• DMZ Networking with ISA 2004 Firewalls
• Tom and Deb Shinder's Configuring ISA Server 2004 -- Pre-order Today!
• ISAserver.org Learning Zone articles of Interest
• KB Articles of the Month
• Post of the Month
• ISA Server Links of the Month
• Ask Dr. Tom

1. DMZ Networking with ISA 2004 Firewalls

• Apply Firewall Policy to ALL connections made through the ISA Server 2004 firewall
• Apply stateful filtering and stateful application layer inspection on all connections made through the ISA Server 2004 firewall
• Control inbound and outbound access through the ISA Server 2004 firewall based on source and destination networks
• Create DMZ segments representing different security zones and tightly control access between these security zones with each other and with the corporate Internet network
• Apply the ISA Server 2004 firewall's strong stateful filtering and stateful application layer inspection to VPN client connections. This means you won't have to worry about your VPN clients introducing exploits like Blaster into your network.

• One security zone represents the Internal network. The Internal network contains the Active Directory domains hosting your corporate user accounts. One key aspect of the Internal network security zone is that there must be no Internet facing servers on the Internal network.
• An authenticated access-only security zone. This security zone is separate from the Internal network security zone because there are Internet facing servers on this network. For example, the Front-end Exchange Server is placed in this security zone. While this might be considered a DMZ segment, I would call it a "perimeter network" segment because only secure authenticated connections are allowed to Internet facing machines on this network. No anonymous connections are ever made to servers located on this perimeter network segment
• The true "DMZ" segment. This segment allows anonymous connections to Internet facing servers. For example, you would place your public access Web servers, FTP servers and inbound SMTP relays on this segment. All these resources allow anonymous access and this segment is the one most likely to be successfully attacked, because anonymous connections are allowed. ISA Server 2004 firewall policies controlling access to this segment, and the host based security on servers in this segment, are focused on providing the maximum protection against attacks from unauthenticated users.

• Internal Networks behind a NIC named Internal
• Perimeter Network, containing the Front-end Exchange Server is behind a NIC called Perimeter
• Public access DMZ network behind a NIC named DMZ
• The ISA Server 2004 firewall connects to the Internet using a NIC named External

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Pre-order Today!

By Thomas W Shinder Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder are preparing for you their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logging literally 1000's of flight hours with ISA Server 2004 and they'll be sharing the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall. While the ISA Server 2000 books were good, Configuring ISA Server 2004 is going to be even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Pre-order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today

3. ISAserver.org Learning Zone articles of Interest

• Publishing Servers on a ISA 2004 Firewall Public Address DMZ Segment (v1.01)
• Renaming ISA Server 2000 and ISA Server 2004 Firewalls
• ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to Know (v1.02)
• Configuring an Inbound and Outbound SMTP Relay on the ISA 2004 Firewall
• Configuring an Inbound and Outbound SMTP Relay to Complement ISA 2004 Firewall Protection for Exchange Servers: Step by Step Instructions Including MailEssentials 9
• Configuring an Inbound and Outbound SMTP Relay to Complement ISA 2004 Firewall Protection for Exchange Servers
• Front-end Back-end Exchange Server Trihomed ISA 2004 Firewall DMZ Network Scenario

4. KB Articles of the Month

• Rule Fields in Firewall Log Are Sometimes Not Logged Properly
• How to Enumerate ISA Sessions
• The SMTP Message Screener may not filter some messages correctly in ISA Server 2000
• ISA Server 2000 performance may be reduced if the Exchange Server 2003 server is processing unusually heavy traffic
• How to configure access auditing for storage and for configuration in ISA Server 2000 and in ISA Server 2004
• Blocking and Logging Traffic on ISA Server Internal Interfaces
• DNS Queries Generated When Static Packet Filter Is Removed
• Windows Update May Not Work in Windows XP If an Authenticating Web Proxy Is Used
• Server-side playlists do not work with ISA Server
• PRB: ISA Web Publishing Rule Using NTLM May Cause Random Authentication Prompts
• ISA Server 2000 cannot access an imported SSL certificate

5. Post of the Month

"In cases where Customers can't justify MS Exchange CALS for their employees, we deploy Kerio (www.kerio.com). Kerio's webmail server is an Apache (Open SSL) Server.

We chose Kerio, as it's the only POP3 messaging system that uses Active Directory.

Using a Windows 2003 Enterprise CA, I worked out how to generate a new certificate request, Issue it from the Windows 2003 Certificate Server, and then import the signed certificate into the Apache web server.

So far so good...This works perfectly from internal systems.

Now, to be able to publish it through ISA, I need to import the signed Certificate into the Personal Store of the Local Computer (ISA Server).

I've installed an X.509 certificate from a .cer file into the Personal Certificate Store of the Local Computer. This works perfectly, accept for when I check the properties of the certificate I don't get the message that "You have a private key that corresponds to this certificate.", and therefore this certificate is not visible when adding it to the Incoming listener on ISA.

I have the Private Key (.key) file, that I would like to import/associate with this certificate. Does anyone know how to do this?

Unfortunately because this application is using an Apache (Open SSL) server, I don't have the luxury of generating a .pfx file, as you do with IIS, nor do I have the option of sending the request immediately to an on-line authority.

After downloading a copy of the OpenSSL Toolkit from either of these sites...
http://www.kerio.com/dwn/kms/sslcert.zip
http://www.shininglightpro.com/products/x86/OpenSSL/official/OpenSSL.exe

I was then able to run the following command to create the PKCS #12 file.

openssl pkcs12 -export -in webmail.cer -inkey webmail.key -out webmail.p12

Whilst researching I came across these two URL's that may be of use to someone that reads this post in the future.
http://support.ipswitch.com/kb/IM-20030415-DM01.htm
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html

It now works perfectly."

6. ISA Server Links of the Month

7. Ask Dr. Tom