Sponsored by: Aspelle & GFi Software Ltd.
ISAserver.org Newsletter
January, 2003
In this issue:
Welcome to the Isaserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Dissatisfied with the limitations and expense of
remote access technologies?
Aspelle's award-winning platform, Aspelle Everywhere,
manages and delivers secure, client-less access to corporate
applications, including Web, Unix, Windows and legacy
systems, over the Internet. Tightly integrated with
proven security standards and Microsoft technologies,
such as ISA server, Aspelle Everywhere is easy to implement
and rapidly adapts to a company's unique security concerns.
Experience a FREE demo: http://www.aspelle.com/info
1. Site Updates
By Stephen Chetcuti
The last few weeks saw the launch of ISA Server Feature Pack
1, which Tom covers in detail below, and GFI's freeware
WebMonitor for ISA Server, a handy tool that allows you
to monitor active ISA Server connections in real time.
If you still haven't snapped up Tom's new ISA Server book, be sure to take advantage of Amazon.com's 30% discount and purchase today!
Best Regards,
Stephen Chetcuti
2. Thomas Shinder's New ISA Server Book is Now Available!
By Thomas W Shinder
ISA Server and Beyond is now available! We've included
tons of stuff on DMZs, firewall chaining, hierarchical
Web caching (Web Proxy chaining), SSL bridging, SSL
publishing, OWA, Secure IMAP4/SMTP/POP3 publishing,
and publishing services on the ISA Server itself! Most
of this stuff isn't described anywhere else. If you're
ready to take ISA Server 2000 to the next level, then
this is a book you must have.
Downloads content checking & anti-virus for ISA
Server with GFI DownloadSecurity!
GFI DownloadSecurity for ISA Server enables you to
assert control over what files your users download from
HTTP & FTP sites. Downloaded files are content checked
for viruses, malicious content and objectionable material,
and can be quarantined based on file type and which
user downloaded them. GFI DownloadSecurity handles the
security risk of file downloads without resorting to
blocking all file downloads at firewall level! Blocking
of file downloads is an unpopular policy, and results
in your having to temporarily open ports/file types
for users, resulting in additional administration and
potential security holes.
3. ISA Server Feature Pack 1 Released
By Thomas W Shinder, M.D., etc.
It’s hard to believe that ISA Server 2000 is almost two years old. It seems like only yesterday that ISA Server first hit the scene. We’ve learned a lot about ISA Server since that first day, and we’re still learning more. Probably the best lesson we’ve learned is that ISA Server is a secure and stable firewall that’s the ideal network perimeter security solution for any Microsoft network.
But security isn’t the whole story. A security device has to be easy to configure. Regardless of operating system or server service, the most common reason for a breakdown in security is misconfiguration. Any Microsoft-savvy network admin will find ISA Server easy to work with, as it incorporates the familiar MMC interface and has Wizards that guide you through almost every configuration option. While I consider ISA Server the easiest firewall on the market to configure, you can always make it easier. And while ISA Server has proven to be virtually impenetrable, you can always make things more secure.
This is where ISA Server Feature Pack 1 (FP1) comes in. FP1 takes many of the features we already like about ISA Server and makes them better. In addition to improving existing features, FP1 adds some compelling new capabilities to ISA Server that make FP1 a must-have for any ISA Server administrator.
Improved SMTP Filter
ISA Server comes with the SMTP filter right
out of the box. The SMTP filter is an application filter that
examines SMTP messages and makes sure that commands sent to
your SMTP server do not exceed a preconfigured length. This
helps prevent buffer overflow attacks. The SMTP filter can
also be configured to work with the SMTP Message Screener.
The Message Screener is a spam control mechanism that can
block messages based on attachment characteristics, source
email address or email domain, or keywords in the subject
line or body.
One of the drawbacks of the original SMTP filter was that it didn’t support authentication with published SMTP servers. If you wanted to authenticate with a published SMTP server, then you needed to disable the SMTP filter. The new and improved SMTP filter now allows you to pass credentials through to a published SMTP server even when the filter is enabled. This allows you to publish a secure SMTP server that your external users can send SMTP messages to. The new SMTP filter also sports better performance characteristics and is much less likely to bog down your ISA Server if you choose to run the Message Screener on the ISA Server itself.
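To make the command-length idea concrete, here is an added example (written for this newsletter, not ISA Server's own filter code) of the kind of check an SMTP application filter performs before a command line is forwarded to the published server. The per-verb limits and the sample session are constructed for illustration and are not the filter's real defaults.

```python
"""Added example, not ISA Server code: a minimal SMTP command-length
check in the spirit of the SMTP application filter described above.
The per-verb limits are constructed for illustration; they are not the
filter's real defaults."""
from typing import Dict, List, Tuple

# Constructed limits: maximum number of bytes allowed after each verb.
MAX_ARG_LENGTH: Dict[str, int] = {
    "HELO": 256, "EHLO": 256, "MAIL": 256, "RCPT": 256,
    "AUTH": 512, "VRFY": 64, "EXPN": 64,
    "DATA": 0, "RSET": 0, "QUIT": 0, "NOOP": 0,
}
DEFAULT_ARG_LENGTH = 128   # applied to any verb not listed above


def check_smtp_command(line: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one raw SMTP command line.

    Overlong arguments are the classic way to overflow a fixed-size
    buffer in a poorly written SMTP server, so the length is checked
    here, before the line ever reaches the published server.
    """
    if not line.endswith(b"\r\n"):
        return False, "command not terminated by CRLF"
    body = line[:-2]
    if b"\x00" in body or any(c > 0x7F for c in body):
        return False, "NUL or non-ASCII byte in command"
    verb, _, args = body.partition(b" ")
    verb_name = verb.upper().decode("ascii")   # safe: ASCII checked above
    limit = MAX_ARG_LENGTH.get(verb_name, DEFAULT_ARG_LENGTH)
    if len(args) > limit:
        return False, f"{verb_name} argument is {len(args)} bytes, limit {limit}"
    return True, "ok"


def filter_session(lines: List[bytes]) -> List[str]:
    """Run every command of a session through the check and return the
    rejection reasons (an empty list means every command passed)."""
    return [reason for line in lines
            for ok, reason in [check_smtp_command(line)] if not ok]


if __name__ == "__main__":
    # Constructed sample session: a normal exchange plus one HELO whose
    # argument is far longer than any legitimate host name.
    session = [
        b"EHLO mail.example.test\r\n",
        b"MAIL FROM:<alice@example.test>\r\n",
        b"RCPT TO:<bob@example.test>\r\n",
        b"HELO " + b"A" * 4000 + b"\r\n",
        b"DATA\r\n",
    ]
    for reason in filter_session(session):
        print("rejected:", reason)
```

Verbs that take no argument get a limit of zero, so `DATA x` is rejected along with the oversized `HELO`; the check is deliberately independent of whether the published server itself is vulnerable.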
Delegation of Basic Authentication Credentials
ISA Server allows you to configure Web Publishing Rules that require authentication before the request reaches the Web server. This is a nice security feature, since unauthenticated users are stopped at the Incoming Web Requests listener. However, one of the drawbacks of authenticating at the ISA Server was that you couldn’t also enforce authentication at the Web server. You had to choose between authenticating with the Web server or with the ISA Server.
ISA Server Feature Pack 1 changes all of this. Now you can create a Web Publishing Rule that limits access to authenticated users. If the user sends Basic authentication credentials to the Incoming Web Requests listener, ISA Server can take those credentials and forward them to the Web server when the Web server challenges the Web Proxy service for authentication. The Web Proxy service forwards the credentials to the Web server and the user gains access to the Web server. This provides “single sign-on” and allows you to require authentication both at the ISA Server and at the Web server.
Delegation of Basic credentials is great, but keep in mind that Basic authentication is by its very nature insecure: the user name and password travel base64-encoded, not encrypted, so anyone who can read the traffic can recover them. When you use this feature, make sure you configure the Incoming Web Requests listener to force SSL for the connection over the public network.
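The following added example (not ISA Server code) shows at the HTTP level what delegation of Basic credentials amounts to, and why the listener must require SSL: decoding the header is trivial for anyone who can see the bytes. The model is simplified (it does not validate the credentials against a domain), and the header names and sample request are constructed.

```python
"""Added example, not ISA Server code: what delegation of Basic
credentials looks like at the HTTP level, and why the listener must
require SSL.  Credential validation is not modelled; the sample request
and realm name are constructed for this example."""
import base64
from typing import Dict, Optional, Tuple


def parse_basic_credentials(auth_header: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <token>' value into (user, password).

    Basic is only base64, not encryption: this is exactly what anyone
    watching a plaintext connection can do, which is why the Incoming
    Web Requests listener should force SSL.
    """
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def delegate_basic(client_headers: Dict[str, str],
                   listener_uses_ssl: bool) -> Tuple[str, Dict[str, str]]:
    """Decide what the proxy does with an inbound request.

    Returns (action, headers):
      "refuse"    the listener is plaintext; Basic credentials are not
                  accepted at all
      "challenge" no usable credentials; the listener answers 401 itself
                  and nothing reaches the Web server
      "forward"   credentials accepted at the listener and passed through
                  unchanged, so the Web server can authenticate the same
                  user without a second prompt (single sign-on)
    """
    if not listener_uses_ssl:
        return "refuse", {}
    auth = client_headers.get("Authorization")
    if auth is None or parse_basic_credentials(auth) is None:
        return "challenge", {"WWW-Authenticate": 'Basic realm="published site"'}
    # Strip any proxy-level header; the delegated header goes upstream as-is.
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() != "proxy-authorization"}
    upstream["Authorization"] = auth
    return "forward", upstream


if __name__ == "__main__":
    # Constructed request: alice / s3cret, base64-encoded as a browser would.
    token = base64.b64encode(b"alice:s3cret").decode("ascii")
    request = {"Host": "owa.example.test", "Authorization": "Basic " + token}
    print("recovered from header:", parse_basic_credentials(request["Authorization"]))
    print("SSL listener:", delegate_basic(request, True)[0])
    print("plaintext listener:", delegate_basic(request, False)[0])
```

The `refuse` branch is the policy the paragraph above recommends: a listener that accepts Basic credentials without SSL is handing the password to every hop on the path.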
New Outlook Web Access Wizard
One of the most common questions we see on
the ISAserver.org message boards and mailing list is how to
publish Outlook Web Access. FP1 includes a new OWA Wizard
that takes care of many of the configuration steps you would
otherwise have to handle manually. The Wizard creates the
Destination Sets, binds certificates to the listener, and
creates the Web Publishing Rule. I like this Wizard because
it collects several configuration interfaces into a single
easy to use Wizard.
The OWA Wizard does more than walk you through
the basic ISA Server configuration for publishing your OWA
sites. It also makes the ISA Server capable of fixing problems
related to SSL publishing. If you’ve ever tried to publish
an OWA site using SSL to HTTP bridging, you’ve probably had
some problems along the way. The OWA Wizard makes some registry changes and allows the ISA Server to translate the HTTP responses sent by the OWA server into HTTPS links.
URLScan 2.5 for ISA Server
You probably have used URLScan to protect your Web servers. URLScan is an ISAPI plug-in that allows servers to examine the integrity of an HTTP request before allowing it to go through. Many people have asked for a version of URLScan that works with ISA Server. URLScan 2.5 installs on ISA Server and examines all the HTTP requests coming in for all Web Publishing Rules. When you have URLScan installed on the ISA Server, the HTTP requests are examined before they ever get to the internal Web server, thus improving security on your Web servers many-fold. URLScan configuration works the same way as it does on Web servers: you make changes to the URLScan.ini file.
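As an added illustration of the request pre-screening URLScan does in front of the Web server (this is example code written here, not URLScan or ISA Server code), the block below reads a small INI-style configuration and rejects requests whose verb, length, extension or URL sequences fall outside it. The INI text, its section and option names, and the sample requests are constructed to resemble URLScan.ini; consult the real URLScan.ini for the actual settings.

```python
"""Added example, not URLScan or ISA Server code: an HTTP request
pre-check modelled loosely on the kind of rules an URLScan.ini file
expresses.  The INI text and its option names are constructed for this
example."""
from typing import Dict, List, Tuple

# Constructed configuration.  Section and key names are assumptions
# chosen to resemble URLScan's, not copied from the real file.
SAMPLE_INI = """
; constructed sample, not a real URLScan.ini
[Options]
MaxUrl=260
AllowHighBitCharacters=0

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.exe
.bat
.ida

[DenyUrlSequences]
..
./
\\
:
"""


def parse_ini(text: str) -> Dict[str, List[str]]:
    """Parse the simple [section] / line format into {section: [lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def check_request(method: str, url: str, cfg: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request line, evaluated before
    the request is forwarded to the published Web server."""
    options = dict(l.split("=", 1) for l in cfg.get("options", []) if "=" in l)
    max_url = int(options.get("MaxUrl", "260"))
    allow_high_bit = options.get("AllowHighBitCharacters", "0") == "1"

    if method.upper() not in {v.upper() for v in cfg.get("allowverbs", [])}:
        return False, f"verb {method} not in AllowVerbs"
    if len(url) > max_url:
        return False, f"URL length {len(url)} exceeds MaxUrl={max_url}"
    if not allow_high_bit and any(ord(c) > 0x7F for c in url):
        return False, "high-bit character in URL"

    path = url.split("?", 1)[0]          # query string is not path-checked here
    for seq in cfg.get("denyurlsequences", []):
        if seq in path:
            return False, f"denied sequence {seq!r} in URL"

    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[1].lower()) if "." in last else ""
    if ext in {e.lower() for e in cfg.get("denyextensions", [])}:
        return False, f"extension {ext} is denied"
    return True, "ok"


if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    # Constructed requests: one normal OWA page, one traversal attempt,
    # one denied extension, one disallowed verb.
    for method, url in [("GET", "/exchange/default.htm"),
                        ("GET", "/scripts/../private/config.txt"),
                        ("GET", "/tools/run.EXE"),
                        ("TRACE", "/")]:
        print(method, url, "->", check_request(method, url, cfg))
```

Checks run in the same order as the list above: verb first, then length, then character set, then sequences, then extension, so the reason returned is the first rule that failed.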
Link Translator
The Link Translation feature is an interesting
one. It’s something I never thought about needing, but there
must have been a groundswell of support that led to the development
of this feature. The Link Translator allows you to publish
Web sites that have embedded “hard links” to internal resources
that are located on the internal network. For example, the
Web site or application has a link for http://server/. External users can’t
use that reference, but the Link Translator can be configured
with a dictionary that converts http://server/ to http://www.server.net/, which
is accessible from the Internet.
Another interesting feature of the Link Translator is that you can use it to manipulate the protocols used in a bridging situation. For example, if an external client makes a request using SSL to the ISA Server, and the bridging is from SSL to HTTP, absolute links in the response body that contain HTTP in them can be converted to HTTPS, ensuring that the communications work between the Web server and the external network client.
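Both uses of the Link Translator described above, the dictionary rewrite of internal names and the HTTP-to-HTTPS fix when bridging SSL to HTTP, can be shown in one added example (written here, not ISA Server's Link Translator code). The host names, dictionary and sample page are constructed.

```python
"""Added example, not ISA Server's Link Translator: a dictionary-driven
rewrite of absolute links in an HTTP response body, plus the HTTP-to-HTTPS
scheme change used when bridging SSL to HTTP.  Host names and the sample
page are constructed."""
import re
from typing import Callable, Dict

# Matches href/src/action attribute values in an HTML body.
_LINK_ATTR = re.compile(r"((?:href|src|action)\s*=\s*[\"'])([^\"']*)([\"'])",
                        re.IGNORECASE)


def make_translator(dictionary: Dict[str, str],
                    bridge_https_for: str = "") -> Callable[[str], str]:
    """Return a function that rewrites one URL.

    dictionary maps internal prefixes to public ones, for example
    {"http://server/": "http://www.server.net/"}.  Longer prefixes are
    tried first so the most specific entry wins.  If bridge_https_for is
    a host name, http:// links to that host become https:// so a client
    that reached the listener over SSL keeps using SSL.
    """
    entries = sorted(dictionary.items(), key=lambda kv: -len(kv[0]))

    def translate(url: str) -> str:
        lower = url.lower()
        for internal, public in entries:
            if lower.startswith(internal.lower()):
                url = public + url[len(internal):]
                lower = url.lower()
                break
        if bridge_https_for and lower.startswith("http://" + bridge_https_for.lower()):
            url = "https://" + url[len("http://"):]
        return url

    return translate


def translate_body(html: str, translate: Callable[[str], str]) -> str:
    """Apply the translator to every link attribute in a response body."""
    return _LINK_ATTR.sub(lambda m: m.group(1) + translate(m.group(2)) + m.group(3),
                          html)


if __name__ == "__main__":
    # Constructed response body with an internal "hard link".
    page = ('<a href="http://server/exchange/">Mail</a>'
            '<img src="http://server/images/logo.gif">'
            '<a href="http://other.example.test/">elsewhere</a>')
    translate = make_translator({"http://server/": "http://www.server.net/"},
                                bridge_https_for="www.server.net")
    print(translate_body(page, translate))
```

The external client's browser never sees `http://server/`; it receives `https://www.server.net/...`, which resolves on the Internet and keeps the session on SSL.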
I’m definitely going to have to spend some time with the Link Translator. I see a lot of potential for this tool and I’ll keep you “in the know” with regular article updates over at http://www.isaserver.org/.
Improved RPC Filter
Perhaps the most compelling reason to use
ISA Server instead of another firewall is the ability to easily
publish an internal Exchange Server so that external Outlook
MAPI clients can connect to that server. Exchange RPC publishing
allows you to create a complete mail server publishing solution
with a single rule. You don’t need to monkey around with SMTP,
POP3 or IMAP4 if your clients all use “big Outlook” (Outlook
2002/2002).
If there was a drawback to Exchange RPC publishing, it would have been that there was no way you could force your external network clients to use encryption. The users had the option to use, or not use, an encrypted RPC link. The new FP1 RPC Filter allows you to force your external Outlook clients to use encryption. When you force encryption, external network clients not using encryption will not be able to connect to the published Exchange Server.
Another big plus of the new RPC Filter is
that it supports outbound access to external Exchange Servers.
This configuration had been problematic because you would
have to create a Protocol Rule that requires secondary connections
and then configure the clients as Firewall clients. With the
new RPC Filter, even the lowly and underpowered SecureNAT
client can connect to external Exchange Servers through the
ISA Server.
Conclusion
Feature Pack 1 delivers a bevy of must-have features. The improvements in the SMTP and RPC filters make it almost mandatory that you install FP1. Other features, such as Link Translation and URLScan, have a place in many environments too. I’ve installed the feature pack on over a dozen machines so far, and haven’t found any adverse effects. Web and Server Publishing Rules work better, the VPNs work as they always have, and outbound access is improved because now the SecureNAT clients can access external Exchange Servers. Bottom line: get ISA Server Feature Pack 1 and install it
now! You can find it at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en.
4. ISAServer.org Learning Zone articles of Interest
We have a great group of articles in the Learning Zone that
will help you get a handle on your most difficult configuration
issues. Here are just a few of the newer and more interesting
articles:
5. Q Articles of the Month
Here are some interesting and useful ISA Server related Q articles
posted by Microsoft in the last month:
6. Post of the Month!
Ever wonder about some of those cryptic status codes that appear
in the ISA Server service log files? Me too! Here's some helpful
advice from Alex Polak:
The status code, which appears in the ISA log entry, comes from one of the following sources:
1. (most common) The actual HTTP code returned by a web server (e.g. 200, 304 etc.)
2. ISA web proxy event code. You can find a list of those in the ISA.CHM Help file under Troubleshooting - Additional Resources -> Event Messages -> Web Proxy service event messages. The response received by a client browser will contain the corresponding HTTP code (such as "407 Proxy Authorization Required", "414 URL too long" etc.) while the log will list the exact error code (e.g. 12209, 12215 etc.). Note that in the case of the 12215 error, you will probably need to use the Search tab on the CHM document, since the link to it from the page I've referenced above seems to be missing.
3. Other errors - usually caused by an unexpected condition. '64' is an example of such an error; this is the Windows error code meaning "The specified network name is no longer available." (Editor's Note: open a command prompt and type net helpmsg 64 and you'll see a description of the error. --Tom.) This was apparently caused by faulty client/browser or server software, which unexpectedly terminated the connection to the ISA server in the middle of the session. The '995' code also belongs to this last group. (Editor's Note: 995 is the "The I/O operation has been aborted because of either a thread exit or an application request" error. --Tom.)
--
Alex Polak, Microsoft ISA Server Product Team
This posting is provided "AS IS" and includes no warranties, and confers no rights.
7. ISA Server Link of the Month
Sizing and tuning is key to a smooth-running server of any kind. This is especially true of a caching firewall that services thousands of user requests per minute. When performance is lagging, should you upgrade the processor? Add memory? Create an array? Use RAID? Edit the Registry? Stop guessing and find out for sure. Microsoft has released an article entitled ISA Server Performance Best Practices and it's a goodie! A definite "must-read".
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/ISA/ISAPrfBP.asp
8. Ask Dr. Tom
QUESTION: I've been trying to get an understanding of ISA Server for about a year now. I guess some people are denser than others; it's been a struggle. I am in the process of setting up a lab in order to migrate from Proxy Server to ISA Server. The Proxy Server had packet filters defined for DNS and when I migrated the lab system to ISA Server the packet filters migrated as well, which I expected. I disabled the DNS packet filters and followed your instructions on how to publish a DNS server. In Event Viewer I got an error that port 53 was in use. Do you have any suggestions where the port may be getting bound to the external network card? Also, if you would, please point me to where I can get some information on how to set up MX records on an external DNS server. I can't seem to get the proper response from nslookup that identifies the mail servers.
ANSWER: I typically suggest removing the DNS server from
the ISA Server, but there are times when you might want to do
this, or when you have to do this. There are two circumstances
where I see a DNS server on the ISA Server to be a good thing:
when the DNS server is configured as a caching only server,
or if you’re experiencing problems with DNS server publishing
because of pending name resolution operations (you’ll see a
flood of UDP 137 packets in the packet filter log if you have
the latter problem), then you can configure the DNS server as
a secondary for your public DNS servers.
The caching only DNS server on the ISA Server is a good option
because you can configure your internal network DNS resolvers
to use this server as a forwarder. You can then configure the
caching only server to use your ISP’s DNS server as a forwarder.
This protects your internal network DNS server from direct contact
with Internet servers, and it also limits your caching only
server’s exposure to only the ISP’s DNS server.
The other situation where you would want to put a DNS server
on the ISA Server comes courtesy of Jim Harrison. In this case,
you configure your public DNS zones on internal DNS servers
and then configure the DNS server on the ISA Server to be a
secondary for these zones. This seems to circumvent problems
some ISA Server admins experience when publishing DNS servers.
There are some things to keep in mind when running a DNS server on the ISA Server itself. First, make sure that you configure the DNS server to listen on the appropriate interface. If it’s a caching-only server, it should listen only on the internal interface. If it’s a secondary for your public zones, then configure it to listen only on the external interface. There is a default DNS packet filter pre-configured on the ISA Server and you should leave that intact. If you are running a secondary on the ISA Server, then you need to configure packet filters that will allow inbound access to UDP 53 and perhaps TCP 53, depending on whether you want to support external IIS 5.0 MX record queries.
As for creating MX records, all you need to do is create a Host
(A) record and then create a Mail Exchange (MX) record using
the A record. You can set preference levels for the MX record,
with the low value being the preferred mail server. If the preferred
server is not available, SMTP servers will send to the next
favored server based on the preference value.
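The two rules in the answer above, that each MX target must have a Host (A) record and that the lowest preference value is tried first, can be checked mechanically. The block below is an added example written for this column, not part of the original answer, run over a constructed zone.

```python
"""Added example, not from the newsletter: checks the two MX rules in the
answer above (every MX target needs an A record; lowest preference is
tried first, then the next) over a constructed zone."""
from typing import Iterable, List, Optional, Tuple

# Constructed zone: (owner name, type, data).  MX data is (preference, target).
ZONE = [
    ("example.test.",       "A",  "203.0.113.10"),
    ("mail1.example.test.", "A",  "203.0.113.25"),
    ("mail2.example.test.", "A",  "203.0.113.26"),
    ("example.test.",       "MX", (10, "mail1.example.test.")),
    ("example.test.",       "MX", (20, "mail2.example.test.")),
    ("example.test.",       "MX", (30, "backup.example.test.")),  # no A record
]


def mx_records(zone, domain: str) -> List[Tuple[int, str]]:
    """All MX records for domain, sorted by preference (lowest first)."""
    return sorted(data for name, rtype, data in zone
                  if name == domain and rtype == "MX")


def missing_a_records(zone) -> List[str]:
    """MX targets with no A record in the zone; senders cannot reach them."""
    a_names = {name for name, rtype, _ in zone if rtype == "A"}
    return [target for _, rtype, data in zone if rtype == "MX"
            for _pref, target in [data] if target not in a_names]


def next_mail_server(zone, domain: str,
                     unavailable: Iterable[str] = ()) -> Optional[str]:
    """The host an SMTP sender tries next: lowest preference first,
    skipping servers that are down and targets without an A record."""
    skip = set(unavailable) | set(missing_a_records(zone))
    for _pref, target in mx_records(zone, domain):
        if target not in skip:
            return target
    return None


if __name__ == "__main__":
    print("MX order:", mx_records(ZONE, "example.test."))
    print("MX targets lacking A records:", missing_a_records(ZONE))
    print("first choice:", next_mail_server(ZONE, "example.test."))
    print("if mail1 is down:", next_mail_server(ZONE, "example.test.",
                                                {"mail1.example.test."}))
```

The third MX entry illustrates the answer's ordering advice: without its A record it is never a usable fallback, which is exactly the kind of gap an nslookup query will not make obvious.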
QUESTION: I read your article on "ISA Server DMZ Scenarios", and have a question for you. I generally have worked with firewalls that are not ISA (Checkpoint, PIX, etc). Firewalls with 3 or more NICs and a DMZ or multiple DMZs are used a lot. In your article you state that the DMZ must have public IP addresses. Is this an ISA thing? In practice, the firewalls I have dealt with have had a minimum of 3 zones (internal, external, DMZ) and quite often more zones for specialized secure connectivity. These zones have always been private IP addresses; most of these techniques and setups have been approved by the vendor (Checkpoint, Cisco) and then validated by outside consulting (PWC, IBM, Metagroup, etc). Is the issue that ISA still does not do what the other firewalls can do, and that is why it cannot support these configurations? Looking through some of ISA it seems that there is a lot of great work done in making it a neat product. I got your ISA book, and it is great!
ANSWER: You do need to use public addresses in the conventional trihomed DMZ configuration. The reason for this is that ISA Server sees the world in terms of a trusted address space (LAT hosts) and an untrusted address space. ISA Server policies are enforced for communications between trusted and untrusted hosts but not between trusted hosts. You can use private addresses in the DMZ segment, but if that segment isn’t on the LAT, the ISA Server won’t apply policy and will only route packets between that segment and the Internet. This obviously won’t work. You can put the DMZ host addresses in the LAT, but then the ISA Server won’t apply policy to packets moving between the LAT segments. You can get control over packet movement between the LAT segments directly connected to the ISA Server by using RRAS packet filters and IPSec policies. RRAS packet filters and IPSec policies work nicely together, because not all operating systems support IPSec policies. I cover the details of configuring LAT-based DMZ segments in ISA Server and Beyond. Lastly, thanks for getting the book!
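The trusted/untrusted rule in the answer above is easy to get wrong in practice, so here is an added example (written for this column, not ISA Server code) that models it: policy applies only when exactly one end of a flow is on the LAT. Running it over a constructed private DMZ shows the two outcomes the answer describes, Internet traffic that is merely routed when the DMZ is off the LAT, and internal-to-DMZ traffic that gets no policy at all when the DMZ is on it. All addresses are constructed.

```python
"""Added example, not ISA Server code: a model of the trusted/untrusted
address-space rule described in the answer above, showing why a
private-address DMZ segment is either merely routed (off the LAT) or
unpoliced (on the LAT).  All addresses are constructed."""
import ipaddress
from typing import Dict, Iterable


def in_lat(address: str, lat: Iterable[str]) -> bool:
    """True if the address falls inside any Local Address Table range."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(net) for net in lat)


def isa_treatment(src: str, dst: str, lat: Iterable[str]) -> str:
    """How the LAT model treats a packet between src and dst:
      'policy'      one side trusted, the other untrusted: rules are enforced
      'lat-to-lat'  both trusted: forwarded with no firewall policy
      'route-only'  neither trusted: routed, no policy applied"""
    lat = list(lat)
    s, d = in_lat(src, lat), in_lat(dst, lat)
    if s != d:
        return "policy"
    return "lat-to-lat" if s else "route-only"


def dmz_assessment(internal_host: str, dmz_host: str, internet_host: str,
                   lat: Iterable[str]) -> Dict[str, str]:
    """Treatment of the two flows an admin cares about for a DMZ segment."""
    lat = list(lat)
    return {
        "internet->dmz": isa_treatment(internet_host, dmz_host, lat),
        "internal->dmz": isa_treatment(internal_host, dmz_host, lat),
    }


if __name__ == "__main__":
    INTERNAL, DMZ, INTERNET = "10.0.0.5", "192.168.1.5", "198.51.100.7"
    # Private DMZ left off the LAT: Internet traffic to it is only routed.
    print("DMZ off LAT:", dmz_assessment(INTERNAL, DMZ, INTERNET, ["10.0.0.0/8"]))
    # Private DMZ added to the LAT: internal<->DMZ traffic gets no policy.
    print("DMZ on LAT: ", dmz_assessment(INTERNAL, DMZ, INTERNET,
                                         ["10.0.0.0/8", "192.168.1.0/24"]))
```

Either way one of the two flows escapes policy, which is the gap the answer proposes closing with RRAS packet filters and IPSec policies on the LAT segments.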