The No.1 ISA Server 2006 / 2004 / 2000 resource site

ISAserver.org Newsletter of January 2007

Sponsored by: Burstek

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

What's Getting By Your Expensive Security Software? Get a Free Trial of Burstek for ISA and See.

Stop paying inflated big brand prices for Internet security software! Designed specifically for ISA Server technology, Burstek's bt-Enterprise offers ISA, Exchange & Small Business server customers the most powerful & flexible solutions for Web filtering, blocking & reporting - at a fraction of the cost!

Download and Evaluate Burstek for ISA today and GET A FREE "NO WORRIES" T-SHIRT



1. What's the ISA Firewall-based Microsoft IAG About?

By Thomas W Shinder MD, MVP

If you go to the front page of the Microsoft ISA Firewall site, you'll see a lot of headlines about the new Microsoft Intelligent Application Gateway (IAG). The Microsoft IAG is an SSL VPN solution based on the recently acquired Whale SSL VPN and the 2006 ISA Firewall. This hybrid firewall and SSL VPN gateway is so impressive that it received many laudatory reviews from groups such as Forrester and Gartner even before a release version hit the streets.

So, just what is the Microsoft IAG? The Microsoft IAG includes the following:

  • An enhanced version of Web Publishing, which is far more sophisticated than the ISA Firewall's method of Web publishing. The level of security that the Microsoft IAG can provide for remote access to key Web enabled applications is orders of magnitude more secure than what the ISA Firewall can provide out of the box.
  • An SSL-encapsulated socket forwarder and port forwarder. The socket and port forwarders let you control which protocols and/or applications remote users can access after they connect to the Microsoft IAG SSL VPN gateway. The port forwarder acts more like a simple SOCKS proxy, while the socket forwarder behaves more like the ISA Firewall's Firewall Client application (an advanced Winsock proxy client), but works for remote access connections to the Microsoft IAG.
  • A "Network Connector" feature that enables true SSL VPN capabilities. I refer to this as a "true" SSL VPN connection because the network connector enables network level connectivity to the corporate network, in a manner similar to conventional PPTP and L2TP/IPSec (sometimes referred to as "IPSec") VPNs. I find the network connector one of the most interesting and compelling components of the Microsoft IAG solution and am looking forward to Microsoft further enhancing this feature.
  • Built-in wizards for SSL VPN creation. The "portal" is a Web page that gives users links to corporate resources. The portal page configures itself automatically based on the user account accessing the site, so that only links to services that user is authorized to use appear on the page.
  • The ISA Firewall is also included on the box. The main functions the ISA Firewall will perform are strong host based firewall protection for the Microsoft IAG itself, and support for PPTP and L2TP/IPSec VPN connections.

Many of you will wonder how the ISA Firewall compares with the Microsoft IAG. My answer is that the ISA Firewall is an enterprise-grade network firewall that includes stateful packet inspection, application layer inspection, Web proxy and Web caching, and PPTP, L2TP/IPSec and IPSec VPN server and gateway capabilities. The Microsoft IAG is a special-purpose appliance used only for inbound connections; it is not designed for full-fledged firewall deployments that require strong user/group-based access control for both inbound and outbound connections.

The ISA Firewall and the Microsoft IAG complement each other, rather than compete with one another. There are a variety of network scenarios and topologies where you can place both the ISA Firewall and the Microsoft IAG on your network to gain exceptional security for both inbound and outbound connections through your corporate network. In the next few months I'll spend quite a bit of time writing to you about these topologies and how to deploy both the ISA Firewall and Microsoft IAG to get the highest level of security available today for inbound and outbound connections to the Internet!

HTH,

Thanks!

Tom tshinder@isaserver.org

=======================

Quote of the Month - "We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true."

-- Robert Wilensky

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder now present their next ISA Server book, Configuring ISA Server 2004. This book leverages the more than two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged thousands of flight hours with ISA Server 2004, and they share the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.


Click here to order your copy today.





3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

5. Tip of the Month

A common question about the ISA Firewall is how to configure it to support the BackupExec agent on the ISA Firewall device. I've never investigated this problem myself, since there are some significant security issues with running third party, non-firewall related software on the ISA Firewall. However, if you do want to do this, then check out this post from Duane:

"I am also experiencing the same issue as Phil. The rules we had in place for ISA 2004 Standard, that migrated (and still appear to be allowing connections) are defined as follows:

Rule: Veritas RA
  Allow the Veritas RA Protocol (Defined below)
  From: Localhost
  To: Internal
  Condition: All Users
Rule: Veritas NDMP
  Allow the Veritas NDMP Protocol (Defined below)
  From: Internal
  To: Localhost
  Condition: All Users
Protocol: Veritas RA
  Primary Connections:
   Port Range: 11000-11049
   Protocol: TCP
   Direction: Outbound
  Secondary Connections:
   Port Range: 11050-11099
   Protocol: TCP
   Direction: Inbound
Protocol: Veritas NDMP
  Primary Connections:
   Port Range: 11000
   Protocol: TCP
   Direction: Outbound

When monitoring traffic while Backup Exec attempts to run a job, I see these connections open and close, and it appears this system state is being backed up (though I'm not positive). My guess is that it is really a Veritas issue, more than an ISA configuration problem, however I'm open to any help that I can get for this problem.

-Duane"

Thanks for the tip!
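The two rules and protocol definitions Duane lists are worth auditing before you copy them, because together they decide exactly which ports on the firewall itself an Internal host can reach. The following is an added example, not code from the newsletter and not ISA Server's own object model: the class names and the evaluate() and reachable_on() helpers are invented here to model how ISA treats the rule set, where a primary connection is initiated from the rule's source toward its destination, and a secondary connection is only permitted inside a session that a permitted primary connection has already opened.

```python
"""Audit model of the Backup Exec rules quoted in the tip (added example).

Not ISA Server's object model: the classes and helpers below are invented to
show what the rule set actually opens on the firewall's Localhost network.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Connection:
    """One primary or secondary connection of an ISA protocol definition."""
    proto: str       # "TCP" or "UDP"
    low: int         # first port of the range
    high: int        # last port of the range (equal to low for a single port)
    direction: str   # "Outbound" (source -> destination) or "Inbound" (the reverse)

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.low <= port <= self.high


@dataclass
class ProtocolDefinition:
    name: str
    primary: List[Connection]
    secondary: List[Connection] = field(default_factory=list)


@dataclass
class AccessRule:
    name: str
    protocol: ProtocolDefinition
    source: str        # network the primary connection comes from
    destination: str   # network the primary connection goes to


class RuleSet:
    def __init__(self, rules: List[AccessRule]):
        self.rules = rules
        # sessions opened by a permitted primary connection: (rule, source, destination)
        self.sessions: Set[Tuple[str, str, str]] = set()

    def evaluate(self, initiator: str, responder: str, proto: str, port: int) -> Optional[str]:
        """Name of the rule permitting a connection from initiator to responder, or None."""
        for rule in self.rules:
            # primary connection: initiated from the rule's source toward its destination
            if (initiator, responder) == (rule.source, rule.destination):
                if any(c.direction == "Outbound" and c.covers(proto, port)
                       for c in rule.protocol.primary):
                    self.sessions.add((rule.name, initiator, responder))
                    return rule.name
            # secondary inbound connection: the responder of an open session connects back
            if (rule.name, responder, initiator) in self.sessions:
                if any(c.direction == "Inbound" and c.covers(proto, port)
                       for c in rule.protocol.secondary):
                    return rule.name
        return None

    def reachable_on(self, network: str) -> List[Tuple[str, str, int, int, str]]:
        """Ports on `network` that another network may connect to, with the condition."""
        rows = []
        for rule in self.rules:
            if rule.destination == network:
                for c in rule.protocol.primary:
                    if c.direction == "Outbound":
                        rows.append((rule.name, c.proto, c.low, c.high,
                                     f"any time, from {rule.source}"))
            if rule.source == network:
                for c in rule.protocol.secondary:
                    if c.direction == "Inbound":
                        rows.append((rule.name, c.proto, c.low, c.high,
                                     f"only while a {rule.name} session is open, from {rule.destination}"))
        return rows


def build_backup_exec_rules() -> RuleSet:
    """The protocol definitions and access rules exactly as quoted in the tip."""
    veritas_ra = ProtocolDefinition(
        "Veritas RA",
        primary=[Connection("TCP", 11000, 11049, "Outbound")],
        secondary=[Connection("TCP", 11050, 11099, "Inbound")],
    )
    veritas_ndmp = ProtocolDefinition(
        "Veritas NDMP",
        primary=[Connection("TCP", 11000, 11000, "Outbound")],
    )
    return RuleSet([
        AccessRule("Veritas RA", veritas_ra, source="Localhost", destination="Internal"),
        AccessRule("Veritas NDMP", veritas_ndmp, source="Internal", destination="Localhost"),
    ])


if __name__ == "__main__":
    rs = build_backup_exec_rules()
    # Before a job runs, an Internal host cannot reach 11050-11099 on the firewall.
    print(rs.evaluate("Internal", "Localhost", "TCP", 11060))   # None
    # The agent on the firewall opens its primary connection to the media server...
    print(rs.evaluate("Localhost", "Internal", "TCP", 11010))   # Veritas RA
    # ...after which the secondary connection back into the firewall is permitted.
    print(rs.evaluate("Internal", "Localhost", "TCP", 11060))   # Veritas RA
    for row in rs.reachable_on("Localhost"):
        print(row)
```

Running reachable_on("Localhost") makes the exposure explicit: TCP 11000 on the firewall is reachable from any Internal host at any time through the NDMP rule, and TCP 11050-11099 is reachable from Internal only while an RA session opened from the firewall is active. That is the trade-off Tom refers to when he cautions against running non-firewall software on the ISA Firewall itself.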




6. ISA Firewall Links of the Month

Want to know more about the ISA Firewall's Firewall Engine core? Then check out this seminal white paper on it at http://www.microsoft.com/isaserver/prodinfo/firewall_corewp.mspx

Need some good information on the ISA Firewall's Web proxy component of the Firewall service to put in front of your non-techie boss? Then check out the white paper Secure Remote and Outbound Internet Access using the ISA 2006 Firewall's Web Proxy at http://www.microsoft.com/isaserver/prodinfo/web_proxywp.mspx

Microsoft has a new promotion for deploying the ISA Firewall at the branch office. Check it out at http://www.microsoft.com/windowsserversystem/solutions/branch/promo.mspx#E1

The Microsoft Intelligent Application Gateway (IAG), based on the ISA Firewall, was placed on the Gartner SSL VPN Visionaries section of the Magic Quadrant. For more details, go to http://www.microsoft.com/presspass/press/2007/jan07/01-03SASDMagicPR.mspx

Microsoft is named a leader in the SSL VPN market, based on Forrester's assessment of the ISA Firewall based Microsoft IAG. Check out http://www.microsoft.com/presspass/press/2006/dec06/12-13MSGrowingSSLPR.mspx for more information.

Try out the 2006 ISA Firewall by downloading a .vhd image that you can run from your own machine. Download the image from the VHD download center at http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=msvhds&DisplayLang=en

7. Blog Posts

TCP connection established using Firewall client may close unexpectedly

http://blogs.isaserver.org/pouseele/2007/01/19/tcp-connection-established-using-firewall-client-may-close-unexpectedly/

Update is available that supports publishing Microsoft Exchange Server 2007 behind Internet Security and Acceleration (ISA) Server 2006

http://blogs.isaserver.org/shinder/2007/01/18/update-is-available-that-supports-publishing-microsoft-exchange-server-2007-behind-internet-security-and-acceleration-isa-server-2006/

Join the ISA Server 2008 beta TAP

http://blogs.isaserver.org/shinder/2007/01/09/join-the-isa-server-2008-beta-tap/

ISA Ninjitsu: Designing, Building and Maintaining Enterprise Firewall and DMZ Topologies with Microsoft ISA Server 2004

http://blogs.isaserver.org/shinder/2007/01/05/isa-ninjitsu-designing-building-and-maintaining-enterprise-firewall-and-dmz-topologies-with-microsoft-isa-server-2004-2/

Background for the Microsoft Whale IAG Placement in the Gartner Visionaries Quadrant for SSL VPN

http://blogs.isaserver.org/shinder/2007/01/05/background-for-the-microsoft-whale-iag-placement-in-the-gartner-visionaries-quadrant-for-ssl-vpn/

Sharing a Hotel Wireless Internet Connection using a Simple Wireless NAT Device

http://blogs.isaserver.org/shinder/2006/12/28/sharing-a-hotel-wireless-internet-connection-using-a-simple-wireless-nat-device/

8. Ask Dr. Tom

QUESTION: Hello,

I just saw your article on the internet. Now I have a problem and I was wondering if you could help me. I have an ISA Firewall on my network and I want my workstation to assist other users over the internet. When, for instance, I make a connection with Live Messenger and I ask the other person to ask for help, I see the "trying to connect to …" screen, but I get no connection at the end. Which rules must I use in my ISA 2006 so that it works?

Thank you for your time. -Rob, The Netherlands

ANSWER: The problem in this case isn't related to the ISA Firewall, it's a core limitation of how the Remote Assistance feature works. When the client sends the request for assistance, the IP address of the actual client is included in the request. Since it's likely that the client is behind a NAT device, the client will have a private IP address. Since this address isn't accessible over the Internet, the connection attempt fails. The only solution to this problem is to assign the client a public IP address by connecting that client directly to the Internet. However, if you want to move beyond the Remote Assistance feature, you can inform the user to configure his NAT device to forward RDP connections to his workstation and then enable Remote Connections on his computer.
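A quick way to confirm the diagnosis above on a real case is to look at which addresses the invitation itself carries. The following is an added example, not from the newsletter and not Microsoft's tooling: it pulls every IPv4 address:port pair out of an invitation file and reports which ones are private or otherwise not globally routable, since those are the addresses a helper on the Internet cannot reach. The sample invitation is constructed and only approximates the .msrcincident layout; the RCTICKET attribute carrying "address:port;hostname:port" is an assumption.

```python
"""Remote Assistance invitation diagnostic (added example, not Microsoft's code).

Extracts the IPv4 endpoints embedded in an invitation and classifies them, so
an administrator can see why a helper on the Internet never connects.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]

# IPv4 address immediately followed by :port, not glued to other digits or dots
IPV4_PORT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")

# Constructed sample: a client behind a NAT device, as in Rob's question.
# The RCTICKET layout is assumed, not copied from a real invitation.
SAMPLE_INVITATION = (
    '<?xml version="1.0" encoding="Unicode" ?>\n'
    '<UPLOADINFO TYPE="Escalated">\n'
    '  <UPLOADDATA USERNAME="rob" '
    'RCTICKET="65538,1,192.168.1.25:3389;WORKSTATION:3389,*,placeholder" '
    'RCTICKETENCRYPTED="0" />\n'
    '</UPLOADINFO>\n'
)


def extract_endpoints(invitation: str) -> List[Endpoint]:
    """All syntactically valid IPv4 address:port pairs in the invitation, in order."""
    endpoints: List[Endpoint] = []
    for ip, port in IPV4_PORT.findall(invitation):
        try:
            addr = ipaddress.IPv4Address(ip)   # rejects octets above 255
        except ipaddress.AddressValueError:
            continue
        if 0 < int(port) < 65536:
            endpoints.append((str(addr), int(port)))
    return endpoints


def diagnose(invitation: str) -> Dict[str, object]:
    """Classify each endpoint and say whether an Internet helper could connect to any."""
    endpoints = extract_endpoints(invitation)
    # is_global is False for RFC 1918 space, loopback, link-local and other reserved ranges
    unreachable = [e for e in endpoints if not ipaddress.IPv4Address(e[0]).is_global]
    reachable = [e for e in endpoints if e not in unreachable]
    if not endpoints:
        verdict = "no IPv4 endpoint found in the invitation"
    elif reachable:
        verdict = "at least one globally routable endpoint; the helper can attempt it"
    else:
        verdict = ("every endpoint is private or non-routable; the helper's connection "
                   "will fail unless the client gets a public address")
    return {
        "endpoints": endpoints,
        "unreachable": unreachable,
        "reachable": reachable,
        "connectable": bool(reachable),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_INVITATION).items():
        print(f"{key}: {value}")
```

On the constructed sample the only endpoint is 192.168.1.25:3389, which is RFC 1918 space, so the verdict is that the helper's connection will fail, matching the explanation above; the ISA Firewall's rules never come into play.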

QUESTION: Dr. Shinder,

I really liked your article. I found it via Google at the following URL:

http://www.isaserver.org/tutorials/You_Cannot_Control_the_Source_IP_Address_on_the_External_Interface_of_the_ISA_Server.html

I'm having a similar issue with IIS 6, multiple web sites and their distinct IPs. Some of the applications on these sites are Web services which in turn make outbound Web requests to other servers. The other services are protected by IP filters and we absolutely don't want our outbound requests all using the same outbound IP address…

Anyway, I'm writing to see if you have learned of any solutions to this? I appreciate your time. Any update is appreciated. Regards, Brett Herrmann.

ANSWER: Unfortunately, there is no solution at this time using the ISA Firewall. There are some rumors that the next version of the ISA Firewall will allow you this type of source IP address control, but at this time, you cannot control the source IP address of outbound connections through the ISA Firewall.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
