ISAserver.org Newsletter of January 2008

ISAserver.org Monthly Newsletter of January 2008 Sponsored by: GFI

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Web security and Web filtering for ISA Server

Monitor, control and protect your ISA Server users with filtering policies, real-time monitoring and multiple virus scanning engines. GFI WebMonitor for ISA Server - Try the new and improved v4 today!

Try out GFI WebMonitor today - Download a free 30-day trial!

1. Windows Essential Business Server and ISA Firewalls

Are you an SBS admin who's tired of having to put your network firewall on your domain controller? Have you ever wondered if you could ever be secure with this kind of configuration? Are you tired of having your ISA Firewall related questions ignored on the ISAserver.org message boards? Is your business growing and an "all in one" server just isn't cutting the mustard anymore?

If you answered yes to any of these questions, then I have some great news for you! Microsoft recently announced its new Windows Essential Business Server (or EBS to its friends). EBS is a three server solution that includes Windows Server 2008, Exchange Server 2008, System Center Essentials, Forefront Security for Exchange, and the next versions of the ISA Firewall and SQL Server 2008.

Think about how you install and configure Windows Servers. First you install the operating system, and then you tweak the operating system using your own codified best practices. Then you install server services on the operating system, and then tweak the server services based on your own best practices again. It actually takes quite a bit of work to get things going for a single server. Now how long does it take to get three servers with multiple server services running, many of which have dependencies on one another? The amount of time to get a best practices configuration going could take days in some cases.

Now enter EBS. Instead of you having to install the operating systems and server services independently, the EBS installer does all the work for you! Microsoft has included in the installation process hundreds (maybe thousands) of best practices configurations for each of the operating systems and server services - stuff that would take you days to set up and configure on your own, even if you were aware of all of these settings.

I have been testing a beta version of EBS for over a month now, and I have to tell you that it is sweet. What was most interesting to me was the ISA Firewall configuration (no, I cannot tell you what is in the next version of the ISA Firewall yet, that is a strict NDA situation). The best practices configuration for publishing Exchange and other server services was enlightening! They have also improved the certificate setup situation, but I cannot tell you how just yet. There is also central monitoring and configuration, so you can monitor and configure your ISA Firewall and all of the other servers in the EBS network from a single monitoring station.

I typically dislike automated approaches to configuring the ISA Firewall, as proven by my avoidance of network templates. However, the EBS team did a fantastic job at automating ISA Firewall installation and configuration. While there are a few tweaks the ISA Firewall admin might like to make, the EBS team has done an exceptional job at creating a full featured, powerful ISA Firewall security solution right out of the box.

As soon as I can tell you more about EBS I will. But keep your eyes on the EBS blog site. There is information there on how to sign up for the beta! If you sign up for the beta, let me know, and we can exchange tips and tricks.

Thanks!

Tom

=======================

Quote of the Month - "You're not paranoid if they actually are out to get you"

Security Administrator's motto

=======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Good news! KB articles of the month are back. An ISAserver.org reader read about our plight and pointed me to an MCP only search site where you can use the old search interface, that allows you to search based on date. I still feel bad for the Microsoft admins who do not have access to this search capability, as they have to wade through thousands of articles using the new KB search site. Let us continue to hope that they repair the KB search site that we have been using so well for years until a couple of months ago.

5. Tips of the Month

Jerry Young came up with a great explanation of how BlackBerry networking works on the ISAserver.org mailing list. This post should help you understand how to get the BB working with your ISA Firewall protected networks:

"There are several ways to get corporate email to a BlackBerry handheld.

In the enterprise, the most common method is to purchase a BlackBerry Enterprise Server (BES). A user is created on the BES box, which points to a mailbox on an Exchange server. A service account for BES is used to access the user's mailbox and send updates via TCP port 3101 (to na.srp.blackberry.net in the States) to the user's handheld. Updates generally include complete PIM data (Inbox, Calendar, Contacts, Notes, Tasks) - wireless synchronization. The information is pulled via a MAPI (a lot of them - 10/user is a good start) connection handled by the BES service account, which needs Send As permissions to the mailbox in addition to other Exchange permissions, and then routed to the handheld via the carrier network after reaching the RIM box mentioned earlier.

Another means is to use the BlackBerry Internet Service (BIS - gets confusing, I know!) offered by the carrier. This is just a web page that the user can access to configure BIS to pull email from different accounts. To my knowledge, the only data that can be "synched" is email; no Calendar, Contacts, Notes, or Tasks synchronization. This service allows several means of contacting mail servers - POP, IMAP, and OWA (HTTP). My guess is, based on your description, this is what your users are using and what they probably need to have updated to point to the correct page - this is a user function, though, and not something an admin would do unless the user and admin were *really, really* friendly.

A third method is to use the BlackBerry Desktop Redirector. This is a "poor man's" version of BES. A program sits on the user's workstation and monitors the Outlook profile's mailbox. Changes made to the mailbox are then forwarded to the handheld, although, I'm not sure if by the same destination/port. This requires, however, that the user's workstation is on all the time and connected to the Exchange server at all times. When the BlackBerry Desktop Redirector isn't running, no magic happens.

The final method - and one I hate to try using because of the silly browsers on BlackBerry handhelds - is to access web mail and access your mailbox via a web page. This will almost always require JScript to be enabled on the device and, as others have reported, is spotty at best.

Honestly, I think the only thing that needs to happen is that the users update the URL used to pull mail from OWA via their BIS accounts.

I hope this helps. If you have any other questions about BES/BlackBerry, let me know... I'm fairly familiar with the technology.

I am an independent contractor now so ah... ;) Yeah. :D"

Thanks Jerry! By the way, if you'd like to hire Jerry as your ISA Firewall or network consultant, let me know and I will forward his email address to you.


6. ISA Firewall Links of the Month

7. Blog Posts

8. Ask Dr. Tom

QUESTION: Hello Thomas !!!

My name is Kobi Rotenberg and I'm working as a System Administrator. In my job I provide system services to a large company which has ISA 2004 SP3 (I've upgraded from SP1 to SP2 and then of course to SP3).

My problem is that I can't do RPC/HTTP in my organization. I've used the tool rpcoverhttp.exe (or something) but still no good. My Exchange Server is 2003 (Windows 2003 SP1) - Exchange SP2, as a member server in my domain. Any ideas?

Thank you very much. -- Kobi

ANSWER: There are many reasons for RPC/HTTP not working through the ISA Firewall. The first thing you should check is to make sure that RPC/HTTP is working internally. That will help you determine if it is even an ISA Firewall issue or not. If RPC/HTTP is working internally (that is to say, you're connecting directly to the RPC/HTTP proxy), then the next step is to look at the ISA Firewall configuration. The best place for you to start troubleshooting your RPC/HTTP connection problems is to use Jim Harrison's troubleshooting guide. It is a several part series, so make sure to read each part in the series.

QUESTION: Good day

I am having a problem with my very small network, which comprises 10 machines and a server running Windows Server 2003 and Exchange Server 2003. The problem is that none of the machines can connect to the Internet, and the problem started when I denied access to some users. Right now the server is the only machine which can connect to the Internet.

Is there any way of helping me out of this problem?

Your response will be greatly welcomed.

Regards, Anthony Maume

ANSWER: The most likely cause of this is that in order to block users, those users need to be able to authenticate. If users cannot authenticate, and you create a rule that blocks users based on their identity, then all users will be blocked. In order to allow users to authenticate with the ISA Firewall, you need to configure the browsers as Web Proxy clients and install the Firewall client. Web proxy client authentication only works for HTTP, HTTPS and FTP (through the Web browser). The Firewall client will allow you to authenticate users for all protocols, including the Web protocols.

Remember to create rules for servers based on IP addresses, since servers should not have logged on users most of the time. Put the rules that do not require authentication before those that require authentication. Finally, when having problems with your Firewall rules, make sure to check the ISA Firewall's log files using the real time log viewer to figure out which rule might be causing the problem.
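The rule-ordering behaviour Dr. Tom describes in this answer can be seen in a small simulation. The following is an added example, not code from the newsletter or from Microsoft: it is a deliberately simplified model of top-down policy evaluation in which a rule that names specific users forces an authentication request, and a client that cannot present credentials (a SecureNAT client with no Firewall client installed) is denied at that rule rather than falling through. The rule names, user names and IP addresses are constructed for the illustration.

```python
"""Simplified model of ordered firewall-policy evaluation (added example).

Assumed semantics, following the answer above: a rule restricted to a user set
requires the client to authenticate; a client with no identity is denied at that
rule; a rule using only IP addresses or "All Users" needs no credentials.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    users: Optional[Set[str]] = None    # None = "All Users": no credentials needed
    src_ips: Optional[Set[str]] = None  # None = any source address


@dataclass
class Request:
    src_ip: str
    user: Optional[str]  # None = client cannot authenticate (e.g. SecureNAT client)


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Walk the rules top to bottom and return (action, matching rule name)."""
    for rule in policy:
        # Address-based conditions are checked without any authentication.
        if rule.src_ips is not None and req.src_ip not in rule.src_ips:
            continue
        if rule.users is not None:
            if req.user is None:
                # The rule needs an identity and the client cannot supply one,
                # so the request is refused here; later rules are never reached.
                return "deny", f"{rule.name} (authentication required)"
            if req.user not in rule.users:
                continue  # authenticated, but this rule is for other users
        return rule.action, rule.name
    return "deny", "default rule"


BLOCKED_USERS = {"bob"}          # constructed: the users the admin wanted to block
SERVER_IP = "10.0.0.5"           # constructed: the Exchange server's address
WORKSTATION_IP = "10.0.0.20"     # constructed: an ordinary client


def broken_policy() -> List[Rule]:
    """Block rule first, no IP-based rule for the server: mirrors the question."""
    return [
        Rule("Block some users", "deny", users=BLOCKED_USERS),
        Rule("Allow Internet", "allow"),
    ]


def fixed_policy() -> List[Rule]:
    """Anonymous (IP-based) rule before the authenticated ones, as advised."""
    return [
        Rule("Allow server by IP", "allow", src_ips={SERVER_IP}),
        Rule("Block some users", "deny", users=BLOCKED_USERS),
        Rule("Allow Internet", "allow"),
    ]


if __name__ == "__main__":
    # Without the Firewall client every workstation is anonymous and gets denied.
    print(evaluate(broken_policy(), Request(WORKSTATION_IP, None)))
    # With the IP rule first and the Firewall client supplying identities:
    print(evaluate(fixed_policy(), Request(SERVER_IP, None)))
    print(evaluate(fixed_policy(), Request(WORKSTATION_IP, "alice")))
    print(evaluate(fixed_policy(), Request(WORKSTATION_IP, "bob")))
```

The server rule is matched on its address alone, so it works even when nothing on the server can authenticate; the workstations still need the Firewall client (or Web Proxy client configuration for browser traffic) so that `user` is populated when the block rule is reached.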

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
