• What's to Like about 2006 ISA Firewalls?
• Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
• ISAserver.org Learning Zone Articles of Interest
• KB Articles of the Month
• Tip of the Month
• ISA Firewall Links of the Month
• Ask Dr. Tom

1. What's to Like about 2006 ISA Firewalls?

What do I like best about the new ISA firewall? Here's my short list:

• Web Farm Load Balancing
• FQDN support in site to site VPNs
• Certificate restriction policies
• Basic authentication failover for Outlook 2003 and other non-Web clients
• Support for wildcard certificates on the back end
• Kerberos Constrained Delegation
• Password Change built into OWA FBA
• Kernel Mode Stateful Packet Inspection Driver
• Automatic branch office ISA firewall deployment wizard
• Disconnecting the CONNECT name from the name to be resolved

While there is alot more to like about the new ISA firewall, these are some of the biggies. No, nothing earth shaking, but for current and future ISA firewall admins, all these changes are going to make your life a lot easier and a lot more secure. In fact, I had the opportunity to spend the last two weeks comparing the new ISA firewall to the Cisco ASA and I'm very happy to say that in terms of security, the ISA firewall has the ASA beat!

Want to know more about these improvements included with the new ISA firewall? Let me know! Send me a note and if there's enough interest, I do an article on it on the ISAserver.org site.

Thanks!

Tom tshinder@isaserver.org

=======================

Quote of the Month - "Inanimate objects can be classified scientifically into three major categories; those that don't work, those that break down and those that get lost." Russell Baker

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall. While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Publishing Outlook Web Access and Outlook RPC/HTTP with ISA Server 2006 Enterprise Edition (RC) Firewalls using Forms-based Authentication (Single Member Array without NLB) - Part 3: Deploying Certificates and Creating the Web Publishing Rules
• Creating Networks with ISA 2004 (Part 1)
• Publishing Outlook Web Access and Outlook RPC/HTTP with ISA Server 2006 Enterprise Edition (RC) Firewalls using Forms-based Authentication (Single Member Array without NLB) - Part 4 Creating the Web Publishing Rules and Testing the Configuration
• Configuring the Barracuda SPAM appliance in an ISA 2004 Firewall DMZ
• Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Authentication using Kerberos Constrained Delegation (Part 1) - Front-end/Back-end Exchange Server Publishing Scenario
• Creating Networks with ISA 2004 (Part 2)
• Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Authentication using Kerberos Constrained Delegation (Part 2) - Front-end/Back-end Exchange Server Publishing Scenario

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

• You cannot browse Web servers on a remote site when you use IPsec tunnels to connect sites on a Windows Server 2003-based computer that is running Internet Security and Acceleration Server 2004
• VPN clients may be disconnected when you restart the IPsec Policy Agent service on a computer that is running ISA Server 2004
• The requested site is either unavailable or cannot be found error message when you try to download an attachment from Outlook Web Access through ISA when you use RSA SecurID authentication
• You experience problems when you access the Windows Update Version 5 or Version 6 Web site through a server that is running ISA Server
• A hotfix is available to let you use a different upstream port for Secure Sockets Layer tunneling in Microsoft Internet Security and Acceleration (ISA) Server 2004
• The ISA Server Control service may not start after you rename and then restart a computer that is running ISA Server 2004
• You cannot join a Windows Vista x64 Edition-based client computer to a Windows domain on which ISA Server 2004 is configured as a firewall
• Clients take a long time to log off an OWA session after you publish an OWA server and configure OWA forms-based authentication in ISA Server 2004
• You experience a two minute delay when you access an HTTP Web site from an HTTPS Web site by using Internet Explorer configured as an ISA Server 2004 SP2 Web proxy client

5. Tip of the Month

Jim Harrison (www.isatools.org) comes up with a great tip on how to identify your version of the 2004 ISA firewall:

"In the ISA MMC, click "Help", "About".

Std Ed RTM is 2161.50

Std Ed SP1 is 2163.213

Std Ed SP2 is 2165.594

Std Ed with 916106 rollup is 2165.610"

======================

Dmatos on the ISAserver.org Web boards comes up with a nice .asp page for your OWA redirects:

I currently use an aspx page on the root to redirect:

1. create a file named redirect.aspx on the root folder for owa.yourdomain.com

2. insert this into the file:
<%@ Page Language="C#" %>
<script runat="server">
private void Page_Load(object sender, System.EventArgs e)
{

if (Request.ServerVariables["HTTP_HOST"] == "owa.yourdomain.com")
 Response.Redirect("https://owa.yourdomain.com/exchange/",false);
if (Request.ServerVariables["HTTP_HOST"] == "owa.yourdomain.local")
 Response.Redirect("https://owa.yourdomain.com/exchange/",false);

if (Request.ServerVariables["HTTP_HOST"] == "owa")
 Response.Redirect("https://owa.yourdomain.com/exchange/",false);

Response.Write(Request.ServerVariables["HTTP_HOST"]);

}
</script>

3. set redirect.aspx as a default document with high priority in IIS

4. notice that I have several redirects. I use this asp.net script to allow the users to type owa, owa.yourdomain.local or owa.yourdomain.com, over http or https. it all redirects correctly to the correct https site.

(you need asp.net enabled on the site. I could have used case-statements, but I was just lazy... it works...)

Find the original post at: http://forums.isaserver.org/m_2002021383/mpage_1/key_/tm.htm#2002021467

======================

Want to sniff ICQ IM sessions on the cheap? Check out this post from Daniilkireev on the ISAserver.org Web boards at: http://forums.isaserver.org/m_2002021110/mpage_1/key_/tm.htm#2002021483

6. ISA Firewall Links of the Month

Tim Mullen and Jim Harrison are going to host a fantastic two day ISA firewall class at this year's Black Hat conference in Las Vegas. You can get all the information about it in my blog over at http://blogs.isaserver.org/shinder/2006/06/20/isa-ninjitsu-designing-building-and-maintaining-enterprise-firewall-and-dmz-topologies-with-microsoft-isa-server-2004/

Want to get some hands-on with the ISA firewall but don't want to download and print out PDF files? Try the ISA firewall Interactive Training over at http://www.isa2004training.com/

Hardware ISA firewalls are all the rage! Get more information on hardware ISA firewalls at http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032265783&EventCategory=5&culture=en-US&CountryCode=US

If you plan on upgrading your 2004 ISA firewall to the 2006 ISA firewall, then you better know how to do it right. Check here for how to do it right: http://www.microsoft.com/technet/prodtechnol/isa/2006/upgrade_guide_se.mspx
Note that there is no direct path for upgrading 2000 ISA firewalls to 2006.

One of the most important things you can to do "harden" the ISA firewall is to correctly configure System Policy. Here's a great Microsoft doc on how to interpret and configure System Policy http://www.microsoft.com/technet/prodtechnol/isa/2006/system_policy.mspx

7. Ask Dr. Tom

QUESTION: I'm getting ready to install a new ISA firewall for the first time. Do you have any hints and tips on how to configure the IP addressing information on the ISA firewall's interfaces? Thanks! -Bob.

ANSWER: The appropriate IP addressing information for the ISA firewalls NICs depends on the deployment scenario in which the ISA firewall finds itself. For example, each of the following deployment scenarios would lend themselves to different approaches to assigning IP addressing information:

• Edge ISA firewall
• Back-end ISA firewall
• Internal network perimeter ISA firewall
• Trihomed (or four or 20 homed) ISA firewall
• Unihomed (hork mode) ISA firewall

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.