically requires a third party application such as Winfrasoft VPN-Q 2006 or Fred Esnouf's QSS v4.
  • The IAG supports three types of "SSL VPN". The first type is Web publishing of Webified and non-Webified applications, the second is socket and/or port forwarding, and the third type is a true SSL VPN, which is network layer VPN connectivity over an SSL tunnel (called the "network connector", similar to what SSTP will provide with Longhorn Server and Vista SP1 https://209.34.241.68/rrasblog/archive/tags/SSTP/default.aspx). The ISA Firewall does not support SSL port/socket forwarding or network level SSL VPN.
  • The IAG is significantly more costly than the ISA Firewall. While pricing is not available yet, you can expect to pay at least twice as much (more likely three times as much) for an IAG 2007 appliance compared to an ISA Firewall appliance or software solution.

Given these observations, I think we can come up with the following conclusions:

  • If you only need inbound access control (Web publishing and SSL VPN), then the IAG 2007 is the product of choice
  • If you only need inbound access control but are extremely price sensitive, then the ISA Firewall is the product of choice
  • If you need both strong inbound and outbound access control, then the ISA Firewall is the product of choice
  • If you need only strong outbound access control, then the ISA Firewall is the product of choice
  • If you need application layer inspection for non-Web application protocols, then the ISA Firewall is the product of choice
  • If you need strong inbound and outbound access control and the highest level of security for both, then you should purchase both an ISA Firewall and an IAG appliance
  • If you need a network layer SSL VPN, then the IAG is the right decision, regardless of any other considerations, because the ISA Firewall does not support SSL VPN

In the very near future I'll start posting articles on the IAG 2007 on the ISAserver.org Web site and we'll start supporting it on the Web boards. Remember, the IAG has the ISA Firewall on it, so it's completely appropriate as an edge device as the ISA Firewall has never been compromised and has no security issues reported on the www.secunia.com Web site (unlike most of the "hardware" firewalls you might be familiar with). Given that the IAG is an ISA Firewall based device, it's appropriate that we cover it here on ISAserver.org.

If you want to play with the IAG 2007 now, you can download the IAG 2007 hands on labs over at http://www.microsoft.com/forefront/edgesecurity/privacy.mspx

HTH,

Tom

Thanks!

Tom tshinder@isaserver.org

=======================

Quote of the Month - "Artificial Intelligence: the art of making computers that behave like the ones in movies"

-- Bill Bulko

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder

Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.







3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

5. Tip of the Month

"We have been working on this weird email issue. Everyone else can send us mail and we can send out without issue, but not with this one company. They have ISA 2004 and Exchange 2003; we have ISA 2004 and Exchange 2003. We captured packets and here is the error we got:

Response: 421 5.5.2 Syntax error (command line too long)\r\n

I have searched for this error and someone was leading us to it being an ISA to Exchange issue. They can receive email all day from us but nothing will make it back to us. Anyone have any ideas? We would greatly appreciate any help. Thanks and make it an awesome day. Bill"

Jason Jones comes back with the answer!

"Just in case anyone else is running into this issue. I was having trouble receiving email from one specific domain to our domain. I could send email to them but they could not send to me. The resolution for me was found in this Microsoft article after running a packet sniffer on the firewall and finding the error:

421 5.5.2 Syntax Error (command too long)

MS Article - http://support.microsoft.com/kb/312213

After changing the NOOP verb size from 6 to 1024 on the ISA 2004 SMTP filter as recommended in the article I could receive email from their domain."
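The tip above comes down to a per-verb command length limit on the SMTP filter: a NOOP line longer than the configured 6 characters is answered with 421 5.5.2 and the sending server never gets past it. The following Python model, added here as an illustration and not ISA Server code, reproduces that behaviour with a constructed per-verb limit table so you can see why raising the NOOP limit to 1024 lets the same command through; the non-NOOP limits and the sample command lines are assumptions.

```python
"""Model of a per-verb SMTP command length check (added example, not ISA code)."""

# Constructed per-verb limits. The NOOP entry models the two values from the tip
# (default 6, KB-recommended 1024); the other verbs are illustrative assumptions.
STRICT_LIMITS = {"HELO": 512, "EHLO": 512, "MAIL": 512, "RCPT": 512, "NOOP": 6}
RELAXED_LIMITS = dict(STRICT_LIMITS, NOOP=1024)

REJECT = "421 5.5.2 Syntax error (command line too long)\r\n"
ACCEPT = "250 OK\r\n"
UNKNOWN = "500 5.5.1 Command unrecognized\r\n"


def filter_command(line: bytes, limits: dict) -> str:
    """Return the reply a length-checking SMTP filter gives for one command line.

    The length compared against the limit is the whole command line (verb plus
    arguments) without the trailing CRLF, which is what makes a bare NOOP pass
    a limit of 6 while "NOOP <anything>" fails it.
    """
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    verb = text.split(" ", 1)[0].upper()
    limit = limits.get(verb)
    if limit is None:
        return UNKNOWN
    if len(text) > limit:
        return REJECT
    return ACCEPT


def blocked_only_by_strict(commands, strict=STRICT_LIMITS, relaxed=RELAXED_LIMITS):
    """Commands rejected under the strict table but accepted under the relaxed one.

    This is the diagnostic view of the tip: the list is non-empty exactly when a
    peer sends NOOP with an argument and the limit is still 6.
    """
    return [
        c for c in commands
        if filter_command(c, strict) == REJECT and filter_command(c, relaxed) == ACCEPT
    ]


# Constructed sample session: a peer that sends NOOP with an argument.
SAMPLE_SESSION = [
    b"EHLO mail.example.test\r\n",
    b"MAIL FROM:<user@example.test>\r\n",
    b"NOOP\r\n",
    b"NOOP keepalive-1\r\n",
]

if __name__ == "__main__":
    for cmd in SAMPLE_SESSION:
        print(cmd.rstrip(), "->", filter_command(cmd, STRICT_LIMITS).rstrip())
    print("fixed by raising NOOP limit:", blocked_only_by_strict(SAMPLE_SESSION))
```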




6. ISA Firewall Links of the Month

Check out this great demo lab environment that provides VMs and hands on labs for the ISA Firewall and the new Microsoft IAG 2007.

http://www.microsoft.com/forefront/edgesecurity/privacy.mspx

Microsoft Branch Office Infrastructure promotion. Get a price break on branch office ISA Firewalls that work with your Windows Server 2003 R2 branch office infrastructure.

http://www.microsoft.com/technet/branchoffice/promo.mspx

Rolling out Vista now? Then you need to update your Firewall client software. Download it here:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=05c2c932-b15a-4990-b525-66380743da89

When to use VSS on your ISA Firewall? This is a must read:

http://www.microsoft.com/technet/isa/2006/development/vss_writer.mspx

Lots of people have had problems publishing their Exchange 2007 mail sites using the ISA Firewall. There are a lot of changes with Exchange 2007, and you can't depend on your knowledge of Exchange 2003 to get you through the hump. Exchange 2007 lacks an intuitive interface, so you can't click your way through and figure things out. This article on how to publish Exchange 2007 using the ISA 2006 Firewall will get you through some of the pain:

http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx

After installing the ISA Firewall, you'll see a Web page with links to the ISA Firewall security guide. Most of us just close the window and don't read it, which is a shame, since this is a great document not only on ISA Firewall security, but network security in general. I highly recommend you read this doc, I think you'll learn a thing or two that you can put to use immediately on your network.

http://www.microsoft.com/technet/isa/2006/security_guide.mspx

7. Blog Posts

A Quest for Strong User Authentication with RPC over HTTP services and ISA Server 2006

http://blogs.isaserver.org/pouseele/2007/02/06/a-quest-for-strong-user-authentication-with-rpc-over-http-services-and-isa-server-2006/

Redirecting OWA Users to the Correct Directories and Protocols with ISA Server 2006 (Part 2)

http://blogs.isaserver.org/pouseele/2007/02/03/redirecting-owa-users-to-the-correct-directories-and-protocols-with-isa-server-2006-part2/

Microsoft Ships Intelligent Apps Gateway 2007

http://blogs.isaserver.org/shinder/2007/02/02/microsoft-ships-intelligent-apps-gateway-2007/

Network Engines Expands Intelligent Application Gateway 2007 Product Line with Single-Height Rackmount Appliance

http://blogs.isaserver.org/shinder/2007/02/02/network-engines-expands-intelligent-application-gateway-2007-product-line-with-single-height-rackmount-appliance/

ISA Firewall Quick Tip: Creating Detailed Reports Using ISA Server 2006 & Excel

http://blogs.isaserver.org/shinder/2007/01/31/isa-firewall-quick-tip-creating-detailed-reports-using-isa-server-2006-excel/

8. Ask Dr. Tom

QUESTION: I was on your personal page at…. http://www.isaserver.org/Thomas_Shinder/ researching on how to set up a VPN gateway for my wireless router on my primary server (I desire as secure as possible wireless and the router only goes to the VPN side of the server which is inside my network and offers access to the network and internet).

Anyway, I was clicking on the link in the first paragraph and they do not seem to work. "The ISA Server 2000 VPN Deployment Kit is Now Available for Download
You asked for it, you got it! No more searching all over the Internet for the information you need to roll out an ISA Server firewall/VPN server combo. The ISA Server 2000 VPN Deployment Kit has all the information you need, and all the information you need is in one place. Want to put together an L2TP/IPSec VPN? The kit shows you how, step by step, from creating the Certificate Authority, to requesting and issuing the certificates, to running the ISA Server VPN Wizards and finally to tuning the VPN server and configuring the VPN clients. It's all here. Check out the introduction of the Kit here and download either the Word format or PDF format. Question? Head on over to the ISAServer.org Message Boards and I'll answer them."

Hoping you could redirect me. --Jim

ANSWER: I'm glad you asked! The ISA 2000 and ISA 2004 Deployment Kits were real works of art and represented one of the most comprehensive and user friendly documentation projects in the history of software documentation. OK, I'm a bit proud of them, but I'll stand fast on my opinion that these kits made a major difference to thousands of ISA Firewall admins and significantly increased the uptake of the ISA Firewall. It's a real shame there were no deployment kits for the 2006 ISA Firewall. Maybe we'll have them for the next version of the ISA Firewall, ISA 2008. Keep your fingers crossed!

The easiest way to find our deployment kits on the ISAserver.org Web site is to use the Search Site box on any ISAserver.org Web page. Or, you can click this link http://www.isaserver.org/pages/search.asp?query=Deployment+Kit to find almost all of our deployment kits.

QUESTION: I want to use ISA 2004 for load balancing a number of Softgrid servers. Softgrid streams applications using the RTSP protocol over port 554. The Softgrid documentation says:

Creating a highly available SoftGrid Server
When defining high availability, just remember that SoftGrid acts almost like a Web server or any other Web service. In other words, when determining your high availability solution, treat SoftGrid like a Web server. In our experience, both Windows Load Balancing and third party hardware load balancers fit the bill. In either case, you build multiple, identical SoftGrid Servers, and then load balance TCP ports 80, 554, and 8080. The clients then reference a DNS name that resolves to the load-balanced IP address.


My question is: Will ISA 2004 be able to load balance requests from clients on our LAN to a number of Softgrid servers (like a web farm)? I know this can be done with web servers using HTTP, but can it be done with streaming traffic?

ANSWER: Yes! If you use ISA Enterprise Edition you can use the integrated support for NLB to publish your farm of servers. You would create Web and Server Publishing Rules to publish the appropriate protocols, and then confirm that each publishing rule preserves the source IP address of the incoming request. This is the default setting for Server Publishing Rules, but you have to manually set this value for Web Publishing Rules. If you're not interested in advanced security for the incoming Web requests, you can avoid Web Publishing Rules entirely and create a Server Publishing Rule for TCP port 80.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
