
ISAserver.org Newsletter of January 2005 (Looking back at 2004 Edition)

Sponsored by: GFI Software Ltd.

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

GFI WebMonitor for ISA Server FREEWARE - Monitor & block web browsing in real time

GFI's WebMonitor for ISA Server is a freeware utility for ISA server that allows you to monitor the web sites being browsed by network users and the files they are downloading - in REAL TIME. It also allows administrators to block current web connections as needed.

Click here to download the fully functional freeware version.



1. ISA Server Becomes a True Network Firewall in 2004

By Thomas W Shinder MD, MVP

2004 has been a fantastic year for ISA Server. With the release of ISA Server 2004, we finally have a native Microsoft firewall that really is a true network firewall. I always wondered, prior to the release of ISA Server 2004, if the ISA product would ever reach the level of a true stateful packet inspection (stateful filtering) and stateful application layer inspection firewall.

While I had implicit trust in the ISA Server 2000 product, it had a lot of problems on the firewall front because it applied SPI and stateful application layer inspection only on traffic moving between LAT and non-LAT hosts, and only the external interfaces of the ISA Server 2000 firewall were completely protected by the ISA Server 2000 firewall components.

Any doubt about the future of the ISA Server product as a true third-generation stateful firewall came to an end with the release of ISA Server 2004 in May 2004. In stark contrast to ISA Server 2000, the new ISA firewall applies stateful filtering and stateful application layer inspection to all interfaces, not just the external interface. Not only that, but the new ISA firewall introduced a one of a kind VPN server that applies both stateful filtering and stateful application layer inspection on all VPN interfaces. Connections from both remote access VPN clients and VPN gateways are subjected to the strong stateful inspection that any other connection made through the ISA firewall is subjected to.

The new ISA firewall has come a long way from its humble beginnings as "Proxy Server". The first version of Proxy Server was version 1.0, which was actually called "Internet Access Server" or IAS. IAS is long gone as a proxy server, but the acronym was brought back to life with Microsoft Internet Authentication Server (which is a RADIUS server).

Internet Access Server was improved and re-released not long after it went RTM, with the subsequent version known as "Proxy Server 2.0". Both Internet Access Server and Proxy Server 2.0 were primarily Web proxy and Winsock proxy servers. They really didn't fit into the mold of a network firewall because they had significant dependencies on the Internet Information Services WWW service and lacked flexibility in both the stateful filtering and stateful application layer inspection areas.

ISA Server 2000 was a major rewrite of the Proxy Server product line, which moved it away from being a simple Web and Winsock proxy server. The ISA Server 2000 product was no longer dependent on IIS, and could be configured with complex firewall rules to control both inbound and outbound traffic through the ISA Server 2000 firewall. However, one thing really stood in the way of ISA Server 2000 being accepted as a true network firewall: its dependency on the LAT and the fact that all communications between LAT hosts were inherently trusted. No stateful inspection was performed on communications between these trusted LAT hosts, which included VPN client and gateway communications.

As much as I liked ISA Server 2000, I was always a bit nervous about its LAT-based nature. The internal interface had to be on the LAT, which meant that the firewall didn't protect itself very well. You really had to be assiduous about patching ISA Server 2000 and the underlying operating system, and performing system hardening tasks that weren't always easy to perform.

ISA Server 2004 completely changed the playing field. The new ISA firewall has no LAT and there is no such thing as a trusted host. Not only are no connections allowed through the ISA firewall by default, no connections are allowed to the ISA firewall by default.

In fact, the new ISA firewall will be the most secure device on your network. All connections to and through the ISA firewall are subjected to its stateful packet inspection and stateful application layer filtering engines. I no longer worry so much about patching the firewall (although I know that I should), since no connections are allowed to the firewall unless I explicitly allow them (and I don't).

No longer is the product just a proxy server. With ISA Server 2004 we have a real, industrial strength network firewall that includes Web and Winsock proxy components, giving us the best of both security worlds by working as a blended stateful packet inspection and proxy firewall.

I can't wait to see what the year 2005 has in store for the new ISA firewall line!

ISA Server Alert!
Just in case you haven't heard yet, our new book Dr. Tom Shinder's Configuring ISA Server 2004 is now on the shelves! If you'd like a taste of what's in the book, check out Chapter 2 online at http://isaserver.org/articles/Configuring-ISA-Server-2004-Chapter2.html

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder

Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder are preparing their next ISA Server book for you, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they'll be sharing the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is going to be even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.







3. ISAserver.org Learning Zone Articles of Interest


We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month


Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

5. Post of the Month


There has been a lot of talk about the issue related to HTTP compression and the ISA firewall's Web Publishing feature. Here's a great post taken from the ISAserver.org Web boards that sheds some light on this issue:

"You can have your cake and eat it too.

The reason why the Web server doesn't compress is that it never receives the accept-encoding header, and assumes the browser doesn't support compression.

So far I believe we both agree, but your assumption about why this happens is a little bit off: "...the webfilter, which appears to be responsible for stripping the header."

The actual reason: SendAcceptEncodingHeader is set to False by default for a new rule.

Setting it to True lets it through. There's no checkbox for this in ISA 2004 admin, but there's nothing mysterious about it. It is properly documented in the ISA 2004 DOM on MSDN, and the below script is an example of how to set it.

Option Explicit
Dim ruleName, FW, myRule

' Name of the Web Publishing Rule to change, passed on the command line
ruleName = WScript.Arguments(0)
' Connect to the ISA 2004 administration COM object model
Set FW = CreateObject("FPC.Root")
Set myRule = FW.GetContainingArray.ArrayPolicy.PolicyRules.Item(ruleName)
' Let the client's Accept-Encoding header reach the published Web server
myRule.WebPublishingProperties.SendAcceptEncodingHeader = True
myRule.Save
WScript.Echo "Settings changed for " & ruleName

run it from the commandline:
WScript yourScriptName.vbs yourRule

In addition to this, to enable compression during https, you probably have to uncheck Block high bit and verify normalization under configure HTTP. You don't have to disable any filter.

As pointed out earlier by Dr Shinder, if you compress you cannot inspect - but most of us probably don't need to inspect outgoing information in a regular web publishing scenario anyway.

Credits: A hint by an MS guy that works with ISA 2004. Of course they know, and of course ISA 2004 is secure.

Personally, I think ISA 2004 is amazing. I have never used software that has made so much difference for me in so short a time.

Joe"

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=22;t=000161

Thanks Joe! This is some great information and it reminds all of us that we need to delve into the ISA firewall's SDK from time to time.
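To show what is actually going on in Joe's post, here is an added example (not part of the post, and not ISA code) that models the three parties in Python: a browser that advertises gzip, a Web Publishing Rule that either drops or forwards the Accept-Encoding header, and an IIS-style origin that compresses only when it sees that header. It also models the trade-off Dr. Shinder raised: a body filter that looks for a signature string cannot match inside a gzip stream unless it inflates the body first. The page body, the signature marker and the host name are constructed sample values.

```python
import gzip
from typing import Dict, Tuple

# Constructed sample page: repetitive enough that gzip actually shrinks it,
# plus a marker standing in for anything an HTTP filter would want to catch.
ORIGIN_BODY = (b"<html><body>" + b"Quarterly report line. " * 40
               + b"CONFIDENTIAL-MARKER</body></html>")
SIGNATURE = b"CONFIDENTIAL-MARKER"


def origin_server(request_headers: Dict[str, str]) -> Tuple[Dict[str, str], bytes]:
    """Behave like a Web server with HTTP compression enabled: gzip the body
    only if the request carried Accept-Encoding listing gzip."""
    accept = request_headers.get("Accept-Encoding", "")
    tokens = [t.strip() for t in accept.lower().split(",")]
    if "gzip" in tokens:
        return {"Content-Encoding": "gzip"}, gzip.compress(ORIGIN_BODY)
    return {}, ORIGIN_BODY


def web_publishing_rule(client_headers: Dict[str, str],
                        send_accept_encoding: bool) -> Tuple[Dict[str, str], bytes]:
    """Forward the client request the way the rule does: Accept-Encoding is
    removed unless SendAcceptEncodingHeader (modelled as a flag) is True."""
    forwarded = dict(client_headers)
    if not send_accept_encoding:
        forwarded.pop("Accept-Encoding", None)
    return origin_server(forwarded)


def body_filter_hit(resp_headers: Dict[str, str], body: bytes,
                    inflate_before_inspecting: bool) -> bool:
    """Minimal body filter: report whether SIGNATURE is visible in the response.
    On a gzip response the raw bytes never match; inspection only works if the
    filter inflates the body first (which costs the compression win)."""
    if resp_headers.get("Content-Encoding") == "gzip":
        if not inflate_before_inspecting:
            return SIGNATURE in body
        body = gzip.decompress(body)
    return SIGNATURE in body


def scenario(send_accept_encoding: bool, inflate: bool) -> Dict[str, object]:
    """Run one browser -> rule -> origin -> filter round trip and summarise it."""
    client = {"Host": "www.example.com", "Accept-Encoding": "gzip, deflate"}
    headers, body = web_publishing_rule(client, send_accept_encoding)
    return {
        "compressed": headers.get("Content-Encoding") == "gzip",
        "bytes_on_wire": len(body),
        "filter_sees_signature": body_filter_hit(headers, body, inflate),
    }


if __name__ == "__main__":
    for flag, inflate in ((False, False), (True, False), (True, True)):
        print(f"SendAcceptEncodingHeader={flag} inflate={inflate}:",
              scenario(flag, inflate))
```

With the flag off, the origin never sees Accept-Encoding and sends plain text, so the filter matches but nothing is compressed. With the flag on, the response is gzip and the filter matches only when it inflates first, which is the "if you compress you cannot inspect" point in practical terms.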




6. ISA Firewall Links of the Month

The Microsoft SharePoint Services team has come up with a great document on how to configure both ISA Server 2000 and the 2004 ISA firewall to publish Windows SharePoint Services sites. Check it out at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;887006

Want to try out the ISA firewall but don't have the trial software yet? Here you go!

http://www.microsoft.com/isaserver/evaluation/trial/default.asp

Are you getting ready to roll out an ISA firewall solution, but you're not sure how much hardware horsepower you need? Check out the ISA firewall's Performance Best Practices Guide:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx

How about some hardware-based ISA firewalls? Hardware ISA firewalls take the drudgery out of hardening the OS yourself, and they also sport hardware and drivers that have been optimized to squeeze out top performance from the ISA firewall software. Check out the current crop of ISA hardware firewalls here:

http://www.microsoft.com/isaserver/howtobuy/hardwaresolutions.asp

We all know that the ISA firewall is the firewall for protecting Microsoft Exchange Servers. But what about Microsoft Live Communications Server 2003? No problem! Check out this doc on how to use your ISA firewall to bullet-proof remote access connections to LCS 2003:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tls-isa.mspx

I want to point out again the great information in the ISA deployment kits. There are kits for rolling out the ISA firewall in the branch office, using the ISA firewall to protect Exchange Servers, using the ISA firewall as a cutting edge VPN server and site-to-site VPN gateway, and more. Check out the kits listed below for more info:

ISA 2004 Branch Office Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_branchoffice-Rev%201%2003.doc

ISA 2004 Exchange Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_exchangekit-Rev%201%2005.doc

ISA 2004 Quick Start Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc

ISA 2004 Configuration Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc

ISA 2004 VPN Deployment Kit
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_vpnkit-Rev%201%2004.doc

Remember, ISA Server 2004 Webcast week is coming up next month. There will be a ton of sessions on how to make the most out of your new ISA firewall. Register for these online Webcasts at:

http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx

7. Ask Dr. Tom


QUESTION: Dr Shinder, I just purchased your ISA Server 2004 book and found it to be an invaluable resource. However, I wish you would have spent a little more time on a front-end, back-end scenario. As such, I have been tasked with setting up a FE-BE ISA server network. My question is this: Where do the publishing rules get applied, the FE or the BE? I have a Perimeter/DMZ between the two ISA servers and 2 internal networks behind the BE server. On one of these internal networks sits a secure web server. How do I publish this internal secure web server? Do both FE and BE servers need a certificate? Any help would be most appreciated. Thanks, Ken.

ANSWER: Thanks for getting the book! We really wanted to put more information on the front-end/back-end ISA firewall configuration, but we were running out of pages. At over 1000 pages, the Configuring ISA Server 2004 book was getting too heavy for the store shelves :-) We'll probably end up doing another book later this year that goes into deep detail on ISA Server 2004 Enterprise Edition and also discusses advanced configuration issues using ISA Server 2004 Standard Edition.

You have two options with the front-end/back-end ISA firewall configuration. The front-end ISA firewall can use either a Web or a Server Publishing Rule to publish the listener address on the back-end ISA firewall. Since the back-end ISA firewall can do the stateful application layer inspection for the incoming SSL connections to the secure Web server located behind it, I would recommend that you create an HTTPS Server Publishing Rule on the front-end ISA firewall that publishes the IP address you use on the Web Listener used by the Web Publishing Rule on the back-end ISA firewall. This should also increase performance: the SSL connection is tunneled through the front-end ISA firewall (which acts like a simple stateful packet inspection firewall), and the strong security is then enforced by the back-end ISA firewall's Web Publishing Rule, which performs stateful application layer inspection of the incoming SSL connections using SSL-to-SSL bridging.

QUESTION: Hey Tom! Just curious, because I hear different stories. When you want to run authoritative DNS for let's say 2 domains, and you have 2 servers available:

1 ISA 2004 Server
1 DNS W2K3 Server

What's the best configuration to run DNS? Now I published my DNS server with a Server Publishing Rule. People say to me to run DNS on my ISA too. What's the best configuration?

ANSWER: If you want to run authoritative DNS servers for multiple domains, there's no need to use multiple physical machines. A single Windows DNS server can host thousands of DNS domains. For example, there's no problem at all hosting domain.com, mydomain.com, yourdomain.com and somewhere.org on the same DNS server. The only requirement is that you create a different DNS zone for each domain, which is a no-brainer using the Windows DNS server Zone Wizards.

However, things aren't as simple when you want to create a split DNS. The split DNS infrastructure enables you to use the same domain name for your internally accessible and externally accessible resources. I very highly recommend that you put together a split DNS infrastructure if you plan to enable remote access to any resources you host on an ISA firewall Protected Network. The issue with a split DNS, when using Windows-based DNS servers, is that you need two physical DNS servers to host the external and internal DNS zones. You could host your internal zone for the split DNS on an internal DNS server. There would be no need to publish this internal DNS server because there is no reason for external hosts to have knowledge of your internal IP addressing scheme. You could put the DNS server hosting the external zone for your split DNS infrastructure on the ISA firewall. While I like to avoid hosting extraneous services on the ISA firewall, when I'm in a good mood I would be willing to give in and approve hosting a public DNS zone on the ISA firewall itself.
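As an added illustration of the split DNS answer above (example code written for this newsletter, not anything from Microsoft or the Windows DNS server), the Python below holds two copies of the same zone, the internal one with private addresses and the external one with the address published on the ISA firewall, and answers a name according to which copy the client would reach. In a real deployment the client's resolver settings decide which of the two DNS servers it asks; the source-network test here just stands in for that. The consistency check at the end catches the usual split DNS mistake: a host that exists in the public zone but was never added to the internal copy, so internal clients cannot resolve it at all. Domain names, addresses and networks are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed external zone: what Internet hosts see (published addresses).
EXTERNAL_ZONE: Dict[str, str] = {
    "www.example.com.":  "203.0.113.10",
    "owa.example.com.":  "203.0.113.10",
    "mail.example.com.": "203.0.113.25",
}

# Constructed internal zone: same names, private addresses.
# mail.example.com. is deliberately missing to show the consistency check.
INTERNAL_ZONE: Dict[str, str] = {
    "www.example.com.": "10.0.1.20",
    "owa.example.com.": "10.0.1.30",
}

# Constructed internal address space (the ISA firewall's Protected Networks).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def zone_for_client(client_ip: str) -> Dict[str, str]:
    """Pick the zone copy a client would be served from. Internal clients are
    assumed to be configured to query the internal DNS server; everyone else
    reaches the public zone hosted on (or published through) the ISA firewall."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return INTERNAL_ZONE
    return EXTERNAL_ZONE


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Return the A record the client would get, or None if the zone copy it
    reaches has no such name (the split DNS gap an admin must watch for)."""
    fqdn = name.lower()
    if not fqdn.endswith("."):
        fqdn += "."
    return zone_for_client(client_ip).get(fqdn)


def missing_internal_records(external: Dict[str, str] = EXTERNAL_ZONE,
                             internal: Dict[str, str] = INTERNAL_ZONE) -> List[str]:
    """Names present in the public zone but absent from the internal copy.
    Every public name must also exist internally, otherwise internal users
    lose access to that resource the moment they are pointed at the
    internal DNS server."""
    return sorted(n for n in external if n not in internal)


if __name__ == "__main__":
    for who, ip in (("internal client", "10.0.5.7"), ("Internet client", "198.51.100.4")):
        print(who, "-> www.example.com =", resolve("www.example.com", ip))
    print("public names missing from the internal zone:", missing_internal_records())
```

Run as a script it shows the same name resolving to a private address for the internal client and to the published address for the Internet client, and it lists mail.example.com. as the name the internal zone still needs.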
